Researchers say the campaign uses a browser-based JavaScript VM to hide credential theft and intercept MFA at scale.