🚨 #Salty2FA: A Previously Undetected Phishing Kit Targeting High-Risk Industries.
⚠️ We’ve identified an active #phishing campaign, ongoing since June, engineered to bypass nearly all known 2FA methods and linked to the #Storm1575 threat actor.

We named it for its distinctive anti-detect ‘salting’ of source code, a technique designed to evade detection and disrupt both manual and static analysis.

🎯 Salty2FA focuses on harvesting Microsoft 365 credentials and is actively targeting the USA, Canada, Europe, and international holdings.

This phishkit combines a resilient infrastructure with advanced interception capabilities, posing a serious threat to enterprises in finance, government, manufacturing, and other high-risk industries, including:
🔹 Energy
🔹 Transportation
🔹 Healthcare
🔹 Telecommunications
🔹 Education

🔗 Delivered via phishing emails and links (#MITRE T1566), Salty2FA leverages infrastructure built from multiple servers and chained domain names in compound .??.com and .ru TLD zones (T1583).

🌐 It maintains a complex interaction model with C2 servers (T1071.001) and implements interception & processing capabilities (T1557) for nearly all known 2FA methods: Phone App Notification, Phone App OTP, One-way SMS, Two-way Voice (Mobile and Office), Companion Apps Notification.

Observed activity shares #IOCs with Storm-1575, known for developing and operating the #Dadsec phishing kit, suggesting possible shared infrastructure or operational ties.

📌 What can you do now? Expand your threat landscape visibility by determining whether your organization falls within Salty2FA’s scope, and update detection logic with both static IOCs & behavioral indicators to reduce MTTR and ensure resilience against the threat actor’s constantly evolving toolkit.

👨‍💻 #ANYRUN enables proactive, behavior-based detection and continuous threat hunting, helping you uncover intrusions early and act before damage is done.
Examine Salty2FA behavior, download actionable report, and collect IOCs:
https://app.any.run/tasks/a601b5c4-c178-4a8e-b941-230636d11a1c/?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa&utm_term=140825&utm_content=linktoservice

🔍 Further investigate Salty2FA, track campaigns, and enrich IOCs with live attack data using TI Lookup:
1️⃣ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa&utm_content=linktolookup&utm_term=140825#%7B%2522query%2522:%2522threatName:%255C%2522salty2fa%255C%2522%2522,%2522dateRange%2522:180%7D
2️⃣ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa&utm_content=linktolookup&utm_term=140825#%7B%2522query%2522:%2522threatName:%255C%2522salty2fa%255C%2522%2520and%2520threatName:%255C%2522storm1575%255C%2522%2522,%2522dateRange%2522:180%7D%20

Find IOCs in the replies 💬
🎯 MITRE ATT&CK Techniques:
Acquire Infrastructure (T1583)
Phishing (T1566)
Adversary-in-the-Middle (T1557)
Application Layer Protocol: Web Protocols (T1071.001)

Full technical breakdown is on the way, stay tuned.
Protect critical assets with faster, deeper visibility into threats using #ANYRUN 🚀

#cybersecurity #infosec

The operators of the #Dadsec #PhaaS platform (Storm-1575) have deleted all of their public fronts: store websites, Telegram channels and YouTube videos.

Dadsec's main infrastructure still hosts new phishing pages, but the panels now display a new brand name: "Phoenix Panel".