ANY.RUNπ¨ #Salty2FA is a new #phishkit linked to #Storm1575.
Active since June, it bypasses 2FA to gain access beyond stolen creds. Using a unique domain pattern and multi-stage chain, it targets finance, energy, telecom and more.
π¨ #Salty2FA is a new #phishkit from #Storm1575 that has been evading detection since June
π― Targets finance, energy, and telecom companies in the US & EU
πͺ Steals creds and bypasses multiple 2FA methods
Read analysis of its attack chain π
https://any.run/cybersecurity-blog/salty2fa-technical-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa_analysis&utm_term=190825&utm_content=linktoblog
π¨ #Salty2FA: A Previously Undetected Phishing Kit Targeting High-Risk Industries.
β οΈ Weβve identified an active #phishing campaign, ongoing since June, engineered to bypass nearly all known 2FA methods and linked to the #Storm1575 threat actor.
We named it for its distinctive anti-detect βsaltingβ of source code, a technique designed to evade detection and disrupt both manual and static analysis.
π― Salty2FA focuses on harvesting Microsoft 365 credentials and is actively targeting the USA, Canada, Europe, and international holdings.
This phishkit combines a resilient infrastructure with advanced interception capabilities, posing a serious threat to enterprises in finance, government, manufacturing, and other high-risk industries, including:
πΉ Energy
πΉ Transportation
πΉ Healthcare
πΉ Telecommunications
πΉ Education
π Delivered via phishing emails and links (#MITRE T1566), Salty2FA leverages infrastructure built from multiple servers and chained domain names in compound .??.com and .ru TLD zones (T1583).
π It maintains a complex interaction model with C2 servers (T1071.001) and implements interception & processing capabilities (T1557) for nearly all known 2FA methods: Phone App Notification, Phone App OTP, One-way SMS, Two-way Voice (Mobile and Office), Companion Apps Notification.
Observed activity shares #IOCs with Storm-1575, known for developing and operating the #Dadsec phishing kit, suggesting possible shared infrastructure or operational ties.
π What can you do now? Expand your threat landscape visibility by determining whether your organization falls within Salty2FAβs scope, and update detection logic with both static IOCs & behavioral indicators to reduce MTTR and ensure resilience against the threat actorβs constantly evolving toolkit.
π¨βπ» #ANYRUN enables proactive, behavior-based detection and continuous threat hunting, helping you uncover intrusions early and act before damage is done.
Examine Salty2FA behavior, download actionable report, and collect IOCs:
https://app.any.run/tasks/a601b5c4-c178-4a8e-b941-230636d11a1c/?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa&utm_term=140825&utm_content=linktoservice
π Further investigate Salty2FA, track campaigns, and enrich IOCs with live attack data using TI Lookup:
1οΈβ£ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa&utm_content=linktolookup&utm_term=140825#%7B%2522query%2522:%2522threatName:%255C%2522salty2fa%255C%2522%2522,%2522dateRange%2522:180%7D
2οΈβ£ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa&utm_content=linktolookup&utm_term=140825#%7B%2522query%2522:%2522threatName:%255C%2522salty2fa%255C%2522%2520and%2520threatName:%255C%2522storm1575%255C%2522%2522,%2522dateRange%2522:180%7D%20
Find IOCs in the replies π¬
π― MITRE ATT&CK Techniques:
Acquire Infrastructure (T1583)
Phishing (T1566)
Adversary-in-the-Middle (T1557)
Application Layer Protocol: Web Protocols (T1071.001)
Full technical breakdown is on the way, stay tuned.
Protect critical assets with faster, deeper visibility into threats using #ANYRUN π
