🚨 #Salty2FA is a new #phishkit linked to #Storm1575.
Active since June, it bypasses 2FA to gain access beyond stolen creds. Using a unique domain pattern and multi-stage chain, it targets finance, energy, telecom and more.

Read analysis: https://any.run/cybersecurity-blog/salty2fa-technical-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa_analysis&utm_term=050925&utm_content=linktoblog

#cybersecurity #infosec

🚨 #Salty2FA is a new #phishkit from #Storm1575 that has been evading detection since June

🎯 Targets finance, energy, and telecom companies in the US & EU
🍪 Steals creds and bypasses multiple 2FA methods

Read analysis of its attack chain 👇
https://any.run/cybersecurity-blog/salty2fa-technical-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa_analysis&utm_term=190825&utm_content=linktoblog

#cybersecurity #infosec

Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries - ANY.RUN's Cybersecurity Blog

Dive deeper into malware analysis of a PhaaS framework discovered by ANY.RUN's experts: Salty2FA, targeting industries in the USA and EU.

ANY.RUN's Cybersecurity Blog

🚨 #Salty2FA: A Previously Undetected Phishing Kit Targeting High-Risk Industries.
⚠️ We’ve identified an active #phishing campaign, ongoing since June, engineered to bypass nearly all known 2FA methods and linked to the #Storm1575 threat actor.

We named it for its distinctive anti-detect ‘salting’ of source code, a technique designed to evade detection and disrupt both manual and static analysis.

🎯 Salty2FA focuses on harvesting Microsoft 365 credentials and is actively targeting the USA, Canada, Europe, and international holdings.

This phishkit combines a resilient infrastructure with advanced interception capabilities, posing a serious threat to enterprises in finance, government, manufacturing, and other high-risk industries, including:
🔹 Energy
🔹 Transportation
🔹 Healthcare
🔹 Telecommunications
🔹 Education

🔗 Delivered via phishing emails and links (#MITRE T1566), Salty2FA leverages infrastructure built from multiple servers and chained domain names in compound .??.com and .ru TLD zones (T1583).

๐ŸŒ It maintains a complex interaction model with C2 servers (T1071.001) and implements interception & processing capabilities (T1557) for nearly all known 2FA methods: Phone App Notification, Phone App OTP, One-way SMS, Two-way Voice (Mobile and Office), Companion Apps Notification.

Observed activity shares #IOCs with Storm-1575, known for developing and operating the #Dadsec phishing kit, suggesting possible shared infrastructure or operational ties.

📌 What can you do now? Expand your threat landscape visibility by determining whether your organization falls within Salty2FA’s scope, and update detection logic with both static IOCs & behavioral indicators to reduce MTTR and ensure resilience against the threat actor’s constantly evolving toolkit.

๐Ÿ‘จโ€๐Ÿ’ป #ANYRUN enables proactive, behavior-based detection and continuous threat hunting, helping you uncover intrusions early and act before damage is done.
Examine Salty2FA behavior, download actionable report, and collect IOCs:
https://app.any.run/tasks/a601b5c4-c178-4a8e-b941-230636d11a1c/?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa&utm_term=140825&utm_content=linktoservice

๐Ÿ” Further investigate Salty2FA, track campaigns, and enrich IOCs with live attack data using TI Lookup:
1๏ธโƒฃ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa&utm_content=linktolookup&utm_term=140825#%7B%2522query%2522:%2522threatName:%255C%2522salty2fa%255C%2522%2522,%2522dateRange%2522:180%7D
2๏ธโƒฃ https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa&utm_content=linktolookup&utm_term=140825#%7B%2522query%2522:%2522threatName:%255C%2522salty2fa%255C%2522%2520and%2520threatName:%255C%2522storm1575%255C%2522%2522,%2522dateRange%2522:180%7D%20

Find IOCs in the replies 💬
🎯 MITRE ATT&CK Techniques:
Acquire Infrastructure (T1583)
Phishing (T1566)
Adversary-in-the-Middle (T1557)
Application Layer Protocol: Web Protocols (T1071.001)

Full technical breakdown is on the way, stay tuned.
Protect critical assets with faster, deeper visibility into threats using #ANYRUN 🚀

#cybersecurity #infosec
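The post describes Salty2FA infrastructure as chained domains in compound .??.com and .ru TLD zones (T1583) and recommends adding behavioral indicators to detection logic. The following hunting heuristic is an added example, not ANY.RUN's code: it scans proxy log lines for hosts in those zones, with an allowlist because legitimate two-letter .com brands match the same shape. The log format, sample hostnames and allowlist entries are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hunting heuristic for the infrastructure pattern described in the post:
# chained domains in compound ".??.com" zones and the .ru TLD zone. Two-letter
# brand domains under .com (hp.com, ge.com) also match the first regex, so an
# allowlist is needed to keep this usable as a hunting signal.
COMPOUND_CC_COM = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2}\.com$")
RU_ZONE = re.compile(r"^(?:[a-z0-9-]+\.)+ru$")

# Constructed allowlist; extend with the two-letter .com domains your users visit.
DEFAULT_ALLOW = {"hp.com", "ge.com", "go.com"}

# Constructed proxy log format: "<ts> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def classify_host(host, allow=DEFAULT_ALLOW):
    """Return a reason string if host sits in a Salty2FA-style zone, else None."""
    h = host.lower().rstrip(".")
    if ".".join(h.split(".")[-2:]) in allow:   # registrable two-label tail
        return None
    if COMPOUND_CC_COM.match(h):
        return "compound-cc-com-zone"
    if RU_ZONE.match(h):
        return "ru-zone"
    return None

def flag_suspicious(log_lines, allow=DEFAULT_ALLOW):
    """Return (src_ip, host, reason) tuples for requests into matching zones."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue          # skip malformed lines rather than failing the run
        host = urlparse(m.group(4)).hostname
        reason = classify_host(host, allow) if host else None
        if reason:
            hits.append((m.group(2), host, reason))
    return hits

# Constructed sample lines; hostnames are placeholders, not real indicators.
SAMPLE_LOG = [
    "2025-08-14T10:01:02Z 10.0.0.5 GET https://login.microsoftonline.com/ 200",
    "2025-08-14T10:01:09Z 10.0.0.5 GET https://secure-verify.example.us.com/auth 200",
    "2025-08-14T10:01:11Z 10.0.0.5 POST https://cdn-check.example.ru/step2 302",
    "2025-08-14T10:02:30Z 10.0.0.7 GET https://www.hp.com/support 200",
    "2025-08-14T10:02:40Z 10.0.0.7 GET https://www.example.co.uk/ 200",
]
```

Running `flag_suspicious(SAMPLE_LOG)` returns the two placeholder hosts in the .us.com and .ru zones and leaves the Microsoft, hp.com and .co.uk requests unflagged; treat hits as a hunting lead to pivot on, not as a standalone verdict.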