By addressing these overlooked risk vectors, organizations can continue leveraging GitHub’s innovation while protecting against sophisticated supply chain attacks targeting interconnected software.
darkreading – Read More
Today, phishing accounts for the majority of all cyberattacks. The availability of low-cost, easy-to-use Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA, EvilProxy, and Sneaky2FA only makes the problem worse.
These services are actively maintained by their operators; new evasion techniques are regularly added, and the multi-layered infrastructure behind the phishing kits continues to evolve and expand.
But beyond these established players in the PhaaS market, the ANY.RUN team sometimes comes across phishing campaigns that use tools unlike anything we’ve seen before.
One such example is a framework we’ve dubbed Salty 2FA, whose execution chain and infrastructure have not previously been documented.
Like other PhaaS platforms, Salty 2FA is mainly delivered via email and focuses on stealing Microsoft 365 credentials. It unfolds in multiple stages and includes several mechanisms designed to hinder detection and analysis.
Let’s dive deeper into how Salty 2FA works.
During phishing campaign hunting, several ANY.RUN sandbox sessions were identified that had not yet been flagged as malicious. At first glance, they showed familiar traits: Cloudflare Turnstile, a fake Microsoft login page, and unknown domains.
Check analysis sessions:
What stood out in these cases was the domain infrastructure. In the IOCs section of the sessions, a pattern became clear: the consistent use of compound domains in “.com” zones (e.g., .com.de, .it.com) in combination with domains registered under the .ru TLD. The phishing pages themselves also followed a recurring format, embedding “.com” subdomains within a pattern of <sub_domain>.<main_domain>.??.com.
The URI paths hosting the phishing content also appeared unusual. While they initially looked randomly generated and unrelated, further inspection suggested they might share commonalities worth examining.
With this hypothesis in mind, a query was run in Threat Intelligence Lookup:
domainName:”*.*.??.com$” AND domainName:”.ru$”
The results confirmed that this domain pairing is indeed a recurring element tied to phishing activity. Moreover, it highlighted that this indicator had not yet been fully integrated into the detection system, leaving a potential coverage gap.
The initial results left some uncertainty. In addition to the incomplete detection coverage at the time of analysis, the sample included tasks with potential true negative verdicts, as well as tasks tagged under different categories. These ranged from generic phishing labels to Tycoon and EvilProxy; campaigns that had not previously demonstrated the observed behavior (the .??.com + .ru domain combination).
To reduce ambiguity, the query was refined with contextual filters, focusing on specific resources such as requests to Cloudflare.
The updated TI query produced much clearer results, confirming that this activity is almost certainly tied to a distinct phishing operation. However, it cannot yet be definitively attributed to any of the known actors.
Refined TI query:
After a quick review of the external indicators, the next step was to examine the client-side code used in this phishing campaign to better understand its functionality and capabilities.
To capture decrypted traffic and analyze the payload step by step, a similar session was rerun with the MITM proxy enabled.
Check analysis session with MITM enabled
When the page loads from parochially[.]frankfurtwebs[.]com[.]de, a small “trampoline” JavaScript executes. It initializes the Cloudflare Turnstile widget, runs the associated checks, and returns a cf_response token. After that validation, the server delivers the HTML that initiates the main execution chain.
The source code contains comment inserts with inspiring quotes. These do not affect functionality but act as filler “noise,” making static analysis more challenging.
A small JavaScript snippet contains an obfuscated function designed to decode the address of the next stage, retrieve it, decode it in the same way, and then write the result into the DOM of the current page.
Decoding the value lPwICAQHzsPDAfUG//kIBAD19/nGyPn9wgYJw8M= reveals the URL of the next payload:
hxxps[://]marketplace24ei[.]ru//
After loading and decoding the payload, the result is a large HTML page—again padded with non-functional “noise” just like the previous stage—with an obfuscated JavaScript snippet at the end.
A quick search through the HTML for <input> tags revealed several matches. One stood out:
<input hidden id=”lessen” value=”aHR0cHM6Ly9tYXJrZXRwbGFjZTI0ZWkucnUvNzkwNjI4LnBocA”>
Decoding the Base64 value exposes another URL that becomes relevant later:
hxxps[://]marketplace24ei[.]ru/790628[.]php
Comparing the HTML source to the session’s runtime behavior also shows that the attacker obfuscates the page text itself. For example, the string:
“Because you’re accessing sensitive info, you need to verify your password.”
appears obfuscated in the code rather than in plain text.
All of the logic for switching between page states, as well as the collection and exfiltration of user input, is handled by the previously mentioned JavaScript code.
After deobfuscating this script, we can walk through its key technical details and capabilities.
To begin with, nearly all of the front-end logic relies on calls to page elements through jQuery. The identifiers for these elements are generated dynamically, making analysis more difficult. In addition, the element IDs themselves are encoded using a combination of Base64 and XOR with a fixed generated value, which must be decoded through a dedicated routine.
The phishing payload also includes several basic defense mechanisms commonly seen in such campaigns:
For exfiltration of the victim’s input, the data is “encrypted” using the same Base64 + XOR technique. This time, however, the key parameter is derived from the victim’s session identifier.
The stolen data is sent to servers using .ru domains from the observed cluster, with endpoints following the format:
/<5-6_digits>.php
The data itself is encoded and placed in the request= parameter of the POST request, while the decoding key (along with the victim’s session ID) is stored in the session= parameter.
Using a POST request captured in the session as an example, the data can be examined by applying the same encoding routine in reverse:
Utilize the following CyberChef recipe to decode the data: https://gchq.github.io/CyberChef/#recipe=URL_Decode(true)From_Base64(%27A-Za-z0-9%2B/%3D%27,true,false)XOR(%7B%27option%27:%27UTF8%27,%27string%27:%27b17be01b20c089141058415728fd66ff%27%7D,%27Standard%27,false)&input=R1JOWUVrY0tFeFpBUlFZU0ZCdFVXUk1LRjFWZFdsQjNVMW9GU2xWWkMwUWY&oeol=VT
In response to the POST request, the server returns a JSON object. The value of the response field depends on the current state of the phishing page; that is, on which opcode was specified when the data was submitted.
Analysis of the code revealed several possible states of the phishing page, along with the data structures transmitted to the attacker as the page transitions between these states.
The identified states are as follows:
| State # | State Name | Function | Trigger | Data Sent (decoded) | Data Received (decoded) |
|---|---|---|---|---|---|
| 1 | Initial state | Prompts victim to enter email | When the phishing login page first loads | n/a | n/a |
| 2 | Switch to password page state | Prompts for password | When the victim enters a valid email | {“op”:”true”,”em”:} | {“status”:, “banner”:, “background”:, “boilerPlateText”:, “token”:, “ho”:} |
| 3 | Switch to “Stay signed in” state | Prompts “Stay signed in?” | When the victim enters a valid password | {“op”:”bk”} | n/a |
| 4 | Switch to “Incorrect password” state | Prompts “Account locked / incorrect password” | When the victim enters an empty or invalid password | n/a | n/a |
| 5 | Switch to “2FA” state | Initiates 2FA handling | When the victim’s account has 2FA enabled | {“op”:”ne”,”em”:,”px”:,”sec”:} | {“status”:, “sec”:, “method”:, “token”:} |
| 6 | Switch to “Process 2FA method” state | Processes the chosen 2FA method | After state #5 | {“m”:,”token”:,”op”:”ver”,”sec”:} | {“status”:, “type”:, “otp”:, “token”:} |
| 6.1 | Phone App Notification 2FA | Handles phone app push notifications | After state #6 | {“op”:”Vx”,”token”:,”service”:”a”,”sec”:} | {“status”:} |
| 6.2 | Phone App OTP 2FA | Handles OTP from phone app | After state #6 | {“op”:”Vx”,”token”:,”service”:”c”,”otc”:,”sec”:} | {“status”:, “newToken”:} |
| 6.3 | OneWaySMS 2FA | Handles one-way SMS OTP | After state #6 | {“op”:”Vx”,”token”:,”service”:”b”,”otc”:,”sec”:} | {“status”:, “newTokenn”:} |
| 6.4 | TwoWayVoiceMobile 2FA | Handles mobile voice call 2FA | After state #6 | {“op”:”Vx”,”token”:,”service”:”d”,”sec”:} | {“status”:, “calltoken”:} |
| 6.5 | TwoWayVoiceOffice 2FA | Handles office phone voice call 2FA | After state #6 | {“op”:”Vx”,”token”:,”service”:”e”,”sec”:} | {“status”:, “newtokenoff”:} |
| 6.6 | Companion Apps Notification 2FA | Handles companion app push notifications | After state #6 | {“op”:”Vx”,”token”:,”service”:”o”,”sec”:} | {“status”:} |
Based on the complexity of its infrastructure, such as the use of multiple domains across specific TLDs, including a dedicated domain for data exfiltration, the presence of evasion techniques, and its extensive functionality (credential validation, handling multiple 2FA methods, and intercepting OTP codes), this campaign appears to represent a new PhaaS framework. Its behavioral patterns differ from those of the major players in the phishing ecosystem, such as Tycoon, EvilProxy, and others.
At the time of initial research, no clear evidence was found to indicate who operates or develops this phishing kit, how the attackers obtain access (e.g., whether they purchase software), or any distinctive technical traits that would link it to other known kits.
After updating detection methods and re-hunting indicators in the ANY.RUN Sandbox and TI, some overlap in IOCs (specifically domains) emerged with activity tracked as Storm-1575 and Storm-1747.
Storm-1575 is associated with the PhaaS platform Dadsec and is presumed to be its developer. However, Dadsec activity has not been observed recently, and attribution boundaries for Storm-1575 remain unclear.
Storm-1747, on the other hand, is well known for Tycoon 2FA—a state-of-the-art phishing kit that has ranked among the most active in terms of both attacks and related samples for several years. That said, Tycoon relies on a different infrastructure (mainly es-ru-es domain chains) and implements distinct client-side code, including its obfuscation and exfiltration techniques.
To track and assess this phishing activity, the framework was designated Salty 2FA, a name inspired by its “salted” payloads, which consistently helped distinguish its code from other kits during analysis. More importantly, a unique threat name was required, one easier to work with than YetAnotherPhishkitActivity2FA, and “Salty 2FA” struck the right balance of clarity and memorability.
Check potential overlaps between Salty 2FA and Storm-1575/1747
Analysis of phishing emails, their content themes, and pre-filled victim email addresses (automatically inserted via the #email anchor in URLs) made it possible to identify the targets of this campaign, including affected countries and industries.
Observed targets include:
| Country / Region of the Organization | Industry |
|---|---|
| USA / Worldwide (India) | Metallurgy |
| USA / LATAM | Financial |
| Greece | Telecom |
| Germany / Worldwide | Chemicals / Polymers |
| Spain | Energy (solar panels) |
| Spain | Energy |
| USA | Real estate development |
| Switzerland / Worldwide | Logistics |
| USA | Healthcare |
| USA | Financial |
| USA | IT consulting / Staffing |
| USA | Environmental services |
| Canada / France | IT |
| USA | Government |
| UK / Worldwide | Consulting / Financial |
| Italy | Industrial (packaging, automation) |
| UK | Construction / Infrastructure |
| USA / Worldwide | Logistics |
| USA / Worldwide | Logistics |
| USA | Oil and gas |
| USA | Financial / Insurance |
| UK | Real estate |
| USA | Chemicals / Packaging |
| USA | Consulting / Financial |
| USA | Data management / Storage |
| USA | Automotive accessories |
| USA | Construction / Contractors |
| USA | Education |
| USA | Financial |
Common phishing email lures included:
Additional IOCs extracted from SPF records in email headers:
Activity timeline:
Based on data from the ANY.RUN Sandbox and TI, activity resembling Salty 2FA began gaining momentum in June 2025, although it is possible that early or “raw” variants of the kit, or samples similar to it, were already being deployed as early as March–April 2025.
Confirmed activity attributed to Salty 2FA has been observed since late July 2025 and continues to this day, generating dozens of new public analysis sessions in the Sandbox every day.
Basic indicators such as domain names (hashes are not applicable here due to constant obfuscation and code mutation) can be useful for threat hunting and expanding the threat landscape. In some cases, they may even lead to detections. However, for phishing kits like Salty 2FA, these indicators are generally unreliable for long-term or consistent detection.
Threat detection specialists and engineers instead need to identify behavioral patterns that remain consistent across samples, even when those samples appear completely different at first glance.
Any recurring clue, whether it is a particular chain of TLD zones in domain names, distinctive URL structures, unusual web page headers, or a characteristic set of resources loaded from legitimate CDNs, contributes to the behavioral profile of a PhaaS framework. These recurring traits allow analysts to track and detect it over time without relying on volatile details such as email hashes or specific phishing domains.
With solutions like ANY.RUN‘s Interactive Sandbox, analysts can observe phishing kits in real time, uncover hidden behaviors, and distinguish between similar frameworks. By focusing on behavioral patterns rather than fragile indicators, it becomes possible to track evolving PhaaS activity more reliably, while also enjoying a smoother, less resource-heavy investigation process.
The ecosystem of Phishing-as-a-Service (PhaaS) platforms is constantly evolving. Existing kits adapt their attack methods, while new players emerge, some entirely brand-new, others reimagined versions of tools once used by well-known threat actors.
The analyzed framework, Salty 2FA, shares certain traits with Storm-1575, the group behind the Dadsec platform. However, a deeper examination revealed too many unique characteristics to reliably attribute it to any of the known threats, such as Tycoon2FA, Sneaky2FA, Mamba2FA, Gabagool, or EvilProxy.
With its ability to distribute phishing payloads at scale, maintain dynamic infrastructure, intercept and process most known 2FA authentication methods beyond simple credentials, and manage a complex communication model between phishing pages and C2 servers, Salty 2FA stands on par with the “major” kits in today’s phishing landscape.
For SOC teams triaging phishing-related incidents, it is critical to quickly and accurately confirm the malicious nature of collected artifacts and correlate them with the threat actor likely to be targeting their organization.
ANY.RUN’s Interactive Sandbox enables security professionals worldwide to detect and analyze threats like Salty 2FA by replicating victim interactions and tracking execution chains in real time, while leveraging behavior-based detection to expose previously unknown samples and indicators.
See how Salty 2FA and other emerging phishing kits unfold in real time. ANY.RUN’s Interactive Sandbox lets you safely detonate samples, follow execution chains, and uncover hidden IOCs in seconds.
Request 14-day trial for your SOC →
https://app.any.run/tasks/91e777dd-603b-47e4-ad8f-96e8bddf2cba
https://app.any.run/tasks/7d8e3a4d-5226-40b9-9e94-0f833c784abc
https://app.any.run/tasks/a601b5c4-c178-4a8e-b941-230636d11a1c
The post Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
A majority of workers also think AI could improve their work-life balance. But there are a few caveats.
Latest news – Read More
TPG Telecom has disclosed a cybersecurity incident after discovering unauthorized access to an iiNet order management system.
The post Australia’s TPG Telecom Investigating iiNet Hack appeared first on SecurityWeek.
SecurityWeek – Read More
An attacker is breaking into Linux systems via a widely abused 2-year-old vulnerability in Apache ActiveMQ, installing malware and then patching the flaw.
darkreading – Read More
Al-Tahery Al-Mashriky of the Yemen Cyber Army has been accused of hacking into and defacing many websites as part of hacktivist campaigns.
The post Hacktivist Sentenced to 20 Months of Prison in UK appeared first on SecurityWeek.
SecurityWeek – Read More
The UK’s South Yorkshire Police lost 96,000 bodycam videos in a data transfer mishap, impacting 126 cases. Poor…
Hackread – Latest Cybersecurity, Hacking News, Tech, AI & Crypto – Read More
Bragg Gaming Group says hackers accessed its internal systems over the weekend, but did not affect its operations.
The post Gambling Tech Firm Bragg Discloses Cyberattack appeared first on SecurityWeek.
SecurityWeek – Read More
Cars these days are effectively computers on wheels — making them targets for cybercriminals: theft, unauthorized activation of on-board equipment, remote braking and steering, and spying on drivers and passengers are all perfectly doable by the bad guys. But carrying out such attacks often requires either physical access to the vehicle or remote access to its telematics systems (that is, hijacking communications with the carmaker’s server over the cellular network). However, a recent study by PCA Cyber Security describes a new hacking method that targets the car’s infotainment system via Bluetooth. The four vulnerabilities in question — collectively named PerfektBlue — are unlikely to lead to widespread car thefts or hacks, but it’s still worth knowing about them and exercising caution.
If your car was made within the last 10 years, no doubt it lets you connect your smartphone via Bluetooth to make hands-free calls or listen to music. The infotainment system is a part of the head unit, and it uses a built-in Bluetooth chip and special software to work. The software of choice for many carmakers is OpenSynergy Blue SDK. According to its developers, Blue SDK is used in 350 million vehicles made by Ford, Mercedes-Benz, Skoda, Volkswagen, and others.
PCA Cyber Security discovered four vulnerabilities in Blue SDK (CVE-2024-45431, CVE-2024-45432, CVE-2024-45433, CVE-2024-45434) which, when used together, could allow an attacker to run malicious code in the system. To do so, they’d need to be connected to the car via Bluetooth, which means pairing a device. If successful, the attacker can send malicious commands to the car using the Audio/Video Remote Control Profile (AVCRP) for Bluetooth. This causes an error in the head unit’s operating system, giving the hacker the same Bluetooth permissions as the carmaker’s software. Armed with these permissions, the attacker can theoretically track the vehicle’s location, eavesdrop through the car’s built-in microphones, as well as steal data from the head unit, such as the victim’s address book. Depending on the digital architecture of the car, the CAN bus for communication between electronic control units (ECUs) may get compromised — allowing an intruder to take over essential functions such as braking.
How to spot and prevent this attack? This depends on how Bluetooth is implemented in your particular vehicle. In some rare cases, the in-car infotainment system may not require any driver/passenger confirmation at all — leaving Bluetooth open to third-party connections. If so, there’s no way to stop an attack (!). Most cars however require the driver to confirm a connection to a new device, so a driver will see an unexpected connection request. If the request is denied, the attack will fail. The car may even automatically deny connection if the driver has not explicitly enabled pairing mode in the settings. If that applies to your car, attackers will have a job on their hands.
How to determine if your car is vulnerable? Unfortunately, makers tend not to disclose information about vehicle components — let alone the software inside them. Therefore, the only reliable way is to contact a branded dealer or specialized car service where they can check the head unit and advise on whether new firmware is available that eliminates the vulnerabilities. The researchers themselves experimented (and successfully exploited the vulnerabilities) on the head units of a Volkswagen ID.4 (infotainment system: MEB ICAS3), a Mercedes-Benz (NTG6) and a Skoda Superb (MIB3).
How to protect your car and yourself? The best advice is to update the head unit firmware to a patched version. Although OpenSynergy released software updates back in September 2024, these must first be applied by the manufacturer of the head unit, and only then by the carmaker. The latter must also distribute the new firmware across its dealer network. Therefore, some vulnerable cars may still be lacking new firmware.
The second reliable method of protection is to disable in-car Bluetooth.
What’s the attack range? With standard Bluetooth hardware, the attack range is limited to 10 meters, but special amplifiers (range extenders) can extend this to 50–100 meters. If a vehicle is equipped with 4G cellular network technology, then after the first phase of the attack, which requires Bluetooth, threat actors can theoretically maintain control over the car via the cellular network.
Is it true the engine must be on for the attack to work? This limitation was reported by Volkswagen, but in practice almost all cars allow you to turn on the infotainment system together with Bluetooth while the ignition is off. Therefore, a running engine is not an attack precondition.
What should carmakers do to improve protection against such attacks? Car manufacturers should adopt the Secure by Design approach. Kaspersky, together with manufacturers of head units and automotive electronics, is creating a line of Cyber Immune solutions based on KasperskyOS that keep the system protected and running even if a vulnerable component is attacked. But given the long development and testing cycles in the automotive industry, it will be several more years before Cyber Immune cars hit the roads.
More case studies of car hacking through vulnerabilities in electronic systems:
Kaspersky official blog – Read More
Have I Been Pwned has analyzed the information made public by the hackers who recently targeted Allianz Life.
The post 1.1 Million Unique Records Identified in Allianz Life Data Leak appeared first on SecurityWeek.
SecurityWeek – Read More