DUBAI, UNITED ARAB EMIRATES, December 2, 2025 /EINPresswire.com/ -- ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, has identified a new hybrid phishing framework that merges two major Phishing-as-a-Service (PhaaS) kits: Salty2FA and Tycoon2FA. This discovery reveals a significant shift in 2FA-focused phishing and raises new questions about the operators behind these kits.
Overview of the New Phishing Attack
Following an abrupt drop in Salty2FA activity, ANY.RUN began seeing samples that combine Salty2FA's early stages with Tycoon2FA's later payloads. The consistent overlap in indicators and behavior confirms that recent phishing campaigns are now running a unified chain built from both frameworks.
Key findings include:
• Hybrid payloads observed: Samples showed Salty2FA’s initial stages followed by Tycoon2FA’s execution chain almost line-for-line.
• Fallback behavior identified: When Salty domains failed with SERVFAIL, the payload switched to Tycoon2FA hosting and delivery infrastructure.
• Cross-kit indicators detected: Shared IOCs, overlapping TTPs, and matched detection rules confirmed the presence of both kits within single sessions.
• Potential operator link: The overlap aligns with earlier assessments pointing to Storm-1747, known operators of Tycoon2FA, suggesting shared control or cooperation behind both kits.
• Impact on attribution: The merging of client-side code complicates traditional kit-level attribution and requires updated detection logic.
• Operational shift expected: More cross-kit blending is likely, meaning defenders should prepare for phishing campaigns that move between frameworks mid-execution.
For a deeper look at the hybrid samples, full code comparisons, and guidance for SOC teams, visit the ANY.RUN blog.
How This Hybrid Affects SOC Teams
The unified Salty2FA–Tycoon2FA workflow means phishing incidents may shift frameworks mid-execution. This complicates attribution and weakens traditional signatures. SOC teams should monitor both kits together, emphasize behavioral detection, and watch for fallback payloads that bridge one framework to the other.
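As an added, defender-side illustration of the monitoring advice above (example code written for this page, not ANY.RUN's tooling or detection rules): it correlates per-session DNS and HTTP events, flags sessions that touch indicators from both kits, and specifically flags the fallback pattern of a SERVFAIL on one kit's domain followed by a successful connection to the other kit's infrastructure. The log format, session IDs and all domains are constructed placeholders; real indicator lists would come from your own threat intelligence feed.

```python
"""Correlate per-session DNS and HTTP events to flag cross-kit fallback.

Added example for this page, not ANY.RUN code. The log format, session
IDs and every domain below are constructed placeholders.
"""
from collections import defaultdict

# Constructed indicator lists keyed by kit (placeholders, not real IOCs).
KIT_INDICATORS = {
    "Salty2FA": {"salty-stage1.example", "salty-stage2.example"},
    "Tycoon2FA": {"tycoon-host.example", "tycoon-cdn.example"},
}

# Constructed sample log: session_id, timestamp, event kind, domain, status.
SAMPLE_LOG = """\
s1 100 dns salty-stage1.example NOERROR
s1 101 http salty-stage1.example 200
s1 105 dns salty-stage2.example SERVFAIL
s1 106 dns tycoon-host.example NOERROR
s1 107 http tycoon-host.example 200
s2 200 dns mail.example NOERROR
s2 201 http mail.example 200
s3 300 dns tycoon-cdn.example NOERROR
s3 301 http tycoon-cdn.example 200
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, ts, kind, domain, status = line.split()
        events.append({"session": sid, "ts": int(ts), "kind": kind,
                       "domain": domain, "status": status})
    return events


def kit_for(domain):
    """Return the kit name a domain is attributed to, or None if untagged."""
    for kit, domains in KIT_INDICATORS.items():
        if domain in domains:
            return kit
    return None


def analyze(events):
    """Group events by session and report kit overlap and fallback hops.

    A fallback hop is recorded when a kit-tagged domain fails with SERVFAIL
    and the next successful HTTP connection in that session goes to a domain
    tagged with a different kit.
    """
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: (e["session"], e["ts"])):
        by_session[e["session"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        kits_seen = set()
        fallbacks = []
        pending = None  # (kit, domain) of the most recent SERVFAIL lookup
        for e in evs:
            kit = kit_for(e["domain"])
            if kit is None:
                continue  # untagged domain: not relevant to either kit
            kits_seen.add(kit)
            if e["kind"] == "dns" and e["status"] == "SERVFAIL":
                pending = (kit, e["domain"])
                continue
            if (pending and e["kind"] == "http" and e["status"] == "200"
                    and kit != pending[0]):
                fallbacks.append((pending[1], e["domain"]))
                pending = None
        if kits_seen:
            findings[sid] = {
                "kits": sorted(kits_seen),
                "fallbacks": fallbacks,
                "cross_kit": len(kits_seen) > 1,
            }
    return findings


if __name__ == "__main__":
    for sid, f in analyze(parse_log(SAMPLE_LOG)).items():
        flag = "CROSS-KIT" if f["cross_kit"] else "single-kit"
        print(f"{sid}: {flag} kits={f['kits']} fallbacks={f['fallbacks']}")
```

Sessions that appear in only one kit's indicator set are still reported, so a rule author can compare single-kit hits against the cross-kit hits that the hybrid chain produces; the SERVFAIL-then-connect pairing is the behavioral signal the page describes, and it survives even when a single kit's static signatures do not match.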
The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050