A new Phishing-as-a-Service (PhaaS) framework dubbed Salty 2FA has been discovered targeting industries in the US and EU. It uses a distinctive domain pattern that pairs .com subdomains with .ru domains and employs a multi-stage execution chain to resist detection. The kit can bypass multiple 2FA methods, including push, SMS, and voice. Victims span global industries such as finance, telecom, energy, consulting, logistics, and education. Static IOCs are unreliable for detecting it; instead, its behavioral patterns must be identified. The framework shares traits with Storm-1575 but has distinct characteristics that set it apart from known threats such as Tycoon2FA or EvilProxy. It demonstrates sophisticated capabilities in distributing phishing payloads, maintaining dynamic infrastructure, and managing complex communication between phishing pages and C2 servers.
Author: AlienVault
Related Tags:
behavioral detection
domain pattern
storm-1575
Salty 2FA
2fa bypass
phaas
Switzerland
France
Construction
Associated Indicators: