{
	"id": "f3a7256b-5914-489a-9382-a67ff48608be",
	"created_at": "2026-04-06T00:11:28.253769Z",
	"updated_at": "2026-04-10T03:36:23.19616Z",
	"deleted_at": null,
	"sha1_hash": "e3cd9859ceb78a286f574e14633fa2b8c18a9c1d",
	"title": "Salty2FA \u0026 Tycoon2FA: Hybrid Phishing Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104082,
	"plain_text": "Salty2FA \u0026 Tycoon2FA: Hybrid Phishing Threat\r\nBy raptur3\r\nArchived: 2026-04-05 18:19:56 UTC\r\n Phishing kits usually have distinct signatures in their delivery methods, infrastructure, and client-side code, which makes\r\nattribution fairly predictable. But recent samples began showing traits from two different kits at once, blurring those\r\ndistinctions. \r\nThat’s exactly what ANY.RUN analysts saw with Salty2FA and Tycoon2FA: a sudden drop in Salty activity, the appearance\r\nof Tycoon indicators inside Salty-linked chains, and eventually single payloads carrying code from both frameworks. This\r\noverlap marks a meaningful shift; one that weakens kit-specific rules, complicates attribution, and gives threat actors more\r\nroom to slip past early detection. \r\nLet’s examine how this hybrid emerged, why it signals a shift in 2FA phishing, and what measures defenders should take in\r\nresponse. \r\nKey Takeaways \r\nSalty2FA activity collapsed abruptly in late October 2025, dropping from hundreds of weekly uploads\r\nto ANY.RUN’s Interactive Sandbox to just a few dozen. \r\nNew samples began showing overlapping indicators from both Salty2FA and Tycoon2FA, including shared\r\nIOCs, TTPs, and detection rule triggers. \r\nCode-level analysis confirmed hybrid payloads: early stages matched Salty2FA, while later stages reproduced\r\nTycoon2FA’s execution chain almost line-for-line. \r\nSalty2FA infrastructure showed signs of operational failure, forcing samples to fall back to Tycoon-based hosting\r\nand payload delivery. \r\nThe overlap aligns with earlier hypotheses suggesting a possible connection to Storm-1747, who are known\r\noperators of Tycoon2FA. \r\nAttribution remains essential: Distinguishing between these “2FA” phishing kits helps\r\nanalysts maintain accurate hunting hypotheses and track operator behavior. 
\r\nDefenders should update detection logic to account for scenarios where Salty2FA and Tycoon2FA appear within\r\nthe same campaign or even a single payload. \r\nMore cross-kit overlap is likely, meaning future phishing campaigns may blend infrastructures, payloads, and TTPs\r\nacross frameworks. \r\nPart 1: Numbers Don’t Lie – A Sudden Drop in Salty2FA Activity \r\nIt all started around the end of October 2025, when the number of ANY.RUN sandbox submissions showing activity\r\nlinked to Salty2FA dropped sharply compared to previous periods. \r\nWeekly phishing reports (see the company’s X posts) show that, despite the usual fluctuations in overall upload volume, the\r\naverage number of Salty2FA-related analysis sessions consistently stayed in the range of several hundred per week. \r\nHowever, once November began, the decline became dramatic: by November 11, 2025, Salty2FA had fallen to the bottom\r\nof the weekly threat rankings, with only 51 submissions, compared to its typical 250+ per week. \r\nhttps://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/\r\nPage 1 of 12\n\nFig.1: Salty2FA activity chart \r\nAlong with indicators of compromise (IOCs) and hunting rules, the ANY.RUN sandbox’s network block previously\r\ntriggered a near-constant alert tied to Salty-specific HTTP activity. \r\nFig.2: Last sandbox analyses showing detection of Salty2FA TTPs \r\nThis refers to the Suricata rule sid:85002719. If we filter Public submissions for analysis sessions where this rule fired, the\r\nmost recent match dates back to 2025-11-01: \r\nCheck recent analysis session \r\nThe first assumption was obvious: the detection logic became outdated, the framework received an update, and analysts\r\nsimply hadn’t refreshed the signatures in time. But what about infrastructure indicators or domains? 
\r\nWhile IOCs sit lower on the Pyramid of Pain than Tools/TTP coverage, they are easy to track at scale and often remain in\r\nuse long enough to provide meaningful visibility, leaving repeated traces in the\r\ndata. These recurring indicators make it easier for analysts to track the threat, update its context, and perform wider hunting\r\nto uncover new related domains, behaviors, and activity patterns. \r\nThe plan was simple: search for recent analysis sessions tagged with the threat name in ANY.RUN’s Threat\r\nIntelligence Lookup, examine changes in the kit’s behavior and client-side code, and then update the detection methods: \r\nthreatName:\"salty2fa\" \r\nFig.3: TI Lookup provides a complete overview of the latest Salty2FA attacks \r\nBut then things became even more unusual. In almost every analysis executed after November 1, the samples were either\r\ncompletely non-functional (examples 1, 2, 3) or behaved in ways that didn’t align with Salty2FA at all. \r\nFor example, one analysis session showed the use of an ASP.NET CDN, which is not typical for this kit. It started to look as\r\nif someone had flipped a switch and taken a significant part of the framework’s infrastructure offline. \r\nA shutdown, maybe? Not exactly. \r\nAlongside this decline, analysts also began seeing more sessions where the verdict\r\nincluded both Salty2FA and Tycoon2FA; two phishing kits that offer similar capabilities but differ in how they’re built\r\nand operated. \r\nAnd this didn’t resemble a simple misattribution. The Tycoon2FA indicators were supported by long-validated detection\r\nlogic, including rules that flag DGA-generated domains tied to the kit’s fast-flux infrastructure. 
\r\nCheck analysis session with Salty2FA and Tycoon \r\nFig.4: Suricata detection showing Tycoon indicators inside a Salty2FA analysis session \r\nThis raised another hypothesis: a possible merging of infrastructure between the operators behind these PhaaS platforms. To\r\nverify it, we took another look at the JavaScript code used in the phishing pages. \r\nThe results turned out to be very interesting! \r\nPart 2: When Two Kits Become One: A Deep Look at the Hybrid Payload \r\nTo understand what changed inside this new wave of submissions, we compared the code to earlier versions of both kits. For\r\nreference, the previous analyses are available here: \r\nSalty2FA \r\nTycoon2FA \r\nWith these baselines in mind, let’s take a closer look at the following analysis session: \r\nCheck analysis session \r\nFig.5: ANY.RUN’s Sandbox exposes phishing attempts in seconds \r\nThe activity begins with the phishing page hosted on Cloudflare Pages Dev; a platform intended for front-end development\r\nand static site hosting, but one that threat actors frequently abuse due to how easy it is to deploy content there. \r\nA closer look reveals several familiar artifacts: “motivational quotes” embedded in the markup and class names generated\r\nusing a simple “word + number” pattern. These elements closely resemble the older (and certainly not\r\nharmless) Salty2FA codebase: \r\nFig.6: Salty2FA “Quotes” \r\nFig.7: Salty2FA class names \r\nScrolling a bit further down, we see the trampoline code responsible for retrieving and loading the next payload stage into\r\nthe DOM; a sequence identical to the older Salty implementation. \r\nBut here’s the interesting part: the code contains comments noting that the initial payload may fail to load, in which case the\r\nscript should fetch the payload from an alternative URL. 
That fallback URL is written directly into the code with no\r\nobfuscation whatsoever. \r\nFig.8: Trampoline code in an older Salty sample \r\nFig.9: Trampoline code in the new Salty sample \r\nAfter decoding the function argument, we get the address hxxps[://]omvexe[.]shop//; an IOC associated with Salty2FA.\r\nHowever, the payload will never be retrieved. When the script attempts to resolve the domain name, the DNS response\r\nis SERVFAIL, which differs from NXDOMAIN (non-existent domain). \r\nSERVFAIL indicates an issue on the server side; for example, incorrect NS records or delegation problems where the\r\nresolver cannot determine which authoritative DNS server is responsible for the domain. \r\nFig.10: Salty2FA domain resolution errors \r\nIn other words, the Salty infrastructure is experiencing issues, and the script switches to a fallback plan, loading the page\r\nfrom the hardcoded secondary address. \r\nAfter the initial failure, the script switches to a direct request to hxxps[://]4inptv[.]1otyu7944x8[.]workers[.]dev/, which\r\ndelivers the next stage. \r\nThe first part of this stage contains obfuscated anti-analysis checks, implemented through Base64 decoding followed by\r\nan eval() call. \r\nThe second part is obfuscated using a Base64-XOR technique and contains the next portion of the payload: \r\nFig.11: Payload from the “alternative” execution path \r\nAfter the code above runs, the page content is replaced, and new DOM elements are injected to mimic Microsoft’s official\r\nauthentication page. The script also reinstates several common defense mechanisms; for example, blocking keyboard\r\nshortcuts that open DevTools and performing execution-timing checks designed to detect debugging attempts using\r\nbreakpoints. 
\r\nFig.12: Blocking DevTools keyboard shortcuts \r\nWhat’s more interesting is that traces of Salty2FA are still present here; in particular, the familiar “salted” source code\r\ncomments: \r\nFig.13: Salty2FA traces inside the payload’s source code \r\nAt the bottom of the page, there is a two-line script that once again executes Base64-decoded code via eval(): \r\nFig.14: Another obfuscated code snippet \r\nFinally, we hit the plot twist: the next stage loads code that mirrors the last steps of the Tycoon2FA execution\r\nchain almost line for line. The variable values, the order of functions, the way each component is implemented; all of it\r\nmatches what earlier analyses and reports have already documented for this PhaaS platform. \r\nHere are some of the clearest similarities between this sample and Tycoon: \r\nFig.15: Variable set with predefined values \r\nFig.16: Data-encryption function with hardcoded IV/key \r\nFig.17: Function for encoding stolen data as binary octets \r\nFig.18: Dynamic URL routing using RandExp patterns \r\nFig.19: POST request to a server using a characteristic DGA-generated domain name \r\nIt was also noted that some test data was not fully removed from the code.\r\nSeveral sections appear to be entirely commented out, as if the phishing kit operator was making quick edits or testing new\r\nfunctionality but didn’t have time to finish refining it. 
\r\nFig.20: Test data inside the code \r\nFig.21: Fully commented-out function \r\nFig.22: Disabled IP logging inside one of the 2FA-handling routines \r\nTaken together, this provides clear evidence that a single phishing campaign, and, more interestingly, a\r\nsingle sample, contains traces of both Salty2FA and Tycoon, with Tycoon serving as a fallback payload once the Salty\r\ninfrastructure stopped working for reasons that are still unclear. \r\nSo, what does the appearance of this kind of hybrid in the wild mean for PhaaS attribution, for the operators behind these\r\nframeworks, and for phishing threat hunting more broadly? Could this point to multiple groups working together within the\r\nsame operation, especially given earlier assumptions that Storm-1747 (the Tycoon operators) might also be connected to\r\nSalty2FA? Or does it suggest that the major PhaaS kits may ultimately be run by the same people? \r\nPart 3: Are All These “Some2FA” Frameworks Really the Same? \r\nEven though forensic work occasionally uncovers samples that include “a little bit of everything,” proper attribution\r\nbetween different phishing-kit families still matters. Being able to tell one kit from another ensures analysts don’t lose the\r\nunique traces that belong to a specific framework and don’t appear anywhere else. Those unique markers allow TI and\r\nThreat Hunting teams to build and test focused hypotheses, because trying to hunt under the umbrella of “all phishing\r\nattacks in the world” simply doesn’t work. \r\nClear attribution also helps teams collect and share fresh threat intelligence, write detection rules that map to the upper\r\nlayers of the Pyramid of Pain, and keep those rules effective for as long as possible. 
\r\nAttribution becomes even more valuable when you look at how it helps track shifts in the behavior and motivation of the\r\ngroups running these kits. With Salty2FA, for example, there has already been speculation that Storm-1747 may be\r\nresponsible for maintaining, or even creating, the framework. If that’s true, then the known TTPs, victim profiles, and\r\noperational patterns associated with Tycoon2FA would also apply to attacks involving Salty2FA. That overlap can\r\nsignificantly shorten detection and response times. \r\nIt also leads to a practical expectation: if the activity of one kit suddenly drops off, defenders should be ready for a surge in\r\nanother kit that’s likely controlled by the same operators. That means updating detection logic, running new threat-hunting\r\nsweeps, carrying out security audits and awareness training, and reviewing incident-response playbooks that reflect Storm-1747’s known TTPs. \r\nHow Should SOC Teams Respond to This Shift? \r\nFor SOC teams, the appearance of Salty2FA–Tycoon2FA hybrids calls for a shift in how these campaigns are detected,\r\ncorrelated, and investigated. When a phishing kit can fall back to a different framework mid-execution, defenders need to\r\nadapt their processes accordingly. \r\n1. Treat Salty2FA and Tycoon2FA as part of one threat cluster: The overlap in infrastructure, indicators, and execution\r\nstages means detections tied to one kit may surface activity from the other. Correlation rules and enrichment pipelines\r\nshould consider both families together. \r\n2. Build hunting hypotheses that account for fallback payloads: If Salty infrastructure becomes unavailable, the same\r\ncampaign may pivot into Tycoon2FA without leaving a clear break. Threat hunting should look for these transitions to avoid\r\nmissing supporting evidence. \r\n3. Rely more on behavior than static IOCs: Hybrid kits weaken simple signature-based workflows. 
DOM manipulation\r\npatterns, execution-stage logic, DGA activity, and fast-flux domains remain more stable than standalone indicators. \r\n4. Refresh IR playbooks to reflect mixed execution chains: Playbooks should include scenarios where multiple\r\nframeworks appear in the same campaign, or where an incident involves a sequence of payloads from different kits. \r\n5. Expect faster TTP propagation: If Storm-1747 is indeed behind both frameworks, changes observed in Tycoon2FA may\r\nquickly appear in Salty2FA as well. SOC teams should monitor these shifts to stay ahead of detection gaps. \r\nIn short, the rise of hybrid 2FA phishing kits means defenders should prepare for campaigns that operate more flexibly, more\r\nmodularly, and with a higher tolerance for infrastructure failures; traits that align with increasingly mature threat groups. \r\nSupporting Detection and Response with ANY.RUN \r\nANY.RUN provides SOC teams with the visibility and speed needed to keep up with hybrid phishing kits. With interactive\r\nanalysis and real-time intelligence in one workflow, SOC analysts can validate attribution, tune detections, and respond with\r\nconfidence: \r\nFast investigation of complex threats: Analysts see initial malicious activity in about 60 seconds in 90% of cases,\r\neven for multi-stage phishing kits. \r\nImmediate access to fresh IOCs: ANY.RUN’s Threat Intelligence Feeds aggregate newly observed domains, URLs,\r\nIPs, and artifacts from 15,000 organizations and a community of more than 600,000 analysts worldwide, providing\r\nearly visibility into indicators. \r\nDeep inspection of mixed execution chains: The interactive sandbox gives full visibility into each stage of the\r\nattack. \r\nOne-click enrichment with TI Lookup: Analysts can instantly view historical use, related samples, and broader\r\nactivity patterns around any indicator. 
\r\nReliable correlation signals: Shared domains, DGA patterns, and reused client-side code\r\nbecome immediately visible across public and private submissions. \r\nTogether, these capabilities give SOC analysts a clearer, faster way to deal with hybrid phishing campaigns. They help teams\r\nspot changes early, run more focused hunts, and respond before attackers manage to regain traction. \r\nConclusion \r\nIn this analysis, we reviewed a case where payloads from Salty2FA and Tycoon2FA appeared together, following a sharp\r\ndecline in Salty2FA activity. This kind of overlap may indicate operational issues on the Salty side, or, just as plausibly,\r\nsuggest that both frameworks are operated by the same group, namely Storm-1747. \r\nGoing forward, we should expect to see more overlap in indicators of compromise, TTPs, and victim organizations across\r\nphishing campaigns involving these kits. For that reason, defenders should revisit their detection logic and develop hunting\r\nhypotheses that account for traces of both Salty and Tycoon appearing within the same context. \r\nAbout ANY.RUN \r\nANY.RUN is a leading provider of interactive malware analysis and threat intelligence solutions used by security teams\r\naround the world. The service combines real-time sandboxing with a rich intelligence ecosystem that includes TI Feeds, TI\r\nLookup, and public malware submissions. \r\nMore than 500,000 analysts and 15,000 organizations rely on ANY.RUN to speed up investigations, validate TTPs, collect\r\nfresh IOCs, and understand emerging threats through live, behavior-based analysis. \r\nBy giving defenders an interactive view of how malware behaves from the very first second of execution, ANY.RUN helps\r\nteams detect attacks faster, make informed decisions, and strengthen their overall security posture. 
\r\nExperience how ANY.RUN’s solutions can power your SOC: start 14-day trial \r\nIndicators of Compromise \r\nReferences \r\nhttps://app.any.run/tasks/46352ebf-7ee1-4d74-9850-2cdc6f6f0a49 \r\nhttps://app.any.run/tasks/ccf7d689-7926-495d-b37f-d509536ff42b \r\nhttps://intelligence.any.run/analysis/lookup#\r\n{%22query%22:%22threatName:%5C%22salty2fa%5C%22%20AND%20threatName:%5C%22tycoon%5C%22%20AND%20domainName:%5C\r\nraptur3\r\nNetwork Analyst at ANY.RUN. Keen to become a 'cybersec Swiss Army knife' man. Enjoys reading and writing deep-dive\r\ntech research.\r\nSource: https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025/"
	],
	"report_names": [
		"salty2fa-tycoon2fa-hybrid-phishing-2025"
	],
	"threat_actors": [
		{
			"id": "a46eb3b5-b482-4dd1-9fad-25477d77dbeb",
			"created_at": "2026-02-04T02:00:03.710492Z",
			"updated_at": "2026-04-10T02:00:03.9523Z",
			"deleted_at": null,
			"main_name": "Storm-1747",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-1747",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434288,
	"ts_updated_at": 1775792183,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3cd9859ceb78a286f574e14633fa2b8c18a9c1d.pdf",
		"text": "https://archive.orkl.eu/e3cd9859ceb78a286f574e14633fa2b8c18a9c1d.txt",
		"img": "https://archive.orkl.eu/e3cd9859ceb78a286f574e14633fa2b8c18a9c1d.jpg"
	}
}