{"id":6058,"date":"2025-12-03T16:23:29","date_gmt":"2025-12-03T16:23:29","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6058"},"modified":"2025-12-03T16:23:29","modified_gmt":"2025-12-03T16:23:29","slug":"hybrid-2fa-phishing-kits-are-making-attacks-harder-to-detect","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6058","title":{"rendered":"Hybrid 2FA phishing kits are making attacks harder to detect"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Some 2FA-phishing attacks are becoming significantly harder to spot as threat actors blend two previously distinct phishing-as-a-service (PhaaS) kits, Salty2FA and Tycoon2FA, into a single hybrid strain.<\/p>\n<p>Researchers at Any.Run warn that the hybrid is already bypassing detection rules tuned to either kit alone. Alerts that once reliably caught Salty2FA or Tycoon2FA activity are now going quiet, leaving security teams blind to <a href=\"https:\/\/www.csoonline.com\/article\/3535222\/mfa-adoption-is-catching-up-but-is-not-quite-there.html\">MFA<\/a>-bypass attacks that previously triggered obvious signatures.<\/p>\n<p>The researchers\u2019 <a href=\"https:\/\/any.run\/cybersecurity-blog\/salty2fa-tycoon2fa-hybrid-phishing-2025\/\">code-level analysis confirmed hybrid payloads<\/a>, they said in a blog post. \u201cEarly stages matched Salty2FA, while later stages reproduced Tycoon2FA\u2019s execution chain almost line-for-line,\u201d they wrote. 
\u201cThis overlap marks a meaningful shift; one that weakens kit-specific rules, complicates attribution, and gives threat actors more room to slip past early detection.\u201d<\/p>\n<p>Both Salty2FA and Tycoon2FA are multi-factor-authentication-bypassing kits that capture user credentials and session data through multi-stage, deceptive logic flows.<\/p>\n<p>Any.Run advised security leaders not to rely on static indicators, because the hybrid execution flows they observed can only be spotted by closely watching the behavior patterns and fallback routines of the new strain.<\/p>\n<h2 class=\"wp-block-heading\">Tycoon revived a faltering Salty<\/h2>\n<p>According to the researchers, the emergence of this hybrid phishing strain coincides with a sharp drop in pure Salty2FA activity. By November 2025, Salty2FA-related submissions to Any.Run\u2019s sandbox <a href=\"https:\/\/x.com\/anyrun_app\/status\/1988139884796600506\">plummeted<\/a> from hundreds per week to just a handful (51 in total).<\/p>\n<p>While it looked like the framework was being abandoned, it was just morphing to fall back to Tycoon2FA whenever its original infrastructure ran into issues. \u201cOne analysis showed the use of ASP.NET CDN, which is not typical for Salty2FA kit,\u201d the researchers said. \u201cIt started to look as if someone had flipped a switch and taken a significant part of the framework\u2019s infrastructure offline.\u201d<\/p>\n<p>But rather than a total shutdown, samples soon began throwing detections for both Salty2FA and Tycoon2FA. 
Eventually, the hybrid payloads started with familiar Salty elements including code obfuscation, \u201ctrampoline\u201d JavaScript, and domain patterns, and then shifted into Tycoon2FA\u2019s execution chain including DGA-based domains and Adversary-in-the-Middle (<a href=\"https:\/\/www.csoonline.com\/article\/3604557\/how-to-defend-microsoft-networks-from-adversary-in-the-middle-attacks.html\">AiTM<\/a>) behavior.<\/p>\n<p>The researchers said the overlap will complicate signature-based detection, and rules tuned to Salty or Tycoon alone may now miss the hybrid entirely.<\/p>\n<h2 class=\"wp-block-heading\">Defending against the two-pronged attack<\/h2>\n<p>For defenders, this means attribution becomes murkier, hunting hypotheses weaker, and earlier detection far harder. Any.Run warned that reliance on static indicators of compromise such as domains and URLs is no longer sufficient; defenders now need to watch behavior patterns, fallback routines, and hybrid execution flows for signs of campaign activity.<\/p>\n<p>\u201cIf Salty infrastructure becomes unavailable, the same campaign may pivot into Tycoon2FA without leaving a clear break,\u201d the researchers noted. 
\u201cThreat hunting should look for those transitions to avoid missing supporting evidence.\u201d<\/p>\n<p>The rise of hybrid 2FA phishing kits means defenders should prepare for campaigns that operate more flexibly, more modularly, and with a higher tolerance for infrastructure failure, the researchers said.<\/p>\n<p>Until recently, the Salty2FA campaign had been in <a href=\"https:\/\/www.csoonline.com\/article\/4053744\/phishing-kit-salty2fa-washes-away-confidence-in-mfa.html\">full swing<\/a>, breaching MFA protections with a mix of advanced tactics, including cloaking within trusted platforms like <a href=\"https:\/\/www.csoonline.com\/article\/4003056\/new-phishing-campaign-hijacks-clipboard-via-fake-captcha-for-malware-delivery.html#:~:text=Cloudflare%20Turnstile%20interface\">Cloudflare Turnstile<\/a>. Its merging with Tycoon2FA is a serious threat, considering how the latter is already <a href=\"https:\/\/www.csoonline.com\/article\/3850783\/11-ways-cybercriminals-are-making-phishing-more-potent-than-ever.html?utm=hybrid_search#:~:text=89%25%20of%20observed%20PhaaS\">blamed<\/a> for almost 90% of recent PhaaS incidents.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Some 2FA-phishing attacks are becoming significantly harder to spot as threat actors blend two previously distinct phishing-as-a-service (PhaaS) kits, Salty2FA and Tycoon2FA, into a single hybrid strain. Researchers at Any.Run warn that the hybrid is already bypassing detection rules tuned to either kit alone. 
Alerts that once reliably caught Salty2FA or Tycoon2FA activity are now [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6059,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6058","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6058"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6058"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6058\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6059"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6058"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}