216.73.216.169

Salty 2FA: Undetected PhaaS Hitting US and EU Industries

· Published 19/08/2025 17:08 · Modified 19/08/2025 21:49

Export JSON

Essential information

Published
19/08/2025 17:08
Modified
19/08/2025 21:49
Tags
2025-08-19 2fa bypass behavioral detection domain pattern multi-stage execution phaas salty 2fa storm-1575
Related entities
1 intrusion sets (apt), 13 techniques (mitre), 1 malware, 18 others

Description

A new Phishing-as-a-Service () framework dubbed has been discovered targeting industries in the US and EU. It uses a unique combining .com subdomains with .ru domains and employs a chain to resist detection. The kit can bypass multiple 2FA methods, including push, SMS, and voice. Victims span global industries such as finance, telecom, energy, consulting, logistics, and education. Static IOCs are unreliable for detection; instead, behavioral patterns must be identified. The framework shares traits with but has distinct characteristics setting it apart from known threats like Tycoon2FA or EvilProxy. It demonstrates sophisticated capabilities in distributing phishing payloads, maintaining dynamic infrastructure, and managing complex communication between phishing pages and C2 servers.

External references