{
  "name": "Salty2FA & Tycoon2FA: Hybrid Phishing Threat",
  "slug": "salty2fa-tycoon2fa-hybrid-phishing-threat",
  "description": "A new hybrid phishing threat combining elements of Salty2FA and Tycoon2FA has emerged, blurring the lines between distinct phishing kits. Analysis reveals a sudden drop in Salty2FA activity, followed by the appearance of samples containing code from both frameworks. The hybrid samples show signs that Salty2FA infrastructure failed, which forced a fallback to Tycoon2FA-based hosting and payload delivery. This overlap complicates attribution and weakens kit-specific detection rules. The emergence of this hybrid suggests a possible connection to Storm-1747, the known operators of Tycoon2FA. Defenders are advised to update detection logic, expect more cross-kit overlap, and prepare for campaigns with increased flexibility and resilience to infrastructure failures.",
  "published": "2025-12-02T20:13:43+00:00",
  "created_at": "2025-12-02T20:13:43+00:00",
  "modified_at": "2025-12-21T17:19:11+00:00",
  "created_at_opencti": "2025-12-02T20:13:43+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-02",
    "2fa",
    "attribution",
    "detection",
    "phishing",
    "salty2fa",
    "tycoon2fa"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:20438e3de9af9e39",
        "name": "Tycoon2FA",
        "slug": "tycoon2fa"
      },
      {
        "id": "legacy:malware:7bcfb6957d8e3fb1",
        "name": "Salty2FA",
        "slug": "salty2fa"
      }
    ],
    "intrusion_sets": [
      {
        "id": "36e71c95-1e4f-44e2-b5fa-1e949beaf719",
        "name": "Storm-1747",
        "slug": "storm-1747"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "ef72da1d-2eaa-4d94-8913-06978609cfb4",
        "name": "T1608.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "28548897-8b18-4095-97e8-1732f52e9316",
        "name": "T1102.003"
      },
      {
        "id": "2ccc4626-0e86-4148-a5a8-2aa270e22dbd",
        "name": "T1588.001"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "omvexe.shop"
      },
      {
        "id": "",
        "name": "lapointelegal-portail.pages.dev"
      },
      {
        "id": "",
        "name": "stoozucha.sa.com"
      },
      {
        "id": "",
        "name": "xm65lwf0pr2e.workers.dev"
      },
      {
        "id": "",
        "name": "lathetai.sa.com"
      },
      {
        "id": "",
        "name": "diogeneqc.pages.dev"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/692f56875686d63e093cc378",
    "https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025"
  ]
}