Salty 2FA: Undetected PhaaS Hitting US and EU Industries

Aug. 19, 2025, 9:49 p.m.

Description

A new Phishing-as-a-Service (PhaaS) framework dubbed Salty 2FA has been discovered targeting industries in the US and EU. It uses a unique domain pattern combining .com subdomains with .ru domains and employs a multi-stage execution chain to resist detection. The kit can bypass multiple 2FA methods, including push, SMS, and voice. Victims span global industries such as finance, telecom, energy, consulting, logistics, and education. Static IOCs are unreliable for detection; instead, behavioral patterns must be identified. The framework shares traits with Storm-1575 but has distinct characteristics setting it apart from known threats like Tycoon2FA or EvilProxy. It demonstrates sophisticated capabilities in distributing phishing payloads, maintaining dynamic infrastructure, and managing complex communication between phishing pages and C2 servers.

Date

  • Created: Aug. 19, 2025, 5:08 p.m.
  • Published: Aug. 19, 2025, 5:08 p.m.
  • Modified: Aug. 19, 2025, 9:49 p.m.

Attack Patterns

Additional Information

  • Construction
  • Technology
  • Healthcare
  • Energy
  • Transportation
  • Education
  • Finance
  • Telecommunications
  • Government
  • Manufacturing
  • Greece
  • Switzerland
  • Spain
  • Italy
  • Canada
  • France
  • Germany
  • United States of America