Salty2FA & Tycoon2FA: Hybrid Phishing Threat

Dec. 3, 2025, 11:30 a.m.

Description

A new hybrid phishing threat combining elements of Salty2FA and Tycoon2FA has emerged, blurring the lines between distinct phishing kits. Analysis reveals a sudden drop in Salty2FA activity, followed by the appearance of samples containing code from both frameworks. The hybrid shows signs of Salty2FA infrastructure failure, forcing a fallback to Tycoon-based hosting and payload delivery. This overlap complicates attribution and weakens kit-specific detection rules. The emergence of this hybrid suggests a possible connection to Storm-1747, known operators of Tycoon2FA. Defenders are advised to update detection logic, expect more cross-kit overlap, and prepare for campaigns with increased flexibility and resilience to infrastructure failures.

Date

  • Created: Dec. 2, 2025, 9:13 p.m.
  • Published: Dec. 2, 2025, 9:13 p.m.
  • Modified: Dec. 3, 2025, 11:30 a.m.

Indicators


Attack Patterns