Salty2FA & Tycoon2FA: Hybrid Phishing Threat
A hybrid phishing threat combining the Salty2FA and Tycoon2FA phishing kits has emerged, leveraging code and infrastructure from both frameworks. The hybridization appears to be driven by Salty2FA infrastructure failures, which caused a fallback to Tycoon2FA hosting and payload delivery. The overlap complicates attribution and weakens detection rules tailored to either kit alone. The threat is linked to the Storm-1747 adversary group, known for Tycoon2FA operations. Indicators include multiple suspicious domains used to host phishing pages. Defenders should update detection logic to address cross-kit overlaps and prepare for more resilient phishing campaigns that can adapt to infrastructure disruptions. The threat is rated medium severity; no exploits in the wild are known and no CVSS score applies. European organizations should be vigilant because of widespread 2FA use and susceptibility to phishing. Mitigation requires tailored detection updates, domain monitoring, and user awareness enhancements.
AI Analysis
Technical Summary
The Salty2FA & Tycoon2FA hybrid phishing threat represents a novel evolution in phishing kit operations, where two previously distinct phishing frameworks have merged into a more resilient and flexible attack vector. Salty2FA and Tycoon2FA are phishing kits designed to bypass two-factor authentication (2FA) protections by capturing credentials and 2FA tokens. Recent analysis shows a marked decline in Salty2FA activity, coinciding with the emergence of hybrid samples containing code from both kits. This suggests Salty2FA's infrastructure suffered failures, prompting operators to fall back on Tycoon2FA's hosting and payload delivery mechanisms. The hybridization blurs the line between the two kits, complicating attribution and rendering existing, typically kit-specific, detection rules less effective. The threat actor behind this hybrid is likely Storm-1747, a group historically associated with Tycoon2FA campaigns. The hybrid campaigns employ multiple domains (e.g., omvexe.shop, xm65lwf0pr2e.workers.dev) to host phishing pages that mimic legitimate login portals and steal credentials and 2FA tokens. The attack techniques align with MITRE ATT&CK entries such as phishing (T1566), credential access (T1078), and command and scripting interpreter use (T1059.007). The hybrid approach increases operational resilience, allowing attackers to maintain phishing campaigns despite infrastructure disruptions. Defenders are advised to update detection logic to recognize cross-kit indicators, monitor suspicious domains, and anticipate more sophisticated phishing campaigns that can dynamically switch infrastructure. No known exploits in the wild or CVSS scores exist for this threat; its medium severity rating reflects moderate risk from phishing's inherent social engineering nature and the difficulty of detecting hybrid kits.
Potential Impact
For European organizations, this hybrid phishing threat poses a significant risk to credential and 2FA token security, potentially enabling unauthorized access to sensitive systems and data. The blending of two phishing kits increases the likelihood of successful phishing attempts by evading traditional detection mechanisms, leading to higher compromise rates. Organizations relying heavily on 2FA for securing user accounts may face increased exposure as attackers specifically target these protections. The operational resilience of the hybrid kits means phishing campaigns can persist despite takedown efforts or infrastructure failures, prolonging exposure. Financial institutions, government agencies, and enterprises with high-value digital assets in Europe are particularly at risk due to their reliance on 2FA and the attractiveness of their data. The threat complicates incident response and attribution, potentially delaying mitigation and increasing damage. Additionally, the use of multiple domains and cloud-based hosting (e.g., workers.dev, pages.dev) challenges traditional domain-blocking strategies. Overall, the threat could lead to credential theft, account takeover, data breaches, and financial fraud impacting European entities.
Mitigation Recommendations
1. Update phishing detection rules to incorporate indicators from both Salty2FA and Tycoon2FA kits, focusing on hybrid code signatures and behavioral patterns.
2. Implement advanced email filtering and URL analysis tools capable of detecting cross-kit phishing domains and payloads, including those hosted on cloud platforms like workers.dev and pages.dev.
3. Monitor and block known malicious domains associated with this threat (e.g., omvexe.shop, xm65lwf0pr2e.workers.dev) at the network perimeter and DNS level.
4. Enhance user awareness training emphasizing the risks of sophisticated phishing that targets 2FA mechanisms, including recognizing suspicious login flows and domain anomalies.
5. Deploy multi-layered authentication methods beyond SMS or app-based 2FA, such as hardware tokens or biometric factors, to reduce reliance on vulnerable 2FA types.
6. Employ threat intelligence feeds to stay updated on emerging hybrid phishing campaigns and adjust defenses accordingly.
7. Conduct regular phishing simulation exercises tailored to hybrid phishing tactics to improve organizational readiness.
8. Establish rapid incident response protocols for suspected credential compromise, including forced password resets and session invalidation.
9. Collaborate with cloud service providers to identify and take down malicious hosted content swiftly.
10. Use anomaly detection on authentication logs to identify unusual login patterns indicative of credential theft.
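As an added example (not part of this advisory and not code from the cited analysis), the following Python resolver-log checker implements recommendations 2 and 3 above: it blocks the domains listed in this advisory's Indicators of Compromise (and their subdomains) and, because workers.dev and pages.dev cannot be blocked wholesale, flags only random-looking tenant labels under those platforms for analyst review. The log format, entropy thresholds, and sample log lines are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Domains listed in this advisory's Indicators of Compromise section.
IOC_DOMAINS = {
    "omvexe.shop", "xm65lwf0pr2e.workers.dev", "diogeneqc.pages.dev",
    "stoozucha.sa.com", "lapointelegal-portail.pages.dev", "lathetai.sa.com",
}
# Shared platforms named in the advisory; blocking them wholesale breaks legitimate
# sites, so unknown random-looking tenants are flagged for review instead.
SHARED_PLATFORMS = ("workers.dev", "pages.dev")
MIN_LABEL_LEN, MIN_ENTROPY = 10, 3.0  # assumed heuristic thresholds, not from the page
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+q=(?P<q>\S+)")  # assumed log format

def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; random-looking labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def classify(fqdn: str) -> str:
    """Return 'block', 'review' or 'allow' for one queried name."""
    name = fqdn.lower().rstrip(".")
    if name in IOC_DOMAINS or any(name.endswith("." + d) for d in IOC_DOMAINS):
        return "block"  # listed IoC or any subdomain of one
    for plat in SHARED_PLATFORMS:
        if name.endswith("." + plat):
            tenant = name[: -len(plat) - 1].split(".")[-1]  # label directly under platform
            if len(tenant) >= MIN_LABEL_LEN and (
                shannon_entropy(tenant) > MIN_ENTROPY or re.search(r"\d", tenant)
            ):
                return "review"
    return "allow"

def scan_dns_log(lines):
    """Return (client, name, verdict) for each query that is not allowed."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and (verdict := classify(m["q"])) != "allow":
            hits.append((m["client"], m["q"].lower().rstrip("."), verdict))
    return hits

# Constructed sample resolver log (not real traffic) in the assumed key=value format.
SAMPLE_LOG = [
    "2025-12-03T11:15:39Z client=10.0.0.5 q=xm65lwf0pr2e.workers.dev. type=A",
    "2025-12-03T11:15:40Z client=10.0.0.5 q=login.microsoftonline.com. type=A",
    "2025-12-03T11:16:02Z client=10.0.0.9 q=cdn.lapointelegal-portail.pages.dev. type=A",
    "2025-12-03T11:16:10Z client=10.0.0.7 q=q7v3k9z2m1p4.pages.dev. type=A",
    "2025-12-03T11:16:12Z client=10.0.0.7 q=ourteam.pages.dev. type=A",
]
```

Running `scan_dns_log(SAMPLE_LOG)` yields two block verdicts for the listed indicators and one review verdict for the unknown random-looking pages.dev tenant, while the legitimate login and the short-named tenant are allowed.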
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- domain: omvexe.shop
- domain: xm65lwf0pr2e.workers.dev
- domain: diogeneqc.pages.dev
- domain: stoozucha.sa.com
- domain: lapointelegal-portail.pages.dev
- domain: lathetai.sa.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://any.run/cybersecurity-blog/salty2fa-tycoon2fa-hybrid-phishing-2025
- Adversary: Storm-1747
- Pulse Id: 692f56875686d63e093cc378
- Threat Score: null
Threat ID: 69301bdbe1f6412a9062f6a4
Added to database: 12/3/2025, 11:15:39 AM
Last enriched: 12/3/2025, 11:20:17 AM
Last updated: 12/4/2025, 11:32:15 PM