Current Cyber Threats

Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries

Summary:
Security analysts at ANY.RUN uncovered details of a new Phishing-as-a-Service (PhaaS) framework, dubbed “Salty 2FA,” which has been used to target victims in the US and EU across sectors including finance, telecom, energy, consulting, logistics, and education. Salty 2FA is typically delivered via emails using lures pertaining to fake voice messages, document access requests, and billing statements. These emails lead to phishing pages designed mainly to harvest Microsoft 365 credentials. According to researchers, Salty 2FA employs a distinctive domain pattern that pairs .com subdomains with .ru domains; this pairing appears consistently across observed samples and forms part of the kit's behavioral signature. The PhaaS kit is also capable of bypassing several 2FA methods, including push notifications, SMS, voice calls, and app-generated one-time passwords, giving actors easy access to targeted accounts.

Security Officer Comments:
The earliest known samples of Salty 2FA date to March-April 2025. Salty 2FA IOCs uncovered by ANY.RUN show overlaps with activity from known threat actors such as Storm-1575 and Storm-1747. However, the phishing kit’s distinct architecture, obfuscation techniques, and infrastructure suggest it is a separate and evolving threat. Salty 2FA incorporates a modular design, allowing it to adjust dynamically to a victim’s actions and authentication setup. This makes the kit highly adaptable and difficult to track through static indicators like hashes or single-use domain names. It also blocks the keyboard shortcuts that open debugging tools such as DevTools, to hinder analysis. Data stolen from victims, such as credentials, is typically exfiltrated to servers on .ru domains. Notably, the data is obfuscated with a combination of Base64 encoding and XOR, which lets it evade existing detections.
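The Base64 + XOR obfuscation described above is something an incident responder has to undo when examining captured exfiltration traffic. The following is an added example written for this summary, not code from ANY.RUN or from the kit itself: it builds a constructed sample payload (invented plaintext and key; the page does not publish the kit's actual key or field layout), then recovers the key from the Base64 body. It assumes a single-byte XOR key and a known field name (`"login"`) in the plaintext; both are assumptions, not facts from the page.

```python
import base64
import string
from typing import Optional, Tuple

# Constructed sample plaintext and key (illustration only; not from the page).
_SAMPLE_PLAINTEXT = b'{"login":"user@example.test","pass":"REDACTED","otp":"123456"}'
_SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is symmetric, so one function decodes and encodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_payload() -> str:
    """Produce a captured-body lookalike: XOR first, then Base64 (the order the text describes)."""
    return base64.b64encode(xor_bytes(_SAMPLE_PLAINTEXT, bytes([_SAMPLE_KEY]))).decode()


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; used to reject wrong-key garbage."""
    printable = set(string.printable.encode())
    return sum(1 for b in data if b in printable) / max(len(data), 1)


def recover_single_byte_key(b64_body: str, marker: bytes = b'"login"') -> Optional[Tuple[int, bytes]]:
    """Try every single-byte XOR key against a Base64 body.

    Returns (key, plaintext) for the first candidate that is mostly printable and
    contains `marker`, or None if nothing fits. Assumption (not from the page):
    the key is one byte long and the plaintext contains the marker string.
    """
    raw = base64.b64decode(b64_body)
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        if marker in candidate and printable_ratio(candidate) > 0.95:
            return k, candidate
    return None


if __name__ == "__main__":
    body = build_sample_payload()
    print("captured body:", body)
    print("recovered:", recover_single_byte_key(body))
```

If the real kit uses a longer repeating key, the same approach extends by trying key lengths and recovering each key byte independently against a printable-text or known-field heuristic; the single-byte loop above is the minimal version of that idea.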

Suggested Corrections:
How to Spot Salty 2FA
Basic indicators such as domain names (hashes are not applicable here because of constant obfuscation and code mutation) can be useful for threat hunting and for mapping the wider threat landscape. In some cases, they may even lead to detections. However, for phishing kits like Salty 2FA, these indicators are generally unreliable for long-term or consistent detection.

Threat detection specialists and engineers instead need to identify behavioral patterns that remain consistent across samples, even when those samples appear completely different at first glance.

Any recurring clue, whether it is a particular chain of TLD zones in domain names, distinctive URL structures, unusual web page headers, or a characteristic set of resources loaded from legitimate CDNs, contributes to the behavioral profile of a PhaaS framework. These recurring traits allow analysts to track and detect it over time without relying on volatile details such as email hashes or specific phishing domains.
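One way to turn the behavioral profile described above into a hunting rule, as an added example that is not part of the original summary or of ANY.RUN's tooling: score web-proxy sessions on two cues the page gives, a .com page chaining to a .ru host, and a Base64-looking POST to that .ru host. The log format, the client addresses, the hostnames (all constructed; the .ru names are invented samples, not real infrastructure) and the scoring weights are assumptions made for this example, and the page's other cues (distinctive URL structures, page headers, CDN resource sets) would be added as further rules once an analyst has extracted them.

```python
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlparse

# Constructed proxy log (not real telemetry): "client method url referer body".
# Non-POST requests carry "-" for the body; "-" also marks an empty referer.
SAMPLE_LOG = """\
10.0.0.5 GET https://voicemail-notice.example.com/voice/msg.html - -
10.0.0.5 GET https://cdn.example.net/lib/jquery.min.js https://voicemail-notice.example.com/voice/msg.html -
10.0.0.5 POST https://verify.constructed-sample.ru/api/verify https://voicemail-notice.example.com/voice/msg.html eyJsb2dpbiI6InVzZXIifQ==
10.0.0.7 GET https://news.example.com/ - -
10.0.0.7 GET https://static.example.com/app.js https://news.example.com/ -
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<referer>\S+) (?P<body>\S+)$"
)
# Loose Base64 shape: at least 16 alphabet characters plus optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def host_of(url: str) -> str:
    """Hostname of a URL, or "" for the placeholder '-'."""
    if url == "-":
        return ""
    return urlparse(url).hostname or ""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def score_sessions(events: List[Dict[str, str]], first_tld: str = ".com",
                   second_tld: str = ".ru") -> Dict[str, Dict]:
    """Score each client on the TLD-chain and Base64-POST cues; weights are assumed."""
    out: Dict[str, Dict] = defaultdict(lambda: {"score": 0, "reasons": []})
    for e in events:
        host, ref_host = host_of(e["url"]), host_of(e["referer"])
        s = out[e["client"]]
        # Cue 1: a page on the first TLD chains into a request to the second TLD.
        if host.endswith(second_tld) and ref_host.endswith(first_tld):
            s["score"] += 2
            s["reasons"].append(f"{first_tld} page {ref_host} chained to {second_tld} host {host}")
        # Cue 2: POST to the second-TLD host with a Base64-looking body (possible exfil).
        if e["method"] == "POST" and host.endswith(second_tld) and B64_RE.match(e["body"]):
            s["score"] += 2
            s["reasons"].append(f"Base64-looking POST body to {host}")
    return dict(out)


def flag_clients(events: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Clients whose cumulative score reaches the (assumed) alert threshold."""
    return sorted(c for c, s in score_sessions(events).items() if s["score"] >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for client, s in score_sessions(evs).items():
        print(client, s["score"], s["reasons"])
    print("flagged:", flag_clients(evs))
```

Because the rule keys on the relationship between hosts in a session rather than on any one hostname, it keeps matching when the kit rotates domains, which is the point the text makes about behavioral rather than static indicators.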

Link(s):
https://any.run/cybersecurity-blog/salty2fa-technical-analysis/