ANY.RUN Discovers a New Salty2FA and Tycoon2FA Phishing Hybrid Targeting Enterprises
DUBAI, DUBAI, UNITED ARAB EMIRATES, December 2, 2025 /EINPresswire.com/ -- ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, has identified a new hybrid phishing framework that merges two major Phishing-as-a-Service (PhaaS) kits: Salty2FA and Tycoon2FA. This discovery reveals a significant shift in 2FA-focused phishing and raises new questions about the operators behind these kits.
Overview of the New Phishing Attack
Following an abrupt drop in Salty2FA activity, ANY.RUN began seeing samples that combine Salty's early stages with Tycoon2FA's later payloads. The consistent overlap in indicators and behavior confirms that recent phishing campaigns are now running a unified chain built from both frameworks.
Key findings include:
• Hybrid payloads observed: Samples showed Salty2FA's initial stages followed by Tycoon2FA's execution chain almost line-for-line.
• Fallback behavior identified: When Salty domains failed with SERVFAIL, the payload switched to Tycoon2FA hosting and delivery infrastructure.
• Cross-kit indicators detected: Shared IOCs, overlapping TTPs, and matched detection rules confirmed the presence of both kits within single sessions.
• Potential operator link: The overlap aligns with earlier assessments pointing to Storm-1747, known operators of Tycoon2FA, suggesting shared control or cooperation behind both kits.
• Impact on attribution: The merging of client-side code complicates traditional kit-level attribution and requires updated detection logic.
• Operational shift expected: More cross-kit blending is likely, meaning defenders should prepare for phishing campaigns that move between frameworks mid-execution.
For a deeper look at the hybrid samples, full code comparisons, and guidance for SOC teams, visit the ANY.RUN blog.
How This Hybrid Affects SOC Teams
The unified Salty2FA-Tycoon2FA workflow means phishing incidents may shift frameworks mid-execution. This complicates attribution and weakens traditional signatures. SOC teams should monitor both kits together, emphasize behavioral detection, and watch for fallback payloads that bridge one framework to the other.
The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050
