
Phishing kits typically have distinctive signatures in their delivery methods and infrastructure, making attribution easier. However, analysts have recently observed an overlap between two phishing kits, Salty2FA and Tycoon2FA, a significant change that complicates detection.
ANY.RUN observed a sudden drop in Salty2FA activity, followed by the appearance of Tycoon2FA indicators within Salty attack chains. Finally, unique payloads were detected that combined code from both frameworks. This convergence weakens kit-specific detection rules and gives threat actors more leeway to evade early detection.
Key Points
- Salty2FA Collapse: Salty2FA activity decreased dramatically in late October 2025, dropping from hundreds of weekly submissions to the ANY.RUN sandbox to just a few dozen.
- Indicator Overlay: New samples began showing overlapping indicators from Salty2FA and Tycoon2FA, including TTPs and shared detection rules.
- Hybrid Payloads: Code analysis confirmed hybrid payloads: early stages matched Salty2FA, while later stages reproduced the Tycoon2FA execution chain almost line by line.
- Infrastructure Failure: Salty2FA’s infrastructure showed signs of operational failure, forcing samples to resort to Tycoon-based hosting and payload delivery.
- Link to Storm-1747: The overlap aligns with previous hypotheses suggesting a possible connection to Storm-1747, a group known for operating Tycoon2FA.
The Decline of Salty2FA and the Hybrid Rise
In late October 2025, submissions to the ANY.RUN sandbox related to Salty2FA plummeted. The Salty-specific Suricata rule sid:85002719 stopped firing on new samples after November 1st. When investigating the drop in activity, analysts noted that many samples became non-functional or used unusual infrastructure, such as ASP.NET CDN.
Most notably, at the same time, sessions were detected that returned verdicts for both Salty2FA and Tycoon2FA, two kits previously believed to be distinct. Tycoon2FA indicators, including Domain Generation Algorithm (DGA)-generated domains linked to its fast-flux infrastructure, fired in samples purportedly from Salty.
Detailed Hybrid Payload Analysis
Code analysis of the new samples revealed the hybrid nature of the attack. The execution process began with a phishing page containing Salty2FA artifacts, such as embedded “motivational quotes” and class names generated with Salty patterns.
The page code included a “springboard” that attempted to retrieve the next stage of the payload from a domain associated with Salty2FA (hxxps[://]omvexe[.]shop//). However, DNS analysis showed that Salty’s domain was failing with a SERVFAIL error, indicating a resolution failure on the server side.
Because of this failure, the Salty script fell back to loading the next stage from an alternate address. This second stage contained code that replicated the final steps of the Tycoon2FA execution chain. Similarities to Tycoon included:
- Predefined variable values.
- Data encryption functions with a hard-coded IV and key.
- A function that encodes stolen data as binary octets.
- Dynamic URL routing using RandExp patterns.
- POST requests to a server using a DGA-generated domain name.
The presence of commented code and test data in the hybrid payload suggests that operators were making quick edits or testing functionality without fully refining the code.
Implications for Detection and Response
The emergence of hybrid phishing kits like Salty2FA-Tycoon2FA complicates traditional attribution and detection. If Storm-1747 is responsible for both frameworks, Tycoon2FA TTPs and victim profiles would also apply to Salty2FA attacks, which could shorten detection and response times if security teams are prepared.
Recommendations for SOC Teams:
- Treat as Threat Cluster: Consider Salty2FA and Tycoon2FA as part of the same threat cluster. Correlation rules and enrichment pipelines should consider both families together.
- Backup Payload Scenarios: Develop threat hunting scenarios that consider transitioning from Salty to Tycoon when the Salty infrastructure fails.
- Prioritize Behavior: Instead of relying on simple static IOCs, focus on DOM manipulation patterns, execution stage logic, DGA activity, and fast-flux domains, which tend to be more stable.
- Update IR Playbooks: Include scenarios in incident response playbooks where multiple frameworks or payload sequences from different kits coexist.
- Anticipate Rapid Propagation of TTPs: Monitor changes observed in Tycoon2FA, as they could be quickly replicated in Salty2FA, allowing SOC teams to get ahead of detection gaps.
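The first two recommendations above (treat both families as one cluster, and hunt for the Salty-to-Tycoon fallback when Salty infrastructure fails) can be turned into a small hunting script. The following Python is an added example written for this page, not code from ANY.RUN or from either kit. It refangs the indicators listed in this report into a watchlist, maps either family verdict to a shared cluster label, and flags a host that receives a DNS SERVFAIL for a watchlisted domain and then, within a short window, fetches content from another watchlisted host. The log lines, the host names (ws-17 etc.), the five-minute window and the choice of which report indicator serves as the fallback host are all constructed assumptions for illustration.

```python
"""Hunting helper for the Salty2FA/Tycoon2FA cluster (added example, not the report's code)."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators of compromise as listed in the report (defanged as published).
REPORT_IOCS = [
    "1otyu7944x8[.]workers[.]dev",
    "xm65lwf0pr2e[.]workers[.]dev",
    "diogeneqc[.]pages[.]dev",
    "stoozucha[.]sa[.]com",
    "omvexe[.]shop",
    "lapointelegal-portail[.]pages[.]dev",
    "lathetai[.]sa[.]com",
]

# Both family verdicts collapse into one cluster label for correlation and enrichment.
CLUSTER = "Salty2FA/Tycoon2FA"
FAMILY_TO_CLUSTER = {"Salty2FA": CLUSTER, "Tycoon2FA": CLUSTER}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'hxxps[://]omvexe[.]shop' into a matchable string."""
    return (ioc.replace("[.]", ".").replace("[://]", "://")
               .replace("hxxps", "https").replace("hxxp", "http"))


WATCHLIST = {refang(i) for i in REPORT_IOCS}


def cluster_label(family: str) -> str:
    """Map a kit-specific verdict to the shared cluster; unknown labels pass through unchanged."""
    return FAMILY_TO_CLUSTER.get(family, family)


# Constructed telemetry (not real logs): "<ISO timestamp> <host> <dns|http> <target> <result>".
SAMPLE_LOGS = """\
2025-11-03T09:14:02Z ws-17 dns omvexe.shop SERVFAIL
2025-11-03T09:14:03Z ws-17 http https://1otyu7944x8.workers.dev/stage2.js 200
2025-11-03T09:20:11Z ws-22 dns example.com NOERROR
2025-11-03T09:21:40Z ws-22 http https://example.com/ 200
2025-11-03T10:02:00Z ws-31 dns omvexe.shop SERVFAIL
2025-11-03T10:40:00Z ws-31 http https://diogeneqc.pages.dev/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (dns|http) (\S+) (\S+)$")


def parse_logs(text: str) -> list:
    """Parse the constructed log format into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, host, kind, target, result = m.groups()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "host": host, "kind": kind, "target": target, "result": result})
    return records


def hunt(records: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Emit watchlist hits and, per host, a fallback alert when a SERVFAIL on a
    watchlisted domain is followed within `window` by an HTTP request to another
    watchlisted host (the Salty-fails-then-Tycoon-hosting pattern)."""
    alerts = []
    last_servfail = {}  # host -> (timestamp, failed domain)
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["kind"] == "dns":
            if r["target"] in WATCHLIST and r["result"] == "SERVFAIL":
                last_servfail[r["host"]] = (r["ts"], r["target"])
                alerts.append({"rule": "watchlist-dns-servfail", "host": r["host"],
                               "indicator": r["target"], "cluster": CLUSTER})
            continue
        hostname = urlsplit(r["target"]).hostname or ""
        if hostname not in WATCHLIST:
            continue
        alerts.append({"rule": "watchlist-http", "host": r["host"],
                       "indicator": hostname, "cluster": CLUSTER})
        prior = last_servfail.get(r["host"])
        if prior and r["ts"] - prior[0] <= window:
            alerts.append({"rule": "fallback-after-servfail", "host": r["host"],
                           "failed_domain": prior[1], "fallback_host": hostname,
                           "delta_s": (r["ts"] - prior[0]).total_seconds(),
                           "cluster": CLUSTER})
    return alerts


if __name__ == "__main__":
    for alert in hunt(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

In the constructed data, ws-17 resolves omvexe.shop with SERVFAIL and one second later fetches a second stage from a workers.dev host, so it produces the fallback alert; ws-31 shows the same SERVFAIL but its later watchlist hit falls outside the window and is reported only as an ordinary watchlist hit. In production the watchlist would be fed from a threat-intel platform rather than a hard-coded list, and the window tuned to the observed redirect timing.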
In short, the rise of hybrid phishing kits means defenders must prepare for more flexible, modular, and infrastructure-fault-tolerant campaigns, characteristic of increasingly mature threat groups.
References
Indicators of Compromise:
- 1otyu7944x8[.]workers[.]dev
- xm65lwf0pr2e[.]workers[.]dev
- diogeneqc[.]pages[.]dev
- stoozucha[.]sa[.]com
- omvexe[.]shop
- lapointelegal-portail[.]pages[.]dev
- lathetai[.]sa[.]com
Sample Analysis:
- Salty2FA/Tycoon2FA Hybrid Sample Analysis (Reference to the original article)