How ClickFix and Multi-Stage Frameworks Are Breaking Enterprise Defenses


August 2025 has marked a significant evolution in cybercrime tactics, with threat actors deploying increasingly sophisticated phishing frameworks and social engineering techniques that are successfully bypassing traditional security defenses.

Security researchers at ANY.RUN have identified three major campaign families that represent a fundamental shift in how cybercriminals approach credential theft and system compromise: the multi-stage Tycoon2FA phishing framework, ClickFix-delivered Rhadamanthys stealer operations, and the emergence of Salty2FA, a new Phishing-as-a-Service (PhaaS) platform linked to the notorious Storm-1575 group.

These campaigns demonstrate an alarming trend toward highly targeted, multi-layered attacks that combine advanced evasion techniques with psychological manipulation to defeat both automated security systems and human vigilance.


Unlike traditional mass phishing attempts, these sophisticated frameworks specifically target high-value accounts in government, financial, and critical infrastructure sectors.

Tycoon2FA: Seven-Stage Phishing Chain

The Tycoon2FA campaign represents a paradigm shift in phishing sophistication, employing a seven-stage execution chain that systematically defeats automated security tools while exhausting human targets.

This framework has emerged as one of the most effective credential harvesting operations observed in 2025, specifically targeting government agencies, military installations, and major financial institutions across the United States, the United Kingdom, Canada, and Europe.

The attack methodology begins with carefully crafted voicemail-themed phishing emails that initiate a complex redirection chain. Victims are guided through multiple validation screens, including Cloudflare Turnstile CAPTCHAs and “press-and-hold” anti-bot checks, before reaching the final Microsoft login spoofing panel. Each stage serves dual purposes: filtering out automated analysis tools while building psychological commitment from human targets.

Tycoon2FA seven-stage phishing execution chain

Analysis data reveals that 26% of Tycoon2FA campaigns specifically target banking sector employees, indicating deliberate focus on high-value financial credentials rather than opportunistic credential harvesting.

The framework’s selectivity extends to government and military personnel, where single compromised accounts can provide access to classified systems and sensitive national security information.

Using ANY.RUN's Automated Interactivity feature, researchers traced a seven-stage execution flow that operates as follows: initial phishing email delivery, fake PDF attachment download, embedded hyperlink activation, Cloudflare CAPTCHA challenge, manual interaction verification, email validation requirement, and finally, credential harvesting through spoofed authentication panels.

Phishing exposure through a deceptive voice message download prompt

This methodology effectively defeats signature-based detection systems while requiring sustained human engagement that builds trust and reduces suspicion.


ClickFix Evolution

The ClickFix technique has evolved significantly beyond its original NetSupport RAT and AsyncRAT delivery mechanisms, now serving as a sophisticated vector for deploying advanced information stealers like Rhadamanthys.

This evolution represents a concerning escalation in both technical complexity and evasion capabilities, combining social engineering psychology with advanced malware deployment techniques.

Recent campaigns utilize ClickFix flows to deliver Rhadamanthys stealer through Microsoft Installer (MSI) packages that execute silently in memory, bypassing traditional file-based detection systems. In the ANY.RUN Sandbox, we can see how Rhadamanthys was delivered via ClickFix.

Rhadamanthys malware delivery vector via ClickFix, illustrating the malicious code execution and payload extraction process.

The attack chain employs anti-virtual machine checks to evade sandbox analysis while establishing TLS connections directly to IP addresses, circumventing DNS monitoring and domain reputation systems.

| Stage | Technique | MITRE ATT&CK ID | Evasion Method |
|---|---|---|---|
| Initial Delivery | ClickFix Social Engineering | T1566 | Human Interaction Required |
| Installation | MSI Silent Execution | T1218.007 | In-Memory Processing |
| Evasion | Anti-VM Detection | T1497.001 | Environment Analysis |
| Communication | Direct IP TLS | T1071.001 | DNS Bypass |
| Payload Delivery | PNG Steganography | T1027.003 | Visual Obfuscation |

The most sophisticated aspect of these campaigns involves steganography-based payload delivery through compromised PNG image files.

Attackers embed additional malware components within image data, allowing secondary payload deployment while appearing as legitimate graphic content to security scanners. This technique effectively bypasses content inspection systems that focus on executable file types.

Threat actors have also implemented self-signed TLS certificates with deliberately mismatched Issuer/Subject fields, creating unique network artifacts while maintaining encrypted communication channels.

These certificates serve dual purposes: avoiding commercial certificate authority oversight while providing distinctive hunting signatures for advanced threat detection teams.
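As an added hunting example (not code from the ANY.RUN report), the Python below applies the two network artifacts this article names, TLS sessions to bare IP addresses and unverifiable single-certificate chains whose Issuer and Subject disagree, to constructed session records. The record schema, field names, addresses and certificate names are all assumptions made for the example.

```python
import ipaddress
import json

# Constructed TLS session records in a generic sensor schema (field names are
# an assumption, not a specific product's): one JSON object per line.
SAMPLE_LOG = """
{"ts": "2025-08-20T10:01:02Z", "src_ip": "10.0.5.12", "dst_ip": "203.0.113.45", "sni": "", "cert_issuer": "CN=issuer-placeholder", "cert_subject": "CN=subject-placeholder", "chain_len": 1, "trusted": false}
{"ts": "2025-08-20T10:01:09Z", "src_ip": "10.0.5.12", "dst_ip": "198.51.100.7", "sni": "198.51.100.7", "cert_issuer": "CN=selfsigned-placeholder", "cert_subject": "CN=selfsigned-placeholder", "chain_len": 1, "trusted": false}
{"ts": "2025-08-20T10:02:30Z", "src_ip": "10.0.5.13", "dst_ip": "192.0.2.10", "sni": "login.example.com", "cert_issuer": "CN=public-ca-placeholder", "cert_subject": "CN=login.example.com", "chain_len": 3, "trusted": true}
"""

def _is_ip_literal(value):
    """True when the SNI carries an IP address instead of a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def classify_session(rec):
    """Return (rule, detail) findings for one TLS session record."""
    findings = []
    sni = rec.get("sni") or ""
    if not sni or _is_ip_literal(sni):
        findings.append(("direct-ip-tls", f"no hostname in SNI, server {rec['dst_ip']}"))
    # A one-certificate chain the sensor could not validate is self-signed in
    # effect; an issuer that still differs from the subject is the odd artifact.
    if not rec.get("trusted") and rec.get("chain_len", 0) <= 1:
        if rec["cert_issuer"] != rec["cert_subject"]:
            findings.append(("self-signed-issuer-mismatch",
                             f"issuer={rec['cert_issuer']} subject={rec['cert_subject']}"))
        else:
            findings.append(("self-signed", rec["cert_subject"]))
    return findings

def hunt(log_text):
    """Parse JSON lines; sessions matching two rules are high severity."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        findings = classify_session(rec)
        if findings:
            hits.append({"ts": rec["ts"], "src_ip": rec["src_ip"], "dst_ip": rec["dst_ip"],
                         "rules": [r for r, _ in findings],
                         "details": [d for _, d in findings],
                         "severity": "high" if len(findings) >= 2 else "medium"})
    return hits
```

Clients that legitimately omit SNI will trip the first rule on its own, so baseline it against your own traffic before alerting on medium-severity hits.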

Salty2FA: Next-Generation PhaaS Framework

The discovery of Salty2FA represents perhaps the most significant development in phishing infrastructure evolution, introducing a comprehensive Phishing-as-a-Service platform capable of bypassing virtually all current multi-factor authentication implementations.

First identified in June 2025, this framework has rapidly expanded to target Microsoft 365 accounts across multiple continents, with particular focus on North American and European enterprise environments.

Salty2FA derives its name from distinctive source code “salting” techniques that disrupt both static analysis tools and manual reverse engineering efforts.

The framework implements adversary-in-the-middle capabilities that can intercept push notifications from mobile authentication applications, SMS-based one-time passwords, and even two-way voice authentication calls. This comprehensive 2FA bypass capability represents a fundamental threat to current enterprise authentication strategies.

Salty2FA phishing kit execution chain

Infrastructure analysis reveals consistent patterns in Salty2FA deployment, utilizing compound subdomain structures paired with Russian top-level domains for command and control operations.

The framework utilizes chained server architectures, which provide resilient communication channels but complicate attribution and takedown efforts.

Attribution evidence suggests connections between Salty2FA and the Storm-1575 threat group, previously responsible for the Dadsec phishing kit operations. Here is an example of an analysis session, a Salty2FA behavior download, and an actionable report.

Phishing attempt targeting Microsoft login credentials.

However, infrastructure overlaps also indicate potential relationships with Storm-1747, the group behind Tycoon2FA campaigns. These connections suggest possible collaboration between previously distinct threat actors or evolution within existing criminal organizations.

Targeted sectors include:

  • Financial services and insurance organizations
  • Energy production and manufacturing facilities
  • Healthcare systems and telecommunications providers
  • Government agencies, educational institutions, and logistics networks

These campaign developments represent a fundamental shift in cybercriminal capabilities, moving beyond opportunistic attacks toward sustained, targeted operations against high-value institutional targets.

The sophistication demonstrated in multi-stage evasion, advanced steganography, and comprehensive 2FA bypass techniques indicates significant investment in research and development within criminal organizations.

Traditional security approaches focused on signature-based detection and static analysis prove inadequate against these evolved threats.

The combination of human psychological manipulation with advanced technical evasion creates attack vectors that require behavioral analysis, interactive sandbox environments, and continuous threat intelligence integration for effective detection and response.

Organizations must implement layered security strategies that combine advanced behavioral analytics, interactive malware analysis capabilities, and comprehensive threat intelligence integration.

The shift toward PhaaS models suggests that these sophisticated techniques will become increasingly accessible to lower-skilled threat actors, thereby significantly expanding the overall threat landscape.

Security teams should prioritize the development of detection rules based on behavioral indicators rather than static IOCs, as these campaigns demonstrate rapid infrastructure turnover and evasion technique evolution.




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.