Salty2FA and Tycoon2FA Phishing Kits Attacking Enterprise Users to Steal Login Credentials


A new type of phishing attack has been observed that combines two different phishing kits, Salty2FA and Tycoon2FA. This marks a significant change in the Phishing-as-a-Service (PhaaS) landscape.

While phishing kits typically maintain unique signatures in their code and delivery mechanisms, recent campaigns targeting enterprise users have begun deploying payloads that combine elements from both frameworks.


This convergence complicates attribution efforts and suggests a potential operational merger or collaboration between the threat actors behind these sophisticated tools.

The Collapse of Salty2FA

The discovery follows a dramatic decline in standalone Salty2FA activity observed in late 2025. According to an analysis by ANY.RUN, submissions of Salty2FA samples to its interactive sandbox dropped precipitously from hundreds of weekly uploads to fewer than 50 by early November.


Coinciding with this drop, analysts detected a wave of “hybrid” samples in which Salty2FA’s infrastructure appeared to fail, triggering a fallback mechanism that retrieved Tycoon2FA payloads instead.

Code-level analysis by ANY.RUN revealed that these hybrid payloads begin with Salty2FA’s traditional “trampoline” scripts, which load the next stage of the attack.


However, when the primary Salty2FA domains failed to resolve (returning DNS SERVFAIL errors), the scripts executed a hardcoded fallback command, fetching malicious content from Tycoon2FA infrastructure.


This seamless handoff indicates that the operators anticipated infrastructure instability and engineered a redundancy using a rival or partner kit.

The overlap in tactics, techniques, and procedures (TTPs) strengthens the hypothesis that both kits may be operated by the same threat group, tracked by Microsoft as Storm-1747.

Storm-1747 has long been associated with Tycoon2FA, a kit known for bypassing multifactor authentication (MFA) via adversary-in-the-middle (AiTM) techniques.

The newly observed hybrid samples replicate Tycoon2FA’s execution chain almost line-for-line in their later stages, including specific variable naming conventions and data encryption methods.

This structural similarity suggests that Salty2FA may not be an independent competitor but rather another tool in Storm-1747’s arsenal, potentially used for different targeting profiles or as a testing ground for new evasion features.

For security operations centers (SOCs), the blurring of lines between Salty2FA and Tycoon2FA requires an updated defense strategy. Reliance on static indicators of compromise (IOCs) for a single kit is no longer sufficient, as a campaign might pivot from one framework to another mid-execution.

Experts recommend treating these kits as a single threat cluster. Defenders should correlate alerts involving Salty2FA’s initial delivery vectors, such as HTML trampoline files, with Tycoon2FA’s known network behaviors, including traffic to DGA-generated domains and fast-flux infrastructure.

By unifying detection logic for both families, organizations can better detect these resilient, multi-stage attacks before credentials are stolen.
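As an added illustration of the unified detection logic recommended above, and of the DNS-failure fallback described earlier in the article, the following Python correlator is example code written for this page; it is not code from the article, from ANY.RUN, or from either phishing kit. It runs over a handful of constructed telemetry lines in a simplified format, and every host name and domain in it (all under .example) is a placeholder, not a real indicator. The rule it encodes: on a single host, an HTML file download (the trampoline delivery vector) followed within a short window by a DNS SERVFAIL and then a fetch from a different domain is flagged as a possible kit-to-kit handoff, while an ordinary retry against the same domain, or a SERVFAIL with no preceding HTML download, is not.

```python
"""Correlation rule for the HTML-trampoline -> DNS SERVFAIL -> fallback-fetch pattern.

Added example, not code from the article or from ANY.RUN. All hosts and
domains below are constructed placeholders (.example), not real indicators.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed telemetry in a simplified "<ISO timestamp> <host> <event> <detail>" form.
# host-a shows the handoff; host-b is a plain retry; host-c has no HTML precursor.
SAMPLE_LOGS = """\
2025-11-03T09:12:01Z host-a http invoice-share.example/Invoice_8831.html
2025-11-03T09:12:03Z host-a dns-servfail primary-kit.example
2025-11-03T09:12:04Z host-a http fallback-kit.example/stage2.js
2025-11-03T09:30:00Z host-b dns-servfail cdn.benign.example
2025-11-03T09:45:00Z host-b http cdn.benign.example/app.js
2025-11-03T10:00:00Z host-c dns-servfail tracker.example
2025-11-03T10:00:01Z host-c http other-site.example/page.css
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


class Event(NamedTuple):
    when: datetime
    host: str
    kind: str      # "http" or "dns-servfail"
    detail: str    # requested host/path for http, failed domain for dns-servfail


class Alert(NamedTuple):
    host: str
    failed_domain: str
    fallback_domain: str


def parse_events(log_text: str) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped rather than fatal."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, host, kind, detail = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, host, kind, detail))
    return sorted(events, key=lambda e: e.when)


def detect_fallback_chains(log_text: str,
                           window: timedelta = timedelta(seconds=30)) -> List[Alert]:
    """Flag hosts where an HTML download is followed by a DNS SERVFAIL and then,
    within the window, a fetch from a different domain than the one that failed."""
    by_host = defaultdict(list)
    for ev in parse_events(log_text):
        by_host[ev.host].append(ev)

    alerts = []
    for host, events in by_host.items():
        for i, ev in enumerate(events):
            if ev.kind != "dns-servfail":
                continue
            # Precondition: an HTML file (the trampoline delivery vector) was
            # fetched shortly before the failed lookup on this host.
            html_before = any(
                e.kind == "http"
                and e.detail.lower().endswith((".html", ".htm"))
                and ev.when - window <= e.when <= ev.when
                for e in events[:i]
            )
            if not html_before:
                continue
            # The first fetch after the failure that goes somewhere else is the handoff.
            for nxt in events[i + 1:]:
                if nxt.when - ev.when > window:
                    break
                if nxt.kind != "http":
                    continue
                domain = nxt.detail.split("/", 1)[0].lower()
                if domain != ev.detail.lower():
                    alerts.append(Alert(host, ev.detail, domain))
                    break
    return alerts


if __name__ == "__main__":
    for a in detect_fallback_chains(SAMPLE_LOGS):
        print(f"{a.host}: lookup of {a.failed_domain} failed, "
              f"content then fetched from {a.fallback_domain}")
```

The 30-second window and the HTML-file precondition are tuning choices for this example, not values from the article; in a real SIEM the same three-event sequence would be expressed against the organisation's own DNS and proxy log schema, with the kit-specific domain lists maintained separately so the rule survives a pivot between frameworks.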
