Enhancing Enterprise Security: The Impact of ClickFix and Multi-Stage Phishing Frameworks on Cyber Defense Strategies
August 2025 has witnessed a significant evolution in cybercrime tactics, with threat actors employing increasingly sophisticated phishing frameworks and social engineering techniques that successfully bypass traditional security defences. Security researchers at ANY.RUN have identified three major campaign families that signify a fundamental shift in how cybercriminals approach credential theft and system compromise: the multi-stage Tycoon2FA phishing framework, ClickFix-delivered Rhadamanthys stealer operations, and the emergence of Salty2FA, a new Phishing-as-a-Service (PhaaS) platform linked to the notorious Storm-1575 group. These campaigns illustrate an alarming trend towards highly targeted, multi-layered attacks that combine advanced evasion techniques with psychological manipulation to defeat both automated security systems and human vigilance. Unlike traditional mass phishing attempts, these sophisticated frameworks specifically target high-value accounts in government, financial, and critical infrastructure sectors.
The Tycoon2FA campaign represents a marked step up in phishing sophistication, employing a seven-stage execution chain designed to defeat automated security tools while wearing down human targets. The framework has emerged as one of the most effective credential-harvesting operations observed in 2025, specifically targeting government agencies, military installations and major financial institutions across the United States, the United Kingdom, Canada and Europe. The attack begins with carefully crafted voicemail-themed phishing emails that start a long redirection chain. Victims are guided through multiple validation screens, including Cloudflare Turnstile CAPTCHAs and "press-and-hold" anti-bot checks, before reaching the final spoofed Microsoft login page. Each stage serves two purposes: filtering out automated analysis tools, which typically do not complete interactive challenges, and building psychological commitment in the human target, who has by then invested effort in "verifying" themselves. Because Turnstile and similar gates are legitimate, widely deployed controls, their presence alone is not an indicator; the useful signal is a gated, multi-hop chain that ends at a Microsoft-branded credential form on a host Microsoft does not operate. Analysis data reveals that 26% of Tycoon2FA campaigns specifically target banking-sector employees, indicating a deliberate focus on high-value financial credentials rather than opportunistic credential harvesting.
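The chain described above can be triaged mechanically once a sandbox or proxy has recorded the hops. The following Python is an added illustration for this article, not code from ANY.RUN or from the campaign analysis: it walks a recorded redirect chain, notes where Cloudflare Turnstile or a press-and-hold gate appeared, and flags a final page that carries a password field with Microsoft branding on a host that is not a Microsoft sign-in host. The sample chains, the `.example` hostnames, the press-and-hold wording and the scoring thresholds are all constructed assumptions.

```python
"""Heuristic triage of a multi-hop redirect chain that ends at a suspected
credential-harvesting page.  Added illustration for this article; the chains,
hostnames (.example, RFC 2606) and HTML fragments below are constructed, not
captured samples, and the scoring thresholds are assumptions, not ANY.RUN's."""
import re
from urllib.parse import urlparse

# Hosts on which a genuine Microsoft sign-in form is expected to live.
# Assumption for the example: a short allowlist, not an exhaustive one.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com", "login.microsoft.com",
}

# Real script host used by Cloudflare Turnstile widgets; its presence is
# only a signal in combination with the other findings.
TURNSTILE_MARKER = "challenges.cloudflare.com/turnstile"
# Assumed wording for the "press-and-hold" anti-bot gate the article describes.
PRESS_HOLD_RE = re.compile(r"press and hold|hold to (?:verify|continue)", re.I)
MS_BRANDING_RE = re.compile(
    r"sign in to your (?:microsoft )?account|microsoft|outlook|office 365", re.I)
PASSWORD_FIELD_RE = re.compile(r"<input[^>]+type=[\"']password", re.I)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_microsoft_login_host(host: str) -> bool:
    return host in MICROSOFT_LOGIN_HOSTS


def triage_chain(hops):
    """hops: list of (url, html) in the order the browser visited them.
    Returns a findings dict whose 'verdict' is 'benign', 'suspicious' or 'high'."""
    findings = {
        "hop_count": len(hops),
        "turnstile_hops": [],   # indices of hops that loaded a Turnstile widget
        "press_hold_hops": [],  # indices of hops that showed a press-and-hold gate
        "final_host": None,
        "spoofed_login": False,
        "verdict": "benign",
    }
    for i, (url, html) in enumerate(hops):
        if TURNSTILE_MARKER in html:
            findings["turnstile_hops"].append(i)
        if PRESS_HOLD_RE.search(html):
            findings["press_hold_hops"].append(i)

    final_url, final_html = hops[-1]
    host = host_of(final_url)
    findings["final_host"] = host
    # Core spoofing signal: a password form with Microsoft branding on a host
    # that is not one of Microsoft's own sign-in hosts.
    if (PASSWORD_FIELD_RE.search(final_html)
            and MS_BRANDING_RE.search(final_html)
            and not is_microsoft_login_host(host)):
        findings["spoofed_login"] = True

    gated = bool(findings["turnstile_hops"] or findings["press_hold_hops"])
    if findings["spoofed_login"] and gated and len(hops) >= 3:
        findings["verdict"] = "high"        # gated multi-stage chain ending at a spoofed form
    elif findings["spoofed_login"]:
        findings["verdict"] = "suspicious"  # spoofed form without the anti-bot staging
    return findings


# Constructed sample chain modelled on the voicemail lure described in the article.
PHISH_CHAIN = [
    ("https://voicemail-notice.example/play?id=4421",
     "<html><body>Redirecting to your voicemail...</body></html>"),
    ("https://cdn-verify.example/gate",
     '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>'),
    ("https://cdn-verify.example/hold",
     "<div>Press and hold the button to continue</div>"),
    ("https://secure-mailbox-login.example/auth",
     'Sign in to your Microsoft account <input type="email"><input type="password">'),
]

# Constructed benign chain: an intranet link that lands on the genuine sign-in host.
BENIGN_CHAIN = [
    ("https://intranet.example/portal", "<a href=...>Go to mail</a>"),
    ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
     'Sign in to your account <input type="password">'),
]

if __name__ == "__main__":
    for name, chain in (("phish", PHISH_CHAIN), ("benign", BENIGN_CHAIN)):
        print(name, triage_chain(chain)["verdict"])
```

The verdict deliberately requires all three conditions for "high": the branding check alone will fire on legitimate federated sign-in pages, and the Turnstile check alone fires on every site that uses it. Feeding this the hop list from a sandbox run (or from a proxy log, once bodies are attached) gives an analyst a first-pass filter before opening the final page by hand.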
Categories: Phishing Frameworks, Credential Theft, Targeted Cyber Attacks
Tags: Cybercrime, Phishing, Social Engineering, Credential Theft, Tycoon2FA, Multi-Stage Attacks, Psychological Manipulation, Phishing-as-a-Service, Evasion Techniques, Targeted Campaigns