Salty2FA phishing campaign with staged Aha.io lures
Campaign
Summary
The Salty2FA phishing campaign is using staged login infrastructure and MFA simulation to make fraudulent sign-in pages look legitimate and harder for defenders to block. On Sept. 3, 2025, attackers registered a trial account on Aha.io to impersonate a business and seed the first lure. The operation then pushed users toward a OneDrive sharing page and a Cloudflare Turnstile checkpoint before the fake authentication flow. Its rotating subdomains, dynamic branding, and anti-debugging controls show a mature phishing setup built to evade detection across multiple sectors.
Related Happenings
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Jinkusu-Starkiller ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 03.03.2026 13:10
Last: 03.03.2026 13:10
Sources 1
About this happening:
**Jinkusu** is marketing **Starkiller** as a phishing-as-a-service platform that proxies live login pages to **bypass MFA** and capture session tokens. The service lets customers...
Timeline
09.09.2025 18:50 1 article · 8mo ago
Salty2FA operators register an Aha.io trial account to impersonate an undisclosed business
Initial Disclosure: Attackers registered a trial account on Aha.io on Sept. 3, 2025 to impersonate a known but undisclosed business, then used the registration to quickly deploy a OneDrive sharing page whose link lured users into a fake document-sharing flow.
- Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
09.09.2025 18:50 2 articles · 8mo ago
Salty2FA phishing kit adds rotating subdomains, dynamic branding, and anti-debugging defenses
Technical Analysis Update: Ontinue's analysis describes Salty2FA phishing infrastructure that rotates subdomains per session, stages the initial attack vector on legitimate platforms, dynamically matches corporate branding to the victim's email domain, imitates six MFA methods, and uses geo-blocking, ASN/IP filtering, and JavaScript-based anti-debugging to hinder detection.
Show sources
- Salty2FA Takes Phishing Kits to Enterprise Level — www.darkreading.com — 09.09.2025 18:50
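Two defender-side checks for the traits named in the technical analysis entry above (per-session rotating subdomains, JavaScript anti-debugging) and in the Tycoon2FA development (detection of Selenium, Puppeteer and Playwright). This is an added example, not code from Ontinue, Dark Reading or the Salty2FA operators: the indicator regexes, the proxy-log format, the `.test` hostnames and the sample kit JavaScript are all constructed assumptions meant to show the shape of the detection logic, not captured kit artifacts.

```python
"""Added example: spot anti-analysis JavaScript and per-session rotating
subdomains of the kind the Salty2FA analysis describes. Not kit code; the
patterns, log format and sample data are constructed for illustration."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Generic anti-analysis idioms that phishing kits embed in their JavaScript.
# Assumed patterns: the page names the behaviours, not the exact code.
ANTI_ANALYSIS_PATTERNS = {
    "debugger_statement": re.compile(r"\bdebugger\b"),
    # Timing trap: a `debugger` that stalls only when DevTools is attached.
    "debugger_timing_check": re.compile(r"performance\.now\(\)[\s\S]{0,200}?\bdebugger\b"),
    # Docked DevTools shrinks the viewport relative to the window.
    "devtools_size_check": re.compile(r"outer(Width|Height)\s*-\s*(window\.)?inner(Width|Height)"),
    "navigator_webdriver": re.compile(r"navigator\.webdriver"),
    # Globals leaked by Selenium / Puppeteer / Playwright / PhantomJS drivers.
    "automation_globals": re.compile(r"__(selenium|webdriver|puppeteer|playwright)|callPhantom|_phantom"),
    "plugin_count_check": re.compile(r"navigator\.plugins\.length\s*===?\s*0"),
}


def flag_anti_analysis_js(js_source: str) -> list[str]:
    """Return the names of anti-analysis idioms present in a JavaScript blob."""
    return [name for name, rx in ANTI_ANALYSIS_PATTERNS.items() if rx.search(js_source)]


# Constructed sample resembling a kit loader; not Salty2FA's actual script.
SAMPLE_KIT_JS = r"""
(function(){
  var t0 = performance.now(); debugger;
  if (performance.now() - t0 > 100) { location.replace('https://www.microsoft.com/'); }
  if (navigator.webdriver || window.__selenium_unwrapped || window.callPhantom) { return; }
  if (window.outerWidth - window.innerWidth > 160) { document.body.innerHTML = ''; }
  renderLogin(brandFor(location.search));
})();
"""

# Assumed proxy-log line format: "<ISO timestamp> <client IP> <URL>".
LOG_RX = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+)$")


def registrable_domain(host: str) -> str:
    """Parent domain of a host. Simplification: last two labels. Production
    code should consult the Public Suffix List so 'x.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def rotating_subdomain_parents(log_lines, min_subdomains=5, max_clients_per_sub=1):
    """Group request hosts by parent domain and return the parents that have
    many subdomains, each serving at most `max_clients_per_sub` distinct
    clients. That is the footprint a per-session rotating-subdomain kit
    leaves in proxy logs: one throwaway hostname per victim session."""
    clients_by_host = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = LOG_RX.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        host = urlsplit(m["url"]).hostname or ""
        clients_by_host[registrable_domain(host)][host].add(m["client"])
    flagged = {}
    for parent, subs in clients_by_host.items():
        if len(subs) >= min_subdomains and max(len(c) for c in subs.values()) <= max_clients_per_sub:
            flagged[parent] = sorted(subs)
    return flagged


# Constructed sample log: five one-client subdomains of phish-example.test,
# a Turnstile script fetch, and a normal site with two stable hostnames.
SAMPLE_PROXY_LOG = [
    "2025-09-03T10:00:01Z 10.0.0.5 https://k3j9x2.phish-example.test/",
    "2025-09-03T10:00:03Z 10.0.0.5 https://www.legit-example.test/",
    "2025-09-03T10:00:04Z 10.0.0.5 https://challenges.cloudflare.com/turnstile/v0/api.js",
    "2025-09-03T10:00:09Z 10.0.0.5 https://k3j9x2.phish-example.test/auth?e=user%40legit-example.test",
    "2025-09-03T10:01:00Z 10.0.0.7 https://www.legit-example.test/",
    "2025-09-03T10:02:00Z 10.0.0.9 https://mail.legit-example.test/",
    "2025-09-03T10:03:11Z 10.0.0.7 https://qp81ww.phish-example.test/",
    "2025-09-03T10:05:40Z 10.0.0.9 https://zz0a4m.phish-example.test/",
    "2025-09-03T10:07:02Z 10.0.0.12 https://b7c1d0.phish-example.test/",
    "2025-09-03T10:09:55Z 10.0.0.15 https://m4n5p6.phish-example.test/",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    print(flag_anti_analysis_js(SAMPLE_KIT_JS))
    print(rotating_subdomain_parents(SAMPLE_PROXY_LOG))
```

The subdomain check deliberately keys on distinct clients per hostname rather than raw hit counts, because a victim session legitimately makes several requests to its own throwaway subdomain; what distinguishes the kit is that no two sessions share one. Tune `min_subdomains` to your traffic volume, and expect CDN and SaaS tenants with many per-customer hostnames to need an allowlist.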