Salty2FA phishing campaign targeting US and EU enterprises
Campaign
Summary
Salty2FA is an active phishing-as-a-service campaign that is bypassing 2FA and targeting US and EU enterprises, raising the risk of credential theft and account takeover. The operation has been seen across sectors including finance, energy, and telecom. It uses a multi-stage execution chain and Cloudflare checks to evade defenses and harvest credentials plus verification codes. Activity gained momentum in June 2025 and confirmed campaigns have continued since late July.
Related Happenings
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...
DPRK-linked cryptoasset theft campaign continuing into 2026
Campaign
First: 03.04.2026 11:35
Last: 03.04.2026 11:35
Sources 1
About this happening:
The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...
Tycoon2FA phishing campaign resumes after takedown
Campaign
First: 23.03.2026 18:05
Last: 23.03.2026 18:05
Sources 1
About this happening:
**Tycoon2FA** has resumed a **broad phishing campaign** after a **major takedown**, and it is again **compromising email accounts** while **bypassing MFA**. The operation uses **a...
SloppyLemming spear-phishing campaign targeting Pakistan and Bangladesh
Campaign
First: 03.03.2026 08:53
Last: 03.03.2026 08:53
Sources 1
About this happening:
The **SloppyLemming** campaign is using **spear-phishing**, **PDF lures**, and **macro-enabled Excel documents** to target **government entities and critical infrastructure operat...
UNK_AcademicFlare Microsoft 365 device code phishing campaign
Campaign
First: 19.12.2025 19:54
Last: 19.12.2025 19:54
Sources 1
About this happening:
The **UNK_AcademicFlare** phishing campaign is actively stealing **Microsoft 365** credentials through **device code authentication** abuse, creating **account takeover** risk for...
Timeline
- 10.09.2025 11:00 · 2 articles · 8mo ago
ANY.RUN uncovers Salty2FA phishing kit targeting US and EU enterprises
Initial Disclosure: Researchers at ANY.RUN identified Salty2FA, a phishing-as-a-service kit that bypasses push, SMS, and voice-based 2FA and has been seen in campaigns across the US and EU. The activity was reported as gaining momentum in June 2025, with confirmed campaigns active since late July, and it has targeted enterprise sectors including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, and metallurgy. The kit uses a multi-stage execution chain, Microsoft-branded login pages, and Cloudflare checks to harvest credentials and verification codes, creating a direct risk of account takeover.
Sources:
- Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises — thehackernews.com — 10.09.2025 11:00