{"id":15459,"date":"2025-08-19T13:32:41","date_gmt":"2025-08-19T13:32:41","guid":{"rendered":"\/cybersecurity-blog\/?p=15459"},"modified":"2025-08-20T05:59:38","modified_gmt":"2025-08-20T05:59:38","slug":"salty2fa-technical-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/","title":{"rendered":"Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries"},"content":{"rendered":"\n<p>Phishing remains one of the most common initial access vectors in real-world intrusions. The availability of low-cost, easy-to-use <a href=\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA<\/a>, EvilProxy, and Sneaky2FA only makes the problem worse.<\/p>\n\n\n\n<p>These services are actively maintained by their operators: new evasion techniques are added regularly, and the multi-layered infrastructure behind the phishing kits continues to evolve and expand.<\/p>\n\n\n\n<p>But beyond these established players in the PhaaS market, the <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> team sometimes comes across phishing campaigns that use tools unlike anything we\u2019ve seen before.<\/p>\n\n\n\n<p>One such example is a framework we\u2019ve dubbed <strong>Salty 2FA<\/strong>, whose execution chain and infrastructure have not previously been documented.<\/p>\n\n\n\n<p>Like other PhaaS platforms, Salty 2FA is mainly delivered via email and focuses on stealing Microsoft 365 credentials. 
It unfolds in multiple stages and includes several mechanisms designed to hinder detection and analysis.<\/p>\n\n\n\n<p>Let\u2019s dive deeper into how Salty 2FA works.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Salty 2FA is a newly discovered PhaaS framework<\/strong>, with overlaps to Storm-1575\/1747 but distinct enough to stand apart.<\/li>\n<li>It uses a <strong>distinctive domain pattern<\/strong> (hosts in compound .??.com zones such as .it.com or .com.de, paired with .ru domains) and unfolds in a <strong>multi-stage execution chain<\/strong> designed to resist detection.<\/li>\n<li>The kit can <strong>bypass multiple 2FA methods<\/strong> (push, SMS, voice), giving attackers access beyond stolen credentials.<\/li>\n<li><strong>Victims span global industries<\/strong>, including finance, telecom, energy, consulting, logistics, and education.<\/li>\n<li><strong>Static IOCs are unreliable<\/strong>; detection requires spotting <strong>behavioral patterns<\/strong> that persist across samples.<\/li>\n<li><strong>ANY.RUN\u2019s interactive sandbox<\/strong> was essential in mapping its execution flow and exposing its infrastructure in real time.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Discovery of Salty 2FA<\/h2>\n\n\n\n<p>During phishing campaign hunting, several <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN sandbox sessions<\/a> were identified that had not yet been flagged as malicious. 
At first glance, they showed familiar traits: Cloudflare Turnstile, a fake Microsoft login page, and unknown domains.\u00a0<\/p>\n\n\n\n<p>Check analysis sessions:&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/91e777dd-603b-47e4-ad8f-96e8bddf2cba\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Analysis session 1<\/a>\u00a0<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/7d8e3a4d-5226-40b9-9e94-0f833c784abc\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Analysis session 2<\/a>\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"580\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/phishkit_salty-1024x580.png\" alt=\"\" class=\"wp-image-15497\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/phishkit_salty-1024x580.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/phishkit_salty-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/phishkit_salty-768x435.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/phishkit_salty-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/phishkit_salty-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/phishkit_salty-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/phishkit_salty-740x419.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/phishkit_salty.png 1848w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Analysis of the phishkit inside 
ANY.RUN&#8217;s Interactive Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>What stood out in these cases was the domain infrastructure. In the IOCs section of the sessions, a pattern became clear: the consistent use of compound \u201c.com\u201d zones (e.g., .com.de, .it.com), in which .com is only one label of a two-label suffix, in combination with domains registered under the .ru TLD. The phishing pages themselves also followed a recurring hostname format, &lt;sub_domain&gt;.&lt;main_domain&gt;.??.com, where ?? stands for a two-letter label (as in .it.com).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"378\" height=\"214\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image1-1.png\" alt=\"\" class=\"wp-image-15522\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image1-1.png 378w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image1-1-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image1-1-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image1-1-270x153.png 270w\" sizes=\"(max-width: 378px) 100vw, 378px\" \/><figcaption class=\"wp-element-caption\"><em>Suspicious domain combination<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The URI paths hosting the phishing content also appeared unusual. 
While they initially looked randomly generated and unrelated, closer inspection suggested they might share a common structure worth examining.<\/p>\n\n\n\n<p>With this hypothesis in mind, a query was run in <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktotilookup#{%22query%22:%22domainName:%5C%22*.*.??.com$%5C%22%20AND%20domainName:%5C%22.ru$%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;*.*.??.com$&quot; AND domainName:&quot;.ru$&quot;<\/a><\/p>\n\n\n\n<p>The results confirmed that this domain pairing is indeed a recurring element tied to phishing activity. 
Moreover, it highlighted that this indicator had not yet been fully integrated into the detection system, leaving a potential coverage gap.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"917\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image2-3-1024x917.png\" alt=\"\" class=\"wp-image-15475\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image2-3-1024x917.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image2-3-300x269.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image2-3-768x688.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image2-3-370x331.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image2-3-270x242.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image2-3-335x300.png 335w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image2-3-740x663.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image2-3.png 1379w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Hypothesis validation in ANY.RUN\u2019s TI Lookup<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The initial results still left some uncertainty. Besides the incomplete detection coverage at the time of analysis, the result set included tasks that may well be benign (true negatives that the broad domain pattern also matches), as well as tasks tagged under other categories. 
These ranged from generic phishing labels to Tycoon and EvilProxy, campaigns that had not previously shown the observed behavior (the .??.com + .ru domain combination).<\/p>\n\n\n\n<p>To reduce ambiguity, the query was refined with contextual filters, focusing on specific resources such as requests to Cloudflare: sessions had to contact challenges.cloudflare.com (the Turnstile challenge host) and a.nel.cloudflare.com (its error-reporting endpoint), while sessions that loaded anything from cdnjs.cloudflare.com were excluded.<\/p>\n\n\n\n<p>The updated TI query produced much clearer results, confirming that this activity is almost certainly tied to a distinct phishing operation. 
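<\/p>

<p>The same logic can be run locally over the list of domains a sandbox session resolved, without going through TI Lookup. The following Python is an added example written for this article, not code from ANY.RUN or from the kit. It implements the compound .??.com plus .ru pairing of the first query, adds the Cloudflare context of the refined one (the Turnstile challenge host and the NEL reporting host must be present, cdnjs must be absent), and, as an extension of its own, also accepts the mirrored .com.?? form of the parochially[.]frankfurtwebs[.]com[.]de host discussed further down. The two session domain lists are constructed for the example: the first reuses the two hosts named in this article plus the Cloudflare hosts from the refined query, the second is a made-up look-alike that the broad query would sweep in.<\/p>

```python
import re

# Hostname shapes the analysis keys on. The first alternative is the page's
# <sub_domain>.<main_domain>.??.com pattern; the second is the mirrored
# <sub_domain>.<main_domain>.com.?? form of the parochially[.]frankfurtwebs[.]com[.]de
# sample. Accepting both is this example's generalisation, not the TI query's.
COMPOUND_COM = re.compile(
    r"^(?:[a-z0-9-]+\.){2,}[a-z]{2}\.com$|^(?:[a-z0-9-]+\.){2,}com\.[a-z]{2}$"
)
RU_TLD = re.compile(r"\.ru$")

# Cloudflare hosts the refined query uses as context.
TURNSTILE = "challenges.cloudflare.com"   # Turnstile challenge host
NEL = "a.nel.cloudflare.com"              # Network Error Logging endpoint
CDNJS = "cdnjs.cloudflare.com"            # excluded by the refined query


def normalise(domains):
    """Lower-case, trim, and drop a trailing dot so comparisons are exact."""
    return {d.strip().lower().rstrip(".") for d in domains if d and d.strip()}


def matches_salty_cluster(domains, refined=True):
    """Return the (compound .com host, .ru host) pairs that make a session
    match, or an empty list. refined=True also applies the Cloudflare filters
    of the second query; refined=False reproduces the broad first query."""
    hosts = normalise(domains)
    compound = sorted(h for h in hosts if COMPOUND_COM.search(h))
    ru = sorted(h for h in hosts if RU_TLD.search(h))
    if not compound or not ru:
        return []
    if refined and (TURNSTILE not in hosts or NEL not in hosts or CDNJS in hosts):
        return []
    return [(c, r) for c in compound for r in ru]


# Constructed session domain lists (see the lead-in).
PHISH_SESSION = [
    "parochially.frankfurtwebs.com.de",
    "marketplace24ei.ru",
    "challenges.cloudflare.com",
    "a.nel.cloudflare.com",
]
NOISY_SESSION = [
    "www.example.it.com",
    "cdn.example.ru",
    "challenges.cloudflare.com",
    "a.nel.cloudflare.com",
    "cdnjs.cloudflare.com",
]

if __name__ == "__main__":
    for name, session in (("phish", PHISH_SESSION), ("noisy", NOISY_SESSION)):
        print(name, "broad:  ", matches_salty_cluster(session, refined=False))
        print(name, "refined:", matches_salty_cluster(session))
```

<p>A compound .??.com host on its own, or a .ru host on its own, is common enough to be useless as an indicator; only their conjunction inside one session, gated by the same Turnstile challenge the phishing page loads, carries signal. A match on this rule is therefore an infrastructure fingerprint: it says the session followed the cluster\u2019s hosting pattern and gating, which is strong evidence of one shared kit.<\/p>

<p>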
However, it cannot yet be definitively attributed to any of the known actors.<\/p>\n\n\n\n<p><strong>Refined TI query:<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktotilookup#{%22query%22:%22domainName:%5C%22*.*.??.com$%5C%22%20AND%20domainName:%5C%22a.nel.cloudflare.com%5C%22%20AND%20domainName:%5C%22challenges.cloudflare.com%5C%22%20AND%20NOT%20domainName:%5C%22cdnjs.cloudflare.com%5C%22%20AND%20domainName:%5C%22.ru$%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;*.*.??.com$&quot; AND domainName:&quot;a.nel.cloudflare.com&quot; AND domainName:&quot;challenges.cloudflare.com&quot; AND NOT domainName:&quot;cdnjs.cloudflare.com&quot; AND domainName:&quot;.ru$&quot;<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"737\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image3-3-1024x737.png\" alt=\"\" class=\"wp-image-15476\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image3-3-1024x737.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image3-3-300x216.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image3-3-768x553.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image3-3-1536x1106.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image3-3-370x266.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image3-3-270x194.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image3-3-740x533.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image3-3.png 1706w\" sizes=\"(max-width: 1024px) 100vw, 
1024px\" \/><figcaption class=\"wp-element-caption\"><em>Refined TI Lookup query<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After a quick review of the external indicators, the next step was to examine the <strong>client-side code<\/strong> used in this phishing campaign to better understand its functionality and capabilities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Technical Deep Dive: Execution Chain<\/h2>\n\n\n\n<p>To capture the decrypted HTTPS traffic and analyze the payload stage by stage, a similar session was rerun with <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitm-proxy-fake-net\/\" target=\"_blank\" rel=\"noreferrer noopener\">the MITM proxy<\/a> enabled.<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/a601b5c4-c178-4a8e-b941-230636d11a1c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check analysis session with MITM enabled<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/salty_2_sandbox-1-1024x567.png\" alt=\"\" class=\"wp-image-15504\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/salty_2_sandbox-1-1024x567.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/salty_2_sandbox-1-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/salty_2_sandbox-1-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/salty_2_sandbox-1-1536x850.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/salty_2_sandbox-1-370x205.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/salty_2_sandbox-1-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/salty_2_sandbox-1-740x409.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/salty_2_sandbox-1.png 1878w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Analysis of a phishing page inside ANY.RUN&#8217;s Interactive Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>When the page loads from parochially[.]frankfurtwebs[.]com[.]de, a small \u201ctrampoline\u201d JavaScript executes. It initializes the Cloudflare Turnstile widget, runs the associated checks, and obtains a cf_response token. Only after that token has been validated does the server deliver the HTML that initiates the main <strong>execution chain<\/strong>, so a scanner that never completes the Turnstile check never receives the next stage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 1: Obfuscated Entry Script<\/h3>\n\n\n\n<p>The source code contains comment inserts with <em>inspiring quotes<\/em>. These do not affect functionality but act as filler \u201cnoise\u201d that inflates the file and makes static review more tedious.<\/p>\n\n\n\n<p>A small JavaScript snippet contains an obfuscated function designed to decode the address of the next stage, retrieve it, decode it in the same way, and then write the result into the DOM of the current page.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"285\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image4-2-1024x285.png\" alt=\"\" class=\"wp-image-15477\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image4-2-1024x285.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image4-2-300x83.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image4-2-768x213.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image4-2-1536x427.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image4-2-2048x569.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image4-2-370x103.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image4-2-270x75.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image4-2-740x206.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Stage 1: obfuscated code<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Decoding the value lPwICAQHzsPDAfUG\/\/kIBAD19\/nGyPn9wgYJw8M= reveals the URL of the next payload:&nbsp;<br>hxxps[:\/\/]marketplace24ei[.]ru\/\/&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 2: Encrypted Payload and Fake Login Page&nbsp;<\/h3>\n\n\n\n<p>After loading and decoding the payload, the result is a large HTML page\u2014again padded with non-functional \u201cnoise\u201d just like the previous stage\u2014with an obfuscated JavaScript snippet at the end.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"487\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image5-3-1024x487.png\" alt=\"\" class=\"wp-image-15478\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image5-3-1024x487.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image5-3-300x143.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image5-3-768x365.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image5-3-1536x731.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image5-3-370x176.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image5-3-270x128.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image5-3-740x352.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image5-3.png 1908w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fragment of Stage 2 payload<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>A quick search through the HTML for &lt;input&gt; tags revealed several matches. 
One stood out:&nbsp;<\/p>\n\n\n\n<p><strong>&lt;input hidden id=&#8221;lessen&#8221; value=&#8221;aHR0cHM6Ly9tYXJrZXRwbGFjZTI0ZWkucnUvNzkwNjI4LnBocA&#8221;&gt;<\/strong>&nbsp;<\/p>\n\n\n\n<p>Decoding the Base64 value exposes another URL that becomes relevant later:&nbsp;<\/p>\n\n\n\n<p>hxxps[:\/\/]marketplace24ei[.]ru\/790628[.]php&nbsp;<\/p>\n\n\n\n<p>Comparing the HTML source to the session\u2019s runtime behavior also shows that the attacker obfuscates the page text itself. For example, the string:&nbsp;<\/p>\n\n\n\n<p><em>&#8220;Because you&#8217;re accessing sensitive info, you need to verify your password.&#8221;<\/em>&nbsp;<\/p>\n\n\n\n<p>appears obfuscated in the code rather than in plain text.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"206\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image6-2-1024x206.png\" alt=\"\" class=\"wp-image-15479\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image6-2-1024x206.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image6-2-300x60.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image6-2-768x155.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image6-2-1536x309.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image6-2-370x74.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image6-2-270x54.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image6-2-740x149.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image6-2.png 1854w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Source code of the fake Microsoft login page<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><\/p>\n\n\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"494\" height=\"389\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image72-1.png\" alt=\"\" class=\"wp-image-15514\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image72-1.png 494w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image72-1-300x236.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image72-1-370x291.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image72-1-270x213.png 270w\" sizes=\"(max-width: 494px) 100vw, 494px\" \/><figcaption class=\"wp-element-caption\"><em>What the victim sees in the browser<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Stage 3: Client-Side Logic and Anti-Analysis Mechanisms&nbsp;<\/h3>\n\n\n\n<p>All of the logic for switching between page states, as well as the collection and exfiltration of user input, is handled by the previously mentioned JavaScript code.&nbsp;<\/p>\n\n\n\n<p>After deobfuscating this script, we can walk through its key technical details and capabilities.&nbsp;<\/p>\n\n\n\n<p>To begin with, nearly all of the front-end logic relies on calls to page elements through jQuery. The identifiers for these elements are generated dynamically, making analysis more difficult. 
In addition, the element IDs themselves are encoded using a combination of Base64 and XOR with a fixed generated value, which must be decoded through a dedicated routine.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image8-1-1024x577.png\" alt=\"\" class=\"wp-image-15481\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image8-1-1024x577.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image8-1-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image8-1-768x433.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image8-1-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image8-1-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image8-1-740x417.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image8-1.png 1536w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Procedure for decoding page element IDs<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"49\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image9-1-1024x49.png\" alt=\"\" class=\"wp-image-15482\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image9-1-1024x49.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image9-1-300x14.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image9-1-768x36.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image9-1-370x18.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image9-1-270x13.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image9-1-740x35.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image9-1.png 1475w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Managing web page elements with jQuery (decoded values)<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The phishing payload also includes several basic defense mechanisms commonly seen in such campaigns:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Blocking the keyboard shortcuts that open debugging tools (e.g., DevTools).<\/li>\n<li>Measuring how long a debugger trigger takes to execute and halting further activity if a delay is detected, since a pause there means a debugger is attached, which points to a controlled or lab environment rather than a victim\u2019s browser.<\/li>\n<\/ul>\n\n\n\n<p>For exfiltration of the victim\u2019s input, the data is \u201cencrypted\u201d using the same Base64 + XOR technique. 
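<\/p>

<p>The routine is simple enough to reimplement, which is handy when more than one capture needs decoding. The following Python is an added example written for this article, not code from the kit or from ANY.RUN. It implements the scheme described here (Base64 over a repeating XOR, with the session string as the UTF-8 key), takes its sample request= value and key from the CyberChef recipe further down, and assumes, which the page does not state, that the session= form field carries exactly that key string. With the fixed generated value in place of the session key, the same decode_request routine also recovers the encoded jQuery element IDs described under Stage 3.<\/p>

```python
import base64
import json
from urllib.parse import parse_qs, urlencode


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key: the whole of the kit's 'encryption'."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def b64decode_lenient(text: str) -> bytes:
    """Base64-decode, restoring padding the kit sometimes drops (the Stage 2
    hidden input value on this page has none)."""
    text = text.strip()
    return base64.b64decode(text + "=" * (-len(text) % 4))


def decode_request(b64_blob: str, session_key: str) -> str:
    """Reverse the request= pipeline after URL decoding: Base64 -> XOR(key)."""
    raw = b64decode_lenient(b64_blob)
    return xor_bytes(raw, session_key.encode("utf-8")).decode("utf-8")


def encode_request(plaintext: str, session_key: str) -> str:
    """Forward direction: XOR(key) -> Base64 (URL encoding is done by the body)."""
    xored = xor_bytes(plaintext.encode("utf-8"), session_key.encode("utf-8"))
    return base64.b64encode(xored).decode("ascii")


def build_post_body(plaintext: str, session_key: str) -> str:
    """Assemble a request=...&session=... body; urlencode escapes + / = for us."""
    return urlencode({"request": encode_request(plaintext, session_key),
                      "session": session_key})


def decode_post_body(body: str) -> dict:
    """Parse a captured form body and return the JSON object the kit submitted.
    Assumption (not stated on the page): the session= value is exactly the key."""
    params = parse_qs(body, strict_parsing=True)
    decoded = decode_request(params["request"][0], params["session"][0])
    return json.loads(decoded)


# Values taken from the CyberChef recipe in this article: the session string it
# uses as the XOR key and the request= blob it decodes.
SESSION_KEY = "b17be01b20c089141058415728fd66ff"
CAPTURED_REQUEST = "GRNYEkcKExZARQYSFBtUWRMKF1VdWlB3U1oFSlVZC0Qf"

if __name__ == "__main__":
    print(decode_request(CAPTURED_REQUEST, SESSION_KEY))
    print(decode_post_body("request=" + CAPTURED_REQUEST + "&session=" + SESSION_KEY))
```

<p>The decoded object is the JSON the page shows as decrypted stolen data; its op field appears to be the opcode that drives the multi-state handling covered under Stage 5. Because the key travels in the same POST as the ciphertext, this layer hides nothing from anyone holding the traffic; its only purpose is to defeat signature matching on the plaintext.<\/p>

<p>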
This time, however, the key parameter is derived from the victim\u2019s session identifier.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 4: Data Exfiltration and Server Interaction&nbsp;<\/h3>\n\n\n\n<p>The stolen data is sent to servers using .ru domains from the observed cluster, with endpoints following the format:&nbsp;<\/p>\n\n\n\n<p>\/&lt;5-6_digits&gt;.php&nbsp;<\/p>\n\n\n\n<p>The data itself is encoded and placed in the request= parameter of the POST request, while the decoding key (along with the victim\u2019s session ID) is stored in the session= parameter.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"248\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image10-1024x248.png\" alt=\"\" class=\"wp-image-15483\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image10-1024x248.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image10-300x73.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image10-768x186.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image10-370x90.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image10-270x65.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image10-740x179.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image10.png 1316w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Encoding procedure for exfiltrated data using the session key<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Using a POST request captured in the session as an example, the data can be examined by applying the same encoding routine in reverse:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1024\" height=\"604\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image11-1024x604.png\" alt=\"\" class=\"wp-image-15484\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image11-1024x604.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image11-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image11-768x453.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image11-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image11-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image11-740x437.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image11.png 1234w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>POST request containing stolen data<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Utilize the following CyberChef recipe to decode the data: <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=URL_Decode(true)From_Base64(%27A-Za-z0-9%2B\/%3D%27,true,false)XOR(%7B%27option%27:%27UTF8%27,%27string%27:%27b17be01b20c089141058415728fd66ff%27%7D,%27Standard%27,false)&amp;input=R1JOWUVrY0tFeFpBUlFZU0ZCdFVXUk1LRjFWZFdsQjNVMW9GU2xWWkMwUWY&amp;oeol=VT\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/gchq.github.io\/CyberChef\/#recipe=URL_Decode(true)From_Base64(%27A-Za-z0-9%2B\/%3D%27,true,false)XOR(%7B%27option%27:%27UTF8%27,%27string%27:%27b17be01b20c089141058415728fd66ff%27%7D,%27Standard%27,false)&amp;input=R1JOWUVrY0tFeFpBUlFZU0ZCdFVXUk1LRjFWZFdsQjNVMW9GU2xWWkMwUWY&amp;oeol=VT<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"460\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image12-1024x460.png\" alt=\"\" 
class=\"wp-image-15485\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image12-1024x460.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image12-300x135.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image12-768x345.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image12-370x166.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image12-270x121.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image12-740x332.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image12.png 1242w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Example of decrypted stolen data<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Stage 5: Multi-State 2FA Handling&nbsp;<\/h3>\n\n\n\n<p>In response to the POST request, the server returns a JSON object. 
The value of the response field depends on the current state of the phishing page; that is, on which opcode was specified when the data was submitted.&nbsp;<\/p>\n\n\n\n<p>Analysis of the code revealed several possible states of the phishing page, along with the data structures transmitted to the attacker as the page transitions between these states.&nbsp;<\/p>\n\n\n\n<p>The identified states are as follows:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-249\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"6\"\n           data-rows=\"13\"\n           data-wpID=\"249\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        State #\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        State Name\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                 
   data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Function\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Trigger\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"E1\"\n                    data-col-index=\"4\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Data Sent (decoded)\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"F1\"\n                    data-col-index=\"5\"\n                    data-row-index=\"0\"\n                    style=\" width:16.666666666667%;                    padding:10px;\n                    \"\n                    >\n                                        Data Received (decoded)\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n        
            >\n                                        1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Initial state\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prompts victim to enter email\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        When the phishing login page first loads\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E2\"\n                    data-col-index=\"4\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        n\/a\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F2\"\n                    data-col-index=\"5\"\n               
     data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        n\/a\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Switch to password page state\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prompts for password\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        When the victim enters a valid email\u00a0       
             <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E3\"\n                    data-col-index=\"4\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;op&quot;:&quot;true&quot;,&quot;em&quot;:&lt;victim_email&gt;}                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F3\"\n                    data-col-index=\"5\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;status&quot;:&lt;status&gt;, &quot;banner&quot;:&lt;b64 company banner&gt;, &quot;background&quot;:&lt;b64 company background&gt;, &quot;boilerPlateText&quot;:&lt;company welcome text&gt;, &quot;token&quot;:&lt;token&gt;, &quot;ho&quot;:&lt;true\/false&gt;}                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n           
                             Switch to \u201cStay signed in\u201d state\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prompts \u201cStay signed in?\u201d\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        When the victim enters a valid password\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E4\"\n                    data-col-index=\"4\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {\"op\":\"bk\"}\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F4\"\n                    data-col-index=\"5\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        n\/a\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n        
                                    data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Switch to \u201cIncorrect password\u201d state\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Prompts \u201cAccount locked \/ incorrect password\u201d\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D5\"\n                    data-col-index=\"3\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        When the victim enters an empty or invalid password\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E5\"\n                    data-col-index=\"4\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n              
      \"\n                    >\n                                        n\/a\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F5\"\n                    data-col-index=\"5\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        n\/a\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Switch to \u201c2FA\u201d state\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Initiates 2FA handling\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                     
       data-cell-id=\"D6\"\n                    data-col-index=\"3\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        When the victim\u2019s account has 2FA enabled\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E6\"\n                    data-col-index=\"4\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;op&quot;:&quot;ne&quot;,&quot;em&quot;:&lt;victim_email&gt;,&quot;px&quot;:&lt;victim_password&gt;,&quot;sec&quot;:&lt;token from #2&gt;}                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F6\"\n                    data-col-index=\"5\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;status&quot;:&lt;bool\/int&gt;, &quot;sec&quot;:&lt;token&gt;, &quot;method&quot;:&lt;desired 2FA method&gt;, &quot;token&quot;:&lt;token&gt;}                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6\u00a0                    <\/td>\n                                                <td 
class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Switch to \u201cProcess 2FA method\u201d state\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Processes the chosen 2FA method\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D7\"\n                    data-col-index=\"3\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        After state #5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E7\"\n                    data-col-index=\"4\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;m&quot;:&lt;method from #5&gt;,&quot;token&quot;:&lt;token from #5&gt;,&quot;op&quot;:&quot;ver&quot;,&quot;sec&quot;:&lt;sec from #5&gt;}                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F7\"\n                    data-col-index=\"5\"\n             
       data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;status&quot;:&lt;bool&gt;, &quot;type&quot;:&lt;from 'one' to 'six'&gt;, &quot;otp&quot;:&lt;otp value&gt;, &quot;token&quot;:&lt;token&gt;}                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6.1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Phone App Notification 2FA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Handles phone app push notifications\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D8\"\n                    data-col-index=\"3\"\n                    data-row-index=\"7\"\n                    style=\"                 
   padding:10px;\n                    \"\n                    >\n                                        After state #6\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E8\"\n                    data-col-index=\"4\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;op&quot;:&quot;Vx&quot;,&quot;token&quot;:&lt;token from #6&gt;,&quot;service&quot;:&quot;a&quot;,&quot;sec&quot;:&lt;sec from #5&gt;}                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F8\"\n                    data-col-index=\"5\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;status&quot;:&lt;bool&gt;}                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6.2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                    
    Phone App OTP 2FA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Handles OTP from phone app\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D9\"\n                    data-col-index=\"3\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        After state #6\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E9\"\n                    data-col-index=\"4\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;op&quot;:&quot;Vx&quot;,&quot;token&quot;:&lt;token from #6&gt;,&quot;service&quot;:&quot;c&quot;,&quot;otc&quot;:&lt;otp&gt;,&quot;sec&quot;:&lt;sec from #5&gt;}                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F9\"\n                    data-col-index=\"5\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;status&quot;:&lt;bool&gt;, &quot;newToken&quot;:&lt;token&gt;}                    <\/td>\n                                        <\/tr>\n   
                         <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6.3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        OneWaySMS 2FA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Handles one-way SMS OTP\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D10\"\n                    data-col-index=\"3\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        After state #6\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E10\"\n                    data-col-index=\"4\"\n                    data-row-index=\"9\"\n                    style=\"                    
padding:10px;\n                    \"\n                    >\n                                        {&quot;op&quot;:&quot;Vx&quot;,&quot;token&quot;:&lt;token from #6&gt;,&quot;service&quot;:&quot;b&quot;,&quot;otc&quot;:&lt;otp&gt;,&quot;sec&quot;:&lt;sec from #5&gt;}                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F10\"\n                    data-col-index=\"5\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;status&quot;:&lt;bool&gt;, &quot;newTokenn&quot;:&lt;token&gt;}                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6.4\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TwoWayVoiceMobile 2FA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n       
             \"\n                    >\n                                        Handles mobile voice call 2FA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D11\"\n                    data-col-index=\"3\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        After state #6\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E11\"\n                    data-col-index=\"4\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;op&quot;:&quot;Vx&quot;,&quot;token&quot;:&lt;token from #6&gt;,&quot;service&quot;:&quot;d&quot;,&quot;sec&quot;:&lt;sec from #5&gt;}                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F11\"\n                    data-col-index=\"5\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;status&quot;:&lt;bool&gt;, &quot;calltoken&quot;:&lt;token&gt;}                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n             
       >\n                                        6.5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        TwoWayVoiceOffice 2FA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C12\"\n                    data-col-index=\"2\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Handles office phone voice call 2FA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D12\"\n                    data-col-index=\"3\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        After state #6\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E12\"\n                    data-col-index=\"4\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;op&quot;:&quot;Vx&quot;,&quot;token&quot;:&lt;token from #6&gt;,&quot;service&quot;:&quot;e&quot;,&quot;sec&quot;:&lt;sec from #5&gt;}                    <\/td>\n                                                <td class=\"wpdt-cell 
\"\n                                            data-cell-id=\"F12\"\n                    data-col-index=\"5\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;status&quot;:&lt;bool&gt;, &quot;newtokenoff&quot;:&lt;token&gt;}                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A13\"\n                    data-col-index=\"0\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6.6\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B13\"\n                    data-col-index=\"1\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Companion Apps Notification 2FA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C13\"\n                    data-col-index=\"2\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Handles companion app push notifications\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D13\"\n                    data-col-index=\"3\"\n                    
data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        After state #6\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"E13\"\n                    data-col-index=\"4\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;op&quot;:&quot;Vx&quot;,&quot;token&quot;:&lt;token from #6&gt;,&quot;service&quot;:&quot;o&quot;,&quot;sec&quot;:&lt;sec from #5&gt;}                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"F13\"\n                    data-col-index=\"5\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        {&quot;status&quot;:&lt;bool&gt;}                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-249'>\ntable#wpdtSimpleTable-249{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-249 td, table.wpdtSimpleTable249 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"844\" height=\"791\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image13.png\" alt=\"\" class=\"wp-image-15486\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image13.png 844w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image13-300x281.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image13-768x720.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image13-370x347.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image13-270x253.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/image13-740x694.png 740w\" sizes=\"(max-width: 844px) 100vw, 844px\" \/><figcaption class=\"wp-element-caption\"><em>Code snippet handling the 2FA authentication method&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Capabilities and Evasion Techniques&nbsp;<\/h2>\n\n\n\n<p>Based on the complexity of its infrastructure, such as the use of multiple domains across specific TLDs, including a dedicated domain for data exfiltration, the presence of evasion techniques, and its extensive functionality (credential validation, handling multiple 2FA methods, and intercepting OTP codes), this campaign appears to represent a <strong>new PhaaS framework<\/strong>. Its behavioral patterns differ from those of the major players in the phishing ecosystem, such as Tycoon, EvilProxy, and others.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Is it Storm-1575 or Storm-1747?&nbsp;<\/h2>\n\n\n\n<p>At the time of initial research, no clear evidence was found to indicate who operates or develops this phishing kit, how the attackers obtain access (e.g., whether they purchase software), or any distinctive technical traits that would link it to other known kits.&nbsp;<\/p>\n\n\n\n<p>After updating detection methods and re-hunting indicators in the ANY.RUN Sandbox and TI, some overlap in IOCs (specifically domains) emerged with activity tracked as <strong>Storm-1575<\/strong> and <strong>Storm-1747<\/strong>.&nbsp;<\/p>\n\n\n\n<p><strong>Storm-1575<\/strong> is associated with the PhaaS platform <em>Dadsec<\/em> and is presumed to be its developer. 
However, Dadsec activity has not been observed recently, and attribution boundaries for Storm-1575 remain unclear.&nbsp;<\/p>\n\n\n\n<p><strong>Storm-1747<\/strong>, on the other hand, is well known for <em>Tycoon 2FA<\/em>\u2014a state-of-the-art phishing kit that has ranked among the most active in terms of both attacks and related samples for several years. That said, Tycoon relies on a different infrastructure (mainly es-ru-es domain chains) and implements distinct client-side code, including its obfuscation and exfiltration techniques.&nbsp;<\/p>\n\n\n\n<p>To track and assess this phishing activity, the framework was designated <strong>Salty 2FA<\/strong>, a name inspired by its \u201csalted\u201d payloads, which consistently helped distinguish its code from other kits during analysis. More importantly, a unique threat name was required, one easier to work with than <em>YetAnotherPhishkitActivity2FA<\/em>, and \u201cSalty 2FA\u201d struck the right balance of clarity and memorability.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#{%22query%22:%22threatName:%5C%22salty2fa%5C%22%20AND%20threatName:%5C%22storm????%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">Check potential overlaps between Salty 2FA and Storm-1575\/1747<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Salty 2FA Targets and Activity Timeline&nbsp;<\/h2>\n\n\n\n<p>Analysis of phishing emails, their content themes, and pre-filled victim email addresses (automatically inserted via the #email anchor in URLs) made it possible to identify the targets of this campaign, including affected countries and industries.&nbsp;<\/p>\n\n\n\n<p><strong>Observed targets include:<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-250\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           
class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"30\"\n           data-wpID=\"250\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Country \/ Region of the Organization\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Industry\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA \/ Worldwide (India)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n      
                                  Metallurgy\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA \/ LATAM\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Financial\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Greece\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Telecom\u00a0                    <\/td>\n                                        <\/tr>\n                            
<tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Germany \/ Worldwide\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Chemicals \/ Polymers\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Spain\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Energy (solar panels)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                               
             data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Spain\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Energy\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Real estate development\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"     
               padding:10px;\n                    \"\n                    >\n                                        Switzerland \/ Worldwide\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Logistics\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Healthcare\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0            
        <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Financial\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        IT consulting \/ Staffing\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A13\"\n                    data-col-index=\"0\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            
data-cell-id=\"B13\"\n                    data-col-index=\"1\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Environmental services\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A14\"\n                    data-col-index=\"0\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Canada \/ France\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B14\"\n                    data-col-index=\"1\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        IT\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A15\"\n                    data-col-index=\"0\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B15\"\n                    data-col-index=\"1\"\n                    data-row-index=\"14\"\n                    style=\"  
                  padding:10px;\n                    \"\n                    >\n                                        Government\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A16\"\n                    data-col-index=\"0\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        UK \/ Worldwide\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B16\"\n                    data-col-index=\"1\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Consulting \/ Financial\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A17\"\n                    data-col-index=\"0\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Italy\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B17\"\n                    data-col-index=\"1\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        
Industrial (packaging, automation)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A18\"\n                    data-col-index=\"0\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        UK\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B18\"\n                    data-col-index=\"1\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Construction \/ Infrastructure\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A19\"\n                    data-col-index=\"0\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA \/ Worldwide\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B19\"\n                    data-col-index=\"1\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Logistics\u00a0                    <\/td>\n                                        <\/tr>\n       
                     <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A20\"\n                    data-col-index=\"0\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA \/ Worldwide\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B20\"\n                    data-col-index=\"1\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Logistics\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A21\"\n                    data-col-index=\"0\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B21\"\n                    data-col-index=\"1\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Oil and gas\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                              
              data-cell-id=\"A22\"\n                    data-col-index=\"0\"\n                    data-row-index=\"21\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B22\"\n                    data-col-index=\"1\"\n                    data-row-index=\"21\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Financial \/ Insurance\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A23\"\n                    data-col-index=\"0\"\n                    data-row-index=\"22\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        UK\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B23\"\n                    data-col-index=\"1\"\n                    data-row-index=\"22\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Real estate\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A24\"\n                    data-col-index=\"0\"\n                    data-row-index=\"23\"\n                    
style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B24\"\n                    data-col-index=\"1\"\n                    data-row-index=\"23\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Chemicals \/ Packaging\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A25\"\n                    data-col-index=\"0\"\n                    data-row-index=\"24\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B25\"\n                    data-col-index=\"1\"\n                    data-row-index=\"24\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Consulting \/ Financial\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A26\"\n                    data-col-index=\"0\"\n                    data-row-index=\"25\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                       
 USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B26\"\n                    data-col-index=\"1\"\n                    data-row-index=\"25\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Data management \/ Storage\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A27\"\n                    data-col-index=\"0\"\n                    data-row-index=\"26\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B27\"\n                    data-col-index=\"1\"\n                    data-row-index=\"26\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Automotive accessories\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A28\"\n                    data-col-index=\"0\"\n                    data-row-index=\"27\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n              
                              data-cell-id=\"B28\"\n                    data-col-index=\"1\"\n                    data-row-index=\"27\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Construction \/ Contractors\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A29\"\n                    data-col-index=\"0\"\n                    data-row-index=\"28\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B29\"\n                    data-col-index=\"1\"\n                    data-row-index=\"28\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Education\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A30\"\n                    data-col-index=\"0\"\n                    data-row-index=\"29\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        USA\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B30\"\n                    data-col-index=\"1\"\n                    data-row-index=\"29\"\n 
                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Financial\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-250'>\ntable#wpdtSimpleTable-250{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-250 td, table.wpdtSimpleTable250 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p><strong>Common phishing email lures included:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cVoice message was left\u2026\u201d<\/li>\n<li>\u201cAccess full document\u2026\u201d<\/li>\n<li>\u201cPayroll amendment\u2026\u201d<\/li>\n<li>\u201cRequest for Proposal\u2026\u201d<\/li>\n<li>\u201cBid invitation\u2026\u201d<\/li>\n<li>\u201cBilling Statement\u2026\u201d<\/li>\n<\/ul>\n\n\n\n<p><strong>Additional IOCs extracted from the SPF check results recorded in the email headers (Received-SPF \/ Authentication-Results), i.e. the sending IPs and the sender address:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>153[.]127[.]234[.]4<\/li>\n<li>51[.]89[.]33[.]171<\/li>\n<li>191[.]96[.]207[.]129<\/li>\n<li>153[.]127[.]234[.]5<\/li>\n<li>izumi[@]yurikamome[.]com<\/li>\n<\/ul>\n\n\n\n<p><strong>Activity timeline:<\/strong>&nbsp;<\/p>\n\n\n\n<p>Based on data from the ANY.RUN Sandbox and TI Lookup, activity resembling Salty 2FA began gaining momentum in <strong>June 2025<\/strong>, although early or \u201craw\u201d variants of the kit, or samples similar to it, may already have been deployed as early as <strong>March\u2013April 2025<\/strong>.&nbsp;<\/p>\n\n\n\n<p>Confirmed activity attributed to Salty 2FA has been observed since <strong>late July 2025<\/strong> and continues to this day, generating dozens of new public analysis sessions in the Sandbox every day.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Spot Salty 2FA&nbsp;<\/h2>\n\n\n\n<p>Basic indicators such as domain names can be useful for threat hunting and for expanding the known infrastructure; file hashes do not apply here, since the pages are re-obfuscated and their code mutates from sample to sample. Occasionally such indicators even produce detections. For a kit like Salty 2FA, however, they are unreliable for long-term, consistent detection: the phishing domains are volatile and are replaced as the infrastructure rotates.&nbsp;<\/p>\n\n\n\n<p>Threat detection specialists and engineers instead need to identify <strong>behavioral patterns<\/strong> that remain consistent across samples, even when those samples appear completely different at first glance.&nbsp;<\/p>\n\n\n\n<p>Any recurring clue contributes to the behavioral profile of a PhaaS framework: a particular combination of TLDs in the domain names (for Salty 2FA, .com subdomains paired with .ru domains), distinctive URL structures, unusual headers in the served pages, or a characteristic set of resources loaded from legitimate CDNs. These recurring traits allow analysts to track and detect the kit over time without relying on volatile details such as email hashes or specific phishing domains.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detect and Distinguish Similar Emerging Threats in Seconds&nbsp;<\/h2>\n\n\n\n<p>With solutions like <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s Interactive Sandbox, analysts can observe phishing kits in real time, uncover hidden behaviors, and distinguish between similar frameworks. 
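<\/p>\n\n\n\n<p>The recurring traits described above can be checked mechanically over the hostnames contacted in a sandbox session or seen in a proxy log. The Python below is an added example, not code from this post or from ANY.RUN; it implements the logic of the domain-pattern TI Lookup query listed under Gathered IOCs at the end of the post: a host shaped like *.*.??.com, a .ru host, challenges.cloudflare.com and code.jquery.com both present, and cdnjs.cloudflare.com absent. Two details are assumptions rather than page content: the .com.?? branch of the host pattern, added because of the parochially[.]frankfurtwebs[.]com[.]de IOC, and the sample sessions, which are constructed from the IOC list.<\/p>\n\n

```python
"""Behavioral check for the Salty 2FA network profile (added example, not ANY.RUN code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Host shapes taken from the IOC list:
#   telephony.nexttradeitaly.it.com   -> <label>.<label>.<cc>.com  (the "*.*.??.com" of the TI query)
#   parochially.frankfurtwebs.com.de  -> <label>.<label>.com.<cc>  (assumed extension, see lead-in)
PHISH_HOST_RE = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+\.(?:[a-z]{2}\.com|com\.[a-z]{2})$")

# Legitimate CDN resources the kit loads (Cloudflare Turnstile, jQuery) and the one
# the TI query excludes to keep ordinary sites from matching.
REQUIRED_CDN = frozenset({"challenges.cloudflare.com", "code.jquery.com"})
EXCLUDED_CDN = frozenset({"cdnjs.cloudflare.com"})


def refang(indicator: str) -> str:
    """Undo the usual defanging so IOCs can be fed in as written: hxxps[://] -> https://, [.] -> ."""
    s = re.sub(r"^hxxp(s?)\[?://\]?", r"http\1://", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[@]", "@")


def hostname(indicator: str) -> str:
    """Lower-cased hostname of a URL or bare host, refanged first ('' if none)."""
    s = refang(indicator).lower()
    if "://" not in s:
        s = "//" + s  # make urlsplit treat a bare host as the netloc
    return urlsplit(s).hostname or ""


@dataclass
class Profile:
    phish_hosts: list = field(default_factory=list)
    ru_hosts: list = field(default_factory=list)
    cdn_seen: set = field(default_factory=set)
    excluded_seen: set = field(default_factory=set)

    @property
    def matched(self) -> bool:
        """All four clauses of the query must hold at once."""
        return (bool(self.phish_hosts) and bool(self.ru_hosts)
                and REQUIRED_CDN <= self.cdn_seen and not self.excluded_seen)


def profile_session(indicators) -> Profile:
    """Sort every host contacted in one session into the buckets the query asks about."""
    p = Profile()
    for ind in indicators:
        host = hostname(ind)
        if not host:
            continue
        if host in REQUIRED_CDN:
            p.cdn_seen.add(host)
        elif host in EXCLUDED_CDN:
            p.excluded_seen.add(host)
        elif PHISH_HOST_RE.match(host):
            p.phish_hosts.append(host)
        elif host.endswith(".ru"):
            p.ru_hosts.append(host)
    return p


def is_salty2fa_candidate(indicators) -> bool:
    return profile_session(indicators).matched


# Constructed sessions: the hosts come from the IOC list, the order and the benign hosts are made up.
SESSION_SALTY = [
    "hxxps[://]parochially[.]frankfurtwebs[.]com[.]de/ps6VzZb/",
    "challenges.cloudflare.com",
    "code.jquery.com",
    "hxxps[://]marketplace24ei[.]ru/790628[.]php",
]
SESSION_ORDINARY_SITE = ["https://example.com/login", "challenges.cloudflare.com", "code.jquery.com"]
SESSION_WITH_CDNJS = SESSION_SALTY + ["cdnjs.cloudflare.com"]  # the NOT clause of the query fires here

if __name__ == "__main__":
    for name, session in [("salty", SESSION_SALTY), ("ordinary", SESSION_ORDINARY_SITE), ("cdnjs", SESSION_WITH_CDNJS)]:
        print(name, profile_session(session))
```

<p>Fed the hostnames of one session, profile_session reports which traits were seen and matched is true only when all of them hold together; the cdnjs.cloudflare.com exclusion mirrors the NOT clause of the query, so an ordinary site that merely uses Turnstile and jQuery does not match, and a session that additionally loads cdnjs.cloudflare.com is rejected as well.<\/p>\n\n\n\n<p>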
By focusing on behavioral patterns rather than fragile indicators, it becomes possible to track evolving PhaaS activity more reliably, while also enjoying a smoother, less resource-heavy investigation process.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Real-time visibility<\/strong> into phishing execution chains and payload delivery.<\/li>\n<li><strong>IOC enrichment<\/strong> with domains, infrastructure elements, and threat behavior insights linked to wider campaigns.<\/li>\n<li><strong>Faster investigations<\/strong> with reduced manual workload and clearer insights.<\/li>\n<li><strong>Seamless collaboration<\/strong> between analysts through shared interactive sessions.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>The ecosystem of Phishing-as-a-Service (PhaaS) platforms is constantly evolving. Existing kits adapt their attack methods, while new players emerge, some entirely brand-new, others reimagined versions of tools once used by well-known threat actors.&nbsp;<\/p>\n\n\n\n<p>The analyzed framework, <strong>Salty 2FA<\/strong>, shares certain traits with <strong>Storm-1575<\/strong>, the group behind the Dadsec platform. 
However, a deeper examination revealed too many unique characteristics to reliably attribute it to any of the known threats, such as <a href=\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tycoon2FA<\/a>, Sneaky2FA, Mamba2FA, Gabagool, or EvilProxy.&nbsp;<\/p>\n\n\n\n<p>With its ability to distribute phishing payloads at scale, maintain dynamic infrastructure, intercept and process most known 2FA methods (push, SMS, and voice) in addition to plain credentials, and manage a complex communication model between phishing pages and C2 servers, <strong>Salty 2FA stands on par with the \u201cmajor\u201d kits<\/strong> in today\u2019s phishing landscape.&nbsp;<\/p>\n\n\n\n<p>For SOC teams triaging phishing-related incidents, it is critical to quickly and accurately confirm the malicious nature of collected artifacts and correlate them with the threat actor likely to be targeting their organization.&nbsp;<\/p>\n\n\n\n<p><strong>ANY.RUN<\/strong>\u2019s <a href=\"https:\/\/any.run\/features\/\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a> enables security professionals worldwide to detect and analyze threats like Salty 2FA by replicating victim interactions and tracking execution chains in real time, while leveraging behavior-based detection to expose previously unknown samples and indicators.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Try It Yourself&nbsp;<\/h3>\n\n\n\n<p>See how Salty 2FA and other emerging phishing kits unfold in real time. 
ANY.RUN\u2019s Interactive Sandbox lets you safely detonate samples, follow execution chains, and uncover hidden IOCs in seconds.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request 14-day trial for your SOC \u2192<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Gathered IOCs&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Domains&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>innovationsteams[.]com<\/li>\n<li>marketplace24ei[.]ru<\/li>\n<li>nexttradeitaly[.]it[.]com<\/li>\n<li>frankfurtwebs[.]com[.]de<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">URLs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]telephony[.]nexttradeitaly[.]com\/SSSuWBTmYwu\/<\/li>\n<li>hxxps[:\/\/]parochially[.]frankfurtwebs[.]com[.]de\/ps6VzZb\/<\/li>\n<li>hxxps[:\/\/]marketplace24ei[.]ru\/\/<\/li>\n<li>hxxps[:\/\/]marketplace24ei[.]ru\/790628[.]php<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">E-mail extracted IOCs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>153[.]127[.]234[.]4<\/li>\n<li>51[.]89[.]33[.]171<\/li>\n<li>191[.]96[.]207[.]129<\/li>\n<li>153[.]127[.]234[.]5<\/li>\n<li>izumi[@]yurikamome[.]com<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Sandbox Sessions&nbsp;<\/h3>\n\n\n\n<p><a 
href=\"https:\/\/app.any.run\/tasks\/91e777dd-603b-47e4-ad8f-96e8bddf2cba\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/91e777dd-603b-47e4-ad8f-96e8bddf2cba<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/7d8e3a4d-5226-40b9-9e94-0f833c784abc\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/7d8e3a4d-5226-40b9-9e94-0f833c784abc<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/a601b5c4-c178-4a8e-b941-230636d11a1c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/a601b5c4-c178-4a8e-b941-230636d11a1c<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">TI Lookup Search Queries&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22*.*.??.com$%5C%22%20AND%20domainName:%5C%22challenges.cloudflare.com%5C%22%20AND%20NOT%20domainName:%5C%22cdnjs.cloudflare.com%5C%22%20AND%20domainName:%5C%22code.jquery.com%5C%22%20AND%20domainName:%5C%22.ru$%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;*.*.??.com$&quot; AND domainName:&quot;challenges.cloudflare.com&quot; AND NOT domainName:&quot;cdnjs.cloudflare.com&quot; AND domainName:&quot;code.jquery.com&quot; AND domainName:&quot;.ru$&quot; (last 180 days)<\/a><\/p>\n\n\n\n<p><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktolookup#{%22query%22:%22threatName:%5C%22salty2fa%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&quot;salty2fa&quot; (last 180 days)<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=salty&amp;utm_term=190825&amp;utm_content=linktolookup#{%22query%22:%22threatName:%5C%22salty2fa%5C%22%20AND%20threatName:%5C%22storm*%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&quot;salty2fa&quot; AND threatName:&quot;storm*&quot; (last 180 days)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, phishing accounts for the majority of all cyberattacks. 
The availability of low-cost, easy-to-use Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA, EvilProxy, and Sneaky2FA only makes the problem worse.&nbsp; These services are actively maintained by their operators; new evasion techniques are regularly added, and the multi-layered infrastructure behind the phishing kits continues to evolve and expand.&nbsp; But [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":15488,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34,40],"class_list":["post-15459","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head_json":{"title":"Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"Dive deeper into malware analysis of a PhaaS framework discovered by ANY.RUN's experts: Salty2FA, targeting industries in the USA and EU.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/","twitter_misc":{"Written by":"raptur3","Est. 
reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/"},"author":{"name":"raptur3","@id":"https:\/\/any.run\/"},"headline":"Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries\u00a0","datePublished":"2025-08-19T13:32:41+00:00","dateModified":"2025-08-20T05:59:38+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/"},"wordCount":2723,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/","name":"Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-08-19T13:32:41+00:00","dateModified":"2025-08-20T05:59:38+00:00","description":"Dive deeper into malware analysis of a PhaaS framework discovered by ANY.RUN's experts: Salty2FA, targeting industries in the USA and 
EU.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"raptur3","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png","caption":"raptur3"},"description":"Network Analyst at ANY.RUN. Keen to become a 'cybersec Swiss Army knife' man. 
Enjoys reading and writing deep-dive tech research.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/15459"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=15459"}],"version-history":[{"count":30,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/15459\/revisions"}],"predecessor-version":[{"id":15533,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/15459\/revisions\/15533"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/15488"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=15459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=15459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=15459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}