{"id":15633,"date":"2025-08-26T11:18:13","date_gmt":"2025-08-26T11:18:13","guid":{"rendered":"\/cybersecurity-blog\/?p=15633"},"modified":"2025-08-26T11:18:14","modified_gmt":"2025-08-26T11:18:14","slug":"cyber-attacks-august-2025","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-august-2025\/","title":{"rendered":"Major Cyber Attacks in August 2025: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA"},"content":{"rendered":"\n<p>Phishing kits and stealers didn\u2019t slow down this August, and neither did we. ANY.RUN analysts tracked some of the month\u2019s most dangerous campaigns, from a <strong>7-stage Tycoon2FA phishing chain<\/strong> to <strong>Rhadamanthys delivered via ClickFix<\/strong>, and the discovery of <strong>Salty2FA, a brand-new PhaaS framework linked to Storm-1575<\/strong>.&nbsp;<\/p>\n\n\n\n<p>All were analyzed inside <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN\u2019s Interactive Sandbox<\/strong><\/a>, revealing full execution chains, decrypted traffic, and behavior missed by static tools. 
Combined with <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence Lookup<\/strong><\/a>, these insights help SOC teams turn raw IOCs into actionable detection rules and cut investigation time when it matters most.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s explore how these attacks worked, what they targeted, and the insights SOC teams can take away.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tycoon2FA: New 7-Stage Phishing Attack Beats Top Security Systems&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/1950910894826758276\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Post on X<\/strong><\/a>&nbsp;<\/p>\n\n\n\n<p>ANY.RUN analysts uncovered a <strong>multi-stage <\/strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Tycoon2FA campaign<\/strong><\/a> that takes phishing beyond the usual fake login page. Instead, it runs victims through a <strong>seven-step execution chain<\/strong> of CAPTCHAs, button-hold checks, and validation screens, each designed to wear down the human while stalling automated URL scanners and crawlers that cannot complete the interaction. By the time the final phishing panel appears, most automated defenses have already given up without ever seeing it.&nbsp;<\/p>\n\n\n\n<p>Unlike mass phishing kits that cast a wide net, <strong>Tycoon2FA is highly selective<\/strong>. 
It goes after accounts that unlock access to <strong>critical systems and sensitive data<\/strong>, not just ordinary inboxes.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"440\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.40.31-1024x440.png\" alt=\"\" class=\"wp-image-15643\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.40.31-1024x440.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.40.31-300x129.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.40.31-768x330.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.40.31-1536x660.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.40.31-370x159.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.40.31-270x116.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.40.31-740x318.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.40.31.png 1672w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Key industries targeted by Tycoon2FA<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Recent campaigns have zeroed in on <strong>government and military agencies<\/strong>, as well as <strong>financial institutions<\/strong> ranging from global banks to regional insurers. 
Activity has been observed across the <strong>US, UK, Canada, and Europe<\/strong>, where a single stolen login can cause major financial losses or even disrupt national operations.&nbsp;<\/p>\n\n\n\n<p>ANY.RUN data shows that <strong>26% of Tycoon2FA cases analyzed in our sandbox involved the banking sector<\/strong>, clear evidence that attackers are deliberately aiming at high-value targets.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7-Stage Execution Flow Exposed inside ANY.RUN&nbsp;<\/h3>\n\n\n\n<p>In a recent ANY.RUN analysis, Tycoon2FA unfolded in this order:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/f21e7c8b-abe8-4df5-b124-b6240354cb80\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check Real Case: Multi-Stage Tycoon2FA Attack<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg-1024x1024.jpeg\" alt=\"\" class=\"wp-image-15645\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg-1024x1024.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg-300x300.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg-150x150.jpeg 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg-768x768.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg-1536x1536.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg-70x70.jpeg 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg-370x370.jpeg 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg-270x270.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg-740x740.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GxMHHE2W4AAxRpg.jpeg 1800w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Execution chain of multi-stage Tycoon2FA campaign<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Phishing email link \u2192<\/strong> The attack begins with a voicemail-themed phishing email containing a malicious link to lure the victim.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>PDF attachment \u2192<\/strong> Clicking the link triggers a fake PDF download, masking the next redirection step.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Link inside PDF \u2192<\/strong> The PDF itself hides another embedded hyperlink, pushing the victim deeper into the chain.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>Cloudflare Turnstile CAPTCHA \u2192<\/strong> A CAPTCHA challenge filters out automated scanners by requiring human interaction.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>\u201cPress &amp; Hold\u201d anti-bot check \u2192<\/strong> A second verification forces a hold-and-release gesture, further blocking automation.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"6\" class=\"wp-block-list\">\n<li><strong>Email validation page \u2192<\/strong> The victim is asked to \u201cverify\u201d their email, confirming they are real and a worthwhile target.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"7\" class=\"wp-block-list\">\n<li><strong>Final phishing panel \u2192<\/strong> At the end, a fake Microsoft login page is revealed, ready to steal the victim\u2019s 
credentials.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>With <strong>ANY.RUN\u2019s <\/strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/automated-interactivity-stage-two\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Automated Interactivity<\/strong><\/a>, analysts can replicate each click and CAPTCHA, exposing the entire chain in minutes. This delivers not just IOCs, but also <strong>behavioral indicators that SOC teams can fold directly into detection rules and SOAR playbooks<\/strong>, reducing investigation time and keeping attacks like Tycoon2FA from slipping through.&nbsp;<\/p>\n\n\n\n<p>See decrypted traffic and examine the full threat context: <a href=\"https:\/\/app.any.run\/tasks\/5c1bbaee-7c3c-443b-8d4a-dcd4f89fddac\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Tycoon2FA Analysis Session<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"552\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.47.40-1024x552.png\" alt=\"\" class=\"wp-image-15646\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.47.40-1024x552.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.47.40-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.47.40-768x414.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.47.40-1536x828.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.47.40-2048x1104.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.47.40-370x199.png 
370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.47.40-270x145.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.47.40-740x399.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Detailed analysis of the Tycoon2FA attack inside ANY.RUN\u2019s Sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Check out the following TI Lookup search query to track Tycoon campaigns and adjust detection rules accordingly: <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22tycoon%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:\"tycoon\"<\/a>\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"553\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.55.11-1024x553.png\" alt=\"\" class=\"wp-image-15647\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.55.11-1024x553.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.55.11-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.55.11-768x414.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.55.11-1536x829.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.55.11-2048x1105.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.55.11-370x200.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.55.11-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.55.11-740x399.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN Sandbox analyses with Tycoon&nbsp;<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>Gathered IOCs (defanged):<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>*[.]filecloudonline[.]com&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>vnositel-bg[.]com&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>culturabva[.]es&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>spaijo[.]es&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dvlhpbxlmmi[.]es&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>pyfao[.]es&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Rhadamanthys Stealer Delivered via ClickFix with PNG Steganography&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/1955260801968672841\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Post on X<\/strong><\/a>&nbsp;<\/p>\n\n\n\n<p>A new wave of phishing campaigns shows how attackers are pairing <strong>ClickFix social engineering flows<\/strong> with advanced malware families. This time, the payload is <a href=\"https:\/\/any.run\/malware-trends\/rhadamanthys\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Rhadamanthys Stealer<\/strong><\/a>, a C++ infostealer known for extensive data theft capabilities and advanced evasion.&nbsp;<\/p>\n\n\n\n<p>Earlier ClickFix campaigns primarily deployed <strong>NetSupport RAT<\/strong> or <a href=\"https:\/\/any.run\/malware-trends\/asyncrat\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>AsyncRAT<\/strong><\/a>. 
The switch to Rhadamanthys signals a step up in <strong>stealth and payload sophistication<\/strong>, as threat actors blend <a href=\"https:\/\/any.run\/cybersecurity-blog\/what-is-a-social-engineering-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>social engineering<\/strong><\/a><strong> and technical obfuscation<\/strong> to bypass defenses.&nbsp;<\/p>\n\n\n\n<p>In the case observed in the ANY.RUN sandbox, a <strong>phishing domain initiates a ClickFix flow<\/strong> (MITRE T1566) in which the user is talked into running a pasted command, which fetches and executes a malicious MSI payload.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/a101654d-70f9-40a5-af56-1a8361b4ceb0\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View real case with Rhadamanthys delivered via ClickFix<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-06.56.24-1024x570.png\" alt=\"\" class=\"wp-image-15648\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-06.56.24-1024x570.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-06.56.24-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-06.56.24-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-06.56.24-1536x854.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-06.56.24-2048x1139.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-06.56.24-370x206.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-06.56.24-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-06.56.24-740x412.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ClickFix flow analyzed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The chain unfolds as:&nbsp;<\/p>\n\n\n\n<p><strong>ClickFix \u27a1\ufe0f msiexec \u27a1\ufe0f EXE file \u27a1\ufe0f compromised system file \u27a1\ufe0f PNG-stego payload<\/strong>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyJ7VRZXoAAvUjO-768x1024.jpeg\" alt=\"\" class=\"wp-image-15649\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyJ7VRZXoAAvUjO-768x1024.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyJ7VRZXoAAvUjO-225x300.jpeg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyJ7VRZXoAAvUjO-1152x1536.jpeg 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyJ7VRZXoAAvUjO-1536x2048.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyJ7VRZXoAAvUjO-370x493.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyJ7VRZXoAAvUjO-270x360.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyJ7VRZXoAAvUjO-740x987.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyJ7VRZXoAAvUjO.jpeg 1800w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>Detailed Rhadamanthys attack chain<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>The MSI is executed silently in memory 
via msiexec (T1218.007) and installs Rhadamanthys into a disguised directory under the user profile.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Anti-VM checks (T1497.001) are performed to evade analysis.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A compromised system file initiates TLS connections straight to IP addresses, so no DNS query is ever made and DNS-based monitoring sees nothing.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Those connections use <strong>self-signed TLS certificates whose Issuer and Subject fields do not match<\/strong>. A genuinely self-signed certificate carries identical Issuer and Subject, so a lone certificate with a mismatch is a distinctive hunting artifact.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Additional payloads are delivered via an obfuscated PNG using <a href=\"https:\/\/any.run\/cybersecurity-blog\/steganography-in-malware-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>steganography<\/strong><\/a><strong> (T1027.003)<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>To stop Rhadamanthys, SOC teams need to look beyond static IOCs. Detecting <strong>ClickFix flows and steganography payloads<\/strong> requires behavioral visibility, while <strong>TLS anomaly hunting<\/strong> (connections to raw IPs with no preceding DNS lookup, single-certificate chains with mismatched Issuer and Subject) exposes the covert channel the stealer uses.&nbsp;<\/p>\n\n\n\n<p>With <strong>ANY.RUN\u2019s Interactive Sandbox<\/strong>, analysts can replicate user actions, uncover hidden execution in memory, and turn these insights into <strong>actionable rules and automated response playbooks<\/strong>, cutting investigation time and strengthening SOC workflows.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nGet <span class=\"highlight\">instant access<\/span> to ANY.RUN\u2019s live threat analysis\u00a0&nbsp;  \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" 
href=\"https:\/\/app.any.run?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=major_attacks_august_25&#038;utm_term=260825&#038;utm_content=linktoregistration#register\/\" target=\"_blank\" rel=\"noopener\">\nSign up with business email\u00a0\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>Track similar campaigns in TI Lookup and enrich IOCs with live attack data from threat investigations across <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\" target=\"_blank\" rel=\"noreferrer noopener\">15K SOCs<\/a>:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22clickfix%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:\"clickfix\"<\/a>\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22rhadamanthys%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:\"rhadamanthys\"<\/a>\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktotilookup#{%22query%22:%22(threatName:%5C%22clickfix%5C%22%20OR%20threatName:%5C%22susp-clipboard%5C%22)%20AND%20threatName:%5C%22netsupport%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">(threatName:\"clickfix\" OR threatName:\"susp-clipboard\") AND threatName:\"netsupport\"<\/a>\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktotilookup#{%22query%22:%22(threatName:%5C%22clickfix%5C%22%20OR%20threatName:%5C%22susp-clipboard%5C%22)%20AND%20threatName:%5C%22asyncrat%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">(threatName:\"clickfix\" OR threatName:\"susp-clipboard\") AND threatName:\"asyncrat\"<\/a>\u00a0<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.17.41-1024x568.png\" alt=\"\" class=\"wp-image-15655\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.17.41-1024x568.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.17.41-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.17.41-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.17.41-1536x852.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.17.41-2048x1137.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.17.41-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.17.41-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.17.41-740x411.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN Sandbox analyses with ClickFix social engineering flows<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong><em>IOCs for threat detection and research (defanged)<\/em><\/strong>&nbsp;<\/td><\/tr><tr><td>&#8211; <em>84.200[.]80.8<\/em><br>&#8211; <em>179.43[.]141.35<\/em><br>&#8211; <em>194.87[.]29.253<\/em><br>&#8211; <em>flaxergaurds[.]com<\/em><br>&#8211; <em>temopix[.]com<\/em><br>&#8211; <em>zerontwoposh[.]live<\/em><br>&#8211; <em>loanauto[.]cloud<\/em><br>&#8211; <em>wetotal[.]net<\/em>&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Salty2FA: New Phishing Framework from Storm-1575 Targeting US and EU&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/1955985342722371879\" target=\"_blank\" rel=\"noreferrer noopener\">Post on X<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\/\" target=\"_blank\" rel=\"noreferrer 
noopener\">Detailed breakdown of Salty2FA<\/a>&nbsp;<\/p>\n\n\n\n<p>ANY.RUN analysts uncovered <strong>Salty2FA<\/strong>, a new <strong>Phishing-as-a-Service (PhaaS)<\/strong> framework engineered to defeat the second factors most organizations rely on. First spotted in June 2025, it has since evolved into an active campaign targeting <strong>Microsoft 365 accounts<\/strong> across the <strong>US, Canada, Europe, and global holdings<\/strong>.&nbsp;<\/p>\n\n\n\n<p>The kit is named for its distinctive <strong>\u201csalting\u201d of source code<\/strong>, a tactic that disrupts both static and manual analysis. It unfolds through a <strong>multi-stage execution chain<\/strong> delivered via phishing emails and links (MITRE T1566). Infrastructure relies on a recurring pattern: <strong>compound .??.com-style hosts paired with .ru domains (T1583)<\/strong>, as in the IOCs below (nexttradeitaly[.]it[.]com and frankfurtwebs[.]com[.]de alongside marketplace24ei[.]ru), supported by chained servers and resilient C2 communication (T1071.001).&nbsp;<\/p>\n\n\n\n<p>Salty2FA also implements <strong>adversary-in-the-middle techniques (T1557)<\/strong>: it relays the victim\u2019s session to the real login in real time, enabling it to intercept phone app push notifications, OTP codes, SMS messages, and even two-way voice calls. 
This gives attackers access well beyond stolen credentials.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7-1024x1024.jpeg\" alt=\"\" class=\"wp-image-15650\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7-1024x1024.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7-300x300.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7-150x150.jpeg 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7-768x768.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7-1536x1536.jpeg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7-70x70.jpeg 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7-370x370.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7-270x270.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7-740x740.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/GyUOTOSX0AkiwJ7.jpeg 1800w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Salty2FA phishing kit execution chain<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Attribution and Targets&nbsp;<\/h3>\n\n\n\n<p>Infrastructure and IOCs overlap with the <strong>Storm-1575<\/strong> group, the actor behind the <strong>Dadsec phishing kit<\/strong>, though some traits suggest possible ties to Storm-1747 (Tycoon2FA). 
Whatever its origin, Salty2FA remains a distinct framework, now actively deployed against industries including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Finance and Insurance&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Energy and Manufacturing&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Healthcare and Telecom&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Government, Education, and Logistics&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Salty2FA proves that modern PhaaS is about <strong>persistent, adaptive frameworks built to evade detection<\/strong>. Static IOCs alone are unreliable; spotting this threat requires <strong>behavioral analysis of its execution chain<\/strong> and continuous monitoring of domain patterns. On the prevention side, an AitM relay defeats push, OTP, SMS, and voice factors because it forwards whatever the user supplies to the real login; it does not defeat phishing-resistant authenticators such as FIDO2\/WebAuthn security keys and passkeys, whose credentials are bound to the legitimate origin, so enforcing those for high-value Microsoft 365 accounts (with weaker fallback methods disabled) removes the kit\u2019s main lever.&nbsp;<\/p>\n\n\n\n<p>With <strong>ANY.RUN\u2019s Interactive Sandbox<\/strong>, analysts can replicate user interaction to reveal hidden flows and extract high-fidelity indicators. Combined with <strong>TI Lookup queries<\/strong>, SOC teams can track evolving Salty2FA infrastructure, enrich detection logic, and <strong>cut MTTR by acting before intrusions escalate<\/strong>.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/7d8e3a4d-5226-40b9-9e94-0f833c784abc\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Open an example analysis session<\/a> to examine Salty2FA behavior, download the report, and collect IOCs.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"554\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.48.51-1024x554.png\" alt=\"\" class=\"wp-image-15651\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.48.51-1024x554.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.48.51-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.48.51-768x415.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.48.51-1536x830.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.48.51-2048x1107.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.48.51-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.48.51-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-07.48.51-740x400.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake Microsoft page exposed inside ANY.RUN\u2019s Sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Further investigate Salty2FA, track campaigns, and enrich IOCs with live attack data using TI Lookup:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22salty2fa%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:\"salty2fa\"<\/a>\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktotilookup#{%22query%22:%22threatName:%5C%22salty2fa%5C%22%20and%20threatName:%5C%22storm1575%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer 
noopener\">threatName:&quot;salty2fa&quot; and threatName:&quot;storm1575&quot;<\/a><\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"590\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/08\/Screenshot-2025-08-26-at-08.03.37-1024x590.png\" alt=\"\" class=\"wp-image-15652\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN Sandbox analyses with Salty2FA<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><strong>Gathered IOCs:<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-july-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">View July\u2019s top threats analysis to spot recurring tactics and compare how attacker trends evolved month to month<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Equip Your SOC to Outpace Threat Actors<\/h2>\n\n\n\n<p>This month\u2019s attacks show how far phishing kits and stealers have evolved; from <strong>multi-stage deception chains<\/strong> to <strong>ClickFix flows with steganography<\/strong>. 
Stopping them takes more than static IOCs; it demands <strong>behavioral visibility and live threat intelligence<\/strong>.<\/p>\n\n\n\n<p>With <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN\u2019s Interactive Sandbox<\/strong><\/a>, SOC teams can replicate real user actions, expose hidden payloads, and cut investigation time from hours to minutes. Paired with <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence Lookup<\/strong><\/a>, analysts can track infrastructure, enrich detection rules, and feed high-fidelity data into SIEMs, SOARs, and XDR workflows.<\/p>\n\n\n\n<p>In practice, this delivers <strong>faster triage, reduced MTTR, and stronger defenses against evolving threats<\/strong>, all with intelligence that scales across the business.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p>ANY.RUN helps more than <strong>15,000 organizations worldwide<\/strong>, from banking and healthcare to telecom, retail, and technology, build stronger cybersecurity operations and respond to threats with confidence.<\/p>\n\n\n\n<p>Built for speed and clarity, our solutions combine interactive malware analysis with real-time threat intelligence, giving SOC teams the visibility they need to cut investigation time and stop attacks earlier.<\/p>\n\n\n\n<p>Integrate ANY.RUN\u2019s Threat Intelligence suite into your workflows to reduce investigation time, prevent costly breaches, and strengthen long-term resilience. 
<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=major_attacks_august_25&amp;utm_term=260825&amp;utm_content=linktoregistration\" target=\"_blank\" rel=\"noreferrer noopener\">Sign up with your business email to get started<\/a><\/p>\n","protected":false}}