Salty2FA Phishing Kit Unveils New Level of Sophistication

A phishing campaign leveraging the Salty2FA kit has been uncovered by cybersecurity researchers, revealing advanced techniques that highlight the growing professionalism of cybercrime operations.

The kit demonstrates a high degree of technical innovation, with layered defenses designed to bypass traditional detection.

Researchers from the Ontinue Cyber Defence Center identified several methods that set this campaign apart:

  • Session-based subdomain rotation that assigns unique domains per victim session

  • Abuse of legitimate platforms such as Aha[.]io for staging phishing lures

  • Corporate branding replication that customizes login pages with company-specific logos and colors

  • Integration of Cloudflare’s Turnstile to block automated analysis and filter out security vendor traffic

This combination of tactics makes the operation particularly effective at deceiving users while complicating forensic investigation.
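As an added illustration (not code from Ontinue or from this article), the following Python script shows how a defender could surface two of the behaviours listed above in ordinary web-proxy logs: a single client being walked through several unique subdomains of one registered domain, and hostnames sitting under a pseudo-TLD such as .com.de that reads like .com at a glance. The log lines, domain names, the `PSEUDO_TLDS` stub and the threshold of three distinct subdomains per client are all constructed assumptions.

```python
"""Flag per-session subdomain rotation in web-proxy logs.

Added example for this article, not the Ontinue researchers' code. The
log lines, domain names, PSEUDO_TLDS stub and thresholds are constructed
assumptions rather than values from the research.
"""
import re
from collections import defaultdict

# Constructed proxy log: "<timestamp> <client_ip> <host> <path>"
SAMPLE_LOG = """\
2025-09-10T08:00:01Z 10.0.0.5 a81f2c.secure-portal-example.com.de /
2025-09-10T08:00:03Z 10.0.0.5 k93d0e.secure-portal-example.com.de /login
2025-09-10T08:00:05Z 10.0.0.5 zz71ab.secure-portal-example.com.de /mfa
2025-09-10T08:00:07Z 10.0.0.5 q0e4ff.secure-portal-example.com.de /verify
2025-09-10T08:01:00Z 10.0.0.7 www.example.org /
2025-09-10T08:01:02Z 10.0.0.7 cdn.example.org /static/app.js
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Suffixes treated as pseudo-TLDs (assumed list). Production code should
# consult the Public Suffix List rather than this stub.
PSEUDO_TLDS = ("com.de",)


def registered_domain(host):
    """Return the registrable part of a hostname, honouring PSEUDO_TLDS."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in PSEUDO_TLDS:
        parts = suffix.split(".")
        if labels[-len(parts):] == parts:
            return ".".join(labels[-(len(parts) + 1):])
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, host, path = m.groups()
            yield {"ts": ts, "client": client, "host": host, "path": path}


def find_rotating_domains(records, min_distinct=3):
    """Group hosts by (client, registered domain) and return the groups in
    which one client touched at least min_distinct different subdomains."""
    hosts_seen = defaultdict(set)
    for r in records:
        hosts_seen[(r["client"], registered_domain(r["host"]))].add(r["host"])
    return {key: sorted(h) for key, h in hosts_seen.items() if len(h) >= min_distinct}


def uses_pseudo_tld(host):
    """True when the host's registrable domain sits under a lookalike suffix
    such as .com.de."""
    return any(registered_domain(host).endswith("." + s) for s in PSEUDO_TLDS)


if __name__ == "__main__":
    for (client, domain), hosts in find_rotating_domains(parse_log(SAMPLE_LOG)).items():
        flag = " (pseudo-TLD)" if uses_pseudo_tld(hosts[0]) else ""
        print(f"{client} -> {domain}{flag}: {len(hosts)} distinct subdomains")
```

Run against the constructed log, the script flags only the 10.0.0.5 session, which touches four throwaway subdomains of one .com.de registered domain, while the 10.0.0.7 client's two ordinary hosts under example.org stay below the threshold. Grouping by registered domain rather than by full hostname is what makes the rotation visible; without that step each unique subdomain looks like an unrelated one-off request.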

“Salty2FA is another reminder that phishing has matured into enterprise-grade operations, complete with advanced evasion tactics and convincing MFA simulations,” said Brian Thornton, senior sales engineer at Zimperium.

“By exploiting trusted platforms and mimicking corporate portals, attackers are blurring the lines between real and fraudulent traffic.”


The campaign employs a layered structure that begins with redirects designed to mimic legitimate .com.de domains. Victims encounter Cloudflare protections before being funneled to a credential harvesting portal.

Each stage introduces new barriers to automated analysis, culminating in fraudulent login pages customized with the victim’s corporate identity.

Testing confirmed that industries including healthcare, finance, technology, energy and automotive were all targeted. By tailoring branding to the victim’s domain, the attackers maximize social engineering success.

“This isn’t your classic scam aimed at the elderly; this is aimed at sophisticated targets with real layered security,” said Trey Ford, chief strategy and trust officer at Bugcrowd.

“The capabilities here are aimed at defeating in sequence – evasion, branding, platform usage and sophistication in design and deployment.”

The kit also employs obfuscated JavaScript to block browser developer tools, detect debugging delays and enforce infinite loops when analysis is attempted. Additionally, critical strings are XOR-encrypted and decrypted only at runtime, hiding operational logic from static inspection.
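To show how the anti-analysis behaviours just described can be picked up statically, here is an added Python scanner (my own heuristics, not signatures from the Ontinue research or the kit itself) that scores a JavaScript file for developer-tools shortcut blocking, context-menu suppression, timing-based debugger checks, empty infinite loops and XOR-style runtime string decoding. The indicator patterns, their weights, the verdict threshold and both JavaScript samples are constructed assumptions.

```python
"""Score JavaScript for the anti-analysis tricks described in the article.

Added example, not code from the Ontinue research: the indicator patterns,
weights and both JS samples are constructed heuristics of my own.
"""
import re

# (name, pattern, weight) -- assumed heuristics, not signatures from the kit
INDICATORS = [
    ("devtools_shortcut_block",
     re.compile(r"keyCode\s*===?\s*123|key\s*===?\s*['\"]F12['\"]"), 2),
    ("contextmenu_suppressed",
     re.compile(r"['\"]contextmenu['\"].{0,120}?preventDefault", re.S), 1),
    ("debugger_timing_check",
     re.compile(r"(?:Date\.now|performance\.now)\(\).{0,200}?debugger"
                r"|debugger.{0,200}?(?:Date\.now|performance\.now)\(\)", re.S), 3),
    ("infinite_loop_trap",
     re.compile(r"(?:while|for)\s*\(\s*(?:true|;;)\s*\)\s*\{\s*\}"), 2),
    ("xor_string_decode",
     re.compile(r"charCodeAt\([^)]*\)\s*\^"), 3),
    ("runtime_string_build", re.compile(r"String\.fromCharCode"), 1),
]

# Constructed sample exhibiting the tricks the article lists.
SUSPICIOUS_JS = """
function d(s, k) {
  var o = '';
  for (var i = 0; i < s.length; i++) { o += String.fromCharCode(s.charCodeAt(i) ^ k); }
  return o;
}
document.addEventListener('keydown', function (e) { if (e.keyCode === 123) { e.preventDefault(); } });
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
var t0 = Date.now(); debugger; if (Date.now() - t0 > 100) { while (true) {} }
"""

# Constructed benign sample: a single weak indicator only.
BENIGN_JS = """
function greet(name) { return 'Hello, ' + name; }
var initial = String.fromCharCode(65);
"""


def scan_js(source):
    """Return {indicator_name: weight} for every indicator found in source."""
    return {name: weight for name, pattern, weight in INDICATORS if pattern.search(source)}


def risk_score(source):
    """Sum the weights of all matched indicators."""
    return sum(scan_js(source).values())


def verdict(source, threshold=5):
    """Assumed threshold: one weak hit stays benign, several strong hits do not."""
    return "suspicious" if risk_score(source) >= threshold else "benign"


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_JS), ("benign", BENIGN_JS)):
        print(label, risk_score(sample), verdict(sample), sorted(scan_js(sample)))
```

Weighting matters more than any single regex here: `String.fromCharCode` on its own appears in plenty of legitimate code, so it carries a low weight, whereas a `debugger` statement bracketed by clock reads, or `charCodeAt(...) ^ key`, rarely appears outside anti-analysis or string-hiding logic and is weighted accordingly. A scanner like this is a triage aid for sandbox or mail-gateway pipelines, not a replacement for dynamic analysis, since heavily obfuscated kits can rename or split these constructs.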

Network analysis further revealed cross-domain traffic between multiple infrastructure nodes, a design intended to distribute risk and evade takedowns.

While attribution remains unclear, the systematic approach suggests an organized threat group. Analysts note that conventional indicators, such as misspellings or unencrypted sites, are no longer reliable when phishing portals mimic legitimate authentication systems down to the pixel.

“Salty2FA marks the arrival of phishing 2.0 – attacks engineered to bypass the very safeguards organizations once trusted,” said Shane Barney, CISO at Keeper Security.

“Multi-factor authentication is no longer a guarantee of safety when adversaries can intercept the most common verification methods.”

Nicole Carignan, senior vice president at Darktrace, added: “Despite increased focus on email security, organizations and their employees continue to be plagued by successful phishing attempts […]. Organizations cannot rely on employees to be the last line of defense against these attacks.”

The findings underscore the need for stronger user awareness, as well as updated defensive strategies that account for dynamic, multi-layered threats.
