Hybrid 2FA phishing kits are making attacks harder to detect

Some 2FA-phishing attacks are becoming significantly harder to spot as threat actors blend two previously distinct phishing-as-a-service (PhaaS) kits, Salty2FA and Tycoon2FA, into a single hybrid strain.

Researchers at Any.Run warn that the hybrid is already bypassing detection rules tuned to either kit alone. Alerts that once reliably caught Salty2FA or Tycoon2FA activity are now going quiet, leaving security teams blind to MFA-bypass attacks that previously triggered obvious signatures.

The researchers’ code-level analysis confirmed hybrid payloads, they said in a blog post. “Early stages matched Salty2FA, while later stages reproduced Tycoon2FA’s execution chain almost line-for-line,” they wrote. “This overlap marks a meaningful shift; one that weakens kit-specific rules, complicates attribution, and gives threat actors more room to slip past early detection.”

Both Salty2FA and Tycoon2FA are multi-factor-authentication-bypassing kits that capture user credentials and session data through multi-stage, deceptive logic flows.

Any.Run advised security leaders not to rely on static indicators, because the hybrid execution flows it observed can only be spotted by closely watching the new strain's behavior patterns and fallback routines.

Tycoon revived a faltering Salty

According to the researchers, the emergence of this hybrid phishing strain coincides with a sharp drop in pure Salty2FA activity. By November 2025, Salty2FA-related submissions to Any.Run’s sandbox plummeted from hundreds per week to just a handful (51 in total).

While it looked like the framework was being abandoned, it was just morphing to fall back to Tycoon2FA whenever its original infrastructure ran into issues. “One analysis showed the use of ASP.NET CDN, which is not typical for Salty2FA kit,” the researchers said. “It started to look as if someone had flipped a switch and taken a significant part of the framework’s infrastructure offline.”

But rather than a total shutdown, samples soon began triggering detections for both Salty2FA and Tycoon2FA. Eventually, the hybrid payloads started with familiar Salty elements (code obfuscation, “trampoline” JavaScript, and domain patterns) and then shifted into Tycoon2FA’s execution chain (DGA-based domains and Adversary-in-the-Middle (AiTM) behavior).

The researchers said the overlap will complicate signature-based detection, and rules tuned to Salty or Tycoon alone may now miss the hybrid entirely.

Defending against the two-pronged attack

For defenders, this means attribution becomes murkier, hunting hypotheses weaker, and earlier detection far harder. Any.Run warned that reliance on static indicators of compromise such as domains and URLs is no longer sufficient; they now need to watch behavior patterns, fallback routines, and hybrid execution flows for signs of campaign activity.

“If Salty infrastructure becomes unavailable, the same campaign may pivot into Tycoon2FA without leaving a clear break,” the researchers noted. “Threat hunting should look for those transitions to avoid missing supporting evidence.”
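One way to act on that advice is to correlate kit-specific verdicts per session and look for the Salty-to-Tycoon transition itself, rather than letting each kit rule fire (or stay quiet) in isolation. The script below is an added illustration, not code from Any.Run or from the article: the record shape, the stage-label vocabulary and the sample events are all constructed, and each label simply stands in for whatever an existing kit-specific rule would emit on that event.

```python
from collections import defaultdict

# Constructed sample records: (session_id, sequence_no, stage_label, note).
# "stage_label" stands in for the verdict an existing kit-specific rule emitted on
# that event; the label vocabulary and the events themselves are invented here.
SAMPLE_EVENTS = [
    ("s1", 1, "salty:obfuscated_js", "first-stage loader"),
    ("s1", 2, "salty:trampoline_js", "redirect hop"),
    ("s1", 3, "infra:unreachable", "first-stage host did not respond"),
    ("s1", 4, "tycoon:dga_domain", "fallback landing page"),
    ("s1", 5, "tycoon:aitm_relay", "credentials and session relayed"),
    ("s2", 1, "salty:obfuscated_js", "first-stage loader"),
    ("s2", 2, "salty:trampoline_js", "redirect hop"),
    ("s3", 1, "tycoon:dga_domain", "landing page"),
    ("s3", 2, "tycoon:aitm_relay", "credentials and session relayed"),
]

KITS = ("salty", "tycoon")


def kit_of(stage_label):
    """Return the family prefix of a stage label ('salty', 'tycoon', 'infra', ...)."""
    return stage_label.split(":", 1)[0]


def group_by_session(events):
    """Group records by session id and order each session by sequence number."""
    sessions = defaultdict(list)
    for rec in events:
        sessions[rec[0]].append(rec)
    return {sid: sorted(recs, key=lambda r: r[1]) for sid, recs in sessions.items()}


def single_kit_rule(session_events, kit):
    """A kit-specific rule of the kind the article says now goes quiet: it fires only
    when every kit-attributed event in the session belongs to the one expected kit."""
    kits = [kit_of(r[2]) for r in session_events if kit_of(r[2]) in KITS]
    return bool(kits) and all(k == kit for k in kits)


def classify_session(session_events):
    """Collapse the ordered kit labels into a transition path and classify it.
    A kit change that directly follows an infrastructure error is recorded as the
    fallback pivot the researchers describe."""
    path = []
    pivot_after_error = False
    last_was_error = False
    for _, _, label, _ in session_events:
        kit = kit_of(label)
        if kit == "infra":
            last_was_error = True
            continue
        if kit in KITS and (not path or path[-1] != kit):
            if path and last_was_error:
                pivot_after_error = True
            path.append(kit)
        last_was_error = False
    if path == ["salty", "tycoon"]:
        verdict = "hybrid"
    elif path == ["salty"]:
        verdict = "salty2fa"
    elif path == ["tycoon"]:
        verdict = "tycoon2fa"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "path": path, "pivot_after_infra_error": pivot_after_error}


def classify_sessions(events):
    """Classify every session in a batch of records."""
    return {sid: classify_session(recs) for sid, recs in group_by_session(events).items()}


if __name__ == "__main__":
    for sid, result in classify_sessions(SAMPLE_EVENTS).items():
        print(sid, result)
```

Run against the constructed batch, session s1 is reported as hybrid with a pivot after an infrastructure error, while both single-kit rules stay silent on it; s2 and s3 are still caught by their respective kit rules. The design choice is that the correlation keys on the ordered sequence of kit families and on what preceded a kit change, not on any domain or URL, which is exactly the kind of static indicator the article says can no longer be relied on.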

The rise of hybrid 2FA phishing kits should prepare defenders for campaigns that operate more flexibly, more modularly, and with a higher tolerance for infrastructure failure, the researchers said.

Until recently, the Salty2FA campaign had been in full swing, breaching MFA protections with a mix of advanced tactics, including cloaking within trusted platforms like Cloudflare Turnstile. Its merging with Tycoon2FA is a serious threat, considering how the latter is already blamed for almost 90% of recent PhaaS incidents.

Originally published by CSO Online as “Hybrid 2FA phishing kits are making attacks harder to detect”.