Salty2FA: Multi-Stage Evasion in Modern Phishing

Summary

The Ontinue Cyber Defence Center has discovered an ongoing sophisticated phishing campaign employing the Salty2FA phishing kit, revealing several notable technical innovations that demonstrate the evolving landscape of modern phishing operations. This research documents emerging evasion techniques that represent the continuous development in phishing kit capabilities and operational sophistication.

Key Discoveries:

  • Session-Based Rotating Subdomains – Each session request is served from a new subdomain.
  • Aha Platform Abuse – A legitimate platform, aha[.]io, is abused to stage the initial vector of the phishing attack.
  • Sophisticated defence evasion techniques – Cloudflare features, including Turnstile, are used to block specific ASNs, and the kit performs anti-debugging checks against analysis.
  • Dynamic Corporate Branding – The phishing kit implements automated theming functionality that parses victim email domains and applies corresponding corporate branding (logos, colors, styling). Testing across healthcare, financial services, technology, energy, and automotive sectors confirmed broad cross-industry targeting with customized visual profiles for each sector, enhancing social engineering effectiveness through familiar corporate interfaces.

Threat Actor Attribution

At the time of analysis, no definitive attribution to a specific threat actor has been established for this phishing campaign. While the infrastructure and techniques observed share similarities with documented threat actor operations, insufficient evidence exists to make a confirmed attribution assessment.

Current evidence consists primarily of tactical, technical, and procedural (TTP) similarities rather than definitive infrastructure overlap or unique operational signatures. The sophistication level and systematic approach suggest an established threat actor or organized cybercriminal operation, but specific identification requires additional intelligence correlation.

Initial Access Vector

Our analysis uncovered a very recent registration on Aha[.]io, where the threat actor created an account and quickly deployed a page resembling a OneDrive sharing prompt, with a link to click in the centre. This is not a normal use of the platform, but it is something we see across the board in different phishing campaigns.

  • Account Creation: September 3, 2025 (extremely recent)
  • Account Status: Trial/unpaid (typical of throwaway operations)
  • Content Type: Shared knowledge base document

The webpage frame contains all the personally identifiable information (PII) from the threat actor’s registration, which gives a clearer picture of the operator. Since the threat actor is impersonating a known business, we have redacted this information for now.

Figure 1 – Phishing Lure

Multi-stage Infrastructure

This is where things become interesting. Phishing kits frequently make use of Cloudflare Turnstile, and here we find ourselves once more!

Stage 1: Initial Redirect

  • URL: https[:]//cloudnestde[.]com[.]de/ZSVL5u7zun5/
  • Domain Strategy: .com.de TLD combination for legitimacy spoofing

Stage 2: Anti-Analysis Protection

  • URL: https[:]//[SUBDOMAIN].cloudnestde[.]com[.]de/ZSVL5u7zun5/
  • Protection: Cloudflare Turnstile captcha
  • Function: Filter automated security tools and sandboxes

Figure 2 – Turnstile

Stage 3: Credential Harvester

  • URL Pattern: https[:]//[SUBDOMAIN].cloudnestde[.]com[.]de/[HEX-SEGMENTS]/
  • Example: /beee2a615f-9a544899af565835dc-8da96ba5668-3e4b5f5b16-b23a8e63c90-99da754fd-17a312ff/
  • Purpose: Final credential harvesting page

Figure 3 – Credential Harvester

The phishing kit implements dynamic branding functionality to enhance social engineering effectiveness. Technical analysis reveals the malicious infrastructure maintains a corporate theme database that automatically customizes fraudulent login interfaces based on victim email domains.

The mechanism operates by parsing the domain portion of entered email addresses and applying pre-configured visual themes. As demonstrated in the captured sample, entering name@company[.]com triggers AMD corporate branding elements including authentic logos, color schemes, and corporate styling. This domain-to-theme mapping creates convincing replicas of legitimate corporate authentication portals.

Further testing across multiple industry sectors including healthcare, financial services, technology, energy, and automotive confirmed the phishing kit’s broad targeting strategy. Corporate domains from each tested sector triggered customized branding, indicating the threat actors have developed extensive visual profiles across diverse industries rather than focusing on specific verticals.

Defence Evasion Techniques

Recent phishing kits employ geo-blocking and IP filtering to evade analysis. Threat actors configure their sites to block traffic from known security vendor IP ranges and cloud providers where sandboxes typically operate. When SOC teams attempt to analyze URLs from corporate networks, they encounter connection errors. This requires analysts to use residential VPNs or alternative IP addresses to successfully access and analyze the malicious content.

As shown in the image below, I am blocked from accessing the final page (the credential harvester), which complicates triage decisions.

Figure 4 – IP Filtering

Session-Based Subdomain Rotation

While it initially appears to be a traditional Domain Generation Algorithm (DGA) implementation, analysis reveals an evolution beyond classic malware C2 patterns. Rather than time-seeded random generation, this infrastructure employs session-triggered assignment from pre-computed, dictionary-based subdomain pools. This session-based rotation technique shares DGA principles but shifts the application from persistent malware communication to real-time phishing evasion. If you look at the subdomains in the images on this blog, you will notice that they differ in each screenshot.
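The following is an added example, not code from the Ontinue write-up or the Salty2FA kit, showing how a SOC might triage proxy logs for the Stage 3 hex-segment path pattern and for the per-session subdomain rotation described above. The log line format, the `cloud-a17` and `drive-c52` labels and the `registrable_domain` helper are constructed assumptions; only `home-b38`, the `cloudnestde.com.de` domain and the example path come from the post.

```python
"""Added example (not code from the Ontinue write-up or the Salty2FA kit): triage
proxy logs for the Stage 3 hex-segment path and for the per-session subdomain
rotation described in the post. The log line format is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Stage 3 harvester path: three or more hyphen-joined hex runs of 6+ chars, trailing
# slash. UUIDs do not match because their 4-character groups are too short.
HEX_PATH_RE = re.compile(r"^/(?:[0-9a-f]{6,}-){3,}[0-9a-f]{6,}/$")

def registrable_domain(host: str) -> str:
    """x.cloudnestde.com.de -> cloudnestde.com.de. Simplified stand-in for a
    public-suffix lookup (assumption); handles com.de / co.uk style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("com", "co", "net", "org") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def analyse(log_lines):
    """Return (hits, rotating): hits are (timestamp, host) for harvester-pattern URLs;
    rotating maps a base domain to its sorted distinct subdomains when 3+ were seen."""
    hits, subdomains = [], defaultdict(set)
    for line in log_lines:
        ts, _src_ip, url = line.split(maxsplit=2)
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
        base = registrable_domain(host)
        if host != base:                       # record the subdomain label(s)
            subdomains[base].add(host[: -len(base) - 1])
        if HEX_PATH_RE.match(parts.path):
            hits.append((ts, host))
    rotating = {d: sorted(s) for d, s in subdomains.items() if len(s) >= 3}
    return hits, rotating

# Constructed sample: Stage 1 -> Stage 2 -> Stage 3 for one client (home-b38 is from the
# post; the other subdomain labels are made up), plus a benign UUID-style URL.
SAMPLE_LOG = [
    "2025-09-04T09:12:01Z 10.0.0.5 https://cloudnestde.com.de/ZSVL5u7zun5/",
    "2025-09-04T09:12:03Z 10.0.0.5 https://home-b38.cloudnestde.com.de/ZSVL5u7zun5/",
    "2025-09-04T09:12:09Z 10.0.0.5 https://cloud-a17.cloudnestde.com.de/ZSVL5u7zun5/",
    "2025-09-04T09:12:15Z 10.0.0.5 https://drive-c52.cloudnestde.com.de/"
    "beee2a615f-9a544899af565835dc-8da96ba5668-3e4b5f5b16-b23a8e63c90-99da754fd-17a312ff/",
    "2025-09-04T09:13:00Z 10.0.0.7 https://docs.example.com/123e4567-e89b-12d3-a456-426614174000/",
]

if __name__ == "__main__":
    harvester_hits, rotation = analyse(SAMPLE_LOG)
    print("harvester hits:", harvester_hits)
    print("rotating subdomains:", rotation)
```

Because the subdomain changes per session, the rotation indicator (many distinct labels under one base domain in a short window) is a more durable signal than any single hostname block.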

Figure 5 – Session-Based Subdomain Rotation

Technical Deep Dive

JavaScript-Based Anti-Debugging Implementation

The Salty2FA phishing kit employs sophisticated client-side protection mechanisms designed to prevent security researchers from analyzing the malicious code. The implementation includes multiple layers of defense that activate when developer tools are detected.

Keyboard Event Blocking

The kit intercepts common developer tool shortcuts and prevents their execution.

This blocks F12, Ctrl+Shift+I (Inspector), Ctrl+Shift+J (Console), Ctrl+Shift+C (Element Selector), Ctrl+U (View Source), and Ctrl+S (Save Page).

Figure 6 – Keyboard Event Blocking

Performance-Based Debugger Detection

The kit uses timing analysis to detect when debugging tools are active.

Figure 7 – Performance-Based Debugger Detection

When developer tools are open, the debugger statement causes execution to pause, creating a measurable delay. If this delay exceeds 100ms, the code triggers an infinite loop of debugger breakpoints, effectively crashing the analysis session.

Console Detection Through Object Property Access

The kit employs a clever technique using image objects with getter properties:

Figure 8 – Console Detection Through Object Property Access

Code Obfuscation and String Encryption

The kit uses XOR encryption for string obfuscation: critical strings are encrypted with a static key and decoded at runtime.

Figure 9 – XOR Encryption

Multi-Factor Authentication Simulation

The phishing kit supports six distinct 2FA methods, each with dedicated UI flows.

Figure 10 – MFA Simulation

  • SMS Authentication (SMS) – Text message verification
  • Authenticator Apps (OTP) – TOTP code entry
  • Phone Calls (CALL) – Voice verification
  • Push Notifications (PUSH) – Mobile app approval
  • Backup Codes (COD) – Recovery code entry
  • Hardware Tokens (PUSHOFF) – Physical device authentication

Network Traffic Analysis: Real-Time Infrastructure Communication

The network analysis provides concrete evidence of Salty2FA’s sophisticated infrastructure design in action. During live analysis, we captured several revealing HTTP requests that demonstrate the kit’s operational complexity.

Cross-Domain Communication Pattern

One particularly interesting request shows communication from home-b38[.]cloudnestde[.]com[.]de to marketmagnet[.]ru:

GET hxxps[:]//marketmagnet[.]ru/
Host: home-b38[.]cloudnestde[.]com[.]de
Status: 200 OK
Content-Length: 71807 bytes
Server: cloudflare

This traffic pattern reveals several key aspects of the campaign’s infrastructure:

Subdomain Validation

The “home-b38” subdomain confirms the session-based rotation system described earlier. Each victim session receives a unique subdomain identifier, making traditional blocking approaches ineffective.

Multi-Domain Architecture

The request to marketmagnet[.]ru from a cloudnestde[.]com[.]de subdomain indicates a distributed infrastructure spanning multiple domains. This cross-domain communication likely serves multiple purposes:

  • Fetching victim-specific configuration data
  • Loading additional JavaScript payloads or corporate branding assets
  • Exfiltrating captured credentials to different collection points

The Bigger Picture

Beneath these active defenses lies layer upon layer of code obfuscation. Every string, every function name, every meaningful identifier has been scrambled through a custom XOR encryption scheme. The kit uses a hardcoded key (684c985a29c67596b5e66d6028bdad6d) to decrypt critical strings at runtime, making static analysis nearly impossible without first understanding the decryption mechanism.
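Covering both the XOR string obfuscation described under Code Obfuscation and String Encryption and the hardcoded key quoted here, the following is an added analyst helper, not the kit's own code. The post does not state how the kit schedules the key, so the snippet assumes repeating-key XOR and tries both readings of the 32-hex-character key (16 raw bytes or the ASCII characters), keeping whichever decodes to the most printable text; the sample ciphertext is constructed.

```python
"""Added example (not the kit's code): an analyst helper for recovering XOR-obfuscated
strings given the hardcoded key quoted in the post. The post does not say how the kit
schedules the key, so this assumes repeating-key XOR and tries both readings of the
32-hex-character key, keeping whichever decodes to the most printable text."""
import string

KEY_HEX = "684c985a29c67596b5e66d6028bdad6d"          # key string quoted in the write-up
PRINTABLE = set(string.printable.encode("ascii"))

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def candidate_keys(key_hex: str) -> dict:
    """Two readings of the key: 16 raw bytes, or the 32 ASCII hex characters themselves."""
    return {"raw": bytes.fromhex(key_hex), "ascii": key_hex.encode("ascii")}

def decode(cipher_hex: str, key_hex: str = KEY_HEX):
    """Return (reading, plaintext, printable_score) for the best-scoring key reading."""
    data = bytes.fromhex(cipher_hex)
    best = None
    for name, key in candidate_keys(key_hex).items():
        plain = xor_bytes(data, key)
        score = printable_ratio(plain)
        if best is None or score > best[2]:
            best = (name, plain.decode("latin-1"), score)
    return best

# Constructed sample: a known plaintext obfuscated here with the ASCII reading of the key,
# so the decoder has to pick the right reading rather than being told it.
SAMPLE_CIPHER_HEX = xor_bytes(b"constructed sample string", candidate_keys(KEY_HEX)["ascii"]).hex()

if __name__ == "__main__":
    reading, text, score = decode(SAMPLE_CIPHER_HEX)
    print(f"key reading={reading} score={score:.2f} text={text!r}")
```

Once the correct reading is known, the same function can be run over every encoded literal pulled from the kit's JavaScript to rebuild a readable copy for static review.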

What makes this particularly insidious is how the obfuscation integrates with the kit’s operational functionality. Corporate branding rules, authentication flow logic, and server communication: all of it is hidden behind this cryptographic wall. An analyst who manages to bypass the anti-debugging measures still faces the daunting task of reverse-engineering the entire obfuscation scheme.

The integration of anti-analysis techniques, dynamic infrastructure, and behavioral psychology creates a formidable opponent that challenges traditional detection and response methodologies. For security teams, this evolution demands equally sophisticated countermeasures and a fundamental rethinking of how we approach phishing threat intelligence.

Conclusion

We’re seeing phishing operations mature into something that resembles legitimate software development. Salty2FA demonstrates how cybercriminals now approach infrastructure with the same methodical planning that enterprises use for their own systems.

What makes this particularly concerning is how these techniques blur the line between legitimate and malicious traffic. When phishing kits implement proper HTTPS, pass security challenges, and mirror authentic corporate interfaces down to the pixel, traditional detection methods struggle. Users can’t rely on the usual warning signs when everything appears legitimate.

For defenders, this creates a fundamental tension between static and dynamic analysis. Online sandboxes should be used to assess domains and URLs so that key decisions rest on observed behaviour, but relying solely on online tools is insufficient; hands-on analysis is sometimes necessary to confirm activity.

The practical reality is that user education becomes more critical as technical controls become less reliable. When legitimate-looking sites can harvest credentials through convincing multi-factor authentication flows, human judgment often becomes the last line of defense.

Indicators of Compromise

Please view the GitHub repository for a list of indicators. https://github.com/ontinue-research/threat-intel-iocs/blob/main/Public/2025-09-05-IOCs-Salty2FA.md

Article By

Rhys Downing
Threat Researcher

Rhys is a Threat Researcher at Ontinue. Rhys started his career in IT, as a technician, which is where he discovered the world of cybersecurity. He ultimately decided to complete his degree in cyber and then landed his first role as a SOC analyst in 2021.

He said that what interests him the most about security is malware. He loves analyzing it and breaking it down to uncover its capabilities.