Source: hackread.com – Author: Deeba Ahmed.
A new, sophisticated phishing kit, Salty2FA, is using advanced tactics to bypass MFA and mimic trusted brands. Read expert analysis on how these “Phishing 2.0” attacks are challenging traditional security defences.
A new era of cyberattacks has emerged, led by a phishing kit so advanced it mimics the development practices of legitimate software companies. In new research shared exclusively with Hackread.com, the Ontinue Cyber Defence Centre has revealed a sophisticated phishing campaign leveraging a new framework known as Salty2FA, demonstrating a dramatic evolution in phishing tactics that evades the most advanced security defences.
The campaign begins with a deceptive email that leads victims to a fake document-sharing page hosted on a legitimate platform, Aha.io. This account was, reportedly, created on September 3, 2025, and was running on a free trial basis.
This initial lure is designed to exploit a user’s trust in a well-known service. Upon clicking, they get exposed to a multi-stage attack chain. This process includes a Cloudflare Turnstile captcha, a security feature meant to stop bots, that ironically filters out automated security tools and sandboxes, making it harder for defenders to analyse the threat.
Interestingly, the phishing kit’s infrastructure is built to evade traditional blocking methods. It uses session-based rotating subdomains, so a new, unique address is created for each new victim, making it very difficult for security teams to track and block the malicious site.
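One way a defender could hunt for the per-victim subdomain pattern described above in proxy or DNS logs, as an added example that is not from Ontinue's report or the original article. The log format, the `.example` hostnames and the thresholds are constructed assumptions, as is the heuristic itself: many subdomains of one parent domain, each contacted by a single client.

```python
from collections import defaultdict

# Constructed sample proxy log: "<client> <hostname>" per line (not real data).
SAMPLE_LOG = """\
10.0.0.11 a9f3k2.login-portal.example
10.0.0.12 q7x1m8.login-portal.example
10.0.0.13 z4p0c6.login-portal.example
10.0.0.14 h2v9t5.login-portal.example
10.0.0.11 www.intranet.example
10.0.0.12 www.intranet.example
10.0.0.13 mail.intranet.example
10.0.0.14 www.intranet.example
10.0.0.11 cdn1.static.example
10.0.0.12 cdn1.static.example
"""

def parent_domain(host):
    # Assumption: the last two labels are the registrable domain. Production
    # code should use the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def per_victim_subdomain_parents(log_text, min_hosts=3, min_ratio=0.8):
    """Return parents where most subdomains were contacted by exactly one client."""
    clients_by_host = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, host = parts
        clients_by_host[host.lower()].add(client)

    hosts_by_parent = defaultdict(list)
    for host in clients_by_host:
        if host.count(".") >= 2:  # only hosts that have a subdomain label
            hosts_by_parent[parent_domain(host)].append(host)

    flagged = {}
    for parent, hosts in hosts_by_parent.items():
        single = [h for h in hosts if len(clients_by_host[h]) == 1]
        if len(hosts) >= min_hosts and len(single) / len(hosts) >= min_ratio:
            flagged[parent] = sorted(hosts)
    return flagged

if __name__ == "__main__":
    for parent, hosts in per_victim_subdomain_parents(SAMPLE_LOG).items():
        print(f"{parent}: {len(hosts)} single-client subdomains")
```

Legitimate multi-tenant services also give each customer its own subdomain, so a hit is a lead for review rather than a block decision.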
The Art of Impersonation
In their report, Ontinue researchers noted that the attackers have mastered the art of impersonation. The Salty2FA kit automatically customises fraudulent login pages based on a victim’s email domain. This “dynamic corporate branding” functionality creates an authentic-looking replica of a company’s login portal, complete with its logo, colours, and styling.
The research confirmed this broad targeting across industries like healthcare, finance, technology, and energy, representing a systematic approach to enhancing social engineering efforts.
To make matters worse, the kit even simulates six different types of multi-factor authentication, including SMS, authenticator apps, and phone calls. This convinces victims they are on a real, secure site while the kit bypasses a critical security layer. The malware also employs complex code obfuscation and anti-debugging techniques to hinder security researchers.
The Bigger Picture
While the sophistication of this campaign suggests an established criminal group is behind it, the researchers could not definitively link the attack to a specific threat actor. The evidence consists of similar tactics and techniques, not unique digital fingerprints or infrastructure, which shows just how skilled these attackers are at concealing their identity.
Researchers believe that this campaign is part of a larger trend that highlights a growing crisis in cybersecurity. According to new data from Menlo Security, browser-based phishing attacks have seen a 140% increase compared to 2023, with zero-hour phishing attacks, which exploit vulnerabilities before they are patched, rising by 130% in the same period. This rise shows how advanced phishing kits are getting past standard security tools, leaving user awareness as the main defence.
Several security experts have analysed this new threat and shared their insights with Hackread.com. Nicole Carignan, Senior Vice President, Security & AI Strategy, and Field CISO at Darktrace, pointed out that many security tools fail to recognise new threats. She stressed that organisations can’t rely on employees as the last line of defence. Instead, they must use machine-learning tools that can build a profile of normal user activity to “accurately recognise suspicious activity.”
Jason Soroko, Senior Fellow at Sectigo, explained that not all multi-factor authentication is created equal. He clarified that while MFA raises the difficulty for attackers, weak forms that rely on “shared secrets,” such as a one-time password, can be just as vulnerable to fake authentication pages as regular passwords. He emphasised that education and awareness are crucial for bolstering MFA’s effectiveness.
Original Post url: https://hackread.com/salty2fa-phishing-kit-bypasses-mfa-clone-login-pages/
Category & Tags: Security,Phishing Scam,Cyber Attack,Cyber Crime,Cybersecurity,Fraud,Phishing,Phishing Kit,Salty2FA,Scam