Overview
- Ontinue publicly detailed Salty2FA on Sept. 9, while ANY.RUN reports campaigns running since late July, with activity ramping up from June across multiple industries.
- Salty2FA automates company-specific login clones, rotates unique subdomains per session, and simulates push, SMS, and voice-based MFA to capture credentials and codes.
- Attack chains begin with lures hosted on trusted services, including a fake Aha.io document page tied to a free-trial account created Sept. 3, and route victims through Cloudflare Turnstile checks before the phishing page loads.
- The kit employs obfuscated JavaScript, anti-debugging logic, XOR-encrypted strings, and distributed cross-domain infrastructure to hinder analysis and frustrate takedowns.
- Attribution remains unresolved, and experts recommend sandboxing suspicious emails, emphasizing behavioral and ML-based detection, and favoring phishing-resistant MFA over SMS or voice.