
Defending against the two-pronged attack
For defenders, this means attribution becomes murkier, hunting hypotheses weaker, and early detection far harder. Any.Run warned that relying on static indicators of compromise such as domains and URLs is no longer sufficient; defenders now need to watch behavior patterns, fallback routines, and hybrid execution flows for signs of campaign activity.
“If Salty infrastructure becomes unavailable, the same campaign may pivot into Tycoon2FA without leaving a clear break,” the researchers noted. “Threat hunting should look for those transitions to avoid missing supporting evidence.”
The rise of hybrid 2FA phishing kits means defenders should prepare for campaigns that operate more flexibly, more modularly, and with a higher tolerance for infrastructure failure, the researchers said.
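The hunting approach described above (looking for transitions between kits, rather than matching static domains) can be turned into a small correlation check over sandbox or proxy telemetry. The following is an added example written for this article, not code from Any.Run or from the research it cites. It assumes an upstream behavioural rule has already tagged each request with a kit family label (here `salty` and `tycoon2fa`, used only as labels) and an outcome; the session ids, timestamps and outcomes are constructed sample data, not real indicators. It then reports every point in a session where the tagged kit changes and whether that change looks like a fallback, i.e. it follows a failed contact with the previous kit's infrastructure within a short window.

```python
"""Hunt for kit transitions inside one phishing session (added example).

Groups behaviour-tagged events by session and reports where the kit family
changes. A change that follows a failed contact with the previous kit's
infrastructure within `window_s` seconds is flagged as a fallback, which is
the "Salty unavailable, pivot into Tycoon2FA" pattern the researchers describe.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    session: str   # sandbox run or browser session id (constructed)
    ts: int        # seconds since session start
    kit: str       # family label from a behavioural rule, not a domain match
    outcome: str   # "ok" or "fail" for the request to that kit's infrastructure


class Transition(NamedTuple):
    session: str
    from_kit: str
    to_kit: str
    delta_s: int   # seconds between last event of from_kit and first of to_kit
    fallback: bool # previous contact failed and the switch happened within window


def find_kit_transitions(events: List[Event], window_s: int = 60) -> List[Transition]:
    """Return every kit change per session, in session insertion order."""
    by_session: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_session[ev.session].append(ev)

    found: List[Transition] = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)   # telemetry may arrive out of order
        prev = evs[0]
        for cur in evs[1:]:
            if cur.kit != prev.kit:
                delta = cur.ts - prev.ts
                found.append(Transition(
                    session, prev.kit, cur.kit, delta,
                    fallback=(prev.outcome == "fail" and delta <= window_s),
                ))
            prev = cur
    return found


# Constructed sample telemetry; nothing here is a real indicator.
SAMPLE_EVENTS = [
    Event("s1", 0,   "salty",     "ok"),
    Event("s1", 4,   "salty",     "fail"),  # Salty infrastructure unreachable
    Event("s1", 6,   "tycoon2fa", "ok"),    # same session continues on Tycoon2FA
    Event("s2", 0,   "tycoon2fa", "ok"),
    Event("s2", 10,  "tycoon2fa", "ok"),    # single kit, no transition
    Event("s3", 0,   "salty",     "ok"),
    Event("s3", 900, "tycoon2fa", "ok"),    # kit change, but no failure and too slow
]


def fallback_sessions(events: List[Event], window_s: int = 60) -> List[str]:
    """Sessions that show the failure-then-pivot pattern; the highest-priority hunt lead."""
    return [t.session for t in find_kit_transitions(events, window_s) if t.fallback]


if __name__ == "__main__":
    for t in find_kit_transitions(SAMPLE_EVENTS):
        tag = "FALLBACK" if t.fallback else "transition"
        print(f"{t.session}: {t.from_kit} -> {t.to_kit} after {t.delta_s}s [{tag}]")
```

A plain kit change (session `s3`) is still worth recording as supporting evidence that two kits belong to one campaign, but a change that immediately follows a failed request (session `s1`) is the one that should raise a hunting lead, since it is the behaviour a static domain list would never connect.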
