August 2025 has marked a significant evolution in cybercrime tactics, with threat actors deploying increasingly sophisticated phishing frameworks and social engineering techniques that are successfully bypassing traditional security defenses.
Security researchers at ANY.RUN have identified three major campaign families that represent a fundamental shift in how cybercriminals approach credential theft and system compromise: the multi-stage Tycoon2FA phishing framework, ClickFix-delivered Rhadamanthys stealer operations, and the emergence of Salty2FA, a new Phishing-as-a-Service (PhaaS) platform linked to the notorious Storm-1575 group.
These campaigns demonstrate an alarming trend toward highly targeted, multi-layered attacks that combine advanced evasion techniques with psychological manipulation to defeat both automated security systems and human vigilance.
Unlike traditional mass phishing attempts, these sophisticated frameworks specifically target high-value accounts in government, financial, and critical infrastructure sectors.
Tycoon2FA: Seven-Stage Phishing Chain
The Tycoon2FA campaign represents a paradigm shift in phishing sophistication, employing a seven-stage execution chain that systematically defeats automated security tools while exhausting human targets.
This framework has emerged as one of the most effective credential harvesting operations observed in 2025, specifically targeting government agencies, military installations, and major financial institutions across the United States, the United Kingdom, Canada, and Europe.
The attack methodology begins with carefully crafted voicemail-themed phishing emails that initiate a complex redirection chain. Victims are guided through multiple validation screens, including Cloudflare Turnstile CAPTCHAs and “press-and-hold” anti-bot checks, before reaching the final Microsoft login spoofing panel. Each stage serves dual purposes: filtering out automated analysis tools while building psychological commitment from human targets.
Tycoon2FA seven-stage phishing execution chain
Analysis data reveals that 26% of Tycoon2FA campaigns specifically target banking sector employees, indicating deliberate focus on high-value financial credentials rather than opportunistic credential harvesting.
The framework’s selectivity extends to government and military personnel, where single compromised accounts can provide access to classified systems and sensitive national security information.
ANY.RUN’s Automated Interactivity feature walks the full seven-stage execution flow, which proceeds as follows: initial phishing email delivery, fake PDF attachment download, embedded hyperlink activation, Cloudflare CAPTCHA challenge, manual interaction verification, email validation requirement, and finally, credential harvesting through spoofed authentication panels.
Phishing exposure through a deceptive voice message download prompt.
This methodology effectively defeats signature-based detection systems while requiring sustained human engagement that builds trust and reduces suspicion.
ClickFix Evolution
The ClickFix technique has evolved significantly beyond its original NetSupport RAT and AsyncRAT delivery mechanisms, now serving as a sophisticated vector for deploying advanced information stealers like Rhadamanthys.
This evolution represents a concerning escalation in both technical complexity and evasion capabilities, combining social engineering psychology with advanced malware deployment techniques.
Recent campaigns utilize ClickFix flows to deliver Rhadamanthys stealer through Microsoft Installer (MSI) packages that execute silently in memory, bypassing traditional file-based detection systems. In the ANY.RUN Sandbox, the delivery of Rhadamanthys via ClickFix can be observed step by step.
Rhadamanthys malware delivery vector via ClickFix, illustrating the malicious code execution and payload extraction process.
The attack chain employs anti-virtual machine checks to evade sandbox analysis while establishing TLS connections directly to IP addresses, circumventing DNS monitoring and domain reputation systems.
Stage             Technique                    MITRE ATT&CK ID   Evasion Method
Initial Delivery  ClickFix Social Engineering  T1566             Human Interaction Required
Installation      MSI Silent Execution         T1218.007         In-Memory Processing
Evasion           Anti-VM Detection            T1497.001         Environment Analysis
Communication     Direct IP TLS                T1071.001         DNS Bypass
Payload Delivery  PNG Steganography            T1027.003         Visual Obfuscation
The most sophisticated aspect of these campaigns involves steganography-based payload delivery through compromised PNG image files.
Attackers embed additional malware components within image data, allowing secondary payload deployment while appearing as legitimate graphic content to security scanners. This technique effectively bypasses content inspection systems that focus on executable file types.
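The structural checks below are an added example written for this article, not code from ANY.RUN or from the campaigns described. Rather than relying on file type alone, a defender can parse the PNG chunk layout and flag what a scanner keyed on executable types would miss: bytes appended after the IEND chunk, chunk types outside the standard set, oversized ancillary chunks, and CRC mismatches. The sample images, the `prIv` chunk name and the appended blob are all constructed here to exercise the checks and carry no real payload.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
KNOWN_CHUNKS = CRITICAL | {
    b"tEXt", b"zTXt", b"iTXt", b"pHYs", b"gAMA", b"sRGB", b"cHRM",
    b"bKGD", b"tRNS", b"tIME", b"sBIT", b"iCCP", b"hIST", b"sPLT",
}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A valid 1x1 grayscale PNG (constructed sample, not a real file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_samples() -> dict:
    """Constructed test images: clean, data appended after IEND, and a private chunk."""
    clean = build_minimal_png()
    appended = clean + b"CONSTRUCTED-OPAQUE-BLOB" * 3      # simulates trailing bytes
    iend = _chunk(b"IEND", b"")
    private = clean[:-len(iend)] + _chunk(b"prIv", b"\x00" * 5000) + iend  # 'prIv' is invented
    return {"clean": clean, "appended": appended, "private_chunk": private}


def inspect_png(blob: bytes, max_ancillary: int = 4096) -> dict:
    """Walk the chunk list and report structural anomalies worth a second look."""
    findings = []
    if not blob.startswith(PNG_SIGNATURE):
        return {"valid_png": False, "chunks": [], "trailing_bytes": 0, "findings": ["bad-signature"]}
    pos = len(PNG_SIGNATURE)
    chunks = []
    saw_iend = False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            findings.append("truncated-chunk")
            break
        name = ctype.decode("latin-1")
        (crc,) = struct.unpack(">I", crc_bytes)
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            findings.append(f"crc-mismatch:{name}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown-chunk:{name}")
        if ctype not in CRITICAL and length > max_ancillary:
            findings.append(f"oversized-ancillary:{name}")
        chunks.append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    trailing = len(blob) - pos
    if not saw_iend:
        findings.append("missing-iend")
    if trailing > 0:
        findings.append(f"trailing-bytes:{trailing}")  # decoders ignore this region entirely
    return {"valid_png": True, "chunks": chunks, "trailing_bytes": trailing, "findings": findings}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, inspect_png(blob)["findings"])
```

Trailing bytes after IEND and unknown chunks are triage indicators, not proof: some legitimate tools append metadata, and a payload hidden in the pixel data itself (for example, in low-order bits) passes every structural check here, so pair this with behavioral monitoring of whatever process later reads the image.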
Threat actors have also implemented self-signed TLS certificates with deliberately mismatched Issuer/Subject fields, creating unique network artifacts while maintaining encrypted communication channels.
These certificates serve dual purposes: avoiding commercial certificate authority oversight while providing distinctive hunting signatures for advanced threat detection teams.
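The triage script below is an added example, not code from ANY.RUN or from the article. It turns the two network artifacts described above, TLS sessions to bare IP addresses with no hostname, and self-signed certificates whose Issuer and Subject do not match, into a behavioral rule run over connection metadata. The record shape is loosely modeled on Zeek's ssl.log (`server_name`, `validation_status`, `subject`, `issuer`), but every value, IP address and certificate name in the sample is constructed for this example.

```python
import ipaddress
import json

# Constructed sample, one JSON record per line. Addresses are RFC 5737 documentation
# ranges and the certificate names are invented; nothing here is a real indicator.
SAMPLE_SSL_LOG = """
{"ts": 1724140800.1, "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "server_name": null, "validation_status": "self signed certificate", "subject": "CN=example-cdn.test", "issuer": "CN=Unrelated Root CA"}
{"ts": 1724140801.2, "id.orig_h": "10.0.0.5", "id.resp_h": "192.0.2.80", "server_name": "www.example.test", "validation_status": "ok", "subject": "CN=www.example.test", "issuer": "CN=Example Public CA"}
{"ts": 1724140802.3, "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.23", "server_name": "198.51.100.23", "validation_status": "self signed certificate", "subject": "CN=198.51.100.23", "issuer": "CN=198.51.100.23"}
{"ts": 1724140803.4, "id.orig_h": "10.0.0.9", "id.resp_h": "192.0.2.55", "server_name": "login.corp.test", "validation_status": "self signed certificate", "subject": "CN=login.corp.test", "issuer": "CN=Some Other Name"}
"""


def is_ip_literal(name) -> bool:
    """True when the SNI value is an IPv4/IPv6 address rather than a hostname."""
    if not name:
        return False
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def triage(record: dict) -> list:
    """Tag one TLS session with the behavioral indicators discussed in the article."""
    tags = []
    sni = record.get("server_name")
    if sni is None or is_ip_literal(sni):
        # No hostname was resolved, so DNS logging and domain reputation never saw it.
        tags.append("tls-to-bare-ip")
    if record.get("validation_status") == "self signed certificate":
        tags.append("self-signed")
        if record.get("subject") != record.get("issuer"):
            # A genuine self-signed certificate normally has Issuer == Subject;
            # a deliberate mismatch is the artifact described above.
            tags.append("issuer-subject-mismatch")
    return tags


def priority(tags: list) -> str:
    """Combine tags into a coarse severity for analyst queueing."""
    if "tls-to-bare-ip" in tags and "issuer-subject-mismatch" in tags:
        return "high"
    if "tls-to-bare-ip" in tags or "issuer-subject-mismatch" in tags:
        return "medium"
    return "low"


def scan(log_text: str) -> list:
    """Return one finding per session that matched at least one indicator."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        tags = triage(rec)
        if tags:
            findings.append({
                "ts": rec["ts"],
                "orig_h": rec["id.orig_h"],
                "resp_h": rec["id.resp_h"],
                "tags": tags,
                "priority": priority(tags),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SSL_LOG):
        print(f["priority"], f["resp_h"], ",".join(f["tags"]))
```

Self-signed certificates on bare IP addresses are also common for internal appliances and lab gear, so baseline the environment first and restrict the high-priority rule to egress traffic from user workstations; the Issuer/Subject mismatch is the more specific of the two signals and survives infrastructure turnover because it is a property of how the certificates are generated, not of any one address.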
Salty2FA: Next-Generation PhaaS Framework
The discovery of Salty2FA represents perhaps the most significant development in phishing infrastructure evolution, introducing a comprehensive Phishing-as-a-Service platform capable of bypassing virtually all current multi-factor authentication implementations.
First identified in June 2025, this framework has rapidly expanded to target Microsoft 365 accounts across multiple continents, with particular focus on North American and European enterprise environments.
Salty2FA derives its name from distinctive source code “salting” techniques that disrupt both static analysis tools and manual reverse engineering efforts.
The framework implements adversary-in-the-middle capabilities that can intercept push notifications from mobile authentication applications, SMS-based one-time passwords, and even two-way voice authentication calls. This comprehensive 2FA bypass capability represents a fundamental threat to current enterprise authentication strategies.
Salty2FA phishing kit execution chain
Infrastructure analysis reveals consistent patterns in Salty2FA deployment, utilizing compound subdomain structures paired with Russian top-level domains for command and control operations.
The framework utilizes chained server architectures, which provide resilient communication channels but complicate attribution and takedown efforts.
Attribution evidence suggests connections between Salty2FA and the Storm-1575 threat group, previously responsible for the Dadsec phishing kit operations. Here is an example analysis session showing Salty2FA behavior, the download, and an actionable report.
Phishing attempt targeting Microsoft login credentials.
However, infrastructure overlaps also indicate potential relationships with Storm-1747, the group behind Tycoon2FA campaigns. These connections suggest possible collaboration between previously distinct threat actors or evolution within existing criminal organizations.
Financial services and insurance organizations
Energy production and manufacturing facilities
Healthcare systems and telecommunications providers
Government agencies, educational institutions, and logistics networks
These campaign developments represent a fundamental shift in cybercriminal capabilities, moving beyond opportunistic attacks toward sustained, targeted operations against high-value institutional targets.
The sophistication demonstrated in multi-stage evasion, advanced steganography, and comprehensive 2FA bypass techniques indicates significant investment in research and development within criminal organizations.
Traditional security approaches focused on signature-based detection and static analysis prove inadequate against these evolved threats.
The combination of human psychological manipulation with advanced technical evasion creates attack vectors that require behavioral analysis, interactive sandbox environments, and continuous threat intelligence integration for effective detection and response.
Organizations must implement layered security strategies that combine advanced behavioral analytics, interactive malware analysis capabilities, and comprehensive threat intelligence integration.
The shift toward PhaaS models suggests that these sophisticated techniques will become increasingly accessible to lower-skilled threat actors, thereby significantly expanding the overall threat landscape.
Security teams should prioritize the development of detection rules based on behavioral indicators rather than static IOCs, as these campaigns demonstrate rapid infrastructure turnover and evasion technique evolution.
The post How ClickFix and Multi-Stage Phishing Frameworks Are Breaking Enterprise Defenses appeared first on Cyber Security News.