Major August 2025 Cyber Attacks: 7-Stage Tycoon2FA Phishing, New ClickFix Campaign, and Salty2FA

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

In August 2025, significant cyber attacks emerged, including a 7-stage Tycoon2FA phishing campaign targeting government, military, and financial institutions across the US, UK, Canada, and Europe. The attack uses multiple verification steps to evade security systems. A new ClickFix campaign delivered the Rhadamanthys Stealer using PNG steganography, indicating increased sophistication in payload delivery. Salty2FA, a new Phishing-as-a-Service framework attributed to Storm-1575, was discovered targeting Microsoft 365 accounts globally, capable of bypassing various 2FA methods. These attacks demonstrate the evolution of phishing kits and stealers, emphasizing the need for behavioral analysis and real-time threat intelligence in cybersecurity defenses.

OPENCTI LABELS :

phishing,rhadamanthys stealer,clickfix,tycoon2fa,salty2fa


AI COMMENTARY :

1. August 2025 witnessed a wave of sophisticated phishing and stealer campaigns that targeted critical sectors across the United States, United Kingdom, Canada, and Europe. These attacks leveraged multi-stage social engineering tactics, image-based payload delivery, and advanced Phishing-as-a-Service frameworks. The evolving threat landscape underscores the importance of continuous monitoring, rapid threat intelligence sharing, and adaptive defenses to protect government, military, and financial institutions from increasingly complex cyber campaigns.

2. The 7-Stage Tycoon2FA phishing operation represented a new level of persistence and deception in credential harvesting. Attackers initiated the campaign with personalized spear-phishing emails that prompted victims to log into counterfeit portals. Subsequent stages enforced repeated two-factor authentication prompts, session renewals, and device confirmations to exhaust user suspicion and evade detection by standard security systems. By the time credentials and one-time codes were exfiltrated, defenders were already several steps behind the attacker’s multi-phase workflow.

3. The ClickFix campaign introduced a novel payload delivery mechanism by embedding the Rhadamanthys Stealer within seemingly innocuous PNG images. Victims received malicious attachments labeled as legitimate application updates, and upon opening the images, hidden stealer code executed silently in the background. This steganography technique bypassed many antivirus and gateway protections that did not inspect image metadata or file contents beyond surface-level heuristics, signaling a worrying increase in payload sophistication and detection evasion strategies.
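The paragraph above notes that gateways which only apply surface-level heuristics to images miss payloads carried inside PNG files. The following is an added example of the kind of structural check a mail gateway or sandbox can run on every inbound PNG; it is not code from the report and it does not reproduce the ClickFix loader. It walks the PNG chunk list, verifies each CRC, and flags the places a payload is most often parked: bytes appended after the IEND chunk, chunk types outside the PNG specification, and text metadata chunks far larger than a caption. The 1x1 sample image, the `stEg` chunk name, and the 4096-byte text limit are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined in the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
# Assumed threshold: a text chunk larger than this is carrying more than a caption.
TEXT_CHUNK_LIMIT = 4096


def make_chunk(ctype, payload):
    """Build one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 RGB PNG used as the clean baseline (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def walk_chunks(data):
    """Return ([(type, payload, crc_ok), ...], offset just past IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) != length:
            raise ValueError("truncated chunk %r" % ctype)
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == stored_crc
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break          # anything after this point is not part of the image
    return chunks, pos


def inspect_png(data):
    """Return a list of findings; an empty list means the structure looks normal."""
    findings = []
    chunks, end = walk_chunks(data)
    if not chunks or chunks[-1][0] != b"IEND":
        findings.append("no IEND chunk")
    trailing = len(data) - end
    if trailing > 0:
        findings.append("%d bytes appended after IEND" % trailing)
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append("bad CRC on %s chunk" % name)
        if ctype not in KNOWN_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (name, len(payload)))
        if ctype in (b"tEXt", b"zTXt", b"iTXt") and len(payload) > TEXT_CHUNK_LIMIT:
            findings.append("oversized %s chunk (%d bytes)" % (name, len(payload)))
    return findings


if __name__ == "__main__":
    clean = build_sample_png()
    appended = clean + b"X" * 64                       # constructed: data after IEND
    custom = clean[:-12] + make_chunk(b"stEg", b"A" * 100) + make_chunk(b"IEND", b"")
    for label, sample in (("clean", clean), ("appended", appended), ("custom", custom)):
        print(label, inspect_png(sample) or "ok")
```

These checks catch the cheap hiding places (appended blobs, private chunks, bloated metadata) that signature scanners skip when they stop at the image header; a payload hidden in the pixel data itself, for instance in the low bits of each sample, passes this parser and needs the gateway to decode and analyse the raster or to detonate the file.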

4. Salty2FA emerged as a turnkey Phishing-as-a-Service framework attributed to the Storm-1575 group. The platform offered fully customizable phishing pages designed to mimic Microsoft 365 login flows and integrated bypass modules for SMS, email, and authenticator-app based two-factor authentication. Subscription customers of Salty2FA could deploy campaigns at global scale, automatically harvest session tokens, and redirect victims to legitimate portals once credential collection completed, reducing user suspicion and prolonging attacker access.

5. The convergence of Tycoon2FA, ClickFix, and Salty2FA campaigns highlights an alarming trend toward modular, multi-vector phishing toolkits that can be rapidly tailored to high-value targets. Traditional signature-based defenses struggle to keep pace with these innovations, making behavioral analysis, anomaly detection, and real-time threat intelligence sharing imperative. Security teams must prioritize continuous user education, deploy advanced email gateways with deep file inspection, and invest in orchestration platforms that correlate indicators of compromise across multiple attack stages.

6. As threat actors refine their tactics and offer turnkey phishing and malware solutions, organizations must adapt their security posture by implementing zero-trust principles, enhancing log aggregation and monitoring, and leveraging threat intelligence feeds to anticipate emerging campaigns. By understanding the operational details of the seven-stage phishing flow, image-based steganography, and Phishing-as-a-Service frameworks, defenders can close gaps before adversaries exploit them. Proactive collaboration across the cybersecurity community remains the strongest deterrent against these persistent and evolving threats.
