Salty2FA & Tycoon2FA: Hybrid Phishing Threat
Released on 2025-12-02 @ 09:13:43 PM
A new hybrid phishing threat combining elements of Salty2FA and Tycoon2FA has emerged, blurring the lines between what were distinct phishing kits. Analysis shows a sudden drop in Salty2FA activity, followed by the appearance of samples containing code from both frameworks. The hybrid samples show signs of Salty2FA infrastructure failure, which forces a fallback to Tycoon-based hosting and payload delivery. This overlap complicates attribution and weakens kit-specific detection rules. The emergence of the hybrid suggests a possible connection to Storm-1747, known operators of Tycoon2FA. Defenders are advised to update detection logic, expect more cross-kit overlap, and prepare for campaigns that are more flexible and more resilient to infrastructure failures.