Pulse: Rockstar 2FA: A Driving Force in Phishing-as-a-Service (PaaS)
TLP: WHITE. Adversary: Storm-1575. Author: AlienVault. Created 2024-12-03, modified 2024-12-03. 36 IOCs, medium volume.
Trustwave SpiderLabs has been monitoring the rise of Phishing-as-a-Service (PaaS) platforms, focusing on a kit named 'Rockstar 2FA' linked to widespread adversary-in-the-middle (AiTM) phishing attacks. The campaign, targeting Microsoft user accounts, employs car-themed web pages and has seen a significant increase since August 2024. Rockstar 2FA, an updated version of the DadSec/Phoenix kit, operates under a PaaS model and offers features like 2FA bypass, cookie harvesting, and antibot protection. The attacks use various email delivery mechanisms and themes to bypass traditional filters, affecting users across multiple sectors and regions.
MITRE ATT&CK & Malware Families
Malware families: Rockstar 2FA, DadSec, Phoenix
Indicators of Compromise (36): CVE, FileHash-MD5, FileHash-SHA1, URL, domain and hostname entries, all created 2024-12-03.