An unexpected disruption in the Rockstar2FA phishing-as-a-service (PhaaS) toolkit has paved the way for a sharp increase in activity from a newer platform known as FlowerStorm.
According to a recent report by Sophos, the Rockstar2FA service faced what appears to be a collapse of its infrastructure, rendering its phishing pages inaccessible. "This doesn’t seem to be the result of a takedown operation but rather a technical failure in the service’s backend," the report stated.
The Rockstar2FA Toolkit
Rockstar2FA, initially identified by Trustwave in late November 2024, enabled threat actors to execute phishing campaigns designed to steal Microsoft 365 credentials and session cookies, bypassing multi-factor authentication (MFA) protections.
The service is believed to be an evolution of the DadSec phishing kit, also tracked by Microsoft under the codename Storm-1575. Most phishing pages associated with Rockstar2FA have been hosted on top-level domains such as .com, .de, .ru, and .moscow, with a noticeable decline in the use of .ru domains over time.
The Shift to FlowerStorm
The Rockstar2FA outage, which occurred on November 11, 2024, resulted in redirect errors, Cloudflare timeouts, and the failure of phishing login pages to load. This technical interruption left a gap in the cybercrime ecosystem, which has since been filled by FlowerStorm, a PhaaS offering that has been active since at least June 2024.
Sophos noted similarities between the two services, particularly in the design of their phishing portals and the methods they use to connect with backend servers for credential theft. Both platforms also use Cloudflare Turnstile to filter out automated traffic, which shields their phishing pages from security scanners and helps keep them online.
The nature of the Rockstar2FA outage remains unclear. It could signify a shift in strategy, a personnel change, or a deliberate attempt to separate the two operations. However, no concrete evidence currently links Rockstar2FA to FlowerStorm.
FlowerStorm's Global Impact
FlowerStorm has quickly expanded its operations, targeting countries such as:
- The United States
- Canada
- The United Kingdom
- Australia
- Italy
- Switzerland
- Germany
- India
- Puerto Rico
- Singapore
The service industry—particularly firms specializing in engineering, construction, real estate, legal services, and consulting—has been the primary focus of these attacks.
A Growing Threat
The rise of FlowerStorm underscores a broader trend in the cybercriminal landscape: the increasing use of phishing-as-a-service platforms and commodity tools to carry out large-scale attacks with minimal technical skill.
These developments serve as a reminder of the evolving threat posed by cybercriminal services, which enable even inexperienced attackers to launch sophisticated phishing campaigns.