Mallory
Malware

Whisper 2FA

Whisper 2FA is a phishing-as-a-service (PhaaS) kit used to deploy phishing campaigns quickly and to bypass multi-factor authentication (MFA). The reporting summarized here describes it as a lightweight kit that uses AJAX-based exfiltration to capture credentials and MFA codes in real time, including real-time validation of the captured MFA codes. Supported MFA interception methods include push notifications, SMS, voice calls, and app-based codes. Whisper 2FA has been used in phishing campaigns spoofing major brands including Microsoft 365, Adobe, and DocuSign, and Barracuda reported nearly one million phishing attacks associated with the kit since July, making it the third most prevalent PhaaS kit after Tycoon and EvilProxy. The reporting also states that it has benefited from ecosystem shifts following the disruption of Tycoon 2FA and is considered an aggressive newer entrant alongside kits such as Sneaky 2FA. Recent versions are described as incorporating dense Base64 and XOR encoding layers, removal of readable text, anti-debugging and anti-analysis features, and behavior that freezes the browser when developer-tool analysis is detected. The reporting does not attribute Whisper 2FA to a specific threat actor, but it does indicate that the kit is sold or leased as part of the broader professionalized PhaaS ecosystem.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

Security experts have issued a warning about the continued risk of Tycoon 2FA attacks... Before the takedown, Tycoon 2FA was behind tens of millions of phishing messages, reaching over 500,000 organizations each month worldwide.

Credential Access

1 technique
T1557 Adversary-in-the-Middle (evidence: 1)

First spotted in August 2023, it used adversary in the middle (AitM) proxying to bypass traditional multi-factor authentication (MFA) and capture session cookies in real time, leading to large-scale account compromise.

Collection

1 technique
T1557 Adversary-in-the-Middle (evidence: 1)

First spotted in August 2023, it used adversary in the middle (AitM) proxying to bypass traditional multi-factor authentication (MFA) and capture session cookies in real time, leading to large-scale account compromise.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching: Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution: Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities: CVEs this family uses for access and lateral movement.

Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (2): Every documented technique, ranked by evidence weight.

Researcher chatter: Reddit, Mastodon, and CTI community discussion around this family.