
Mamba 2FA

Mamba 2FA is a phishing-as-a-service (PhaaS) platform and phishing kit built for adversary-in-the-middle (AiTM) phishing that bypasses multi-factor authentication. Available reporting describes it as an established and heavily used platform in 2025, particularly in campaigns focused on MFA bypass. Barracuda reported increased campaign activity involving Mamba 2FA after the disruption of Tycoon 2FA, and assessed that tools, code, and techniques formerly associated with Tycoon 2FA were redistributed across competing kits, Mamba 2FA among them. The reporting places Mamba 2FA among the established kits competing with newer entrants such as Cephas, Whisper 2FA, and GhostFrame, reflecting continued criminal demand for stealthy identity-focused phishing operations. The high-confidence reporting available does not attribute Mamba 2FA to a specific threat actor, name a delivery vector other than phishing, or list specific indicators of compromise.

MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1566 Phishing (evidence: 2)

Security experts have issued a warning about the continued risk of Tycoon 2FA attacks... Before the takedown, Tycoon 2FA was behind tens of millions of phishing messages, reaching over 500,000 organizations each month worldwide.

T1566.001 Spearphishing Attachment (evidence: 1)

Commonly observed delivery characteristics include: Email messages posing as Microsoft security alerts, document notifications, or account activity warnings ... Use of HTML email bodies or attached message files to preserve branding and formatting

T1566.002 Spearphishing Link (evidence: 1)

Campaigns associated with Mamba phishing operations are most commonly delivered through email-based lures designed to drive the victim directly to the phishing URL.

Execution

1 technique
T1127 Trusted Developer Utilities Proxy Execution (evidence: 1)

MITRE framework mapping (excerpt): Tactic: Defense Evasion; Technique ID: T1127; Technique Name: Trusted Developer Utilities Proxy Execution

Stealth

2 techniques
T1027 Obfuscated Files or Information (evidence: 2)

The web pages used by Saiga feature the widely used ‘lorem ipsum’ pseudo-Latin placeholder text in the metadata fields. This text is semantically meaningless and does not indicate the page’s purpose or function, helping attackers to avoid triggering keyword-based detection systems and brand impersonation heuristics.

T1127 Trusted Developer Utilities Proxy Execution (evidence: 1)

MITRE framework mapping (excerpt): Tactic: Defense Evasion; Technique ID: T1127; Technique Name: Trusted Developer Utilities Proxy Execution

Credential Access

6 techniques
T1056 Input Capture (evidence: 1)

Analysis of the phishing URL reveals behavior consistent with Mamba AiTM phishing operations. The execution flow prioritizes automation and speed, reducing user interaction while enabling rapid credential capture and session handling.

T1056.003 Web Portal Capture (evidence: 1)

The password field is monitored by client-side JavaScript. Input handling occurs within the browser, preparing the entered credentials for transmission immediately upon submission.

T1110.004 Credential Stuffing (evidence: 1)

MITRE framework mapping (excerpt): Tactic: Credential Access; Technique ID: T1110.004; Technique Name: Brute Force: Credential Stuffing

T1528 Steal Application Access Token (evidence: 1)

Collectively, these trends reinforce the ongoing threat posed by AiTM phishing kits to enterprise cloud environments and underscore the need for continuous monitoring and adaptive defensive controls.

T1539 Steal Web Session Cookie (evidence: 1)

In the background, however, the attacker captures every step in transit, including the username, password, MFA response, and resulting session cookie. Once that cookie is stolen, it can be replayed to access the account as an authenticated user.

T1557 Adversary-in-the-Middle (evidence: 1)

First spotted in August 2023, it used adversary in the middle (AitM) proxying to bypass traditional multi-factor authentication (MFA) and capture session cookies in real time, leading to large-scale account compromise.
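As an added detection example (not Mallory's or any vendor's code), the following Python flags the pattern the T1539 and T1557 evidence describes: a session established with MFA from one client and then used from a different IP address and user agent shortly afterwards, which is consistent with the captured cookie being replayed from the attacker's host. The log schema and sample records are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in/activity records (not real telemetry).
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "alice", "session": "s-100",
     "ip": "203.0.113.10", "ua": "Chrome/125 Windows", "mfa": True, "action": "signin"},
    {"ts": "2025-06-01T09:03:00", "user": "alice", "session": "s-100",
     "ip": "203.0.113.10", "ua": "Chrome/125 Windows", "mfa": False, "action": "mail.read"},
    # Same session id reused from a different IP and client minutes after MFA.
    {"ts": "2025-06-01T09:07:00", "user": "alice", "session": "s-100",
     "ip": "198.51.100.77", "ua": "Firefox/126 Linux", "mfa": False, "action": "mail.read"},
    {"ts": "2025-06-01T10:00:00", "user": "bob", "session": "s-200",
     "ip": "192.0.2.5", "ua": "Edge/125 Windows", "mfa": True, "action": "signin"},
    {"ts": "2025-06-01T10:30:00", "user": "bob", "session": "s-200",
     "ip": "192.0.2.5", "ua": "Edge/125 Windows", "mfa": False, "action": "mail.read"},
]


def find_replayed_sessions(events, window=timedelta(hours=2)):
    """Return one alert per event that uses a session from a different IP
    and user agent than the MFA-satisfied sign-in that created it, within
    `window` of that sign-in."""
    origin = {}   # session id -> (timestamp, ip, ua) of the MFA sign-in
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 sorts lexically
        ts = datetime.fromisoformat(ev["ts"])
        sid = ev["session"]
        if ev["action"] == "signin" and ev["mfa"]:
            origin[sid] = (ts, ev["ip"], ev["ua"])
            continue
        if sid not in origin:
            continue
        t0, ip0, ua0 = origin[sid]
        # Both the network location and the client fingerprint changed mid-session.
        if ev["ip"] != ip0 and ev["ua"] != ua0 and ts - t0 <= window:
            alerts.append({"user": ev["user"], "session": sid,
                           "origin_ip": ip0, "replay_ip": ev["ip"],
                           "minutes_after_mfa": int((ts - t0).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print(alert)
```

Requiring both IP and user agent to change keeps ordinary mobile roaming from alerting; a real deployment would also compare ASN or country and the sign-in's device identifier.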

Collection

4 techniques
T1056 Input Capture (evidence: 1)

Analysis of the phishing URL reveals behavior consistent with Mamba AiTM phishing operations. The execution flow prioritizes automation and speed, reducing user interaction while enabling rapid credential capture and session handling.

T1056.003 Web Portal Capture (evidence: 1)

The password field is monitored by client-side JavaScript. Input handling occurs within the browser, preparing the entered credentials for transmission immediately upon submission.

T1119 Automated Collection (evidence: 1)

Its workflow minimized visible user interaction, reduced friction during authentication, and relied on automation to handle identity context and credential relay.

T1557 Adversary-in-the-Middle (evidence: 1)

First spotted in August 2023, it used adversary in the middle (AitM) proxying to bypass traditional multi-factor authentication (MFA) and capture session cookies in real time, leading to large-scale account compromise.

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 1)

Upon access, the browser issues an HTTPS GET request ... The server responds with HTML content, initiating the phishing flow.

T1105 Ingress Tool Transfer (evidence: 1)

MITRE framework mapping (excerpt): Tactic: Command and Control; Technique ID: T1105; Technique Name: Ingress Tool Transfer

T1132 Data Encoding (evidence: 1)

The encoded parameter contains a long, non-human-readable string, indicative of obfuscation and runtime data passing.

Impact

1 technique
T1499.004 Application or System Exploitation (evidence: 1)

MITRE framework mapping (excerpt): Tactic: Impact; Technique ID: T1499.004; Technique Name: Endpoint Denial of Service: Application or System Exploitation
