Phishing-as-a-Service Surge Following Rockstar2FA Disruption Leads to Rise in FlowerStorm Activity

A disruption to the Rockstar2FA phishing-as-a-service (PhaaS) platform has triggered a notable increase in activity from a competing service called FlowerStorm. According to Sophos, the downtime of Rockstar2FA was not the result of a takedown operation, but rather a technical failure in its infrastructure, which caused its phishing pages to become unreachable.

Rockstar2FA, which was first identified by Trustwave in late November 2024, enabled cybercriminals to launch phishing attacks designed to harvest Microsoft 365 credentials and session cookies, bypassing multi-factor authentication (MFA). The toolkit was seen as an updated version of the DadSec phishing kit, also tracked as Storm-1575 by Microsoft. Most of the phishing pages were hosted on .com, .de, .ru, and .moscow domains, although the use of Russian (.ru) domains has reportedly decreased.

On November 11, 2024, Rockstar2FA experienced significant disruptions, including Cloudflare timeouts and counterfeit login pages that failed to load. The exact cause of the outage remains unclear, but its collapse has created a vacuum now filled by FlowerStorm, a rising phishing toolkit that has been active since at least June 2024.

Both Rockstar2FA and FlowerStorm share similar features in their phishing portals and backend credential-harvesting methods, suggesting a potential connection between the two services. Additionally, both use Cloudflare Turnstile to prevent bot traffic, which indicates common operational strategies. However, there is no concrete evidence linking the two platforms directly, leaving room for speculation that the Rockstar2FA group may have pivoted to FlowerStorm, changed personnel, or intentionally separated the two operations.

FlowerStorm has been predominantly targeting organizations in the United States, Canada, the UK, Australia, and several other countries, with a focus on industries such as engineering, construction, real estate, legal services, and consulting.

The surge in phishing activity underscores the growing trend of cybercriminals using readily available cyberattack tools and services that require little technical expertise to conduct large-scale attacks. The findings highlight the persistent risk posed by phishing-as-a-service platforms and the need for robust security measures to protect against such threats.