FlowerStorm is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms. Phishing campaigns are delivered via Telegram and use unique URLs to route users to credential-capturing counterfeit login pages. 

Last month, Cyber Security News reported that a Rockstar2FA campaign had gone quiet and that FlowerStorm emerged to target Microsoft 365 users.

FlowerStorm masquerades as a popular service and steals login credentials and multifactor authentication tokens via HTTP POST requests to adversary-controlled backend servers. 

While most phishing pages use domains registered in .com, .de, .ru and .moscow, a small portion leverage Cloudflare Pages for deployment with manually created subdomain names that rely on separate backend servers for exfiltrating stolen data.   

The Rockstar2FA phishing kit experienced a disruption on November 11th, when the decoy pages failed to redirect due to a Cloudflare 522 error. The portal pages also malfunctioned and was unable to load the counterfeit Microsoft login portal indicating that the connection to the back-end server was severed.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Around the same time, FlowerStorm phishing activity surged, which is PaaS platform and has been active since June 2024. FlowerStorm phishing pages communicate with the backend server using a next.php file. 

The communication includes user credentials and a JWT token for session tracking, while the backend server can respond with success messages or MFA challenges. 

Some phishing pages communicate with a next.php file located on the same domain as the landing page, while others do not use the same structure.

FlowerStorm and Rockstar2FA phishing portals exhibit strong similarities, suggesting a potential link between their developers. Both utilize similar HTML structures, including Cloudflare turnstile keys and random text in comments. 

Some features are shared between their backend communication methods, such as data exfiltration based on PHP and specific field names for email validation and login events. 

In many cases, the timing of their domain registrations and page detections coincides, which may indicate that they utilise a shared infrastructure or that their operations are coordinated.

FlowerStorm is a paid phishing service that leverages infrastructure and communication methods similar to the previous Rockstar2FA operation, including PHP-based communication and email validation features. 

It primarily targets organizations in the United States, Canada, and other Western countries by focusing on the service sector. It reveals a preference for North American and European targets, with the United States accounting for most attacks.

Sophos analysis of Rockstar2FA and FlowerStorm indicates a possible shared origin due to similar kit contents and domain registration patterns. 

The diverging activity post-November 11th suggests a potential strategic shift, personnel changes, infrastructure disruption, or deliberate decoupling to evade detection. Meanwhile, FlowerStorm’s rapid expansion has resulted in operational errors that allow for disruption and provide insights into their backend infrastructure.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar