FlowerStorm Takes Over After Rockstar2FA Collapse

In November 2024, the phishing-as-a-service (PhaaS) platform Rockstar2FA abruptly went dark, briefly interrupting the flow of credential-phishing campaigns that depended on it. According to Sophos MDR, the service suffered a backend collapse that left its phishing pages and its Telegram channels unreachable. The outage was not the result of a deliberate takedown but of a technical failure on the operators' side, which left the kit's customers unable to use the platform.

Rockstar2FA, which had been linked to the threat group Microsoft tracks as Storm-1575, served adversary-in-the-middle (AitM) pages that mimicked legitimate login portals in order to capture user credentials and the multi-factor authentication (MFA) tokens issued after a successful sign-in. Because the kit relays the victim's live login, one-time codes and push approvals do not stop it; only origin-bound, phishing-resistant authenticators such as FIDO2/WebAuthn do. It hosted its pages on domains under a range of top-level domains, including .ru, .de, and .moscow. When its infrastructure broke down, the backend behind Cloudflare stopped responding and the service went offline.

This disruption left a void that was soon filled by FlowerStorm, a platform that operates in much the same way as Rockstar2FA and had already been active since mid-2024. Named for the plant-related terms that appear in its HTML page titles, FlowerStorm's phishing pages share many traits with Rockstar2FA's infrastructure, including fronting its pages with Cloudflare.

FlowerStorm's rapid rise after Rockstar2FA's collapse has been marked by a backend structure that closely resembles its predecessor's, with only minor differences. In both kits the phishing page hands harvested credentials to server-side PHP scripts, which forward the stolen data to the operators. FlowerStorm's backend uses files such as "next.php", and its phishing portals have continued to operate despite occasional disruptions.
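The two traits the article attributes to FlowerStorm pages, plant-related words in the HTML title and a PHP endpoint named next.php, plus the Microsoft sign-in imitation common to both kits, can be turned into a simple triage heuristic for captured web content. The following is an added example written for this page, not code from Sophos or from the article; the word list, the lookalike strings, the weights and the threshold are assumptions chosen for illustration, not published indicators, and the two HTML samples are constructed here.

```python
"""Heuristic triage of captured HTML for FlowerStorm-style phishing pages.

Added example, not the article's or Sophos's code. Signals taken from the
article: a plant-related word in <title>, a page that posts to next.php,
and text imitating a Microsoft sign-in page. The word list, lookalike
strings, weights and threshold below are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Assumed word list; the article only says "plant-related terms".
PLANT_TERMS = {"flower", "petal", "leaf", "root", "seed", "bloom", "garden", "tree"}
BACKEND_FILE = "next.php"  # file name given in the article
# Assumed lookalike strings for a Microsoft sign-in imitation.
LOOKALIKE_STRINGS = ("sign in to your account", "microsoft", "office 365", "outlook")


class _Extractor(HTMLParser):
    """Collect the <title>, form actions, script sources and visible text."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.form_actions = []
        self.script_src = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "script" and a.get("src"):
            self.script_src.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        self.text.append(data)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # assumed threshold


def score_page(html: str) -> Verdict:
    """Score one HTML document; higher means more FlowerStorm-like."""
    p = _Extractor()
    p.feed(html)
    v = Verdict(0)

    # Signal 1: plant-related word in the page title (weight 1).
    title_words = set(re.findall(r"[a-z]+", p.title.lower()))
    hit = title_words & PLANT_TERMS
    if hit:
        v.score += 1
        v.reasons.append(f"plant term in title: {sorted(hit)}")

    # Signal 2: next.php as a form action, script src or any quoted .php URL
    # in inline script (weight 2, the strongest single indicator here).
    targets = p.form_actions + p.script_src
    targets += re.findall(r"""["']([^"']*?\.php)["']""", html)
    if any(t.rstrip("/").endswith(BACKEND_FILE) for t in targets):
        v.score += 2
        v.reasons.append(f"page posts to {BACKEND_FILE}")

    # Signal 3: text imitating a Microsoft sign-in page (weight 1).
    body = " ".join(p.text).lower()
    if any(s in body for s in LOOKALIKE_STRINGS):
        v.score += 1
        v.reasons.append("Microsoft sign-in lookalike text")
    return v


# Constructed samples: one FlowerStorm-style page, one benign garden shop.
PHISH_HTML = """<html><head><title>Rose Garden</title></head>
<body><h1>Sign in to your account</h1>
<form id="login" method="post" action="/next.php">
<input name="email"><input name="password" type="password"></form>
<script>fetch("/next.php", {method: "POST"});</script></body></html>"""

BENIGN_HTML = """<html><head><title>Leaf &amp; Seed Nursery</title></head>
<body><form action="/cart.php"><input name="qty"></form></body></html>"""

if __name__ == "__main__":
    for name, doc in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        v = score_page(doc)
        print(name, v.score, v.suspicious, v.reasons)
```

A plant word in the title alone scores 1 and is not flagged; the benign nursery page shows why the title signal must be combined with the next.php endpoint and the sign-in imitation before a page is worth an analyst's time.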

Although it remains unclear whether FlowerStorm and Rockstar2FA are directly linked, their operational similarities and the overlap in their activity suggest shared infrastructure or coordination between the operators. The collapse of Rockstar2FA and the subsequent rise of FlowerStorm show how quickly phishing-as-a-service operations reconstitute, and why the defensive response has to target the technique, not the brand.

FlowerStorm has been used at scale, with the service primarily targeting organisations in North America and Europe across industries ranging from engineering and construction to real estate and legal services.

While FlowerStorm remains active, its operators have made mistakes that caused occasional outages. Those same mistakes have let researchers examine the platform's operations more closely and gain a clearer picture of how the service functions.

As FlowerStorm continues to gain ground, cybersecurity teams remain on high alert, monitoring the evolution of these platforms and their impact on global phishing campaigns.
