FlowerStorm Seizes Opportunity as Rockstar2FA Crumbles
Despite its popularity, the phishing-as-a-service platform Rockstar2FA suffered a partial collapse in November 2024 due to technical issues, allowing the new phishing toolkit FlowerStorm to emerge, according to Sophos MD.
Rockstar2FA was known for its advanced capabilities, mimicking legitimate credential requests for platforms like Microsoft and other cloud services. Users of the service managed phishing campaigns via Telegram, receiving unique URLs to target victims. These URLs led to counterfeit login pages designed to capture credentials and multifactor authentication (MFA) tokens.
“Visitors to the URL would be routed to a counterfeit Microsoft login page…sending credentials via an HTTP POST message to an adversary-controlled backend server,” Sophos MDR explained. The backend infrastructure, which relied on .ru, .de, and .moscow domains, was largely disrupted by mid-November, rendering the phishing portals inoperable.
A Rockstar2FA “decoy” page | Source: Sophos
Shortly after Rockstar2FA’s disruption, FlowerStorm emerged as a prominent phishing platform. Named after its plant-themed page titles—such as “OreganoLeaf” and “FennelBlossom”—FlowerStorm mirrored many aspects of Rockstar2FA’s operations. It utilized similar backend communication structures, such as PHP files for credential harvesting, and adopted Cloudflare’s CDN for serverless deployment.
While FlowerStorm quickly ramped up its operations, it also exhibited operational errors and misconfigurations. “The rapid ramp-up of FlowerStorm has led to some mistakes…providing us with an opportunity to more closely examine their back-end operations,” noted Sophos.
FlowerStorm’s users—likely cybercriminals purchasing its services—focused heavily on organizations in North America and Europe, particularly in industries such as engineering, construction, and legal consulting. Over 60% of detected targets were U.S.-based, followed by Canada, the UK, and Australia. The heavy focus on service-oriented sectors underscores the attractiveness of these organizations for credential theft and financial exploitation.
Despite their differences, Rockstar2FA and FlowerStorm share significant similarities, suggesting a potential common ancestry. Both platforms exhibit similar HTML structures, use Cloudflare for deployment, and rely on backend PHP files for data exfiltration. The synchronized rise and fall of their activities prior to November suggest potential coordination or overlapping operational objectives.
Sophos recommends monitoring for indicators of compromise, implementing robust phishing defenses, and staying informed about evolving threats. A list of FlowerStorm-related IoCs is available on Sophos X-Ops’ GitHub repository for further investigation.
