Keypoints
- Phishing continues to be a major online threat and attackers keep evolving tactics.
- Mamba 2FA uses adversary-in-the-middle techniques to bypass multifactor authentication such as OTPs and app notifications.
- Sekoia TDR identified 58 initial indicators of compromise: 45 domain names and 13 IP addresses.
- Reverse-WHOIS and DNS investigations expanded the artifact set to 346 registrant-connected domains and 65 additional IP addresses.
- Of the additional infrastructure discovered, two registrant-connected domains were flagged as malicious and 51 of the 65 extra IPs were associated with threats.
- Research artifacts and a sample dataset are available for download from the referenced website.
MITRE Techniques
- [T1566] Phishing – Utilizes deceptive emails or messages to trick users into revealing sensitive information. Quote: ‘Phishing has been around for years, yet it still proves to be a major online threat.’
- [T1557] Adversary-in-the-Middle (AitM) – Intercepts and manipulates communications between two parties to gain unauthorized access. Quote: ‘Mamba 2FA, for instance, has been armed with adversary-in-the-middle (AitM) capabilities.’
- [T1003] Credential Dumping – Extracts account login credentials from operating systems and software.
- [T1483] Domain Generation Algorithms (DGA) – Generates domain names to evade detection and maintain communication with compromised systems.
Indicators of Compromise
- [Domain names] Mamba 2FA-related domains – egensession[.]com, and 44 other domain IoCs (45 total)
- [IP addresses] Infrastructure IPs – 13 IP address IoCs (all geolocated in the U.S.), and 65 additional IPs discovered (51 tied to malicious campaigns)
- [Registrant-connected domains] Discovered via Reverse WHOIS – 346 registrant-connected domains (2 confirmed malicious)
- [Email addresses] WHOIS email artifacts – 23 historical registrant email addresses found, 2 of which were publicly listed
————
Phishing remains a top risk because attackers keep refining their playbook. The Mamba 2FA phishing kit now includes adversary-in-the-middle capabilities that can intercept one-time passwords and notification-based MFA, allowing attackers to bypass those protections.
Sekoia’s Threat Detection and Research team analyzed Mamba 2FA and published an initial set of 58 IoCs (45 domains and 13 IPs). Using reverse WHOIS, DNS lookups, and threat-intel queries, investigators expanded the dataset considerably, finding 346 registrant-connected domains, 65 additional IP addresses (51 of which have ties to malicious campaigns), and other linked artifacts.
The domain IoCs were concentrated among a few registrars, mostly created in 2024, and largely registered in the U.S. The research highlights specific flagged domains (for example egensession[.]com) and notes that a sample of the extended artifacts and full findings are available for download from the referenced site to support detection and response efforts.
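The pivots described above (reverse WHOIS on registrant e-mail, forward DNS on the resulting domains, passive DNS on the resulting IPs) can be reproduced against any IoC feed. The following added example is not code from the report or from Sekoia; the WHOIS, DNS and resolver-log records in it are constructed and hypothetical (".invalid" names and documentation IP ranges), and only the seed domain egensession[.]com comes from the page. It also shows why the pivot output is a candidate list rather than a verdict list: the report confirmed only 2 of 346 registrant-connected domains as malicious, so expanded artifacts are matched against logs for review, not blocked outright.

```python
"""IoC expansion by registrant and DNS pivots, plus a resolver-log check.

Added example: WHOIS, DNS and log records below are constructed and
hypothetical; only the seed domain egensession[.]com is from the report.
"""
import re
from typing import Dict, Iterable, List, Set


def refang(ioc: str) -> str:
    """Turn a defanged indicator (egensession[.]com) back into a usable name."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def defang(ioc: str) -> str:
    """Defang a name or IP so it cannot be clicked or auto-resolved in reports."""
    return ioc.replace(".", "[.]")


# Constructed registrant data (hypothetical): domain -> registrant e-mail.
WHOIS: Dict[str, str] = {
    "egensession.com": "reg-a@mail.invalid",
    "pivot-one.invalid": "reg-a@mail.invalid",
    "pivot-two.invalid": "reg-a@mail.invalid",
    "unrelated.invalid": "someone-else@mail.invalid",
}

# Constructed forward DNS: domain -> A records (TEST-NET ranges).
DNS_A: Dict[str, List[str]] = {
    "egensession.com": ["203.0.113.10"],
    "pivot-one.invalid": ["203.0.113.10", "198.51.100.7"],
    "pivot-two.invalid": ["198.51.100.8"],
    "unrelated.invalid": ["192.0.2.99"],
}

# Constructed passive DNS: IP -> every domain observed resolving to it.
PASSIVE_DNS: Dict[str, List[str]] = {
    "203.0.113.10": ["egensession.com", "pivot-one.invalid"],
    "198.51.100.7": ["pivot-one.invalid", "co-hosted.invalid"],
    "198.51.100.8": ["pivot-two.invalid"],
}


def expand_iocs(seed_domains: Iterable[str], seed_ips: Iterable[str],
                whois=WHOIS, dns_a=DNS_A, passive_dns=PASSIVE_DNS) -> Dict[str, List[str]]:
    """Expand a seed IoC set: reverse WHOIS (shared registrant e-mail), then
    forward DNS, then passive DNS on the resulting IPs. Pivoted artifacts are
    candidates for analyst review, not confirmed-malicious indicators."""
    seeds = {refang(d) for d in seed_domains}
    seed_ip_set = {refang(ip) for ip in seed_ips}

    # Reverse-WHOIS pivot: every domain sharing a registrant e-mail with a seed.
    emails = {whois[d] for d in seeds if d in whois}
    registrant_domains = {d for d, e in whois.items() if e in emails} - seeds

    # DNS pivot: resolve seeds and registrant-connected domains to IPs.
    ips: Set[str] = set(seed_ip_set)
    for d in seeds | registrant_domains:
        ips.update(dns_a.get(d, []))
    additional_ips = ips - seed_ip_set

    # Passive-DNS pivot: other domains co-hosted on those IPs.
    co_hosted: Set[str] = set()
    for ip in ips:
        co_hosted.update(passive_dns.get(ip, []))
    co_hosted -= seeds | registrant_domains

    return {
        "registrant_emails": sorted(emails),
        "registrant_domains": sorted(registrant_domains),
        "additional_ips": sorted(additional_ips),
        "co_hosted_domains": sorted(co_hosted),
    }


LOG_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=\S+$")


def match_dns_log(lines: Iterable[str], watchlist: Iterable[str]) -> List[dict]:
    """Return log entries whose query name is, or is a subdomain of, a watched domain."""
    domains = {refang(d).lower().rstrip(".") for d in watchlist}
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in domains):
            hits.append({"ts": m["ts"], "client": m["client"], "qname": qname})
    return hits


if __name__ == "__main__":
    expanded = expand_iocs(["egensession[.]com"], ["203[.]0[.]113[.]10"])
    for key, values in expanded.items():
        print(key, [defang(v) for v in values])
    sample_log = [  # constructed resolver log lines
        "2024-06-01T12:00:00Z client=10.0.0.5 query=egensession.com type=A",
        "2024-06-01T12:00:01Z client=10.0.0.6 query=www.pivot-one.invalid type=A",
        "2024-06-01T12:00:02Z client=10.0.0.7 query=example.org type=A",
    ]
    watch = ["egensession[.]com"] + expanded["registrant_domains"]
    print(match_dns_log(sample_log, watch))
```

In practice the three dictionaries are replaced by calls to a reverse-WHOIS provider, a resolver, and a passive-DNS source; the pivot logic and the subdomain-aware log match stay the same. Keeping each pivot level separate in the output (registrant-connected, DNS-derived, co-hosted) lets an analyst apply a different confidence to each tier before anything reaches a blocklist.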
Read more: https://circleid.com/posts/a-dns-investigation-into-mamba-the-latest-aitm-phishing-player