A sudden collapse in Salty2FA infrastructure in late October 2025 coincided with samples that contained indicators, code, and delivery fallbacks from both Salty2FA and Tycoon2FA, producing single payloads that executed stages from each kit. This hybridization complicates attribution and detection, and suggests defenders should treat Salty2FA and Tycoon2FA as a linked…