Phishing has been around for years, yet it still proves to be a major online threat. To continue profiting, cybercriminals must continuously adapt their techniques.

Phishing malware Mamba 2FA, for instance, has been armed with adversary-in-the-middle (AitM) capabilities. This new feature allowed the malware to bypass multifactor authentication (MFA) measures like one-time passwords (OTPs) and app notifications.

The Sekoia Threat Detection and Research (TDR) Team analyzed Mamba 2FA and identified 58 indicators of compromise (IoCs) comprising 45 domain names and 13 IP addresses. Our research team expanded the IoC list and uncovered additional threat artifacts, including:

• 346 registrant-connected domains, two of which turned out to be malicious
• 65 additional IP addresses, 51 of which turned out to be associated with various threats
• One IP-connected domain
• Six string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Under the Mamba 2FA Hood

As is our usual first step, we looked into the IoCs first beginning with a bulk WHOIS lookup for the 45 domain names. That revealed the following:

• The domains were distributed among four registrars led by Hosting Concepts B.V. and WEBCC, which tied in first place with 19 domain IoCs each. NameSilo LLC came in second, accounting for six domain IoCs. Hello Internet Corp. with one domain IoC rounded out the list.

  

• A majority of the domain IoCs, 40 to be exact, were created in 2024 while the remaining five were created in 2023.

  

• They were spread across three different countries led by the U.S. with 35 domain IoCs. Six domain IoCs were registered in Malaysia while three in the Netherlands. One domain IoC didn’t have a registrant country in its current WHOIS record.

  

• Twenty-seven domain IoCs had public registrant information in their current WHOIS records. Specifically, 13 each had registrant email addresses and names, and all 27 had registrant organizations.

A bulk IP geolocation lookup for the 13 IP address IoCs, meanwhile, showed that all were geolocated in the U.S. but didn’t have ISP information in their A records.

Mamba 2FA IoC List Expansion Results

We jump-started our search for additional Mamba 2FA artifacts with Reverse WHOIS Search queries for the registrant email address, name, and organization we obtained from our bulk WHOIS lookup earlier. Using the parameters Advanced, Historic, and Exact match, we uncovered 346 registrant-connected domains after filtering out duplicates and the IoCs.

Threat Intelligence API queries for the 346 registrant-connected domains revealed that two of them were associated with threats. The domain egensession[.]com, for instance, was tagged as an IoC for phishing and generic threats.

After that, we ran the 45 domain IoCs on WHOIS History API and obtained 23 email addresses from their historical WHOIS records. Only two, however, were public.

Of the public email addresses, only one had connected domains based on the results of our Reverse WHOIS API queries—the same email address that showed up in some of the domain IoCs’ WHOIS records earlier. As such, none of the email-connected domains remained when we removed duplicates, the IoCs, and the registrant-connected domains from our list.

Next, we performed DNS lookups for the 45 domain IoCs and found 65 IP addresses after filtering out duplicates and the IoCs. Based on Threat Intelligence API queries for these additional IP addresses, 51 have already figured in various malicious campaigns.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.