Phishing Kits & PhaaS
What Is FlowerStorm?
FlowerStorm is a Phishing-as-a-Service (PhaaS) platform that emerged in December 2024 following the infrastructure collapse of Rockstar 2FA, employing adversary-in-the-middle (AiTM) attacks to harvest Microsoft 365 credentials and session tokens while bypassing multi-factor authentication. The platform derives its name from botanical terms systematically embedded in the HTML source code of its phishing pages, including "Flower," "Sprout," "Blossom," and "Leaf" in page titles and JavaScript function names. Security researchers at Sophos MDR, Darktrace, and Bleeping Computer documented substantial evidence suggesting FlowerStorm represents an operator rebrand of Rockstar 2FA rather than an independent competitor, based on nearly identical phishing page templates, infrastructure abuse patterns, and the timing of FlowerStorm's emergence within one to two weeks of Rockstar 2FA's November 2024 failure.
FlowerStorm campaigns demonstrated concentrated geographic targeting, with 84% of identified victims located in the United States according to Darktrace analysis from December 2024. The platform's infrastructure abuses Cloudflare's content delivery network in patterns nearly identical to Rockstar 2FA, while distribution occurs through Telegram bots inherited from the Rockstar 2FA ecosystem. Although FlowerStorm activity increased sharply in late November 2024, filling the void left by Rockstar 2FA's collapse, the platform faced immediate competitive pressure from established incumbents including Tycoon 2FA, which commanded 89% market share by early 2025 according to Centripetal.ai analysis.
How Does FlowerStorm Work?
FlowerStorm operates through Telegram-coordinated phishing campaigns that deliver AiTM proxy pages to victims. When users click phishing links distributed via Telegram channels, they encounter realistic Microsoft 365 login pages that proxy authentication requests between the victim's browser and Microsoft's legitimate servers. This adversary-in-the-middle architecture enables FlowerStorm to intercept both the username and password credentials entered by victims and the session tokens issued by Microsoft after successful authentication, including multi-factor authentication completion.
The technical implementation relies on algorithmic HTML generation that combines botanical terminology in randomized patterns. According to Darktrace analysis from December 2024, FlowerStorm pages feature titles generated by combining words like "Flower" and "Blossom," while JavaScript function names follow similar botanical naming conventions. This algorithmic approach creates unique page signatures for each campaign while maintaining consistent underlying functionality. The randomization complicates signature-based detection by security products, as each phishing page presents slightly different HTML characteristics despite identical operational behavior.
FlowerStorm's infrastructure abuse of Cloudflare's CDN mirrors patterns documented in Rockstar 2FA campaigns. Cloudflare provides legitimate content delivery and DDoS protection services used by millions of websites, making Cloudflare-hosted domains more likely to pass reputation filters in email gateways and browser security tools. By hosting phishing pages on Cloudflare infrastructure, FlowerStorm operators obscure the actual backend servers controlling credential exfiltration while benefiting from Cloudflare's performance and availability characteristics.
The AiTM mechanism employs WebSocket connections through Session.IO or similar libraries to relay authentication data between victim browsers and attacker-controlled servers. When victims complete MFA challenges, believing they are authenticating directly to Microsoft, the proxy captures the resulting session tokens. These tokens represent proof of successful authentication and can be replayed by attackers to access victim accounts without triggering new MFA prompts. According to Sophos MDR reporting from December 2024, this session token theft capability enables account compromise that persists even after victims change passwords, as the stolen session remains valid until expiration or explicit revocation.
FlowerStorm campaigns demonstrate defensive evasion through redirect behavior. According to Darktrace analysis, direct navigation to FlowerStorm domains (typing the URL into a browser rather than clicking a phishing link) triggers automatic redirection to legitimate decoy pages. This technique frustrates security researchers attempting to analyze phishing infrastructure, as automated scanning tools that directly access domains encounter benign content rather than phishing pages. Only users arriving via specifically crafted phishing links with proper referrer headers encounter the credential harvesting forms.
Distribution through Telegram bots provides customers with unique phishing page URLs and campaign management dashboards. According to Sophos MDR and Bleeping Computer reporting from December 2024, this distribution model inherited directly from Rockstar 2FA suggests operational continuity between the platforms. Customers receive real-time alerts via Telegram bot notifications when credentials are captured, enabling rapid exploitation of compromised accounts while session tokens remain valid.
How Does FlowerStorm Differ From Other Phishing Platforms?
| Factor | FlowerStorm | Rockstar 2FA | Tycoon 2FA | Mamba 2FA |
|---|---|---|---|---|
| Launch date | Jun 2024 (early phase), Dec 2024 (surge) | Aug 2024 | 2024 | May 2024 |
| AiTM capable | Yes | Yes | Yes | Yes |
| Primary target | Microsoft 365 | Microsoft 365 | Microsoft 365 | Microsoft 365 |
| Geographic focus | 84% US | Varied | Varied | Varied |
| CDN abuse | Cloudflare | Cloudflare | Cloudflare | Cloudflare (+ IPRoyal proxy layer as of Oct 2024) |
| C2 method | Telegram | Telegram | Telegram | Telegram |
| Pricing | Unknown | $200-350/month | $250/month | $250/month |
| Market status | Rising (Dec 2024) | Collapsed (Nov 2024) | Dominant (89% share Jan 2025) | Significant (10M attacks late 2025) |
| Ideal for | Opportunistic attackers post-Rockstar | (Defunct) | Professional phishing operators | High-volume campaigns |
The comparison reveals FlowerStorm as an emerging platform competing in a market dominated by Tycoon 2FA. According to Centripetal.ai analysis from January 2025, Tycoon 2FA commanded 89% of PhaaS market share, with EvilProxy holding 8% and smaller platforms including FlowerStorm splitting the remaining market. By August 2025, Tycoon's share increased to 95.59% according to updated Centripetal analysis, indicating consolidation around established platforms rather than significant FlowerStorm market penetration.
The technical similarity between FlowerStorm and Rockstar 2FA extends beyond infrastructure patterns to include HTML template structure and Telegram distribution mechanisms. Multiple security researchers at Sophos MDR and Darktrace independently assessed that FlowerStorm likely represents an operator rebrand rather than an independent competitor. This hypothesis derives from the timing of FlowerStorm's surge coinciding with Rockstar 2FA's collapse, the identical Cloudflare abuse tactics, and the lack of differentiated functionality that would distinguish FlowerStorm as an independent innovation.
FlowerStorm's geographic concentration differs from competitors. According to Darktrace analysis from December 2024, 84% of FlowerStorm victims identified through honeypot monitoring were located in the United States, with sectoral concentration in Services (33%), Manufacturing (21%), Retail (12%), and Financial Services (8%). This US focus contrasts with Tycoon 2FA and Mamba 2FA, which demonstrated more geographically distributed victim bases. The concentration may reflect either operator targeting preferences or customer base composition in Telegram channels where FlowerStorm was distributed.
Why Does FlowerStorm Matter?
FlowerStorm represents a case study in PhaaS operator resilience and continuity following platform disruption. The rapid emergence of FlowerStorm within one to two weeks of Rockstar 2FA's November 11, 2024 infrastructure collapse demonstrates that PhaaS operations frequently persist through rebranding rather than permanent elimination. According to Sophos MDR analysis published December 19, 2024, the technical continuity between Rockstar 2FA and FlowerStorm, including identical phishing templates and Cloudflare abuse patterns, indicates that the same threat actors or technical knowledge base continued operations under a new platform identity.
This rebranding pattern has significant implications for defensive strategies. Organizations that successfully block Rockstar 2FA infrastructure through DNS filtering, email gateway rules, or threat intelligence feeds must recognize that the same operational capabilities may quickly resurface under different domain names and platform branding. Defensive approaches that rely on static indicators like platform names or specific domain lists provide only temporary protection. According to Darktrace reporting from 2024, effective defense requires behavioral detection that identifies AiTM proxy characteristics, Cloudflare abuse patterns, and session token theft attempts regardless of the specific PhaaS platform employed.
FlowerStorm's emergence also illustrates market dynamics in the PhaaS ecosystem. Despite achieving rapid deployment and inheriting the Rockstar 2FA customer base, FlowerStorm failed to capture significant market share from Tycoon 2FA, which maintained and even increased dominance through late 2024 and into 2025. According to Centripetal.ai analysis, Tycoon 2FA's share grew from 89% in January 2025 to 95.59% by August 2025, indicating that FlowerStorm and other emerging platforms struggled to compete against established incumbents with proven reliability and extensive feature sets.
The platform's geographic targeting concentration provides insights into victim selection patterns in PhaaS campaigns. According to Darktrace analysis from December 2024, the 84% US victim concentration suggests either deliberate geographic targeting by FlowerStorm operators or a customer base whose own campaigns were concentrated on US organizations. The sectoral distribution across Services, Manufacturing, Retail, and Financial Services indicates broad opportunistic targeting rather than specialized focus on high-value sectors, consistent with a PhaaS model that provides infrastructure to diverse customers with varied targeting objectives.
What Are the Limitations of FlowerStorm?
Association with Failed Predecessor
If FlowerStorm is indeed a Rockstar 2FA operator rebrand, as multiple security researchers assess, this association introduces reputational and operational risks. Law enforcement agencies and security vendors that investigated Rockstar 2FA can apply accumulated intelligence to FlowerStorm operations, accelerating disruption efforts. According to Sophos MDR analysis from December 2024, the technical continuity between platforms means that detection signatures, infrastructure patterns, and operational tradecraft documented for Rockstar 2FA remain largely applicable to FlowerStorm. This reduces the "clean slate" advantage typically associated with new platform launches and potentially shortens FlowerStorm's operational lifespan.
Infrastructure Fragility Through Cloudflare Dependence
FlowerStorm inherited Rockstar 2FA's reliance on Cloudflare's content delivery network for hosting phishing pages. According to Darktrace analysis from 2024, this dependence creates single-point-of-failure risk if Cloudflare implements abuse mitigation or responds to takedown requests. While Cloudflare historically demonstrated limited proactive content moderation, the platform does respond to court orders and abuse reports that document terms of service violations. The November 11, 2024 Rockstar 2FA collapse manifested partially as Cloudflare HTTP 522 errors, indicating CDN disconnection from backend servers. FlowerStorm faces similar infrastructure vulnerability if Cloudflare terminates service or if backend infrastructure experiences technical failure.
Detection Pattern Similarity to Rockstar 2FA
Security vendors that developed detection signatures for Rockstar 2FA can repurpose these signatures with minimal modification to detect FlowerStorm campaigns. According to Bleeping Computer reporting from December 2024, the HTML template structure, botanical keyword patterns, and Cloudflare abuse characteristics provide specific indicators that threat intelligence platforms incorporate into detection rules. This reduces FlowerStorm's operational effectiveness against organizations that deployed Rockstar 2FA-specific defenses, limiting the platform's longevity and requiring operators to invest in infrastructure changes that differentiate FlowerStorm from its predecessor.
Telegram Communication Chokepoint
FlowerStorm's sole reliance on Telegram for command-and-control communications and customer distribution creates disruption vulnerability. According to Sophos MDR analysis from December 2024, the Telegram bot infrastructure provides essential functionality including credential exfiltration notifications, campaign management, and customer support. If Telegram suspends operator accounts in response to abuse reports or law enforcement requests, the entire customer communication and support infrastructure fails simultaneously. More sophisticated PhaaS operations mitigate this risk through distributed communication channels or proprietary infrastructure independent of third-party platform policies.
Limited Differentiation in Saturated Market
FlowerStorm entered a PhaaS market dominated by Tycoon 2FA's 89% share and faced competition from established platforms including EvilProxy, Mamba 2FA, and emerging alternatives like Sneaky 2FA. According to Centripetal.ai analysis from January and August 2025, FlowerStorm failed to capture significant market share despite rapid deployment. The platform offered no substantial feature improvements over Rockstar 2FA, representing primarily a geographic and naming refresh rather than technical innovation. In a market where customers prioritize reliability, feature depth, and proven operational track records, FlowerStorm's lack of differentiation limited its competitive positioning.
Competitive Pressure From Market Leaders
Tycoon 2FA's increasing market dominance, growing from 89% in January 2025 to 95.59% by August 2025 according to Centripetal.ai reporting, demonstrates consolidation around proven platforms. This consolidation disadvantages new entrants like FlowerStorm that lack established customer bases and operational track records. According to Barracuda Networks analysis from 2025, PhaaS customers increasingly favor platforms with demonstrated reliability, extensive template libraries, and responsive technical support, characteristics that require sustained operational investment to develop.
How Can Organizations Defend Against FlowerStorm?
Threat Intelligence Integration
Organizations should integrate threat intelligence feeds that include FlowerStorm infrastructure indicators into DNS filtering, email gateway, and web proxy systems. According to Darktrace and Sophos MDR reporting from December 2024, security vendors maintain actively updated lists of identified FlowerStorm domains based on honeypot observations and incident investigations. DNS reputation services that incorporate these indicators can block resolution of FlowerStorm phishing domains before browsers load page content. Email gateways should query real-time threat intelligence APIs to identify and quarantine messages containing FlowerStorm URLs before delivery to user mailboxes.
HTML Anomaly Detection
Security tools should implement detection rules that identify FlowerStorm's distinctive botanical terminology patterns in HTML page titles and JavaScript function names. According to Darktrace analysis from 2024, the algorithmic generation of page elements using combinations of "Flower," "Sprout," "Blossom," and "Leaf" creates detectable signatures despite randomization. Email security gateways that perform URL rewriting and real-time page rendering can analyze HTML structure for these patterns. Browser isolation solutions should flag pages demonstrating FlowerStorm's characteristic naming conventions for security analyst review before allowing user interaction.
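The paragraphs above (the "How Does FlowerStorm Work?" description of botanical page titles and JavaScript function names, and this HTML anomaly detection recommendation) describe a pattern that is easy to turn into a heuristic check. The following scanner is an added example written for this page, not code from Darktrace, Sophos or any vendor product: it extracts the page title and every JavaScript function declaration, counts the botanical words the page attributes to FlowerStorm ("Flower", "Sprout", "Blossom", "Leaf") in each, and scores the page. The scoring weights, the `SUSPICIOUS_SCORE` threshold and both sample pages are constructed for illustration.

```python
"""Heuristic HTML scanner for botanical naming patterns in page titles and
JavaScript function names. Added example; thresholds and sample pages are
constructed, not captured phishing content."""
import re
from html.parser import HTMLParser

BOTANICAL_TERMS = ("flower", "sprout", "blossom", "leaf")

# Function declarations: "function Name(", "var Name = function", "const Name = (...) =>"
FUNC_DECL_RE = re.compile(
    r"\bfunction\s+([A-Za-z_$][\w$]*)"
    r"|\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(?:function\b|\(?[\w$,\s]*\)?\s*=>)"
)

SUSPICIOUS_SCORE = 4  # assumed threshold; tune against your own false-positive rate


class _PageParser(HTMLParser):
    """Collects the <title> text and the body of every <script> block."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.scripts = []
        self._in_title = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_script:
            self.scripts.append(data)


def botanical_terms_in(identifier):
    """Return the botanical terms that occur inside an identifier or title."""
    low = identifier.lower()
    return [t for t in BOTANICAL_TERMS if t in low]


def scan_html(html):
    """Score a page: 2 points for a title or function name built from two or
    more botanical terms, 1 point for a single term. The evidence is returned
    alongside the verdict so an analyst can see why a page was flagged."""
    parser = _PageParser()
    parser.feed(html)
    title_terms = botanical_terms_in(parser.title)
    score = min(len(title_terms), 2)
    botanical_functions = []
    for script in parser.scripts:
        for match in FUNC_DECL_RE.finditer(script):
            name = match.group(1) or match.group(2)
            terms = botanical_terms_in(name)
            if terms:
                botanical_functions.append((name, terms))
                score += min(len(terms), 2)
    return {
        "title": parser.title.strip(),
        "title_terms": title_terms,
        "botanical_functions": botanical_functions,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "benign",
    }


# Constructed sample pages (not real FlowerStorm content).
SAMPLE_PAGE = """<html><head><title>Flower Blossom Sign in</title></head>
<body><form id="login"><input name="loginfmt"></form>
<script>
function SproutLeaf(){ return document.getElementById('login'); }
var blossomFlower = function(e){ SproutLeaf().submit(); };
const leafHandler = () => blossomFlower();
</script></body></html>"""

BENIGN_PAGE = """<html><head><title>Garden Center - Leaf Catalogue</title></head>
<body><script>function showCart(){ } var total = 0;</script></body></html>"""

if __name__ == "__main__":
    for page in (SAMPLE_PAGE, BENIGN_PAGE):
        print(scan_html(page))
```

Because the check counts combinations rather than fixed strings, it survives the per-campaign randomization the text describes; the benign gardening page scores low because a single botanical word in a title is common, while several function names built from two such words each is not.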
Cloudflare CDN Abuse Monitoring
Organizations should implement monitoring for unusual Cloudflare DNS patterns indicative of AiTM infrastructure. According to Sophos MDR analysis from December 2024, FlowerStorm's Cloudflare abuse creates distinctive DNS resolution and certificate characteristics. Security operations centers can monitor for rapid creation of multiple Cloudflare-hosted subdomains with sequential naming patterns, SSL certificate issuance for domains mimicking Microsoft services, and Cloudflare Workers deployment for redirect functionality. These patterns indicate potential phishing infrastructure regardless of the specific PhaaS platform involved.
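Two of the signals listed above, certificate issuance for domains that mimic Microsoft services and bursts of sequentially named hosts, can be checked over a feed of certificate-issuance records. The code below is an added example written for this page, not Sophos MDR tooling: the record format (hostname, issuance time), the allow-list of legitimate Microsoft apex domains, the brand keyword list, the burst thresholds and the sample records are all assumptions for illustration.

```python
"""Checks over certificate-issuance records for Microsoft lookalike hostnames
and bursts of sequentially numbered hosts. Added example; record format,
allow-list, keyword list and sample data are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apex domains treated as legitimately Microsoft-owned (assumed, incomplete allow-list).
LEGIT_APEX = {"microsoft.com", "microsoftonline.com", "office.com", "live.com", "office365.com"}
BRAND_RE = re.compile(r"microsoft|office ?365|o365|m365|outlook|onedrive|sharepoint", re.I)
# Leftmost label ending in digits, e.g. "auth2.secure-login.net" -> ("auth", "2", "secure-login.net")
SEQ_RE = re.compile(r"^([a-z][a-z-]*?)(\d{1,4})\.(.+)$")
BURST_WINDOW = timedelta(hours=1)  # assumed
BURST_MIN = 3                      # assumed


def apex_of(host):
    """Naive apex: last two labels. A public-suffix list is needed for co.uk etc."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_domains(records):
    """Hosts carrying a Microsoft brand keyword under an apex not in the allow-list."""
    return [host for host, _ in records
            if BRAND_RE.search(host) and apex_of(host) not in LEGIT_APEX]


def sequential_bursts(records):
    """Groups of >= BURST_MIN hosts that share a prefix and parent, differ only
    by a number, and had certificates issued within BURST_WINDOW."""
    groups = defaultdict(list)
    for host, issued_at in records:
        m = SEQ_RE.match(host.lower())
        if m:
            groups[(m.group(1), m.group(3))].append((int(m.group(2)), issued_at))
    bursts = []
    for (prefix, parent), items in groups.items():
        items.sort(key=lambda x: x[1])
        if len(items) >= BURST_MIN and items[-1][1] - items[0][1] <= BURST_WINDOW:
            bursts.append((f"{prefix}<N>.{parent}", sorted(n for n, _ in items)))
    return bursts


def _t(hour, minute):
    return datetime(2024, 12, 12, hour, minute)


# Constructed sample records (hostname, certificate issued_at); not real CT data.
SAMPLE_RECORDS = [
    ("login.microsoftonline.com", _t(9, 0)),      # legitimate, allow-listed apex
    ("microsoft-login.example.net", _t(9, 5)),     # brand keyword on a foreign apex
    ("auth1.secure-login.net", _t(9, 10)),
    ("auth2.secure-login.net", _t(9, 14)),
    ("auth3.secure-login.net", _t(9, 20)),         # three numbered hosts in 10 minutes
    ("shop7.example.org", _t(9, 30)),              # single numbered host: not a burst
    ("blog.example.org", _t(12, 0)),
]

if __name__ == "__main__":
    print("lookalikes:", lookalike_domains(SAMPLE_RECORDS))
    print("bursts:", sequential_bursts(SAMPLE_RECORDS))
```

In practice the records would come from a certificate transparency monitor or passive DNS feed; as the text notes, these patterns are platform-agnostic, so the same checks keep working after the next rebrand.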
Session Binding Implementation
Microsoft 365 administrators should implement session token binding that ties authentication sessions to originating device characteristics. According to Beyond Identity and Microsoft security guidance from 2024, session binding prevents replayed tokens from functioning when used from different devices or IP addresses. Organizations should configure Azure Active Directory conditional access policies to require device compliance status before granting access, enforce impossible travel detection that blocks authentication from geographically impossible locations within short time windows, and implement network location restrictions that allow Microsoft 365 access only from known corporate IP ranges or trusted VPN endpoints.
Anomalous Authentication Pattern Detection
Security operations centers should monitor Microsoft 365 authentication logs for patterns consistent with session token replay attacks. According to Darktrace analysis from 2024, FlowerStorm compromises often manifest as successful authentication from unexpected geographic locations shortly after legitimate user login, rapid sequential authentication attempts from different IP addresses using the same credentials, or authentication from IP addresses associated with VPN services or hosting providers rather than typical user networks. SIEM systems should correlate these patterns with phishing email delivery to identify potential compromise before significant damage occurs.
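The three patterns this paragraph lists (a successful sign-in from a location the user could not have reached in time, rapid IP changes on one account, and sign-ins from hosting or VPN infrastructure) can be expressed as a small rule set over sign-in events. The following is an added example written for this page, not Darktrace or Microsoft detection logic: the `SignIn` record shape, the `asn_kind` enrichment, the speed and time thresholds, and the sample events (documentation IP ranges, constructed coordinates) are assumptions.

```python
"""Session-token-replay indicators over sign-in events. Added example; the
record shape, enrichment fields, thresholds and sample events are assumed."""
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float
    asn_kind: str  # assumed enrichment: "corporate", "residential", "hosting" or "vpn"
    success: bool


MAX_PLAUSIBLE_KMH = 900.0            # faster than this between sign-ins is "impossible travel"
RAPID_WINDOW = timedelta(minutes=10)  # two IPs for one account inside this window is suspicious
INFRASTRUCTURE_KINDS = {"hosting", "vpn"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_token_replay(events):
    """Return (user, indicator, detail) tuples. Only successful sign-ins are
    examined: a replayed session token yields a successful sign-in with no new
    MFA prompt, so failed attempts are not the signal here."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        if ev.success:
            by_user[ev.user].append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for ev in evs:
            if ev.asn_kind in INFRASTRUCTURE_KINDS:
                alerts.append((user, "infrastructure_ip", f"{ev.ip} ({ev.asn_kind})"))
        for prev, cur in zip(evs, evs[1:]):
            if prev.ip == cur.ip:
                continue
            gap = cur.when - prev.when
            hours = gap.total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            speed = math.inf if hours <= 0 else dist / hours
            if dist > 50 and speed > MAX_PLAUSIBLE_KMH:
                alerts.append((user, "impossible_travel", f"{prev.ip}->{cur.ip} {dist:.0f} km in {gap}"))
            if gap <= RAPID_WINDOW:
                alerts.append((user, "rapid_ip_change", f"{prev.ip}->{cur.ip} within {gap}"))
    return alerts


def _t(hour, minute):
    return datetime(2024, 12, 12, hour, minute)


# Constructed sample events using documentation IP ranges; not real telemetry.
SAMPLE_EVENTS = [
    SignIn("alice", _t(9, 0), "198.51.100.10", 41.88, -87.63, "corporate", True),   # Chicago office
    SignIn("alice", _t(9, 7), "203.0.113.45", 50.11, 8.68, "hosting", True),         # Frankfurt hosting IP, 7 min later
    SignIn("bob", _t(9, 0), "198.51.100.20", 41.88, -87.63, "residential", True),
    SignIn("bob", _t(17, 30), "198.51.100.21", 41.88, -87.63, "residential", True),  # new home IP, same city, hours later
    SignIn("bob", _t(11, 0), "203.0.113.99", 52.37, 4.90, "hosting", False),         # failed attempt: ignored
]

if __name__ == "__main__":
    for alert in detect_token_replay(SAMPLE_EVENTS):
        print(alert)
```

Alice's second sign-in trips all three rules at once, which is the shape the text describes: a legitimate login followed minutes later by a successful session from a hosting provider on another continent. Bob's IP change is hours apart and geographically trivial, so it produces nothing, and his failed attempt from a hosting IP is deliberately excluded because the replay scenario produces successes, not failures.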
Passwordless Authentication Migration
The most effective defense against FlowerStorm and similar AiTM platforms is eliminating reliance on passwords and session token-based authentication. According to Beyond Identity and Microsoft security guidance, FIDO2 security keys provide cryptographic authentication that cannot be intercepted or replayed by AiTM proxies. Organizations should prioritize FIDO2 deployment for high-value accounts, administrative users, and users with access to sensitive data. Windows Hello for Business provides an alternative passwordless approach for Windows-based environments. These technologies eliminate the credential and session token theft vulnerability that FlowerStorm exploits.
FAQs
Is FlowerStorm the same as Rockstar 2FA?
The relationship remains uncertain with no definitive attribution, but substantial evidence suggests operational connection. According to Sophos MDR and Darktrace analysis published in December 2024, FlowerStorm emerged within one to two weeks of Rockstar 2FA's November 11, 2024 infrastructure collapse. The platforms share nearly identical technical infrastructure including Cloudflare abuse patterns, HTML template structure with botanical keywords, Telegram-based distribution mechanisms, and Microsoft 365 targeting focus. Multiple independent security researchers assessed that the timing, technical continuity, and similar feature sets indicate possible operator rebrand. However, no law enforcement attribution or direct evidence linking specific individuals to both platforms has been publicly disclosed. Organizations should treat FlowerStorm as operationally similar to Rockstar 2FA regardless of whether the same individuals control both platforms.
Why is it called FlowerStorm?
The name derives from systematic use of plant-related terminology in the HTML source code of phishing pages. According to Darktrace analysis from December 2024, FlowerStorm pages feature titles algorithmically generated using botanical words including "Flower," "Sprout," "Blossom," and "Leaf." JavaScript function names follow similar botanical naming conventions, creating distinctive code signatures despite randomization of specific combinations. This naming pattern appears to serve both evasion purposes, as each page presents slightly different HTML characteristics to complicate signature-based detection, and operational organization, allowing operators to track different campaign variants through consistent terminology themes. The "Storm" component likely references the threat actor's self-designation or represents marketing terminology common in PhaaS platform branding.
What percentage of phishing attacks use FlowerStorm?
As of December 2024 and into 2025, FlowerStorm represented an emerging but minority threat in the PhaaS ecosystem. According to Centripetal.ai analysis published in January 2025, Tycoon 2FA commanded 89% of PhaaS incidents, with EvilProxy holding 8% market share, leaving FlowerStorm and other emerging platforms to split the remaining 3%. By August 2025, updated Centripetal analysis showed Tycoon's share increasing to 95.59%, indicating further market consolidation. Barracuda Networks reporting from 2025 identified Mamba 2FA as responsible for close to 10 million attacks in late 2025, substantially exceeding FlowerStorm's documented activity. Exact FlowerStorm percentage figures were not published in available security research; the platform represents a growing threat, but one insufficient to challenge established market leaders.
How do I defend against FlowerStorm attacks?
Effective defense requires layered controls addressing multiple attack stages. According to Darktrace and Sophos MDR guidance from 2024, organizations should implement session token binding that ties authentication sessions to specific devices, preventing replayed tokens from functioning when used from different hardware. Impossible travel detection policies should block authentication from geographically impossible locations within short time windows. Organizations should deploy real-time anomaly detection that flags authentication from new devices or unusual IP addresses for additional verification. User education should emphasize that multi-factor authentication alone provides insufficient protection against session token theft. Email gateway protection with URL rewriting and real-time sandbox analysis blocks phishing URLs before delivery. For maximum protection, organizations should migrate to passwordless authentication using FIDO2 security keys, which provide cryptographic authentication immune to AiTM proxy attacks.
What are FlowerStorm's geographic and sector targets?
According to Darktrace analysis published in December 2024, 84% of FlowerStorm victims identified through honeypot monitoring were located in the United States, indicating strong geographic concentration. The sectoral distribution showed Services sector organizations representing 33% of victims, Manufacturing 21%, Retail 12%, and Financial Services 8%. This distribution reflects both deliberate attacker targeting and the composition of customers purchasing FlowerStorm access through Telegram channels. The concentration in Services and Manufacturing suggests opportunistic targeting of organizations with substantial Microsoft 365 deployments and user populations susceptible to phishing. The Financial Services percentage, while lower than traditional financial-focused PhaaS platforms, indicates that FlowerStorm customers include threat actors targeting high-value sectors alongside broader opportunistic campaigns.