Phishing Kits & PhaaS
What Is Rockstar 2FA?
Rockstar 2FA is an updated variant of the DadSec phishing kit, operating as a Phishing-as-a-Service (PhaaS) platform that employs adversary-in-the-middle (AiTM) attacks to intercept Microsoft 365 credentials and session tokens, effectively bypassing multi-factor authentication (MFA). First observed in August 2024, the platform was tracked by Microsoft as Storm-1575 and operated through subscription-based access distributed via Telegram, ICQ, and Mail.ru. Despite achieving significant market penetration within three months, Rockstar 2FA experienced complete infrastructure collapse on November 11, 2024, not from law enforcement action but from technical failure, with many users subsequently migrating to the FlowerStorm platform.
The service operated on a subscription model priced at $200 for two weeks or $350 per month, positioning itself as a mid-tier PhaaS offering accessible to moderately funded threat actors. During its brief operational window from August through November 2024, Rockstar 2FA represented a major portion of the AiTM PhaaS market before its technical infrastructure failure eliminated it from the competitive landscape.
How Does Rockstar 2FA Work?
Rockstar 2FA functions as an adversary-in-the-middle proxy that positions itself between victims and legitimate Microsoft 365 authentication servers. When victims attempt to log in through what appears to be a standard Microsoft login page, the phishing infrastructure intercepts not only the username and password but also the session tokens and MFA cookies generated after successful authentication. This capability distinguishes Rockstar 2FA from traditional phishing pages that merely capture credentials.
The attack begins when victims receive phishing emails containing links to Rockstar 2FA-controlled domains. These domains host convincing replica login pages mimicking Microsoft 365, OneDrive, and Outlook interfaces. The HTML pages incorporate random text in comments and Cloudflare "turnstile" CAPTCHA mechanisms to evade automated security analysis. When victims enter their credentials, the AiTM proxy captures the authentication data while simultaneously relaying the login request to Microsoft's legitimate servers.
The technical implementation relies on Socket.IO library functionality to establish bidirectional WebSocket connections between the victim's browser and relay servers controlled by Rockstar 2FA operators. This architecture enables real-time interception of the complete authentication flow. After victims complete MFA challenges, believing they are authenticating to Microsoft directly, the proxy captures the session tokens issued by Microsoft servers. These tokens represent proof of successful authentication and can be replayed by attackers to access victim accounts without triggering new MFA prompts.
According to Sophos MDR analysis published in December 2024, Rockstar 2FA relied heavily on Cloudflare's content delivery network to mask its hosting infrastructure. This dependency on Cloudflare services would later contribute to the platform's catastrophic failure in November 2024.
The subscription model distributed phishing capabilities through Telegram, ICQ, and Mail.ru channels. Customers who purchased access received customizable phishing page templates, Telegram bot integration for real-time credential delivery, and advertised features including "fully undetectable" links, antibot protection mechanisms, and automated 2FA cookie harvesting. The platform marketed itself as providing comprehensive MFA bypass capabilities, a claim substantiated by security researchers who documented successful session token theft in controlled honeypot environments.
How Does Rockstar 2FA Differ From Other Phishing Platforms?
| Factor | Rockstar 2FA | DadSec (predecessor) | Tycoon 2FA | EvilProxy |
|---|---|---|---|---|
| Distribution | Telegram, ICQ, Mail.ru | Informal channels | Telegram bot | Telegram |
| AiTM capable | Yes | Limited data | Yes | Yes |
| Target platforms | Microsoft 365 primarily | Microsoft 365 | Microsoft 365 + Google | Multiple platforms |
| Pricing model | $200-350/month | $150-300/month (estimated) | $250/month | $300+/month |
| Active timeline | Aug 2024 - Nov 2024 | 2023-2024 | 2024-2025 (ongoing) | 2023-2025 (ongoing) |
| Infrastructure status | Collapsed Nov 2024 | Superseded by Rockstar | Active | Active |
| Session token theft | Yes | Not confirmed | Yes | Yes |
| Ideal for | Mid-tier threat actors | Budget operators | High-volume campaigns | Multi-platform targeting |
The comparison reveals Rockstar 2FA as a mid-market offering that emerged from the earlier DadSec platform. According to LevelBlue/Spiderlabs analysis from 2024, Rockstar 2FA represented an updated and rebranded version of DadSec, with Microsoft tracking both operations under the threat actor designation Storm-1575. The evolution from DadSec to Rockstar 2FA included enhanced features and more aggressive marketing through multiple communication channels.
Rockstar 2FA's pricing positioned it between budget offerings and premium services like EvilProxy, which commanded $300 or more per month. The $200 two-week option provided a low-commitment entry point for threat actors testing PhaaS capabilities. Compared to Tycoon 2FA, which dominated the market with 89% share by early 2025 according to Centripetal.ai analysis, Rockstar 2FA focused exclusively on Microsoft 365 targets rather than diversifying across multiple platforms.
The most significant differentiator was Rockstar 2FA's brief operational lifespan. Unlike established competitors that maintained stable infrastructure for months or years, Rockstar 2FA operated for only three months before experiencing catastrophic failure. This infrastructure fragility, discussed in detail below, distinguished it from more resilient platforms that implemented redundant hosting and failover mechanisms.
Why Does Rockstar 2FA Matter?
Rockstar 2FA represents a significant case study in the PhaaS ecosystem for three primary reasons: its rapid market penetration, its technical infrastructure collapse, and the subsequent user migration patterns that revealed operational relationships between competing PhaaS platforms.
First, the platform demonstrated how quickly new PhaaS offerings can achieve significant market share in the cybercrime economy. Sophos MDR detected a significant surge in Rockstar 2FA campaigns starting in August 2024, indicating rapid adoption by threat actors. Within three months, the platform had established sufficient market presence that its November 2024 collapse created a noticeable void in the PhaaS landscape. This rapid adoption pattern illustrates the low barriers to entry in the PhaaS market and the willingness of threat actors to switch platforms in pursuit of improved capabilities or pricing.
Second, Rockstar 2FA's infrastructure collapse on November 11, 2024, provides critical insights into the operational vulnerabilities of PhaaS platforms. According to Sophos MDR reporting published December 19, 2024, the failure manifested as Cloudflare HTTP 522 errors, indicating disconnection between Cloudflare's CDN and backend servers. Associated Telegram command-and-control channels went offline simultaneously. Critically, this disruption was not attributed to law enforcement action but rather to internal infrastructure failure. The technical specifics of the failure remain undocumented in public reporting, but the consequence was total service unavailability.
This collapse demonstrates that PhaaS platforms face technical risks independent of law enforcement pressure. Organizations defending against phishing attacks cannot rely solely on law enforcement disruption of PhaaS infrastructure; the market demonstrates resilience through rapid replacement of failed platforms by competitors or successors.
Third, the migration pattern following Rockstar 2FA's collapse reveals relationships between PhaaS operators and platforms. Within one to two weeks of the November 11 failure, Sophos MDR and Darktrace researchers documented a sharp spike in FlowerStorm activity. Analysis of FlowerStorm phishing pages revealed nearly identical templates, Cloudflare abuse tactics, Telegram distribution models, and HTML comment structures compared to Rockstar 2FA. Multiple security researchers independently assessed that FlowerStorm likely represents a rebrand or relaunch by Rockstar 2FA operators rather than an unrelated competitor capturing displaced customers.
This successor relationship matters because it demonstrates that PhaaS disruption, whether through law enforcement action or technical failure, often results in rebranding rather than permanent elimination. The same threat actors and infrastructure knowledge persist under new names, requiring defenders to track threat actor behaviors and techniques rather than relying on static indicators like platform names.
What Are the Limitations of Rockstar 2FA?
Infrastructure Fragility
Rockstar 2FA's complete service collapse on November 11, 2024, exposed fundamental infrastructure weaknesses. The failure manifested as Cloudflare HTTP 522 errors across all customer campaigns simultaneously, indicating dependence on centralized backend infrastructure without adequate redundancy or failover mechanisms. According to Sophos MDR analysis published December 19, 2024, this was not a gradual degradation but a sudden, complete failure affecting the entire platform. Customers who had invested in Rockstar 2FA subscriptions lost access to active campaigns and to harvested credentials stored on the failed infrastructure. This demonstrates that PhaaS platforms, despite marketing claims of reliability, can experience catastrophic failure that affects all customers simultaneously.
Limited Target Scope
Rockstar 2FA focused primarily on Microsoft 365 authentication flows, lacking the multi-platform capabilities offered by competitors. While Microsoft 365 represents a high-value target environment, this specialization limited Rockstar 2FA's applicability to threat actors conducting campaigns against Google Workspace, social media platforms, or other authentication systems. Competitors like EvilProxy offered templates for multiple platforms, providing customers with greater flexibility. This limitation likely constrained Rockstar 2FA's market share compared to more versatile competitors.
Detection Signature Exposure
The rapid documentation of Rockstar 2FA infrastructure and tactics by security vendors accelerated its obsolescence. Once researchers at Sophos, Darktrace, Cofense, and other organizations published detailed analyses of Rockstar 2FA's HTML patterns, Cloudflare usage, and domain characteristics, security products could implement specific detection rules. According to Beyond Identity analysis from 2024, email gateways and browser protection systems quickly identified and blocked Rockstar 2FA phishing pages once infrastructure details became public. This detection erosion reduced the platform's effectiveness even before the November infrastructure collapse.
Telegram Dependency
Rockstar 2FA relied on Telegram channels for customer distribution, support, and command-and-control communications. This centralization created a single point of failure vulnerable to Telegram's abuse reporting mechanisms. If Telegram suspended the operator's accounts, the entire customer communication and support infrastructure would fail. While Telegram has historically demonstrated limited cooperation with law enforcement requests, the platform does respond to abuse reports that violate terms of service. This dependency on a single communication platform introduced operational risk that more sophisticated PhaaS operations mitigate through distributed communication channels or proprietary infrastructure.
Brief Operational Window
Rockstar 2FA operated for approximately three months from August through November 2024 before infrastructure collapse. This short lifespan limited the platform's ability to build reputation, accumulate customers, and refine capabilities. According to LevelBlue/Spiderlabs analysis from 2024, the brief window also meant customers who purchased monthly subscriptions ($350) received limited value before service termination. This operational instability likely damaged the Rockstar 2FA brand among potential customers, contributing to skepticism about new PhaaS entrants claiming superior reliability.
How Can Organizations Defend Against Rockstar 2FA?
DNS Reputation Filtering
Organizations should implement DNS-based blocking of known Rockstar 2FA infrastructure domains. Security research from Darktrace and Sophos published in 2024 documented specific domain patterns and hosting characteristics associated with Rockstar 2FA campaigns. DNS reputation services that incorporate these indicators can prevent user browsers from resolving phishing domains before page content loads. This defense remains effective even against infrastructure changes, as threat intelligence providers continuously update blocklists based on honeypot observations and incident reports.
Email Gateway Rules
Email security gateways should implement rules that flag or quarantine messages containing Rockstar 2FA phishing page URLs or domain characteristics. According to Cofense analysis from 2024, Rockstar 2FA campaigns typically delivered phishing links through email with urgent subject lines related to document sharing, password expiration, or security alerts. Email gateways that perform real-time URL analysis and sandbox detonation can identify Rockstar 2FA pages by their distinctive HTML structure, Cloudflare turnstile implementation, and Socket.IO library usage. Organizations should configure email systems to rewrite external URLs through secure gateway proxies that provide an additional inspection layer.
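As an added example (not code from this page or from any vendor named above), the following Python scorer applies the page-level indicators described for Rockstar 2FA phishing pages to fetched HTML: Microsoft sign-in wording served from a host Microsoft does not use, a Cloudflare Turnstile widget, a Socket.IO client script, and long filler comments. The sample pages and hostnames are constructed placeholders, and the filler-comment length threshold is a heuristic assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from which Microsoft 365 sign-in pages are legitimately served.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}


class _Collector(HTMLParser):
    """Gather script sources, Turnstile markers, comments and visible text."""

    def __init__(self):
        super().__init__()
        self.scripts, self.comments, self.text, self.turnstile_div = [], [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"].lower())
        if "cf-turnstile" in (a.get("class") or ""):
            self.turnstile_div = True

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_data(self, data):
        self.text.append(data)


def score_page(url, html):
    """Return the indicators found and whether the page should be held for review."""
    c = _Collector()
    c.feed(html)
    host = urlparse(url).hostname or ""
    body = " ".join(c.text).lower()
    hits = {
        # Microsoft-branded sign-in wording on a host Microsoft does not serve logins from
        "brand_on_foreign_host": ("microsoft" in body or "office 365" in body)
        and host not in MICROSOFT_LOGIN_HOSTS,
        "cloudflare_turnstile": c.turnstile_div
        or any("challenges.cloudflare.com/turnstile" in s for s in c.scripts),
        "socket_io_client": any("socket.io" in s for s in c.scripts),
        # Heuristic (assumption): long prose comments are filler meant to perturb scanners
        "filler_comments": any(len(x) >= 60 and len(x.split()) >= 8 for x in c.comments),
    }
    score = sum(hits.values())
    return {"indicators": hits, "score": score, "quarantine": score >= 3}


# Constructed sample pages for demonstration; not real captures.
SAMPLE_URL = "https://docs-share-review.example/login"  # placeholder phishing host
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<!-- quartz lantern meadow sparrow tundra velvet oboe cobalt juniper marble ember -->
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<script src="/static/socket.io.min.js"></script>
</head><body>
<h1>Sign in to your Microsoft account</h1>
<div class="cf-turnstile" data-sitekey="PLACEHOLDER"></div>
<form><input name="loginfmt"><button>Next</button></form>
</body></html>"""
BENIGN_URL = "https://intranet.example/"
BENIGN_HTML = "<html><!-- nav --><body><h1>Intranet home</h1></body></html>"

if __name__ == "__main__":
    print(score_page(SAMPLE_URL, SAMPLE_HTML))
    print(score_page(BENIGN_URL, BENIGN_HTML))
```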
Conditional Access Policies
Microsoft 365 administrators should implement conditional access policies that require risk-based authentication for unusual access patterns. Rockstar 2FA's session token replay attacks often manifest as authentication from unexpected IP addresses or geographic locations. According to Microsoft Security Best Practices guidance, conditional access rules can require step-up authentication when detecting impossible travel scenarios (user authenticates from New York, then California five minutes later), new device types, or locations outside the organization's normal operational geography. These policies add friction that disrupts automated token replay even when attackers possess valid session tokens.
Legacy Authentication Blocking
Organizations should disable legacy authentication protocols in Microsoft 365 environments. According to Darktrace analysis from 2024, Rockstar 2FA's replay attacks sometimes exploited legacy protocols that do not support modern authentication requirements. By enforcing modern authentication exclusively, administrators eliminate an attack vector that session token replay may exploit. Microsoft provides specific guidance for disabling legacy authentication through Azure Active Directory settings and Exchange Online PowerShell commands.
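As an added example serving both the conditional access and the legacy authentication points above (not code from this page or from Microsoft), the following Python analyzer runs over constructed sign-in records modelled on Microsoft 365 sign-in log fields and raises two kinds of alert: impossible travel between consecutive sign-ins of one user (the New York to California in five minutes case) and sign-ins through legacy protocol clients. The records, addresses, coordinates and the plausible-speed threshold are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records; coordinates are embedded so the example runs offline
# without a GeoIP lookup.
SIGNINS = [
    {"user": "a.user@example.com", "time": "2024-11-04T14:00:00Z", "ip": "203.0.113.10",
     "lat": 40.71, "lon": -74.01, "client": "Browser"},                 # New York
    {"user": "a.user@example.com", "time": "2024-11-04T14:05:00Z", "ip": "198.51.100.7",
     "lat": 34.05, "lon": -118.24, "client": "Browser"},                # California, 5 min later
    {"user": "b.user@example.com", "time": "2024-11-04T15:00:00Z", "ip": "192.0.2.44",
     "lat": 51.51, "lon": -0.13, "client": "IMAP4"},                    # legacy protocol client
]

# Client-app values that indicate legacy (basic) authentication rather than modern auth.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: above any airline itinerary once airport time is included


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def analyze(records):
    """Return alerts for legacy-protocol sign-ins and for impossible travel between
    consecutive sign-ins of the same user (records are processed in time order)."""
    alerts, last = [], {}
    for r in sorted(records, key=lambda x: x["time"]):
        if r["client"] in LEGACY_CLIENTS:
            alerts.append({"kind": "legacy_protocol", "user": r["user"],
                           "client": r["client"], "ip": r["ip"]})
        prev = last.get(r["user"])
        if prev is not None:
            km = km_between(prev["lat"], prev["lon"], r["lat"], r["lon"])
            # floor the gap at one second so two sign-ins in the same second are not divided by zero
            hours = max((_parse(r["time"]) - _parse(prev["time"])).total_seconds(), 1) / 3600
            if km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append({"kind": "impossible_travel", "user": r["user"],
                               "from_ip": prev["ip"], "to_ip": r["ip"],
                               "km": round(km), "kmh": round(km / hours)})
        last[r["user"]] = r
    return alerts


if __name__ == "__main__":
    for alert in analyze(SIGNINS):
        print(alert)
```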
Session Timeout Policies
Implementing aggressive session timeout policies limits the window during which stolen session tokens remain valid. According to Beyond Identity analysis from 2024, organizations should configure Microsoft 365 session timeouts of five to ten minutes for sensitive operations and one hour for general access. While this introduces user friction through more frequent re-authentication prompts, it substantially reduces the value of stolen session tokens. Attackers must use replayed tokens within the session validity window, and shorter windows reduce the probability of successful exploitation.
Passwordless Authentication
The most effective defense against Rockstar 2FA and similar AiTM platforms is eliminating reliance on passwords and traditional MFA codes. Passwordless authentication using FIDO2 security keys or Windows Hello for Business provides cryptographic proof of user identity that cannot be intercepted by AiTM proxies. According to Beyond Identity and Microsoft security guidance, FIDO2 keys use public-key cryptography where the private key never leaves the physical device. Even if an attacker proxies the authentication flow, they cannot extract or replay the cryptographic signature. Organizations should prioritize passwordless authentication deployment for high-value accounts and sensitive applications.
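As an added example (not code from this page, from Microsoft or from any FIDO vendor), the following Python model shows why an AiTM relay cannot reuse a FIDO2/WebAuthn assertion: the browser writes the origin it is really on into clientDataJSON and refuses credentials scoped to a relying party the page's host may not claim, and the relying party rejects any origin other than its own before checking a signature that also covers clientDataJSON. The relying party identifiers and phishing host are placeholders, and a keyed hash stands in for the device's ECDSA signature (an assumption of the model; the binding checks are the same).

```python
import base64, hashlib, hmac, json, os

RP_ID = "login.example"                               # placeholder relying party (assumption)
RP_ORIGIN = "https://login.example"
PHISH_ORIGIN = "https://login-example-docs.example"   # constructed AiTM host (placeholder)

def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class Authenticator:
    """Model of a FIDO2 device: its key never leaves the object. A keyed hash stands in
    for the device's ECDSA signature here (assumption); the binding logic is unchanged."""
    def __init__(self):
        self._key, self.counter = os.urandom(32), 0

    def registration_record(self):
        # Real FIDO2 gives the relying party a public key; this model gives it a verifier.
        key = self._key
        return lambda data, sig: hmac.compare_digest(hmac.new(key, data, "sha256").digest(), sig)

    def get_assertion(self, rp_id, client_data_json):
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + self.counter.to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, client_data_json, hmac.new(self._key, signed, "sha256").digest()

def browser_get_assertion(device, page_origin, rp_id, challenge):
    """The browser records the origin it is actually on and refuses to use a credential
    whose rp_id the page's host may not claim."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("origin may not use credentials scoped to " + rp_id)
    cdj = {"type": "webauthn.get", "challenge": b64(challenge), "origin": page_origin}
    return device.get_assertion(rp_id, json.dumps(cdj).encode())

def rp_verify(verifier, issued_challenge, auth_data, client_data_json, sig):
    """Relying-party checks, in the order WebAuthn lists them (abridged)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64(issued_challenge):
        return "bad challenge"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"        # an assertion relayed from a phishing host fails here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rp id mismatch"
    if not verifier(auth_data + hashlib.sha256(client_data_json).digest(), sig):
        return "bad signature"          # clientDataJSON cannot be edited after signing
    return "ok"

def demo():
    device, out = Authenticator(), {}
    verifier = device.registration_record()
    ch = os.urandom(32)
    out["legitimate"] = rp_verify(verifier, ch, *browser_get_assertion(device, RP_ORIGIN, RP_ID, ch))
    ch = os.urandom(32)                 # the real site's challenge, relayed by the proxy
    try:
        browser_get_assertion(device, PHISH_ORIGIN, RP_ID, ch)
        out["relayed"] = "assertion produced"
    except ValueError:
        out["relayed"] = "browser refused"
    # Even an assertion that did carry the phishing origin cannot be rewritten afterwards:
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64(ch), "origin": PHISH_ORIGIN}).encode()
    auth_data, cdj, sig = device.get_assertion(RP_ID, cdj)
    out["tampered"] = rp_verify(verifier, ch, auth_data, cdj.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode()), sig)
    return out
```

Calling `demo()` returns `{"legitimate": "ok", "relayed": "browser refused", "tampered": "bad signature"}`, which is the property the paragraph above describes: the proxy can observe the exchange but cannot produce an assertion the real site accepts.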
FAQs
How is Rockstar 2FA different from a standard phishing page?
Rockstar 2FA operates as an adversary-in-the-middle proxy rather than a simple credential capture page. Standard phishing pages display fake login forms that record username and password when submitted, then either display an error message or redirect to a legitimate site. Rockstar 2FA intercepts the entire authentication flow, capturing not just credentials but also the session tokens and MFA cookies issued by Microsoft after successful authentication. This session token capture enables account access without requiring the attacker to solve MFA challenges. According to Sophos MDR and Cofense analysis from 2024, this AiTM capability represents the critical differentiator between Rockstar 2FA and traditional credential-harvesting phishing pages.
Did Rockstar 2FA operators get arrested?
No. The November 2024 service outage resulted from technical infrastructure failure rather than law enforcement action. According to Sophos MDR analysis published December 19, 2024, the collapse manifested as Cloudflare HTTP 522 errors indicating backend server disconnection, with no public reporting of arrests or law enforcement operations. The operators appear to have responded by launching FlowerStorm, a successor platform with nearly identical functionality and infrastructure characteristics. This pattern of rebranding after infrastructure failure or detection is common in the PhaaS ecosystem, allowing operators to continue operations under new identities while evading reputation damage associated with failed platforms.
Is Rockstar 2FA still active?
As of December 2024, Rockstar 2FA infrastructure remained offline following the November 11, 2024 collapse. Sophos MDR reported that Rockstar 2FA detections "went quiet" on their sensor networks, with no new campaigns observed after the infrastructure failure. Security researchers assessing the PhaaS market in early 2025 did not identify Rockstar 2FA among active platforms. The user base appears to have migrated primarily to FlowerStorm, which many researchers assess as a probable operator rebrand. Organizations should remain vigilant for potential Rockstar 2FA reemergence under the same or different branding, as PhaaS operators frequently cycle through multiple identities.
What is the connection between Rockstar 2FA and DadSec?
Rockstar 2FA represents an updated and rebranded version of the DadSec phishing kit. According to LevelBlue/Spiderlabs analysis from 2024, Microsoft tracks both operations under the unified threat actor designation Storm-1575, indicating assessment that the same operator or group controls both platforms. The evolution from DadSec to Rockstar 2FA included enhanced MFA bypass capabilities, more aggressive marketing through Telegram and ICQ channels, and updated pricing structures. This rebranding pattern is common among PhaaS operators seeking to distance new offerings from detection signatures or reputation problems associated with predecessor platforms while maintaining core technical capabilities and infrastructure knowledge.
How much does Rockstar 2FA cost to rent?
Rockstar 2FA operated on a subscription model with two pricing tiers: $200 for two-week access or $350 for monthly subscriptions. According to Sophos MDR and The Hacker News reporting from November 2024, this pricing positioned Rockstar 2FA as a mid-tier offering compared to budget platforms charging $150 monthly and premium services like EvilProxy commanding $300 or more per month. The two-week option provided a lower-commitment entry point for threat actors testing PhaaS capabilities before committing to full monthly subscriptions. This pricing made Rockstar 2FA accessible to moderately funded threat actors while generating recurring revenue for operators through the subscription model.