FlowerStorm: The New Phishing-as-a-Service Platform Filling the Void
New platforms that package attack tooling for hire appear constantly, and one recent example is "FlowerStorm," a phishing-as-a-service (PhaaS) platform that rose to prominence after the disruption of its predecessor, Rockstar2FA, whose toolkit it closely resembles.
The Fall of Rockstar2FA
Rockstar2FA was a significant player in the PhaaS ecosystem, enabling cybercriminals to conduct large-scale adversary-in-the-middle (AiTM) attacks against Microsoft 365 accounts. In an AiTM attack the phishing page proxies the real sign-in flow, so the victim's password, their MFA code and the session cookie issued after a successful login are all relayed through the attacker's infrastructure; this is why the technique defeats most one-time-code and push-based MFA. In November 2024 the platform suffered a partial infrastructure collapse that left many of its pages unreachable. There was no indication of a law enforcement takedown; the outage appears to have been a technical failure.
The Rise of FlowerStorm
FlowerStorm had been online since at least June 2024, but it was after Rockstar2FA's decline that its activity grew and it began to fill the void, offering the cybercriminal community services much like those of its predecessor. The name comes from the plant-related words used in the HTML page titles of its phishing pages, such as "Flower," "Sprout," "Blossom," and "Leaf."
Similarities Between Rockstar2FA and FlowerStorm
Analyses have revealed several similarities between Rockstar2FA and FlowerStorm, suggesting a possible shared ancestry or operational overlap:
- Both platforms use phishing portals that mimic legitimate login pages (e.g., Microsoft) to harvest credentials, MFA codes and the resulting session cookies.
- The HTML of their phishing pages is structured very similarly, including random text placed in HTML comments and Cloudflare Turnstile bot-detection widgets, which keep automated scanners and sandboxes from reaching the credential form.
- Their credential harvesting methods align closely, using fields such as email, password, and session tracking tokens.
- Both platforms rely heavily on .ru and .com domains for their phishing portals and place those domains behind Cloudflare services.
- Their operational activity rose and fell in step through late 2024, which is consistent with shared infrastructure or operators, though it does not prove it.
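The indicators in the list above (plant-word titles, a Turnstile widget, random text in HTML comments, email/password fields plus a hidden session token) can be turned into a simple page scorer for triaging suspected phishing HTML. The following is an added example written for this article; it is not Sophos code and contains nothing taken from the FlowerStorm or Rockstar2FA kits. The weights, the flag threshold, the regex used as a proxy for "random text in comments", and the three sample pages are all assumptions made for the example.

```python
"""Heuristic scoring of FlowerStorm-style phishing page HTML (added example)."""
import re
from html.parser import HTMLParser

PLANT_WORDS = {"flower", "sprout", "blossom", "leaf"}   # titles reported for FlowerStorm pages
EMAIL_NAMES = {"email", "username", "login", "user"}
PASSWORD_NAMES = {"password", "pass", "passwd"}
TURNSTILE_MARKERS = ("challenges.cloudflare.com/turnstile", "cf-turnstile")
# A long alphanumeric run mixing letters and digits inside an HTML comment.
# Assumed proxy for the "random text in comments" pattern; tune on real samples.
RANDOM_RUN = re.compile(r"[A-Za-z0-9]{16,}")
FLAG_THRESHOLD = 5  # assumed: a combination of signals, never a title or widget alone


class _Features(HTMLParser):
    """Collects the handful of page features the heuristics look at."""

    def __init__(self):
        super().__init__()
        self.title_words = set()
        self._in_title = False
        self.comments = []
        self.inputs = []          # (type, name) tuples for every <input>
        self.turnstile = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "input":
            self.inputs.append((a.get("type", "text").lower(),
                                a.get("name", a.get("id", "")).lower()))
        elif tag == "script" and any(m in a.get("src", "") for m in TURNSTILE_MARKERS):
            self.turnstile = True
        elif tag == "div" and "cf-turnstile" in a.get("class", "").split():
            self.turnstile = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_words |= set(re.findall(r"[a-z]+", data.lower()))

    def handle_comment(self, data):
        self.comments.append(data)


def _looks_random(comment):
    return any(any(c.isdigit() for c in run) and any(c.isalpha() for c in run)
               for run in RANDOM_RUN.findall(comment))


def score_page(html):
    """Return the matched signals, their total score and whether the page is flagged."""
    f = _Features()
    f.feed(html)
    f.close()
    types = {t for t, _ in f.inputs}
    names = {n for _, n in f.inputs}
    has_email = "email" in types or bool(names & EMAIL_NAMES)
    has_password = "password" in types or bool(names & PASSWORD_NAMES)
    hidden_token = any(t == "hidden" and ("token" in n or "sess" in n) for t, n in f.inputs)
    signals = {                      # weight, hit
        "plant_title": (3, bool(f.title_words & PLANT_WORDS)),
        "turnstile": (1, f.turnstile),
        "credential_form": (2, has_email and has_password),
        "random_comment": (2, any(_looks_random(c) for c in f.comments)),
        "hidden_session_token": (1, hidden_token),
    }
    matched = [name for name, (_, hit) in signals.items() if hit]
    score = sum(w for w, hit in signals.values() if hit)
    return {"signals": matched, "score": score, "flagged": score >= FLAG_THRESHOLD}


# Constructed sample pages (not captured from any real campaign).
PHISH_SAMPLE = """<html><head><title>Blossom</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body>
<!-- x9Qk3vL0pTz7Wq2rBnM5sd8 -->
<form method="post" action="submit.php">
<input type="email" name="email">
<input type="password" name="password">
<input type="hidden" name="session_token" value="c0ffee">
<div class="cf-turnstile" data-sitekey="0x0000"></div>
<button type="submit">Sign in</button>
</form></body></html>"""

BENIGN_LOGIN = """<html><head><title>Contoso Intranet - Sign in</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><!-- login form -->
<form method="post" action="/login">
<input type="text" name="username"><input type="password" name="password">
<button type="submit">Sign in</button></form></body></html>"""

GARDEN_SITE = """<html><head><title>Leaf and Blossom Nursery</title></head>
<body><!-- hero banner --><p>Opening hours: 9 to 5</p></body></html>"""

if __name__ == "__main__":
    for label, page in [("phish", PHISH_SAMPLE), ("benign", BENIGN_LOGIN), ("garden", GARDEN_SITE)]:
        print(label, score_page(page))
```

Only the combination of signals flags a page: a legitimate intranet login behind Turnstile scores on the widget and the credential form but stays below the threshold, and a gardening site with a plant word in its title scores on the title alone. Feeding the scorer real samples rather than these constructed pages is what would let the weights and the comment heuristic be tuned.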
Implications for Cybersecurity
The emergence of FlowerStorm shows how quickly cybercriminals adapt when a service is disrupted. For users and organizations it means a renewed supply of AiTM phishing kits whose captured session cookies let attackers sign in as the victim even when MFA is enabled. Sophos telemetry indicates that approximately 63% of the organizations and 84% of the users targeted by FlowerStorm are based in the United States, with the services, manufacturing, retail, and financial services sectors most affected.
Conclusion
The rise of platforms like FlowerStorm highlights the need for defenses that hold up against AiTM phishing specifically: phishing-resistant MFA such as FIDO2 security keys or passkeys, whose credentials are bound to the genuine sign-in origin and cannot be relayed through a proxy page; conditional access policies and session-token protections that limit what a stolen cookie is worth; and monitoring for sign-ins from unfamiliar proxies followed by prompt session revocation. Organizations must keep their detection and response processes ready for the next kit that fills the gap left by the last one.