NovaCookies Phishing Service Emerges as Sneaky2FA Successor
Phishing services are rapidly evolving into sophisticated, turn-key platforms engineered for widespread exploitation. Recently, the novel NovaCookies toolkit enabled attackers to compromise over one hundred cloud accounts. This devastating breach afflicted a single healthcare organization in a solitary day. Crucially, researchers at Proofpoint have linked NovaCookies to the infamous Sneaky2FA cluster. They identify this malware as an advanced iteration of the legacy tool.
Historical Trajectory and Operational Patterns
The operational cadence of Sneaky2FA exhibited periodic surges until February 2026. At that precise juncture, Proofpoint first detected the emergence of NovaCookies. Subsequently, from March through May, threat actors deployed this refined variant with significantly heightened frequency. However, a noticeable deceleration occurred in June, as the volume of documented incursions began to recede.
According to the latest threat insights from Proofpoint, this utility utilizes an adversarial technique to harvest credentials seamlessly.
Advanced Adversarial Mechanics
Fundamentally, NovaCookies intercepts sensitive data via an adversary-in-the-middle (AitM) architecture. The fraudulent interface harvesting these credentials seamlessly relays the data to the legitimate service. This includes inputted usernames, passwords, and session tokens. Consequently, this unauthorized acquisition grants attackers the ability to bypass robust multi-factor authentication protocols entirely.
While the ancestral Sneaky2FA framework predominantly targeted Microsoft environments, NovaCookies introduces specialized subroutines. Specifically, it features tailored configurations designed to exploit Okta platforms and GoDaddy-linked Entra domains.
The Phishing-as-a-Service Business Model
Furthermore, the developers distribute NovaCookies under a fully managed Phishing-as-a-Service (PaaS) business model. Subscribing clients pay a recurring premium to gain access to the malicious platform. Meanwhile, the core operator centrally maintains the underlying command servers and supporting infrastructure. Therefore, this streamlined division of labor alleviates the technical burden for affiliates. It allows them to execute campaigns without deploying complex backend architectures.
Infrastructure Shifts and Targeted Sectors
In April, vigilant monitors observed a conspicuous migration across internet service providers facilitating the malicious traffic. This behavioral pattern strongly correlates with server rehoming or proxy rotation designed to evade administrative detection mechanisms.
Regrettably, healthcare institutions remain highly preferred targets. This vulnerability was evidenced by the swift compromise of over one hundred credentials within a single corporate environment. Ultimately, defenders continue to monitor the ongoing evolution of both Sneaky2FA and NovaCookies closely. To mitigate these evolving threats, organizations should urgently deploy specialized defensive tools. These solutions effectively identify and obstruct cloud account takeover attempts.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.