The phishing platform “Whisper 2FA” has rapidly become one of the most active tools used in large-scale credential theft campaigns, according to new research from Barracuda.
Since July 2025, the platform has been responsible for nearly one million phishing attacks targeting accounts across multiple industries, placing it just behind Tycoon and EvilProxy in the global phishing-as-a-service (PhaaS) landscape.
What makes Whisper 2FA stand out is its use of AJAX, a web technology that allows real-time communication between browser and server without page reloads. This enables the phishing kit to repeatedly capture credentials and multi-factor authentication (MFA) codes until it obtains a valid token.
Unlike typical phishing kits that stop after stealing a password, Whisper 2FA continuously loops through attempts, effectively bypassing MFA protections.
Attackers have been using a range of lures to deliver Whisper 2FA, mimicking brands such as DocuSign, Adobe and Microsoft 365. These phishing emails often use urgent pretexts, such as invoices or voicemail notifications, to prompt users to log in and unknowingly submit their details to attackers.
Rapid Evolution and Obfuscation Techniques
Barracuda’s analysis shows the kit is evolving at remarkable speed. Early variants featured visible code comments and light obfuscation.
“The Whisper 2FA phishing kit is evolving rapidly in both technical complexity and anti-detection strategies,” the firm warned.
Current versions remove readable text, add dense Base64 and XOR encoding layers, and include multiple anti-debugging features that disable shortcuts like Ctrl+Shift+I or right-click functions.
The latest variants also employ an “infinite debugger loop,” freezing browsers if developers attempt to inspect the phishing page.
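As an added defender-side illustration (not Barracuda's research code and not anything from the kit), the following Python heuristic scores a page's inline JavaScript for co-occurring anti-analysis traits of the kind described above: debugger loops, DevTools shortcut and right-click suppression, and Base64/XOR decoding layers. The regex patterns, weights and the two sample scripts are constructed assumptions for the demonstration, not signatures for Whisper 2FA.

```python
import re

# Indicator name -> (regex, weight). Patterns are assumptions about how the traits
# above commonly appear in page scripts; weights are an assumed triage scale.
INDICATORS = {
    # timer or busy loop that repeatedly hits a `debugger` statement
    "debugger_loop": (re.compile(
        r"(?:setInterval|setTimeout|while\s*\(\s*(?:true|1)\s*\))[\s\S]{0,200}?\bdebugger\b"), 3),
    # key handler that swallows F12 / Ctrl+Shift+I style shortcuts
    "devtools_shortcut_block": (re.compile(
        r"keyCode\s*===?\s*123|\.key\s*===?\s*['\"]F12['\"]|ctrlKey[\s\S]{0,120}?shiftKey"), 2),
    # right-click (context menu) suppression
    "contextmenu_block": (re.compile(
        r"['\"]contextmenu['\"][\s\S]{0,160}?preventDefault|oncontextmenu\s*="), 2),
    # long Base64-looking literal decoded at runtime
    "base64_decode_blob": (re.compile(r"atob\s*\(\s*['\"][A-Za-z0-9+/]{64,}={0,2}['\"]"), 2),
    # XOR against a key value, typical of a hand-rolled decoding layer
    "xor_decode": (re.compile(r"charCodeAt\s*\([^)]*\)\s*\^"), 2),
}

def scan_script(js: str) -> dict:
    """Count how often each indicator fires in one script body."""
    return {name: len(rx.findall(js)) for name, (rx, _) in INDICATORS.items()}

def triage_score(js: str) -> int:
    """Weighted score; each indicator contributes once no matter how often it fires."""
    hits = scan_script(js)
    return sum(w for name, (_, w) in INDICATORS.items() if hits[name])

def verdict(js: str, threshold: int = 5) -> str:
    """'suspicious' only when several independent anti-analysis traits co-occur."""
    return "suspicious" if triage_score(js) >= threshold else "clean"

# Constructed samples (not real kit code): one script showing the traits the
# article lists, one ordinary login-page script for comparison.
SUSPICIOUS_SAMPLE = (
    "document.addEventListener('contextmenu', function(e){ e.preventDefault(); });\n"
    "document.onkeydown = function(e){ if (e.ctrlKey && e.shiftKey) return false; };\n"
    "setInterval(function(){ debugger; }, 100);\n"
    "var d = atob('" + "QUJD" * 20 + "'), o = '';\n"
    "for (var i = 0; i < d.length; i++) o += String.fromCharCode(d.charCodeAt(i) ^ 0x5a);\n"
)
BENIGN_SAMPLE = (
    "document.getElementById('login').addEventListener('submit',"
    " function(e){ e.preventDefault(); submitForm(); });\n"
    "setInterval(refreshStatus, 30000);\n"
    "var token = atob(sessionToken);\n"
)
```

Scoring on co-occurrence rather than any single pattern keeps ordinary pages that legitimately use `atob` or `preventDefault` below the threshold.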
Once active, the kit can validate stolen login codes instantly through the attackers’ command-and-control (C2) systems, turning the process into a live relay between victim and attacker.
A typical Whisper 2FA attack follows several stages:
- Credential collection through a realistic login form
- Background exfiltration of email and password data
- An MFA prompt that requests a one-time code
- Real-time validation of the code through the attacker’s backend
Each phase is designed to mimic legitimate authentication processes while invisibly transmitting stolen data.
A New Generation of Phishing-as-a-Service
Barracuda researchers describe Whisper 2FA as a sign of how PhaaS operations have matured.
The kit is simple for attackers to deploy yet complex for defenders to detect. By removing the need for reverse proxies and using lightweight AJAX requests, Whisper 2FA becomes harder to detect and easier to deploy.
“The Whisper 2FA phishing campaign demonstrates how phishing kits have evolved from simple credential stealers into sophisticated, full-service attack platforms,” Barracuda said.
“This level of sophistication reflects the rise of Phishing-as-a-Service (PhaaS), where kits are professionally developed, regularly updated and sold or leased to attackers.”
Experts recommend that organizations strengthen defenses through layered security, phishing-resistant MFA and continuous threat monitoring to counter the rise of advanced kits like Whisper 2FA.