{
	"id": "a873ee32-c1f8-49ce-83bc-607853d41441",
	"created_at": "2026-04-06T00:16:11.547684Z",
	"updated_at": "2026-04-10T03:27:46.356208Z",
	"deleted_at": null,
	"sha1_hash": "09f262cdfa666ec3406e628e0c65e194269aaed6",
	"title": "Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2878563,
	"plain_text": "Tycoon 2FA: an in-depth analysis of the latest version of the AiTM\r\nphishing kit\r\nBy Sekoia TDR and Quentin Bourgue\r\nPublished: 2024-03-25 · Archived: 2026-04-05 17:13:49 UTC\r\nTable of contents\r\nIntroduction\r\nContext\r\nUncovering of Tycoon 2FA\r\nBackground of Tycoon 2FA\r\nTechnical analysis\r\nHow the Tycoon 2FA phishing kit works\r\nExfiltration through WebSockets\r\nMain changes in the latest version\r\nTracking opportunities\r\nConclusion\r\nIoCs \u0026 Technical details\r\nIntroduction\r\nTo enhance our threat intelligence, improve detection and identify new threats, Sekoia analysts engage in continuous hunting\r\nto address the main threats affecting our customers. For this, we proactively search for and identify emerging threats, using our\r\ntelemetry data, internal tools and external services.\r\nIn October 2023, our daily threat hunting routine led us to uncover a new Adversary-in-The-Middle (AiTM) phishing kit\r\nallegedly used by multiple threat actors to carry out widespread and effective attacks. Our investigation revealed that this kit\r\nwas associated with the Tycoon 2FA Phishing-as-a-Service (PhaaS) platform, which had been active since at least August\r\n2023.\r\nAt this time, the Sekoia Threat Detection \u0026 Research (TDR) team conducted an in-depth analysis of the Tycoon 2FA PhaaS\r\nkit and shared [1] some of our findings with the cybersecurity community on Twitter. 
Since then, we have been actively\r\nmonitoring the infrastructure of Tycoon 2FA phishing pages, campaigns leveraging the kit, source code updates, and\r\nactivities of the alleged developer.\r\nOur monitoring of the prominent PhaaS kit revealed that Tycoon 2FA has become one of the most widespread AiTM\r\nphishing kits over the last few months, with more than 1,100 domain names detected between late October 2023 and late\r\nFebruary 2024.\r\nIn mid-February 2024, we identified a new emerging version of the Tycoon 2FA that was widely distributed in the wild.\r\nThis new version enhances its obfuscation and anti-detection capabilities and changes network traffic patterns. In response\r\nto these developments, Sekoia analysed the changes and highlighted the new infrastructure.\r\nThis blog post aims to present an in-depth analysis of Tycoon 2FA and the recent developments we spotted in the\r\nphishing kit. Additionally, this report provides tracking opportunities to actively monitor the infrastructure and mitigate\r\nrisks associated with Tycoon 2FA.\r\nhttps://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/\r\nPage 1 of 21\n\nContext\r\nUncovering of Tycoon 2FA\r\nIn October 2023, our threat hunting for evasive phishing campaigns identified the massive use of QR codes redirecting to\r\nseveral AiTM phishing kits. While some of them were already known and monitored by us, such as Caffeine, Dadsec,\r\nEvilProxy and NakedPages, others were unfamiliar to us. 
Analysing unknown phishing pages led us to identify a growing\r\ninfrastructure of hundreds of similar AiTM phishing pages.\r\nThese similarities included:\r\nA small HTML page containing a script that deobfuscates an additional script using base64 and XOR operations, and\r\nexecutes it;\r\nRequests to the same obfuscated JavaScript code, named “myscr[0-9]{6}.js”;\r\nUsage of a custom Cloudflare Turnstile page, the Cloudflare CAPTCHA alternative, to protect the phishing page;\r\nRequests to specific Cascading Style Sheets (CSS) resources, named “pages-godaddy.css” and “pages-okta.css”;\r\nUsage of WebSockets to exfiltrate the user input data.\r\nFigure 1. Email attachments redirecting users to Tycoon 2FA phishing pages, distributed in October 2023\r\nBy pivoting on these similarities using urlscan.io, we listed hundreds of phishing pages of this previously unknown\r\ncluster. In October 2023, we shared the following urlscan.io query to track similar phishing pages using the specific\r\nresource filenames:\r\nfilename:(\"pages-godaddy.css\" AND \"pages-okta.css\")\r\nThe oldest phishing pages returned by this heuristic retrieved their resources from the same domain\r\n“codecrafterspro[.]com”, which appeared to be a central server of this cluster.\r\nLeveraging DNS, registrar and WHOIS records, we pivoted on domain names that we identified as belonging to the same\r\nthreat actor:\r\nDomain name – First seen\r\ntycoongroup[.]ws – 2023-07-29\r\ncodecrafters[.]su – 2023-08-09\r\ncodecrafterspro[.]com – 2023-08-17\r\ndevcraftingsolutions[.]com – 2023-09-07\r\nIn October 2023, “codecrafters[.]su” and “devcraftingsolutions[.]com” also hosted resources for the phishing pages we\r\nanalysed. 
Of note, the same login panel “Powered by TycoonGroup” was found on both domains (see Figure 2), confirming\r\nthat the domain “tycoongroup[.]ws” belongs to this infrastructure. At this time, the domain hosted a website that promoted\r\nTycoon as the “best 2FA bypass phishing platform” (see Figure 2).\r\nThis tangible evidence allowed Sekoia to associate this growing infrastructure of hundreds of phishing pages with the\r\nTycoon 2FA phishing platform.\r\nFigure 2. Login page of Tycoon 2FA administration panel and Tycoon 2FA website (tycoongroup[.]ws), as of October 2023\r\nBackground of Tycoon 2FA\r\nIn addition to a dedicated website, the Tycoon 2FA operator has also advertised its PhaaS on Telegram since October 2023.\r\nThis threat actor goes under the handles Tycoon Group, SaaadFridi and Mr_XaaD and regularly publishes changelogs about\r\nthe latest updates of Tycoon 2FA in the Telegram channel “hxxps://t.me/tycoon_2fa_Link”.\r\nThe threat actor, who is also the alleged developer of the phishing kit, sells ready-to-use Microsoft 365 and Gmail phishing\r\npages, as well as attachment templates, starting at $120 for 10 days, with prices increasing depending on the TLD. In March\r\n2023, the phishing service provided several domain name extensions, including .ru, .su, .fr, .com, .net and .org.\r\nFigure 3. Publications in the Tycoon 2FA Telegram channel named “Saad Tycoon Group”, advertising the Tycoon 2FA\r\nPhaaS\r\nThe publications also include screenshots of the administration panel accessible to the customers. 
This enabled us to identify\r\nlinks between Tycoon 2FA and another known phishing platform.\r\nAs mentioned [2] on Twitter in October 2023, the Tycoon 2FA phishing platform shares several similarities with the Dadsec\r\nOTT phishing kit, which we analysed in depth in the “FLINT 2023-043 – Dadsec OTT: a new prevalent PhaaS using AitM\r\nphishing” report sent to our clients in November 2023.\r\nFirst, the Dadsec OTT and Tycoon 2FA administration panels are almost identical in content and design, as shown in Figure\r\n4. On both platforms, we find the logo of the PhaaS in the top right-hand corner, the same statistical data categories (Bots\r\nBlocked, Total Visits, Valid Login, SSO Login and Invalid Login), similar main tabs (Settings and Clear Logs), and an almost\r\nidentical UI design, with the same table, buttons, font, etc.\r\nSecond, the Dadsec OTT and Tycoon 2FA phishing kits operate in a similar way. To protect against bot traffic, both phishing\r\npages first challenge the user with a Cloudflare Turnstile test. Both of them use custom HTML pages to embed the\r\nCloudflare CAPTCHA alternative (see Figure 5):\r\nDadsec OTT pages contain the text “While we are checking your browser…” above the Cloudflare Turnstile test.\r\nTycoon 2FA pages contained the same text as Dadsec in their previous version. In 2024, the pages include the text “this\r\npage is running browser checks to ensure your security” below the Cloudflare Turnstile test.\r\nOnce the challenge is passed, the two phishing pages display a page mimicking Microsoft authentication. The workflow to\r\nretrieve, deobfuscate and process the fake authentication page differs between the two phishing kits.\r\nFigure 4. 
Comparison of Dadsec OTT and Tycoon 2FA administration panel dashboards (source: Telegram)\r\nFigure 5. Custom page embedding a Cloudflare Turnstile challenge used by the Tycoon 2FA phishing kit\r\nSekoia analysts assess with high confidence that the alleged developer of the Tycoon 2FA PhaaS had access to and\r\npartially reused the source code of the Dadsec OTT phishing kit. It is plausible that the Tycoon 2FA developer forked the\r\ncode of the Dadsec OTT administration panel and developed the core functions of the new AiTM phishing kit, including the\r\nfront-end HTML code of the phishing pages and the back-end code for the authentication process.\r\nThe leak of Dadsec’s source code that we analysed in October 2023 supports this hypothesis, since the Tycoon 2FA\r\ndeveloper could have obtained this leak to initiate its new PhaaS project. Another possibility is that the developer of Tycoon\r\n2FA was a customer of Dadsec OTT and had access to the front-end code. Gathering additional evidence, such as\r\nthe source code of Tycoon 2FA, may help to confirm or refute these hypotheses.\r\nTechnical analysis\r\nThe technical analysis provided in this report is based on the new version of Tycoon 2FA released in mid-February 2024.\r\nAccording to Sekoia’s tracking of Tycoon 2FA phishing pages, the earliest page corresponding to this new version was\r\nobserved in the wild on 12 February 2024. An example of this version can be found at\r\n“hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/”, which was scanned using urlscan[.]io at https://urlscan.io/result/1876f332-e54f-4d24-9a42-d703e80cc9ec/.\r\nOur analysis is mainly based on the “victim-facing” interactions. 
We do not have access to the source code of the Tycoon\r\n2FA phishing kit, meaning we cannot study the back-end of the adversary infrastructure.\r\nThe phishing kit relies on the AiTM technique and involves an attacker server (also known as a reverse proxy server) hosting\r\nthe phishing web page, intercepting victims’ inputs and relaying them to the legitimate service, and prompting the MFA\r\nrequest. Once the user completes the MFA challenge and the authentication is successful, the server in the middle captures\r\nthe session cookies. Stolen cookies allow attackers to replay a session and therefore bypass the MFA, even if credentials have\r\nbeen changed in between.\r\nThe following is a comprehensive overview of the main operations specific to the Tycoon 2FA phishing kit:\r\nFigure 6. Overview of the main operations specific to the Tycoon 2FA phishing kit, as of March 2024\r\nStage 0 – Spreading phishing pages\r\nThe customers of the Tycoon 2FA PhaaS mainly distribute their phishing pages using redirections from URLs and QR codes,\r\nwhich are embedded in email attachments or email bodies. The Tycoon 2FA service provides its clients with templates of\r\nphishing attachments (HTML pages), aiming at offering ready-to-use decoy documents and making it easier for\r\ncybercriminals to carry out their campaigns.\r\nFor example, some PDFs use human resources, financial, or security-themed lures to convince the target into following the\r\nnext steps, up to sharing their credentials and resolving the MFA challenge. Sekoia observed decoys impersonating\r\nDocuSign, Microsoft and Adobe, among others (see Figure 1).\r\nMost of the phishing campaigns carried out by the Tycoon 2FA customers seem to target organisations worldwide, by\r\nsending large volumes of phishing emails. 
Some of the customers focus on identifying and targeting employees in the\r\nfinancial, accounting, or executive departments to take advantage of their access through fraud or use of privileged\r\ninformation.\r\nStage 1 – Cloudflare Turnstile challenge\r\nWhen a user clicks on the phishing URL, they are redirected to a page embedding a Cloudflare Turnstile challenge (see Annex 1)\r\nto prevent unwanted traffic.\r\nBelow are some examples of URLs:\r\n“hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/” if no email address is specified in the URL;\r\n“hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/X\u003cred@act.ed\u003e”;\r\n“hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/X\u003cbase64(red@act.ed)\u003e”.\r\nThe HTML code of this page contains:\r\nA style attribute with CSS code that implements an infinite load;\r\nA script attribute that requests an alleged central Command \u0026 Control (C2) server and receives either a “0” or a “1”:\r\nIf the request returns “0”, the script deobfuscates and writes a second HTML code, which is the page\r\nembedding the Cloudflare Turnstile challenge;\r\nIf the request returns “1”, the script proceeds to the next step, which is the fake Microsoft phishing page\r\nprompting for the email address;\r\nA base64 and XOR obfuscated HTML code that imports the Cloudflare Turnstile challenge and displays the custom text\r\n“this page is running browser checks to ensure your security”. It contains a script that performs the following actions:\r\nRuns the Cloudflare Turnstile challenge;\r\nExfiltrates information to the phishing domain likely dedicated to the Tycoon 2FA customer. The POST\r\nrequest sends the following data: “pagelink”, “bltdip” (the user’s IP address), “bltdref” (the URL of the\r\nphishing page), “bltdua” (the User-Agent) and “bltddata”. 
The C2 server responds either with “success” or\r\n“error”;\r\nReloads the page when it receives a “success” from the C2 server;\r\nRedirects to another page when it receives an “error”.\r\nInterestingly, the custom text displayed below the challenge is specific to the Tycoon 2FA phishing kit and enables us to\r\nrecognise the phishing pages of this PhaaS quickly.\r\nThe next steps correspond to the common scenario in which the user completes the validation of the Cloudflare Turnstile\r\nchallenge and receives a “success” from the C2 server.\r\nThis stage is not visible to the user, as it executes JavaScript code in the background and then redirects the user to another\r\npage depending on the presence of an email address.\r\nFor this stage, the URL is identical to the previous one, as the page is reloaded. Therefore, it could be:\r\n“hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/”;\r\n“hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/X\u003cred@act.ed\u003e”;\r\n“hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/X\u003cbase64(red@act.ed)\u003e”.\r\nThe HTML code of this page contains JavaScript code that extracts the email address from the URL (if it contains one),\r\nusing regular expressions. It covers both base64-encoded and cleartext email addresses. 
It then redirects to the same\r\nURL, but with different characters after the separator “?”, depending on the presence and the format of the email address.\r\nExamples of the next-stage URL are:\r\n“hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/?r” if no email address is extracted;\r\n“hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/?r\u003cred@act.ed\u003e” if an email address is extracted;\r\n“hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/?rr\u003cred@act.ed\u003e” if a base64-encoded email address is extracted.\r\nOf note, the characters between the separator “?” and the email address are allegedly randomly generated by the C2\r\nserver.\r\nStage 3 – Redirection page\r\nOnce again, this stage is not visible to the user, as it redirects to another web page of the phishing domain.\r\nThe HTML code only contains the text “Redirecting to” and the next-stage URL, both in the HTML title and body.\r\nAn example of the next-stage URL is:\r\n“hxxps://i9152.cisele0[.]com/lbuakdidnqmytlcBiVbomCGYTSPFFZAABOLJGWUCZHXZKPGZOQRAVFAAF?317727838333203306556902opEXJOOmXGJPZNFTJIXPAAFUILTKKRQQEFFSNIABRZNUPXEUOAKDATDS”\r\nStage 4 – Fake Microsoft authentication login page and sockets\r\nThe HTML code is a script attribute that embeds a deobfuscation function and obfuscated HTML code, which is the fake\r\nMicrosoft authentication page, and its grabbing features. 
\r\nThe deobfuscation function takes the obfuscated payload and an XOR key as arguments, decodes the base64-encoded\r\npayload, and XORs it with the key.\r\nThe decoded HTML embeds the source code of the fake Microsoft authentication page, which downloads resources\r\nincluding:\r\nJavaScript files:\r\n“hxxps://www.google[.]com/recaptcha/api.js”\r\n“hxxps://cdn.socket[.]io/4.6.0/socket.io.min.js”\r\n“hxxps://code.jquery[.]com/jquery-3.6.0.min.js”\r\nImages for the background and the icons of the phishing page;\r\nThe redirection URL, if the authentication process succeeds.\r\nIt also contains over 260 lines of JavaScript code aiming to:\r\nFingerprint the user’s web browser using the User-Agent;\r\nInitiate a WebSocket with the C2 server (same domain as the phishing page), using the downloaded library\r\n“socket.io.min.js”;\r\nImplement socket communications;\r\nCapture and exfiltrate the user inputs;\r\nRetrieve the final redirection URL.\r\nAt the end of the JavaScript code, it downloads and executes an additional, highly obfuscated JavaScript file, which implements\r\nthe two-factor authentication (2FA) challenge.\r\nAn example of the JavaScript code URL is:\r\n“hxxps://i9152.cisele0[.]com/34S7EHRE0DB8QrFfvijoRMsX632e0GRF8rZ89110”\r\nStage 5 – 2FA relaying\r\nThe JavaScript code interacts with the HTML of the previous stage to build and display the Microsoft 2FA page.\r\nThe code is obfuscated using extensive variable renaming with hexadecimal patterns (e.g. “_0x40e211”, “_0x2db5”,\r\n“_0x5e1add”), string manipulation (e.g. split, extraction, concatenation), function overlays, and other code transformations.\r\nTDR analysts assess that the Tycoon 2FA developer likely used the open-source tool javascript-obfuscator available [3] on\r\nGitHub to obfuscate this stage.\r\nIf the first step of the authentication using the email address and password succeeds, the JavaScript code is then responsible\r\nfor handling user interactions and form validation of the phishing page. 
It also updates the HTML page with the fake\r\nMicrosoft page implementing the 2FA method. For this, it implements numerous conditional statements depending on the\r\nuser inputs and responses of the Microsoft server. Some elements to be displayed on the phishing page are also received over\r\nthe WebSocket, including the final redirection page, or the error message if the Microsoft API denies the 2FA challenge.\r\nBased on the JavaScript code received by the user web browser, Tycoon 2FA implements the following 2FA methods:\r\nMicrosoft Authenticator (push notifications)\r\nOne-time password (OTP) code, delivered by:\r\nApplications\r\nSMS\r\nPhone call verification\r\nUsing commercial proxy servers, the Tycoon 2FA phishing pages relay the user inputs, including the email address, the\r\npassword, and the 2FA code, to the legitimate Microsoft authentication API. The responses from the Microsoft API are used to\r\nreturn the appropriate pages and information to the user.\r\nDue to its position in the middle of the authentication process, the C2 server captures all relevant data and notably the\r\nsession cookies, allowing the cybercriminals to replay a session and therefore bypass the MFA.\r\nThis 2FA relaying capability is the core feature of an AiTM phishing kit, aiming at intercepting login details during a\r\nlegitimate session-based authentication between the victim and the legitimate service. 
From the perspective of the victim’s\r\nweb browser, the Tycoon 2FA relaying capability consists of JavaScript code implementing all the variations of a\r\nsuccessful or failed Microsoft 365 authentication.\r\nStage 6 – Final redirection\r\nThe final stage of the Tycoon 2FA phishing kit involves redirecting the user to a URL specified by the cybercriminal.\r\nThe JavaScript code of stage 4 embeds an endpoint URL in the variable “urlo” aimed at returning the final redirection\r\nURL. When the authentication is successful, the phishing page sends a POST request to this endpoint with a session\r\nidentifier (argument “pagelink”) set during the WebSocket communications and other information. Then, the C2 server\r\nresponds with the redirection URL.\r\nMost customers of the Tycoon 2FA PhaaS use the default redirection URL, which is\r\n“hxxps://login.microsoftonline[.]com/common/SAS/ProcessAuth”. Subsequently, we observed a threat actor who used a non-existent WeTransfer URL “hxxps://wetransfer[.]com/invoicedocument” (see Annex 2). This use is possibly related to a\r\nphishing email pretending that the user must authenticate on Microsoft 365 to access a document. Once authenticated\r\nthrough the Tycoon 2FA phishing page, the user is redirected to this legitimate “not found” webpage, which could lead them\r\nnot to suspect that the previous page was malicious. The same goes for the default redirection URL, which redirects the user\r\nto an error page of the legitimate Microsoft website.\r\nFigure 7. Final redirection to a non-existent WeTransfer webpage, after a successful authentication on the Tycoon 2FA\r\nphishing page\r\nFinally, the phishing page once again exfiltrates some victim details to the C2 server using an HTTP POST request. 
The sent\r\ndata include the session identifier (argument “pagelink”), the IP address obtained from the “httpbin[.]org” API, the User-Agent and other information.\r\nRegarding the redundancy of this communication, Sekoia analysts believe that the developer did not invest significant\r\neffort in optimising the code of the phishing kit, revealing that this phishing kit is not as sophisticated as some other\r\nPhaaS competitors such as Caffeine.\r\nExfiltration through WebSockets\r\nFrom the rendering of the fake Microsoft page to the closure of the phishing page by the user, the C2 server collects\r\nharvested data and status of the operations using WebSockets. It also communicates to the user web browser some\r\nelements to build the following phishing pages.\r\nAn example of URL initiating the WebSockets communications is:\r\n“hxxps://i9152.cisele0[.]com/web6socket/socket.io/?type=User\u0026appnum=1\u0026EIO=4\u0026transport=websocket”\r\nThe following is the main steps of the Tycoon 2FA WebSocket communications for a successful authentication using the\r\nMicrosoft Authenticator as 2FA (the client being the user web browser):\r\nhttps://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/\r\nPage 13 of 21\n\n← Initiation\r\nof the\r\nWebSocket\r\n(server to\r\nclient)\r\n{“sid”:”4KP6W7ZLo_GpdtK9AF6E”,”upgrades”:\r\n[],”pingInterval”:1000,”pingTimeout”:60000,”maxPayload”:1000000}\r\n→\r\nExfiltration of\r\nthe user\r\ndetails\r\n(client to\r\nserver)\r\n[“send_to_browser”,{“route”:”enteremail”,”arguments”:[“\u003cEMAIL ADDRESS”,”\u003cSESSION\r\nID\u003e”,”chrome”,”\u003cIP ADDRESS\u003e”],”getresponse”:1}] \r\n→ Update of\r\nthe status\r\n(client to\r\nserver)\r\n[“browser_connected”,”4572″]\r\n← Response\r\nof the server\r\n(server to\r\nclient)\r\n[“response_from_browser”,{“message”:”correct email”,”bottomsection”:[{“a_text”:”Forgot 
my\r\npassword”,”a_id”:”idA_PWD_ForgotPassword”,”type”:”link”}],”backbutton”:1}]\r\n→\r\nExfiltration of\r\nthe user\r\npassword\r\n(client to\r\nserver)\r\n[“send_to_browser”,{“route”:”enterpassword”,”arguments”:[“\u003cPASSWORD\u003e”],”getresponse”:1}]\r\n← Response\r\nof the server\r\n(server to\r\nclient)\r\n[“response_from_browser”,{“message”:”approve auth request auth app”,”bottomsection”:\r\n[{“a_text”:”I can’t use my Microsoft Authenticator app right\r\nnow”,”a_id”:”signInAnotherWay”,”type”:”link”},{“a_text”:”More\r\ninformation”,”a_id”:”moreInfoUrl”,”type”:”link”}],”backbutton”:0,”authappcode”:”39″,”description”:\r\n{“type”:”text”,”text”:”Open your Authenticator app, and enter the number shown to sign in.\r\n”},”image_src”:”\u003cICON_LINK\u003e”}]\r\n→\r\nAcknowledge\r\nof the client\r\n(client to\r\nserver)\r\n[“send_to_browser”,{“route”:”responserecieved”,”arguments”:[],”getresponse”:0}]\r\nhttps://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/\r\nPage 14 of 21\n\n→ Waiting for\r\n2FA\r\nvalidation\r\n(Microsoft\r\nAuthenticator)\r\n(client to\r\nserver)\r\n[“send_to_browser”,{“route”:”waitauth”,”arguments”:[“app”],”getresponse”:1}]\r\nThe WebSocket communications exfiltrating harvested credentials remain unchanged in the latest version of the Tycoon 2FA\r\nphishing kit.\r\nMain changes in the latest version\r\nThe latest version of Tycoon 2FA introduced changes to the JavaScript and HTML codes responsible for its main phishing\r\ncapabilities. Additionally, the phishing page retrieves its various resources in a different order and filters unwanted traffic\r\nmore widely to reject those from bots or analysis.\r\nTo identify the main changes introduced by the latest version, here is an overview of how the previous version worked and a\r\ncomparison with our analysis of the new version:\r\n1. 
The first HTML page contains JavaScript code that fingerprints the web browser, deobfuscates the next-stage URL,\r\nand redirects to the next stage.\r\n→ This stage is similar to stage 1 of the new version, but does not embed the Cloudflare Turnstile challenge.\r\n2. The next-stage payload is an obfuscated JavaScript code, named with the characteristic pattern “/myscr[0-9]{6}.js”,\r\nwhich corresponds to the fake Microsoft authentication page and also embeds the Cloudflare Turnstile challenge. The\r\nHTML code of the fake Microsoft login page is encoded as Unicode code points in a large array of integers. Mathematical\r\noperations whose results do not influence the deobfuscation are also performed.\r\n→ This stage includes a part of stage 4 (the fake login page) and stage 1 of the new version (Cloudflare Turnstile\r\nchallenge). The deobfuscation method embedding unnecessary mathematical operations disappeared in the latest version.\r\n3. The old version downloads the three following JavaScript codes:\r\n“/web6/assets/js/pages-head-top-web.min.js”, which downloads the WebSocket JavaScript library and the second\r\nJavaScript code;\r\n“/web6/assets/js/pages-head-web.min.js”, which implements the 2FA relaying using the WebSocket and downloads the\r\nthird JavaScript code;\r\n“/web6/assets/js/pages.min.js”, which builds the 2FA challenge webpages.\r\n→ This stage is now part of stages 4 and 5.\r\n4. It sends data to “/web6/info” using several POST requests and retrieves the HTML code to build the 2FA challenge\r\nwebpages.\r\n→ This stage is now part of stages 4 and 5.\r\nBy comparing the two versions of the Tycoon 2FA phishing kit, we identified similar deobfuscation functions and core\r\nfunctionalities. 
However, notable changes were made to the structure of the different stages.\r\nNotably, stealth was improved by serving the malicious resources only once the user has resolved the\r\nCloudflare Turnstile challenge, and URLs now use pseudorandom names.\r\nMoreover, it appears that the phishing kit developer extended the kit’s capabilities to identify and evade more traffic\r\npatterns associated with analysis or scan environments. This includes IP addresses hosted in datacenters or associated\r\nwith the Tor network, as well as specific User-Agent strings of bots and some versions of Linux web browsers.\r\nThese changes suggest a deliberate effort to improve the phishing kit’s stealth and evasion techniques, to strengthen its\r\nresilience against detection and analysis.\r\nTracking opportunities\r\nSekoia analysts actively monitor the Tycoon 2FA phishing infrastructure by tracking phishing URLs.\r\nIn response to the changes made to the phishing kit in mid-February 2024, we updated our tracking heuristics to illuminate\r\nthe infrastructure hosting the new version of Tycoon 2FA.\r\nPrevious resource-based heuristics\r\nAs mentioned above, the older versions of Tycoon 2FA used JavaScript files with characteristic patterns or hardcoded\r\nnames.\r\nSome of our basic heuristics based on URL patterns stem from the Tycoon 2FA requests. Sekoia analysts used queries\r\nsimilar to the following ones on urlscan[.]io:\r\nHeuristic valid since August 2023:\r\nfilename:(\"pages-godaddy.css\" AND \"pages-okta.css\")\r\nThis query relied on the specific names of two CSS files used by the phishing kit to replicate login pages. 
By March 2024,\r\nthis heuristic yielded over 3,000 results on urlscan, all associated with high confidence with Tycoon 2FA phishing pages.\r\nHeuristic valid since August 2023:\r\nfilename.keyword:/.*\\/myscr[0-9]{6}\\.js/ filename:\"turnstile/v0/api.js\"\r\nThis query is based on the specific generated name of the JavaScript code embedding the fake Microsoft login page and the\r\nCloudflare Turnstile challenge. By March 2024, this heuristic yielded over 4,000 results on urlscan, all strongly associated\r\nwith Tycoon 2FA phishing pages.\r\nHeuristic valid since November 2023:\r\nfilename:(\"/web6/assets/js/pages-head-top-web.min.js\" OR \"/web6/assets/js/pages-head-web.min.js\")\r\nThis query is based on the specific names of the JavaScript code implementing core capabilities of the Tycoon 2FA phishing kit,\r\nsuch as exfiltration using WebSockets and dynamically building the 2FA relaying pages. By March 2024, this heuristic\r\nyielded around 3,000 results on urlscan, associated with high confidence with Tycoon 2FA phishing pages.\r\nHowever, recent changes in Tycoon 2FA led to the renaming and modification of these specific resources. Also, they are not\r\nloaded until the Cloudflare Turnstile challenge is resolved. Therefore, the phishing pages of the latest version no longer load\r\nthese specific resources when analysed by URL scanning services.\r\nResource-based heuristics for the latest version\r\nWhen scanning a Tycoon 2FA phishing page using the latest version, only the requests of stages 0 and 1 are sent, as the Turnstile\r\nchallenge must then be solved first. 
If no redirection steps precede the URL of the phishing page, the scan results in 5\r\nrequests, e.g.:\r\nRequests for stages 0 and 1 – Details – Size\r\nGET hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/ – Tycoon 2FA phishing page – 7 KB\r\nGET hxxps://7374.ginvet9[.]com/ – Central server to approve the Turnstile challenge – 1 B\r\nGET hxxps://code.jquery[.]com/jquery-3.6.0.min.js – jQuery library – 87 KB\r\nGET hxxps://challenges.cloudflare[.]com/turnstile/v0/api.js?render=explicit – Cloudflare Turnstile challenge – 38 KB\r\nGET hxxps://challenges.cloudflare[.]com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/8jtx6/0x4AAAAAAAS4S8P1a9d4qbbW/auto/ – Cloudflare Turnstile challenge – 0 B\r\nTo find a heuristic to list Tycoon 2FA phishing pages using the latest version, we can use the following elements on\r\nurlscan[.]io:\r\nThe hash of the response from the central C2 server, mostly returning “0” to approve the challenge display (SHA256:\r\n5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9);\r\nThe resources requested by the phishing page before the Turnstile challenge;\r\nThe limited number of requests sent (5 if there are no redirection steps) and the total amount of data received, which does not exceed 150\r\nKB.\r\nSekoia analysts use similar queries on urlscan:\r\nHeuristic valid since mid-February 2024:\r\nfilename:(\"code.jquery.com/jquery-3.6.0.min.js\" AND \"challenges.cloudflare.com/turnstile/v0/api.js\")\r\nhash:5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9\r\nThis query uses the hash of the response of the central C2 server. 
In March 2024, this heuristic yielded over 500 results on\r\nurlscan, associated with high confidence with Tycoon 2FA phishing pages.\r\nHeuristic valid since August 2023:\r\nfilename:(\"code.jquery.com/jquery-3.6.0.min.js\" AND \"challenges.cloudflare.com/turnstile/v0/api.js\") stats.requests:\u003c7\r\nstats.dataLength:\u003c150000\r\nThis query uses the number of requests and the data size of all resources. In March 2024, this heuristic yielded over 700\r\nresults on urlscan that we associated with medium confidence with Tycoon 2FA phishing pages.\r\nTracking Tycoon 2FA is more complex since the developer enhanced the stealth capabilities of the phishing kit. Even\r\nthough we can no longer use characteristic filenames to track the phishing pages, Sekoia found heuristics by\r\ncorrelating the legitimate resource names with the response of the central C2 server, or with the request count and\r\nthe total data size of the resources.\r\nHTML page embedding the Cloudflare Turnstile challenge\r\nAs already mentioned, the HTML page importing the Cloudflare Turnstile challenge displays the text “this page is running\r\nbrowser checks to ensure your security”.\r\nGiven that the urlscan Pro service allows searching the visible text content, we can use the following query to list the\r\nTycoon 2FA phishing pages:\r\ntext.content:\"this page is running browser checks to ensure your security\"\r\nCryptocurrency asset\r\nOn 28 November 2023, a screenshot was published in the “Saad Tycoon Group” Telegram channel, illustrating a private\r\ndiscussion with a Tycoon 2FA customer sharing feedback about the service. The discussion mentioned a Bitcoin address\r\n(19NReVFKJsYYCCFLq1uNKYrUqQE2bB4Jwx), which we assess with high confidence to belong to “Saad Tycoon Group”,\r\nthe operator and alleged developer of the PhaaS.\r\nFigure 8. 
Publication in the Tycoon 2FA Telegram channel mentioning a Bitcoin address, allegedly belonging to “Saad\r\nTycoon Group”\r\nInvestigation of the cryptocurrency wallet led us to make the following observations, as of mid-March 2024:\r\nSince October 2019, the Bitcoin wallet has recorded more than 1,800 transactions including 1,117 inputs and 1,088\r\noutputs;\r\nAccording to BlockExplorer4, the total amount of Bitcoin as of 12 March 2024:\r\nSent is 5.46848394 BTC (around $391,644 at the time of writing)\r\nReceived is 5.50159883 BTC (around $394,015 at the time of writing)\r\nSince August 2023, the potential beginning of Tycoon 2FA’s activities:\r\nThe wallet has recorded around 700 incoming transactions with an average value of $366;\r\nApproximately 90% of their values were between $25 and $720;\r\nThe total value of transactions exceeded $250,000;\r\nMore than 530 transactions were over $120, which is the entry price of the PhaaS for a 10-day .ru link.\r\nOver the last few months, the wallet dynamics (incoming transactions and associated amounts) align with the observed\r\nTycoon 2FA PhaaS activities. Indeed, the prices publicly announced by the service range between $120 and $320.\r\nAdditionally, the operator of the PhaaS mentioned that customers have to pay an extra charge for any domain change,\r\nwhich could explain transactions of a few dozen dollars.\r\nAssuming that the wallet has mainly been used for the Tycoon 2FA PhaaS operations since August 2023, the total amount of\r\ntransactions suggests that several hundred Tycoon 2FA kits were sold as-a-service over half a year. 
These alleged sales\r\nfigures are consistent with the thousands of phishing pages that were collected in the wild since August 2023 and associated\r\nwith high confidence with Tycoon 2FA.\r\nThe total amount of transactions on the Saad Tycoon Group’s Bitcoin wallet indicates that the fraudulent service generates\r\na significant amount of money. The financial cost of the phishing infrastructure is substantial for this service,\r\nencompassing domain registration, server hosting, possibly phishing page protection using Cloudflare (hosting and\r\nCloudflare Turnstile) and commercial proxy services. Conversely, the development and maintenance of the kit likely rely on\r\none individual, given the relatively low sophistication and limited improvements over time.\r\nConclusion\r\nFirst seen in the wild in August 2023, Tycoon 2FA is an Adversary-in-The-Middle phishing kit, distributed under the\r\nPhishing-as-a-Service model. It mainly aims to harvest Microsoft 365 session cookies to bypass the MFA process during\r\nsubsequent authentication. Tycoon 2FA became widespread in the months following its release and is currently massively\r\nused in numerous phishing campaigns.\r\nOur analysis of the main operations of Tycoon 2FA revealed that the developer enhanced stealth capabilities in the most\r\nrecent version of the phishing kit. The recent updates could reduce the detection rate by security products of the Tycoon\r\n2FA phishing pages and the infrastructure. Additionally, its ease of use and its relatively low price make it quite popular\r\namong threat actors.\r\nSekoia actively monitors the Tycoon 2FA phishing infrastructure and has identified over 1,200 domain names since\r\nAugust 2023. 
Using the tracking heuristics shared above, we will continue to actively monitor the infrastructure.\r\nThrough studying the Bitcoin transactions allegedly attributed to Saad Tycoon Group, Sekoia analysts believe that the\r\nTycoon Group operations are highly lucrative, and we expect the Tycoon 2FA PhaaS to remain a prominent threat within\r\nthe AiTM phishing market in 2024.\r\nTo provide our customers with actionable intelligence, TDR analysts will continue to monitor the prevalent PhaaS and\r\nproactively search for the associated infrastructures.\r\nIoCs \u0026 Technical details\r\nTycoon 2FA IoCs\r\nThe list of IoCs is available on the Sekoia.io GitHub repository.\r\nCryptocurrency wallet address\r\n19NReVFKJsYYCCFLq1uNKYrUqQE2bB4Jwx used by Saad Tycoon Group\r\nExternal references\r\n1. https://twitter.com/sekoia_io/status/1717891843105366409\r\n2. https://twitter.com/sekoia_io/status/1717891849153610153\r\n3. https://github.com/javascript-obfuscator/javascript-obfuscator/\r\n4. https://blockexplorer.one/bitcoin/mainnet/address/19NReVFKJsYYCCFLq1uNKYrUqQE2bB4Jwx\r\nSource: https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/"
	],
	"report_names": [
		"tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit"
	],
	"threat_actors": [
		{
			"id": "f0fa6ad6-1d0f-4487-bcc7-abddf5340b90",
			"created_at": "2024-03-28T02:00:05.783759Z",
			"updated_at": "2026-04-10T02:00:03.610317Z",
			"deleted_at": null,
			"main_name": "Saad Tycoon",
			"aliases": [],
			"source_name": "MISPGALAXY:Saad Tycoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434571,
	"ts_updated_at": 1775791666,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09f262cdfa666ec3406e628e0c65e194269aaed6.pdf",
		"text": "https://archive.orkl.eu/09f262cdfa666ec3406e628e0c65e194269aaed6.txt",
		"img": "https://archive.orkl.eu/09f262cdfa666ec3406e628e0c65e194269aaed6.jpg"
	}
}