{
	"id": "98c7a62d-bec0-4d76-a9c2-2b46b907bd8b",
	"created_at": "2026-04-29T02:21:21.563657Z",
	"updated_at": "2026-04-29T08:22:58.914492Z",
	"deleted_at": null,
	"sha1_hash": "cf28df18d959c0ac9e0c889fb629c3b226b8f715",
	"title": "Tycoon2FA New Evasion Technique for 2025",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1792652,
	"plain_text": "Tycoon2FA New Evasion Technique for 2025\r\nBy Rodel Mendrez\r\nPublished: 2025-04-10 · Archived: 2026-04-29 02:13:57 UTC\r\nThe Tycoon 2FA phishing kit has adopted several new evasion techniques aimed at slipping past endpoints and\r\ndetection systems. These include using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode\r\ncharacters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection.\r\nThis blog takes a closer look at these methods to better understand how this kit is evolving and what defenders\r\nshould be aware of.\r\n1. Obfuscation Using Invisible Unicode Characters and Proxies\r\nLately, the Tycoon 2FA landing pages have incorporated a clever obfuscation technique using invisible Unicode\r\ncharacters. This technique, when paired with JavaScript Proxy objects, is designed to complicate static analysis\r\nand defer script execution until runtime.\r\nThis behavior is demonstrated in a real-world Tycoon 2FA phishing landing page, as shown in this Urlscan.io\r\nsession: https://urlscan.io/result/0195c73f-bfd0-7000-8386-94b11ace6088/dom/\r\nFigure 1. Tycoon 2FA using invisible Unicode characters to encode JavaScript code.\r\nThe obfuscation is actually quite simple but clever.\r\nhttps://www.levelblue.com/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025\r\nPage 1 of 8\r\nTycoon is using specific invisible Unicode characters to encode binary data:\r\nHalfwidth Hangul Filler to represent binary 0\r\nUTF-16: 0xFFA0\r\nUTF-8: EF BE A0\r\nHangul Filler to represent binary 1\r\nUTF-16: 0x3164\r\nUTF-8: E3 85 A4\r\nThe screenshot below shows how these invisible Unicode characters are converted into their escaped Unicode\r\nrepresentations using CyberChef:\r\nFigure 2. Escaping the invisible Unicode characters in this sample reveals a series of UTF-16 values ‘\\uFFA0’ for\r\nbinary 0 and ‘\\u3164’ for binary 1.\r\nFigure 3. Diagram of the decoding process.\r\nIn figure 3, the encoded characters are joined into a binary string, which is then split into 8-bit segments (bytes).\r\nEach byte is then converted into its corresponding character. When an attacker wants to execute a script, they\r\nencode it using these invisible Unicode characters to represent binary.\r\nHere's the decoding mechanism:\r\nFigure 4. Snippet of the decoding mechanism.\r\nAs you can see in figure 4, the property name on the obfEvaluator proxy becomes the carrier of the payload. Once\r\naccessed, it triggers the decoder and dynamically evaluates the reconstructed JavaScript code.\r\nThis method:\r\nMakes the payload invisible to the human eye.\r\nEvades static analysis and simple pattern-matching.\r\nDelays execution until runtime, often only when specific conditions are met.\r\nCombined with other evasion layers, this approach adds a frustrating layer of indirection for analysts and\r\ndefenders.\r\n2. From Cloudflare Turnstile to Custom CAPTCHA\r\nPreviously, many phishing kits — including Tycoon 2FA — leaned on third-party CAPTCHA services like\r\nCloudflare Turnstile. These services offered basic anti-bot protection, but they also introduced a weak point for\r\ndefenders. Security teams could more easily fingerprint and block phishing pages using recognizable third-party\r\nelements.\r\nFigure 5. Tycoon2FA new custom CAPTCHA solution.\r\nTycoon has now pivoted to a custom CAPTCHA solution, likely in an attempt to reduce its detectability and\r\nincrease friction for automated analysis tools. The CAPTCHA is rendered using an HTML5 canvas element with\r\nrandomized characters, background noise, and slight distortions. Here's a simplified breakdown of how it works:\r\nFigure 6. Simplified version of the CAPTCHA mechanism.\r\nIf CAPTCHA verification fails, a new one is generated. If successful, it sends form data and fetches instructions\r\nfrom an attacker-controlled server. If the server responds with an error or a non-expected value, it injects a\r\nwebpage using base64-decoded HTML, loading a decoy page.\r\nFigure 7. Screengrab of the decoy page.\r\nThis technique is more than cosmetic; it helps Tycoon blend into legitimate login workflows while allowing the\r\nattacker to dynamically serve decoys or reroute victims.\r\n3. Anti-Debugging JavaScript\r\nTycoon 2FA also includes anti-debugging scripts to hinder researchers and slow down detection:\r\nFigure 8. Anti-debugging routine of the Tycoon 2FA phishing landing page.\r\nThis script:\r\nDetects browser automation (navigator.webdriver, PhantomJS, Burp Suite)\r\nBlocks dev tools shortcuts (F12, Ctrl+Shift+I, Ctrl+U, etc.)\r\nPrevents right-click (disabling \"Inspect Element\")\r\nUses debugger with a timing check to detect if execution is paused by a debugger\r\nRedirects to another site (rakuten.com) if analysis is suspected\r\nThese layers of obfuscation and evasion make dynamic analysis harder and extend the lifespan of phishing\r\ncampaigns.\r\nWhat This Means for Defenders\r\nThe recent updates to the Tycoon 2FA kit show a clear move toward stealth and evasion. While none of these\r\ntechniques are groundbreaking individually, their combined use can complicate detection and response.\r\nHTML5-based visuals like the custom CAPTCHA can mislead users and add legitimacy to phishing\r\nattempts.\r\nUnicode and Proxy-based obfuscation can delay detection and make static analysis more difficult.\r\nAnti-debugging behaviors may hide malicious activity from researchers and automated tools.\r\nSecurity teams should consider behavior-based monitoring, browser sandboxing, and a deeper inspection of\r\nJavaScript patterns to stay ahead of these tactics.\r\nYARA Detection Rule\r\nFigure 9. YARA detection rule.\r\nCyberChef Recipe to Decode the Tycoon2FA JavaScript\r\nFigure 10. CyberChef Recipe to Decode the Tycoon2FA JavaScript.\r\nFigure 11. To use the recipe, click on \"Load Recipe\" and copy/paste the Recipe to the Recipe Form.\r\nFigure 12. Paste the Tycoon2FA phishing landing page HTML source code to the CyberChef input form.\r\nSource: https://www.levelblue.com/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.levelblue.com/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025"
	],
	"report_names": [
		"tycoon2fa-new-evasion-technique-for-2025"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-29T06:58:56.521699Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-29T06:58:57.498394Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777429281,
	"ts_updated_at": 1777450978,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf28df18d959c0ac9e0c889fb629c3b226b8f715.pdf",
		"text": "https://archive.orkl.eu/cf28df18d959c0ac9e0c889fb629c3b226b8f715.txt",
		"img": "https://archive.orkl.eu/cf28df18d959c0ac9e0c889fb629c3b226b8f715.jpg"
	}
}