Pulse: Tycoon 2FA: an in-depth analysis of the latest version of the phishing kit
TLP: WHITE | Adversary: Tycoon Group | Author: AlienVault | Created: 2024-03-26 | Modified: 2024-03-26
This report provides an in-depth analysis of Tycoon 2FA, an Adversary-in-the-Middle (AiTM) phishing kit distributed as a Phishing-as-a-Service platform. It has been widespread since August 2023 and is currently used at scale in phishing campaigns that mainly target Microsoft 365 accounts. Our analysis revealed recent changes that enhance its stealth capabilities. We identified tracking opportunities to monitor this threat and will continue investigating the Tycoon 2FA infrastructure.
Indicators of Compromise (66)
TYPE INDICATOR CREATED
BitcoinAddress 19NReVFKJsYYCCFLq1uNKYrUqQE2bB4Jwx 2024-03-26
URL http://i9152.cisele0.com/34S7EHRE0DB8QrFfvijoRMsX632e0GRF8rZ89110 2024-03-26
URL http://i9152.cisele0.com/lbuakdidnqmytlcBiVbomCGYTSPFFZAABOLJGWUCZHXZKPGZOQRAVFAAF?317727838333203306556902opEXJOOmXGJPZNFTJIXPAAFUILTKKRQQEFFSNIABRZNUPXEUOAKDATDS 2024-03-26
URL http://i9152.cisele0.com/web6socket/socket.io/?type=User&appnum=1&EIO=4&transport=websocket 2024-03-26
URL https://7374.ginvet9.com/ 2024-03-26
URL https://blockexplorer.one/bitcoin/mainnet/address/19NReVFKJsYYCCFLq1uNKYrUqQE2bB4Jwx 2024-03-26
URL https://i9152.cisele0.com/NOZcbtTxxEiGj/ 2024-03-26
URL https://i9152.cisele0.com/NOZcbtTxxEiGj/?r 2024-03-26
URL https://i9152.cisele0.com/NOZcbtTxxEiGj/?rr 2024-03-26
URL https://i9152.cisele0.com/NOZcbtTxxEiGj/X 2024-03-26
domain bloggcenter.com 2024-03-26
domain codecrafters.su 2024-03-26
domain codecrafterspro.com 2024-03-26
domain devcraftingsolutions.com 2024-03-26
domain tlger-surveillance.com 2024-03-26
domain tycoongroup.ws 2024-03-26
hostname 0q5e0.nemen9.com 2024-03-26
hostname 25rw2.canweal.com 2024-03-26
hostname 35fu2.ouchar.ru 2024-03-26
hostname 4343w.jgu0.com 2024-03-26
hostname 43rw98nop8.m1p8z.com 2024-03-26
hostname 4m2swl.7e2r.com 2024-03-26
hostname 5me78.methw.ru 2024-03-26
hostname 6j312.rchan0.com 2024-03-26
hostname 7374.ginvet9.com 2024-03-26
hostname 77p3e.rimesh3.com 2024-03-26
hostname 8000n.uqin.ru 2024-03-26
hostname 8uecv.gnornamb.com 2024-03-26
hostname 98q5e.ructin.com 2024-03-26
hostname 9c43r.theq0.com 2024-03-26
hostname 9oc0y2isa27.demur3.com 2024-03-26
hostname beacon.diremsto.com 2024-03-26
hostname buneji.fiernmar.com 2024-03-26
hostname e85t8.nechsha.com 2024-03-26
hostname ex1uo.rhknt.ru 2024-03-26
hostname explore.atlester.ru 2024-03-26
hostname fiq75d.rexj.ru 2024-03-26
hostname fisaca.trodeckh.com 2024-03-26
hostname galume.aricente.com 2024-03-26
hostname gz238.uatimin.com 2024-03-26
hostname horizon.sologerg.com 2024-03-26
hostname i9152.cisele0.com 2024-03-26
hostname jp1y36.it2ua.com 2024-03-26
hostname k348d.venti71.com 2024-03-26
hostname kjlvo.ningeona.com 2024-03-26
hostname kjsdflwe.nitertym.ru 2024-03-26
hostname l846d.ferver8.com 2024-03-26
hostname libudi.oreversa.com 2024-03-26
hostname n29k4.ilert.ru 2024-03-26
hostname n9zph.lw8opi.com 2024-03-26
hostname o6t94g.3tdx2r.com 2024-03-26
hostname oo99v.coqqwx.ru 2024-03-26
hostname p1v12.17nor.com 2024-03-26
hostname pmd8ot6xhw.3qjpc.com 2024-03-26
hostname q908q.refec7.com 2024-03-26
hostname r298y.sem01.com 2024-03-26
hostname rlpq.tk9u.com 2024-03-26
hostname roriku.orankfix.com 2024-03-26
hostname tnyr.moporins.com 2024-03-26
hostname wasogo.shantowd.com 2024-03-26
hostname x12y.restrice.ru 2024-03-26
hostname xrs.chenebystie.com 2024-03-26
hostname xva.tjlpkcia.com 2024-03-26
hostname zaqaxu.dthiterp.ru 2024-03-26
hostname zekal6.tnjxb.com 2024-03-26
hostname zemj4f.ymarir.ru 2024-03-26