← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Tycoon 2FA: Advanced Evasion Techniques in Phishing-as-a-Service
WHITE Saad Tycoon PetrP.73 2025-05-20 Modified: 2025-05-20
70
IOCs
HIGH VOLUME
In May 2025, ANY.RUN researchers detailed the evolution of the Tycoon 2FA phishing kit, which targets Microsoft 365 and Gmail credentials. This Phishing-as-a-Service (PhaaS) platform employs sophisticated evasion techniques, including dynamic code generation, obfuscation, and traffic filtering, to bypass two-factor authentication (2FA) defenses. The kit uses an Adversary-in-the-Middle (AiTM) approach to capture session cookies, allowing attackers to reuse sessions and evade security measures. The continuous updates and enhancements in Tycoon 2FA's evasion tactics highlight the persistent threat it poses to corporate defenses.
tycoonstagemechanismaprilredirectattack detectedctrlpagecaptchapost requestshiftmetagenericaugustfindfalsemodelerrorstagesdatemanipulationinvisiblesaad tycoonencrypted
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Encrypted
Indicators of Compromise (39 / 70 total)
All FileHash-MD5 URL domain hostname
TYPEINDICATORDESCRIPTIONCREATED
URL https://stellarnetwork.sucileton.com/EQn1RAKa/ 2025-05-20
URL https://stellarnetwork.sucileton.com/34xdw8PBxy6XD6713 2025-05-20
URL https://stellarnetwork.sucileton.com/EQn1RAKa 2025-05-20
URL https://stellarnetwork.sucileton.com/hdYChzlF8NDyL0mfez91q3kibS7yyomnQOpysLzEavnCzdTq0R6fa9y 2025-05-20
URL http://b.location.search/ 2025-05-20
URL http://de.location.search 2025-05-20
URL http://de.location.search/ 2025-05-20
URL http://h.location.search/ 2025-05-20
URL http://k.location.search 2025-05-20
URL http://k.location.search/ 2025-05-20
URL http://n.location.search/ 2025-05-20
URL http://outer.location.search/ 2025-05-20
URL http://t.location.search/ 2025-05-20
URL http://top.location.search/ 2025-05-20
URL https://a.location.search/ 2025-05-20
URL https://de.location.search 2025-05-20
URL https://e.location.search/ 2025-05-20
URL https://f.location.search/ 2025-05-20
URL https://i.location.search/ 2025-05-20
URL https://k.location.search 2025-05-20
URL https://k.location.search/ 2025-05-20
URL https://n.location.search/ 2025-05-20
URL https://r.location.search/ 2025-05-20
URL https://this.aa.location.search/ 2025-05-20
URL http://api.deobfuscate.io 2025-05-20
URL http://landing.deobfuscate.io 2025-05-20
URL http://obf-io.deobfuscate.io 2025-05-20
URL https://api.deobfuscate.io 2025-05-20
URL https://landing.deobfuscate.io 2025-05-20
URL https://obf-io.deobfuscate.io 2025-05-20
URL https://obf-io.deobfuscate.io/ 2025-05-20
URL http://mfamandatorysetupnoreplymicrosoft.sucileton.com/ 2025-05-20
URL http://stellarnetwork.sucileton.com 2025-05-20
URL http://wqd.sucileton.com/ 2025-05-20
URL https://mfamandatorysetupnoreplymicrosoft.sucileton.com/ 2025-05-20
URL https://mfamandatorysetupnoreplymicrosoft.sucileton.com/EQn1RAKa 2025-05-20
URL https://mfamandatorysetupnoreplymicrosoft.sucileton.com/EQn1RAKa/ 2025-05-20
URL https://stellarnetwork.sucileton.com 2025-05-20
URL https://wqd.sucileton.com/ 2025-05-20
References (1)
↗ https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/