{ "type": "Domain", "indicator": "devcraftingsolutions.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/devcraftingsolutions.com", "alexa": "http://www.alexa.com/siteinfo/devcraftingsolutions.com", "indicator": "devcraftingsolutions.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3862598300, "indicator": "devcraftingsolutions.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "6602e304dfdc004f73c12a6e", "name": "Tycoon 2FA: an in-depth analysis of the latest version of the phishing kit", "description": "This report provides an in-depth analysis of Tycoon 2FA, an Adversary-in-The-Middle phishing kit distributed as a Phishing-as-a-Service platform. It became widespread since August 2023 and is currently massively used in phishing campaigns mainly targeting Microsoft 365 accounts. Our analysis revealed recent changes enhancing its stealth capabilities. We identified tracking opportunities to monitor this threat and will continue investigating Tycoon 2FA infrastructure.", "modified": "2024-03-26T15:02:23.552000", "created": "2024-03-26T15:00:20.635000", "tags": [ "malware", "credential theft", "mfa bypass", "microsoft 365", "phishing", "cybercrime" ], "references": [ "https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/" ], "public": 1, "adversary": "Tycoon Group", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 345, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "URL": 9, "domain": 6, "hostname": 50 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 386909, "modified_text": "798 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "674ae2b59e86ef0decf267d7", "name": "New Rockstar 2FA Raises Concerns About Microsoft 365 Accounts", "description": "The full list of names and figures released by the European Commission on 30 November 2024:-1 December 2024.. and the full text of the document: the complete text, translation and translation.", "modified": "2024-11-30T10:02:29.786000", "created": "2024-11-30T10:02:29.786000", "tags": [ "cyber", "threat", "november", "time", "crypto cyber", "defence", "classification", "confidential" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-rockstar-2fa-phishing-service-targets-microsoft-365-accounts/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 48 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660520b87b943ecebeff204a", "name": "Tycoon 2FA, a new PhaaS platform.", "description": "", "modified": "2024-08-30T06:00:50.405000", "created": "2024-03-28T07:48:08.117000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 48 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "641 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66036a959c1b2a09975ea1f8", "name": "New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts", "description": "A round-up of interesting technology-related links shared over the past 24 hours, as well as the latest developments in the battle against cybercrime and the threat posed by the \"Tycoon 2FA\".", "modified": "2024-03-27T00:38:45.796000", "created": "2024-03-27T00:38:45.796000", "tags": [ "sekoia", "tycoon", "october", "august", "urls", "phaas", "microsoft", "gmail", "saad tycoon", "telegram", "evolution", "linux", "valid from", "valid" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/", "tycoon2fa_iocs_20240325.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dataendure_soc", "id": "59789", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "domain": 7, "hostname": 48 }, "indicator_count": 110, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "797 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6602d83ed7e200ab8345b404", "name": "New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts", "description": "Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection.\n\nTycoon 2FA was discovered by Sekoia analysts in October 2023 during routine threat hunting, but it has been active since at least August 2023, when the Saad Tycoon group offered it through private Telegram channels. The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers.", "modified": "2024-03-26T14:14:22.608000", "created": "2024-03-26T14:14:22.608000", "tags": [ "tycoon", "phaas", "javascript code", "c2 server", "sekoia", "october", "august", "html code", "march", "dadsec ott", "twitter", "february", "bitcoin", "capture", "final", "open", "waiting", "first", "vidar", "raccoon", "saad tycoon" ], "references": [ "https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/", "https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [ "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 295, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 9, "domain": 7, "hostname": 50 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 436, "modified_text": "798 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6602bcc224c78e8f32982213", "name": "New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts", "description": "A round-up of interesting technology-related links shared over the past 24 hours, as well as the latest developments in the battle against cyber-thieves, including a new phishing-as-a-service platform named \"Tycoon 2FA\".", "modified": "2024-03-26T12:17:06.019000", "created": "2024-03-26T12:17:06.019000", "tags": [ "sekoia", "tycoon", "october", "august", "urls", "phaas", "microsoft", "gmail", "saad tycoon", "telegram", "evolution", "linux", "javascript code", "c2 server", "html code", "march", "dadsec ott", "twitter", "february", "bitcoin", "capture", "final", "open", "waiting", "first", "vidar", "raccoon" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/", "https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 9, "domain": 7, "hostname": 50 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "798 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6601cbbd782e8b37b4c968b7", "name": "Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit", "description": "", "modified": "2024-03-25T19:08:45.877000", "created": "2024-03-25T19:08:45.877000", "tags": [ "tycoon", "phaas", "javascript code", "c2 server", "sekoia", "october", "august", "html code", "march", "dadsec ott", "twitter", "february", "bitcoin", "capture", "final", "open", "waiting", "first", "vidar", "raccoon" ], "references": [ "https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 9, "domain": 7, "hostname": 50 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 508, "modified_text": "798 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6601c6f36b436474b7968120", "name": "Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit", "description": "A new version of the Tycoon 2FA phishing kit is widely distributed in the wild, according to a report from cybersecurity firm Sekoia, which has been monitoring the infrastructure of similar pages.", "modified": "2024-03-25T18:48:19.436000", "created": "2024-03-25T18:48:19.436000", "tags": [ "tycoon", "phaas", "javascript code", "c2 server", "sekoia", "october", "august", "html code", "march", "dadsec ott", "twitter", "february", "bitcoin", "capture", "final", "open", "waiting", "first", "vidar", "raccoon", "saad tycoon" ], "references": [ "https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/#h-iocs-amp-technical-details", "https://github.com/SEKOIA-IO/Community/blob/main/IOCs/tycoon2fa/tycoon2fa_iocs_20240325.csv" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [ "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 9, "domain": 7, "hostname": 50 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 61, "modified_text": "798 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/", "https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/#h-iocs-amp-technical-details", "https://www.bleepingcomputer.com/news/security/new-rockstar-2fa-phishing-service-targets-microsoft-365-accounts/", "https://github.com/SEKOIA-IO/Community/blob/main/IOCs/tycoon2fa/tycoon2fa_iocs_20240325.csv", "tycoon2fa_iocs_20240325.csv", "https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/" ], "related": { "alienvault": { "adversary": [ "Tycoon Group" ], "malware_families": [], "industries": [ "Finance" ] }, "other": { "adversary": [ "Saad Tycoon" ], "malware_families": [ "Linux" ], "industries": [ "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "6602e304dfdc004f73c12a6e", "name": "Tycoon 2FA: an in-depth analysis of the latest version of the phishing kit", "description": "This report provides an in-depth analysis of Tycoon 2FA, an Adversary-in-The-Middle phishing kit distributed as a Phishing-as-a-Service platform. It became widespread since August 2023 and is currently massively used in phishing campaigns mainly targeting Microsoft 365 accounts. Our analysis revealed recent changes enhancing its stealth capabilities. We identified tracking opportunities to monitor this threat and will continue investigating Tycoon 2FA infrastructure.", "modified": "2024-03-26T15:02:23.552000", "created": "2024-03-26T15:00:20.635000", "tags": [ "malware", "credential theft", "mfa bypass", "microsoft 365", "phishing", "cybercrime" ], "references": [ "https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/" ], "public": 1, "adversary": "Tycoon Group", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 345, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "URL": 9, "domain": 6, "hostname": 50 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 386909, "modified_text": "798 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "674ae2b59e86ef0decf267d7", "name": "New Rockstar 2FA Raises Concerns About Microsoft 365 Accounts", "description": "The full list of names and figures released by the European Commission on 30 November 2024:-1 December 2024.. and the full text of the document: the complete text, translation and translation.", "modified": "2024-11-30T10:02:29.786000", "created": "2024-11-30T10:02:29.786000", "tags": [ "cyber", "threat", "november", "time", "crypto cyber", "defence", "classification", "confidential" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-rockstar-2fa-phishing-service-targets-microsoft-365-accounts/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 48 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "549 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "555 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "564 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660520b87b943ecebeff204a", "name": "Tycoon 2FA, a new PhaaS platform.", "description": "", "modified": "2024-08-30T06:00:50.405000", "created": "2024-03-28T07:48:08.117000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 48 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "641 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "670 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66036a959c1b2a09975ea1f8", "name": "New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts", "description": "A round-up of interesting technology-related links shared over the past 24 hours, as well as the latest developments in the battle against cybercrime and the threat posed by the \"Tycoon 2FA\".", "modified": "2024-03-27T00:38:45.796000", "created": "2024-03-27T00:38:45.796000", "tags": [ "sekoia", "tycoon", "october", "august", "urls", "phaas", "microsoft", "gmail", "saad tycoon", "telegram", "evolution", "linux", "valid from", "valid" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/", "tycoon2fa_iocs_20240325.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dataendure_soc", "id": "59789", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "domain": 7, "hostname": 48 }, "indicator_count": 110, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "797 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6602d83ed7e200ab8345b404", "name": "New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts", "description": "Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection.\n\nTycoon 2FA was discovered by Sekoia analysts in October 2023 during routine threat hunting, but it has been active since at least August 2023, when the Saad Tycoon group offered it through private Telegram channels. The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers.", "modified": "2024-03-26T14:14:22.608000", "created": "2024-03-26T14:14:22.608000", "tags": [ "tycoon", "phaas", "javascript code", "c2 server", "sekoia", "october", "august", "html code", "march", "dadsec ott", "twitter", "february", "bitcoin", "capture", "final", "open", "waiting", "first", "vidar", "raccoon", "saad tycoon" ], "references": [ "https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/", "https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [ "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 295, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 9, "domain": 7, "hostname": 50 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 436, "modified_text": "798 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "devcraftingsolutions.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "devcraftingsolutions.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780414397.1602943 }