{ "type": "URL", "indicator": "https://wqd.sucileton.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://wqd.sucileton.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4069711320, "indicator": "https://wqd.sucileton.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6851011a6c087abfa19e269b", "name": "Evolution of Tycoon 2FA Defense Evasion Mechanisms", "description": "The evolution of cybercriminals\u2019s tactics for bypassing two-factor authentication (2FA) is revealed in a study by security researchers at the Institute for Strategic Studies (ISS).", "modified": "2025-06-17T05:52:06.768000", "created": "2025-06-17T05:46:02.707000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "telegram", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/", "https://socradar.io/tycoon-2fa-an-evolving-phishing-kit-phaas-threats/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 51, "domain": 4, "hostname": 25 }, "indicator_count": 81, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "682ce996ee00bc29988d4ed4", "name": "Tycoon 2FA: Advanced Evasion Techniques in Phishing-as-a-Service", "description": "In May 2025, ANY.RUN researchers detailed the evolution of the Tycoon 2FA phishing kit, which targets Microsoft 365 and Gmail credentials. This Phishing-as-a-Service (PhaaS) platform employs sophisticated evasion techniques, including dynamic code generation, obfuscation, and traffic filtering, to bypass two-factor authentication (2FA) defenses. The kit uses an Adversary-in-the-Middle (AiTM) approach to capture session cookies, allowing attackers to reuse sessions and evade security measures. The continuous updates and enhancements in Tycoon 2FA's evasion tactics highlight the persistent threat it poses to corporate defenses.", "modified": "2025-05-20T20:44:06.988000", "created": "2025-05-20T20:44:06.988000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 39, "domain": 4, "hostname": 26 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "375 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/", "https://socradar.io/tycoon-2fa-an-evolving-phishing-kit-phaas-threats/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Saad Tycoon" ], "malware_families": [ "Encrypted" ], "industries": [], "unique_indicators": 85 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sucileton.com", "whois": "http://whois.domaintools.com/sucileton.com", "domain": "sucileton.com", "hostname": "wqd.sucileton.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6851011a6c087abfa19e269b", "name": "Evolution of Tycoon 2FA Defense Evasion Mechanisms", "description": "The evolution of cybercriminals\u2019s tactics for bypassing two-factor authentication (2FA) is revealed in a study by security researchers at the Institute for Strategic Studies (ISS).", "modified": "2025-06-17T05:52:06.768000", "created": "2025-06-17T05:46:02.707000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "telegram", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/", "https://socradar.io/tycoon-2fa-an-evolving-phishing-kit-phaas-threats/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 51, "domain": 4, "hostname": 25 }, "indicator_count": 81, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "682ce996ee00bc29988d4ed4", "name": "Tycoon 2FA: Advanced Evasion Techniques in Phishing-as-a-Service", "description": "In May 2025, ANY.RUN researchers detailed the evolution of the Tycoon 2FA phishing kit, which targets Microsoft 365 and Gmail credentials. This Phishing-as-a-Service (PhaaS) platform employs sophisticated evasion techniques, including dynamic code generation, obfuscation, and traffic filtering, to bypass two-factor authentication (2FA) defenses. The kit uses an Adversary-in-the-Middle (AiTM) approach to capture session cookies, allowing attackers to reuse sessions and evade security measures. The continuous updates and enhancements in Tycoon 2FA's evasion tactics highlight the persistent threat it poses to corporate defenses.", "modified": "2025-05-20T20:44:06.988000", "created": "2025-05-20T20:44:06.988000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 39, "domain": 4, "hostname": 26 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "375 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://wqd.sucileton.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://wqd.sucileton.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780180370.8930314 }