DUBAI, DUBAI, UNITED ARAB EMIRATES, May 14, 2025 /EINPresswire.com/ -- ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, has released a detailed report on the evolution of Tycoon2FA, a phishing-as-a-service (PhaaS) kit targeting credentials of corporate clients of Microsoft 365.

๐“๐ฒ๐œ๐จ๐จ๐ง๐Ÿ๐ ๐€: ๐€๐๐ฏ๐š๐ง๐œ๐ž๐ ๐š๐ง๐ ๐„๐ฏ๐จ๐ฅ๐ฏ๐ข๐ง๐ ๐„๐ฏ๐š๐ฌ๐ข๐จ๐ง ๐“๐š๐œ๐ญ๐ข๐œ๐ฌ

ANY.RUN’s research shows that Tycoon2FA has undergone significant updates over the past six months, incorporating a growing arsenal of evasion mechanisms. The newly introduced tactics help the kit evade endpoint protection, automated analysis, and corporate defenses. Key techniques include:

ยท ๐—–๐˜‚๐˜€๐˜๐—ผ๐—บ ๐—–๐—”๐—ฃ๐—ง๐—–๐—›๐—” ๐—œ๐—บ๐—ฝ๐—น๐—ฒ๐—บ๐—ฒ๐—ป๐˜๐—ฎ๐˜๐—ถ๐—ผ๐—ป: Transitioning from Cloudflare Turnstile to custom HTML5 canvas-based CAPTCHAs with randomized elements, enhancing stealth and blocking automated detection.

ยท ๐—–๐—ผ๐—บ๐—ฝ๐—น๐—ฒ๐˜ ๐—๐—ฎ๐˜ƒ๐—ฎ๐—ฆ๐—ฐ๐—ฟ๐—ถ๐—ฝ๐˜ ๐—ข๐—ฏ๐—ณ๐˜‚๐˜€๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป: Employs invisible Unicode characters (e.g., Hangul Filler) and encryption-based obfuscation, leveraging JavaScript Proxy objects to delay execution and evade static analysis.

ยท ๐—”๐—ฑ๐˜ƒ๐—ฎ๐—ป๐—ฐ๐—ฒ๐—ฑ ๐—”๐—ป๐˜๐—ถ-๐——๐—ฒ๐—ฏ๐˜‚๐—ด๐—ด๐—ถ๐—ป๐—ด ๐—ฎ๐—ป๐—ฑ ๐—•๐—ฟ๐—ผ๐˜„๐˜€๐—ฒ๐—ฟ ๐—™๐—ถ๐—ป๐—ด๐—ฒ๐—ฟ๐—ฝ๐—ฟ๐—ถ๐—ป๐˜๐—ถ๐—ป๐—ด: Detects debugging environments (e.g., Selenium), manipulates clipboard content, and uses browser fingerprinting to tailor attacks.

ยท ๐—Ÿ๐—ฒ๐—ด๐—ถ๐˜๐—ถ๐—บ๐—ฎ๐˜๐—ฒ ๐—ฅ๐—ฒ๐˜€๐—ผ๐˜‚๐—ฟ๐—ฐ๐—ฒ ๐—”๐—ฏ๐˜‚๐˜€๐—ฒ ๐—ฎ๐—ป๐—ฑ ๐—ฅ๐—ฒ๐—ฑ๐—ถ๐—ฟ๐—ฒ๐—ฐ๐˜๐—ถ๐—ผ๐—ป ๐—–๐—ต๐—ฎ๐—ถ๐—ป๐˜€: Utilizes legitimate CDNs for corporate logos and extended redirect chains to mask malicious infrastructure.

From the basic obfuscation observed in October 2024 to recent additions such as encryption-based obfuscation and custom fake-page redirects noted in April and May 2025, Tycoon2FA’s continuous evolution underscores its ability to adapt and to challenge even well-defended corporate environments.

Read the full analysis on ANY.RUN’s Cybersecurity Blog.

๐‡๐จ๐ฐ ๐€๐๐˜.๐‘๐”๐ ๐‡๐ž๐ฅ๐ฉ๐ฌ ๐๐ฎ๐ฌ๐ข๐ง๐ž๐ฌ๐ฌ๐ž๐ฌ ๐‚๐จ๐ฎ๐ง๐ญ๐ž๐ซ ๐“๐ฒ๐œ๐จ๐จ๐ง๐Ÿ๐ ๐€ ๐€๐ญ๐ญ๐š๐œ๐ค๐ฌ

ANY.RUN’s Interactive Sandbox equips SOC and DFIR teams with real-time analysis to detect and investigate Tycoon2FA campaigns. Businesses can extract Indicators of Compromise (IOCs), observe phishing behaviors, and map attack tactics to the MITRE ATT&CK framework.

๐€๐›๐จ๐ฎ๐ญ ๐€๐๐˜.๐‘๐”๐

ANY.RUN is a trusted partner for over 15,000 organizations in finance, healthcare, retail, technology, and beyond, delivering advanced malware analysis and threat intelligence products. Its cloud-based Interactive Sandbox, Threat Intelligence Lookup, and TI Feeds enable businesses to analyze, investigate, and detect the latest malware and phishing campaigns, streamlining triage, response, and proactive security.

