{"id":13375,"date":"2025-05-13T12:29:24","date_gmt":"2025-05-13T12:29:24","guid":{"rendered":"\/cybersecurity-blog\/?p=13375"},"modified":"2025-09-19T09:58:15","modified_gmt":"2025-09-19T09:58:15","slug":"tycoon2fa-evasion-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/","title":{"rendered":"Evolution of Tycoon 2FA Defense Evasion Mechanisms: Analysis and Timeline"},"content":{"rendered":"\n<p>Attackers keep improving ways to avoid being caught, making it harder to detect and investigate their attacks. The Tycoon 2FA phishing kit is a clear example, as its creators regularly add new tricks to bypass detection systems.&nbsp;<\/p>\n\n\n\n<p>In this study, we\u2019ll take a closer look at how Tycoon 2FA\u2019s anti-detection methods have changed over the past several months and suggest ways to spot them effectively.&nbsp;<\/p>\n\n\n\n<p>This article will discuss:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A review of old and new anti-detection techniques.&nbsp;<\/li>\n\n\n\n<li>How the new tricks compare to the old ones.&nbsp;<\/li>\n\n\n\n<li>Tips for spotting these early.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Knowing how attackers dodge detection and keeping user detection rules up to date are key to fighting these anti-detection methods.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is Tycoon 2FA&nbsp;<\/h2>\n\n\n\n<p>Tycoon 2FA is a modern <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/\" target=\"_blank\" rel=\"noreferrer noopener\">Phishing-as-a-Service (PhaaS)<\/a> platform designed to bypass two-factor authentication (2FA) for Microsoft 365 and Gmail. 
It was first identified by <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Sekoia<\/a> analysts in October 2023, though the Saad Tycoon group, which promotes this tool through private Telegram channels, has been active since August 2023.&nbsp;<\/p>\n\n\n\n<p>Tycoon 2FA uses an Adversary-in-the-Middle (AiTM) approach, where attackers set up a phishing page through a reverse proxy server. After a user enters their credentials and completes the 2FA process, the server captures session cookies, allowing attackers to reuse the session and bypass security measures.&nbsp;<\/p>\n\n\n\n<p>Currently, Tycoon 2FA is highly popular and widely used by cybercriminals, including the Saad Tycoon group. The platform offers ready-made phishing pages and an easy-to-use admin panel, making it accessible even to less technically skilled attackers.&nbsp;<\/p>\n\n\n\n<p>Discover the latest examples of Tycoon 2FA attacks using this search query in <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tycoon2fa_evasion&amp;utm_term=130525&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tycoon2fa_evasion&amp;utm_term=130525&amp;utm_content=linktotiplans#%7B%2522query%2522:%2522threatName:%255C%2522Tycoon%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;Tycoon&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p>In 2024, an updated version of Tycoon 2FA was released, featuring enhanced evasion techniques, including 
dynamic code generation, obfuscation, and traffic filtering to block bots. Phishing emails are now frequently sent from legitimate, potentially compromised email addresses.&nbsp;<\/p>\n\n\n\n<p>The evolution of this phishing kit continues, with ANY.RUN researchers <a href=\"https:\/\/x.com\/anyrun_app\/status\/1914999622881235340\" target=\"_blank\" rel=\"noreferrer noopener\">noting regular updates and new evasion mechanisms<\/a> in its malicious software. This article aims to investigate and provide technical details on how Tycoon 2FA has evolved, is evolving, and may continue to evolve.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Before We Begin<\/h3>\n\n\n\n<p>Tune in to <a href=\"https:\/\/anyrun.webinargeek.com\/how-soc-teams-save-time-and-effort-with-any-run-action-plan?cst=blog\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s live webinar<\/a> on Wednesday, May 14 | 3:00 PM GMT. We welcome&nbsp;<strong>heads of SOC teams, managers, and security specialists<\/strong>&nbsp;of different tiers who want to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Solve common security issues<\/li>\n\n\n\n<li>Optimize their work processes&nbsp;<\/li>\n\n\n\n<li>Find out how to save company\u2019s resources&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/anyrun.webinargeek.com\/how-soc-teams-save-time-and-effort-with-any-run-action-plan?cst=blog\" target=\"_blank\" rel=\"noreferrer noopener\">Sign up for webinar \u2192<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analysis of a Tycoon2FA Attack from 01.10.2024&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s begin the analysis with a typical Tycoon2FA attack observed in October of 2024. The attack starts with a malicious URL and employs multiple evasion techniques to avoid detection. 
Below, we will break down each stage of the attack, highlighting its protective mechanisms and their purposes.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/7a87388b-8e07-4944-8d65-1422f56d303f\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tycoon2fa_evasion&amp;utm_term=130525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox session<\/a>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 1: Initial Attack Mechanisms&nbsp;<\/h3>\n\n\n\n<p>The attack starts with a request to the following URL:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>hxxps:\/\/stellarnetwork&#091;.]sucileton&#091;.]com\/EQn1RAKa\/ <\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #1: Basic Code Obfuscation<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The page\u2019s source code is obfuscated, making it difficult for automated systems or analysts to interpret its functionality.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1188\" height=\"663\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-2.png\" alt=\"\" class=\"wp-image-13403\"\/><figcaption class=\"wp-element-caption\"><em>Figure 1: Evasion Mechanisms in Stage 1 of Tycoon 2FA<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This is a foundational defense to hinder initial analysis.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #2: &#8220;Nomatch&#8221; Check<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The code compares the URL (part of the attacker\u2019s infrastructure) against a \u201cnomatch\u201d value. This check appears to be a decoy or placeholder, as the comparison always returns False. 
It may serve as a flag for services like Cloudflare.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"554\" height=\"140\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image35.png\" alt=\"\" class=\"wp-image-13409\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image35.png 554w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image35-300x76.png 300w\" sizes=\"(max-width: 554px) 100vw, 554px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 2: &#8220;Nomatch&#8221; Evasion Mechanism<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #3: Domain Comparison<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The code verifies whether the current page\u2019s domain matches the attacker\u2019s designated infrastructure domain. If the domains match, the attack proceeds to load Stage 2 (the malicious payload) into the Document Object Model (DOM). 
If not, a fake error page is displayed.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1085\" height=\"163\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-4.png\" alt=\"\" class=\"wp-image-13411\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-4.png 1085w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-4-300x45.png 300w\" sizes=\"(max-width: 1085px) 100vw, 1085px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 3: Domain Comparison Evasion Mechanism<\/em><\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #4: Redirect to Fake Litespeed 404 Page on Failed Checks<\/strong>&nbsp;<\/h4>\n\n\n\n<p>If the domain check fails, the user is redirected to a fake \u201cLitespeed 404\u201d error page.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"595\" height=\"112\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-1.png\" alt=\"\" class=\"wp-image-13414\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-1.png 595w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-1-300x56.png 300w\" sizes=\"(max-width: 595px) 100vw, 595px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 4: Fake 404 Page Redirect&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><\/p>\n\n\n\n<p>The page is designed to appear legitimate and deter further investigation.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"545\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image36-1024x545.png\" alt=\"\" class=\"wp-image-13415\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image36-1024x545.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image36-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image36.png 1493w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 5: Example of Fake Litespeed 404 Page<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Purpose of Stage 1 Evasion Mechanisms&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"1500\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-3.png\" alt=\"\" class=\"wp-image-13418\" style=\"width:651px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-3.png 1000w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/1-3-200x300.png 200w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 6: Flowchart of Stage 1 Protective Checks in Tycoon 2FA<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>These mechanisms are designed to prevent the malicious code from executing or revealing its behavior in isolated scenarios, such as:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malware analysis sandboxes.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Offline inspection of saved HTML files.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>By ensuring the code only runs in the attacker\u2019s controlled environment, these checks reduce the likelihood of detection.&nbsp;<\/p>\n\n\n\n<p>If all Stage 1 checks are passed, the malicious payload (Stage 2) is injected into the page\u2019s DOM, advancing the attack to its next phase.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 2: Main Evasion Mechanisms&nbsp;<\/h3>\n\n\n\n<h4 
class=\"wp-block-heading\"><strong>Evasion Mechanism #5: Cloudflare Turnstile CAPTCHA&nbsp;<\/strong>&nbsp;<\/h4>\n\n\n\n<p>Before loading the main content, Tycoon 2FA requires users to pass a Cloudflare Turnstile CAPTCHA. This protects the malicious page from web crawlers, <a href=\"https:\/\/any.run\/cybersecurity-blog\/safebrowsing\/\" target=\"_blank\" rel=\"noreferrer noopener\">Safebrowsing services<\/a>, or automated systems that could capture and analyze the page\u2019s content.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1210\" height=\"402\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image37.png\" alt=\"\" class=\"wp-image-13420\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image37.png 1210w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image37-300x100.png 300w\" sizes=\"(max-width: 1210px) 100vw, 1210px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 7: Cloudflare CAPTCHA in Tycoon 2FA<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #6: Debugger Timing Check<\/strong>&nbsp;<\/h4>\n\n\n\n<p>During Stage 2, the code also measures the time taken to launch a debugger, a technique used to detect whether the page is running in a real browser or a sandboxed environment. 
In this sample, the check is rudimentary, and the timing result is not actively used, suggesting it may be a placeholder or incomplete feature.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"527\" height=\"168\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image38.png\" alt=\"\" class=\"wp-image-13421\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image38.png 527w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image38-300x96.png 300w\" sizes=\"(max-width: 527px) 100vw, 527px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 8: Debugger Timing Check Mechanism<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #7: C2 Server Queries<\/strong>&nbsp;<\/h4>\n\n\n\n<p>Tycoon 2FA sends a series of requests to the attacker\u2019s Command-and-Control (C2) servers to determine whether to proceed to Stage 3. 
This process involves two steps:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>GET Request to Secondary C2 Domain<\/strong>:&nbsp;<br>A GET request is sent to another C2 domain, expecting a single-byte response: \u20180\u2019 or \u20181\u2019.&nbsp;&nbsp;\n<ul class=\"wp-block-list\">\n<li>If \u20181\u2019 is received, the attack halts, and the user is redirected to a legitimate page.&nbsp;&nbsp;<\/li>\n\n\n\n<li>If \u20180\u2019 is received, the attack continues.&nbsp;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"492\" height=\"359\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3a.png\" alt=\"\" class=\"wp-image-13423\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3a.png 492w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3a-300x219.png 300w\" sizes=\"(max-width: 492px) 100vw, 492px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 10: Code Fragment for Stage 3 Validation Checks<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>If all Stage 2 checks are successfully passed, the page reloads, and the Stage 3 payload, the core malicious component, is retrieved and executed.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 3: Payload Unpacking&nbsp;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #8: Base64 + XOR Obfuscation<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The payload in Stage 3 is obfuscated using a combination of Base64 encoding and XOR encryption with a predefined key. 
This protects the malicious code from being easily analyzed or detected.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"954\" height=\"184\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3b-1.png\" alt=\"\" class=\"wp-image-13427\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3b-1.png 954w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3b-1-300x58.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3b-1-768x148.png 768w\" sizes=\"(max-width: 954px) 100vw, 954px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 11: Code for XOR-Base64 Deobfuscation<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After deobfuscation (use this <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=From_Base64('A-Za-z0-9%2B\/%3D',true,false)XOR(%7B'option':'UTF8','string':'Xz9nuEyiZi'%7D,'Standard',false)&amp;input=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&amp;oeol=CRLF\" target=\"_blank\" rel=\"noreferrer noopener\">CyberChef recipe<\/a>), the next stage is revealed, advancing the attack.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 4: Dynamic Payload Retrieval&nbsp;<\/h3>\n\n\n\n<p>During the payload retrieval, a POST request is sent to the attacker\u2019s C2 server. 
The request body contains data derived from the initial phishing URL, with logic that varies based on whether the victim\u2019s email is included in the URL.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"564\" height=\"161\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3c.png\" alt=\"\" class=\"wp-image-13428\"\/><figcaption class=\"wp-element-caption\"><em>Figure 12: Code for Sending POST Request<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #9: Encrypted Payload Delivery<\/strong><\/h4>\n\n\n\n<p>The C2 server responds with a JSON file containing ciphertext and decryption parameters. The specific data received depends on the contents of the POST request. The payload is decrypted to reveal the URL for the next stage.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1010\" height=\"275\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image42-1.png\" alt=\"\" class=\"wp-image-13431\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image42-1.png 1010w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image42-1-300x82.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image42-1-768x209.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image42-1-370x101.png 370w\" sizes=\"(max-width: 1010px) 100vw, 1010px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 13: Code for Decrypting POST Request Response<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><\/p>\n\n\n\n<p>To see the sample of the retrieved payload and its decryption, visit <a href=\"https:\/\/jsfiddle.net\/hrnxc1tw\/1\/\" target=\"_blank\" rel=\"noreferrer noopener\">JSFiddle.<\/a> The result of this action is the URL for Stage 
5.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 5: Fake Login Page Delivery&nbsp;<\/h3>\n\n\n\n<p>The content in Stage 5 is mostly unobfuscated, presenting a fake Microsoft Outlook login page designed to deceive the victim. It includes SVG assets and a stylesheet to mimic the legitimate interface.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"555\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3e-1024x555.png\" alt=\"\" class=\"wp-image-13433\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3e-1024x555.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3e-300x163.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3e-768x416.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3e.png 1494w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 14: Loading of Fake MS Outlook Login Page<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>At the end of the page\u2019s source code, an additional JavaScript script reuses the Base64 + XOR obfuscation technique (previously seen in Stage 3) to hide further malicious code.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"908\" height=\"289\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3f.png\" alt=\"\" class=\"wp-image-13434\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3f.png 908w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3f-300x95.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image3f-768x244.png 768w\" sizes=\"(max-width: 908px) 100vw, 908px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 15: 
Base64\/XOR Obfuscation in Stage 5<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Deobfuscating this script reveals the next stage of the attack.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 6: Fake Authorization and Data Exfiltration&nbsp;<\/h3>\n\n\n\n<p>The frontend mimics a Microsoft Outlook login page, designed to trick victims into entering their credentials.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1496\" height=\"797\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image40.png\" alt=\"\" class=\"wp-image-13436\"\/><figcaption class=\"wp-element-caption\"><em>Figure 16: Loaded Fake MS Outlook Login Page<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>At the end of the source code, a JavaScript script implements several new protective and operational mechanisms:&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #10: Browser Detection<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The script identifies the victim\u2019s browser to tailor the attack or detect analysis environments (e.g., sandboxes).&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"463\" height=\"277\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image41.png\" alt=\"\" class=\"wp-image-13437\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image41.png 463w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image41-300x179.png 300w\" sizes=\"(max-width: 463px) 100vw, 463px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 17: Code for Browser Detection<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #11: Clipboard Manipulation<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The script replaces the clipboard contents with junk data to interfere with analysis or 
debugging attempts.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"502\" height=\"106\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image71.png\" alt=\"\" class=\"wp-image-13439\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image71.png 502w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image71-300x63.png 300w\" sizes=\"(max-width: 502px) 100vw, 502px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 18: Code for Clipboard Manipulation<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #9 (Reused): Payload Encryption\/Decryption<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The script encrypts and decrypts the payload using hardcoded keys and initialization vectors (IVs), protecting data sent to and received from the C2 server.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"418\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image72.png\" alt=\"\" class=\"wp-image-13445\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image72.png 601w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image72-300x209.png 300w\" sizes=\"(max-width: 601px) 100vw, 601px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 19: Code for Payload Encryption\/Decryption<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #12: C2 Routing with Dynamic URLs<\/strong>&nbsp;<\/h4>\n\n\n\n<p>A randomly generated URL for data exfiltration is created using the RandExp library, following a pattern determined by the Tycoon 2FA operation mode (e.g., checkmail, checkpass, twofaselected). 
This ensures varied C2 communication paths, complicating detection.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"798\" height=\"348\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image73.png\" alt=\"\" class=\"wp-image-13447\"\/><figcaption class=\"wp-element-caption\"><em>Figure 20: Code for Generating Random Exfiltration URLs<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #13: Redirect API Validation<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The script checks the validity of a redirect API, likely used by Tycoon 2FA operators to monitor client status or subscription activity.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"918\" height=\"428\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image74.png\" alt=\"\" class=\"wp-image-13448\"\/><figcaption class=\"wp-element-caption\"><em>Figure 21: Code for Redirect API Validation<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Finally, the stolen data (e.g., credentials) is exfiltrated to a third C2 domain in the attack chain. 
The response from the C2 server dictates the phishing page\u2019s behavior, such as prompting for 2FA or updating the account status.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1346\" height=\"121\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image75.png\" alt=\"\" class=\"wp-image-13451\"\/><figcaption class=\"wp-element-caption\"><em>Figure 22: Code for Data Exfiltration<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>A <a href=\"https:\/\/jsfiddle.net\/3vga04hz\/1\/\" target=\"_blank\" rel=\"noreferrer noopener\">JSFiddle snippet<\/a> demonstrates the encryption\/decryption of sent\/received data.&nbsp;&nbsp;<\/p>\n\n\n\n<p>At the end of Stage 6, there is a link to another script, which loads the next stage of the attack.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"628\" height=\"28\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image76.png\" alt=\"\" class=\"wp-image-13452\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image76.png 628w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image76-300x13.png 300w\" sizes=\"(max-width: 628px) 100vw, 628px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 23: Link to Next Tycoon 2FA Stage<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Stage 7: Phishing Framework Enhancements&nbsp;<\/h3>\n\n\n\n<p>After deobfuscation, Stage 7 reveals additional functionality for the Phishing-as-a-Service (PhaaS) framework, defining critical operations for the phishing interface.&nbsp;<\/p>\n\n\n\n<p>The code includes logic for:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managing the user interface behavior.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Handling transitions between 
frames.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rendering core page elements.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implementing a state machine for the phishing page.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Validating user inputs (e.g., email, password, OTP).&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"888\" height=\"696\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image77.png\" alt=\"\" class=\"wp-image-13454\"\/><figcaption class=\"wp-element-caption\"><em>Figure 24: Code fragment for phishing page State Machine<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Execution Chain Summary&nbsp;<\/h2>\n\n\n\n<p>The complete execution chain, combining all mechanisms from Stages 1\u20137, is visualized below:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1850\" height=\"4289\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/2-3.png\" alt=\"\" class=\"wp-image-13388\"\/><figcaption class=\"wp-element-caption\"><em>Detailed breakdown of Tycoon2FA&#8217;s attack<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>With a comprehensive understanding of Tycoon 2FA\u2019s attack flow, we can now analyze newer samples and compare them to this baseline to identify changes or additions to its anti-detection mechanisms.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">New Tycoon2FA Evasion Mechanisms: Timeline&nbsp;<\/h2>\n\n\n\n<p>As we&#8217;ve discussed, Tycoon 2FA is steadily evolving, with its developers rolling out more sophisticated anti-detection mechanisms.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Let&#8217;s now examine the latest evasion methods that have emerged in attacks since October.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Attack Detected on 6 
December 2024&nbsp;&nbsp;<\/h3>\n\n\n\n<p>This sample introduces new anti-detection mechanisms in <strong>Stage 2<\/strong>, enhancing the malicious payload\u2019s ability to avoid analysis and debugging environments. The following mechanisms were observed:&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #14: Debug Environment Detection<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The script checks if the page is loaded in a legitimate browser rather than a debugging environment, such as Selenium (WebDriver), PhantomJS, or Burp Suite. If a debugging runtime is detected, the attack stops, and the user is redirected to about:blank.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1043\" height=\"76\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image78.png\" alt=\"\" class=\"wp-image-13457\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image78.png 1043w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image78-300x22.png 300w\" sizes=\"(max-width: 1043px) 100vw, 1043px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 25: Code for Detecting Debugging Runtime<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #15: Keystroke Interception<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The code intercepts keyboard shortcuts associated with opening browser developer tools or other debugging functions, preventing their default actions. 
This hinders manual analysis by users or researchers.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"674\" height=\"405\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image79.png\" alt=\"\" class=\"wp-image-13458\"\/><figcaption class=\"wp-element-caption\"><em>Figure 26: Code for Keystroke Interception<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The intercepted shortcuts include:&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>F12<\/strong>: Opens DevTools (Firefox).&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ctrl + U<\/strong>: Displays page source code.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ctrl + Shift + I<\/strong>: Opens DevTools (Generic).&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ctrl + Shift + C<\/strong>: Opens DevTools (Chrome).&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ctrl + Shift + J<\/strong>: Opens browser console (Firefox).&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ctrl + Shift + K<\/strong>: Duplicates current tab (Edge).&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ctrl + H<\/strong>: Opens browser history (Generic).&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Meta + Alt + I<\/strong>: Opens insert menu (varies by browser).&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Meta + Alt + C<\/strong>: Copies selected text.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Meta + U<\/strong>: Shows page source or accessibility menu.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #16: Context Menu Blocking<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The script disables the right-click context menu, preventing 
access to browser tools or page source inspection.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"623\" height=\"92\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7a.png\" alt=\"\" class=\"wp-image-13461\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7a.png 623w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7a-300x44.png 300w\" sizes=\"(max-width: 623px) 100vw, 623px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 27: Code for Disabling Context Menu<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Improved Evasion Mechanism #6: Debugger Timing Check<\/strong><\/h4>\n\n\n\n<p>Building on the rudimentary version in earlier samples, this implementation fully measures the time taken to launch a debugger. If the timing is abnormally long (suggesting a sandbox environment), the script redirects to a legitimate page, halting execution.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"708\" height=\"294\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7b.png\" alt=\"\" class=\"wp-image-13462\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7b.png 708w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7b-300x125.png 300w\" sizes=\"(max-width: 708px) 100vw, 708px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 28: Enhanced Debugger Timing Check Implementation<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Attack Detected on 17 December 2024&nbsp;&nbsp;<\/h3>\n\n\n\n<p>In <a 
href=\"https:\/\/app.any.run\/tasks\/9700f36a-d506-4e5e-8f96-cdddc83e37a0\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tycoon2fa_evasion&amp;utm_term=130525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">another attack from December<\/a>, the threat introduced a new capability to enhance the phishing page\u2019s authenticity, making it more convincing to victims.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #17: Dynamic Multimedia via Legitimate CDN<\/strong>&nbsp;<\/h4>\n\n\n\n<p>Specifically, the phishing page dynamically loads a logo and custom background tailored to the domain of the victim\u2019s email address, increasing its visual credibility.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1495\" height=\"797\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7c.png\" alt=\"\" class=\"wp-image-13463\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7c.png 1495w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7c-300x160.png 300w\" sizes=\"(max-width: 1495px) 100vw, 1495px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 29: Phishing page with custom background<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The multimedia content is delivered through Microsoft\u2019s legitimate AADCDN network, leveraging trusted infrastructure to evade detection and reduce suspicion.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1016\" height=\"399\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7d.png\" alt=\"\" class=\"wp-image-13468\"\/><figcaption class=\"wp-element-caption\"><em>Figure 30: Use of AADCDN for loading custom logos\/backgrounds<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Attack Detected on 3 April 
2025&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/d40e75ba-e4e8-4b51-b4a5-6614c8be7891\" target=\"_blank\" rel=\"noreferrer noopener\">This sample<\/a> introduces multiple new evasion mechanisms across various stages, reflecting Tycoon 2FA\u2019s continued evolution in obfuscation, redirection, and anti-analysis techniques.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 1: Enhanced Obfuscation&nbsp;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #18: Complex JavaScript Code<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The payload uses Base64 obfuscation for JavaScript keywords, and method calls (e.g., document.write()) are invoked via object property access, complicating static analysis.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The next stage\u2019s content involves URL-encoding\/decoding, further obscuring the code.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"905\" height=\"187\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7e.png\" alt=\"\" class=\"wp-image-13473\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7e.png 905w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7e-300x62.png 300w\" sizes=\"(max-width: 905px) 100vw, 905px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 31: More sophisticated code in Stage 1<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Stage 2: New Evasion Techniques&nbsp;<\/h3>\n\n\n\n<p>When Stage 2 code is deobfuscated, we can observe new evasion methods.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #19: Invisible Obfuscation<\/strong>&nbsp;<\/h4>\n\n\n\n<p>The code employs whitespace-based \u201cinvisible\u201d obfuscation, using proxy object calls and getter methods to retrieve and execute code via eval(). 
This technique makes the code harder to read and analyze.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7f.png\" alt=\"\" class=\"wp-image-13471\"\/><figcaption class=\"wp-element-caption\"><em>Figure 32: Invisible obfuscation code #1<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"657\" height=\"468\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-3.png\" alt=\"\" class=\"wp-image-13470\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-3.png 657w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/5-3-300x214.png 300w\" sizes=\"(max-width: 657px) 100vw, 657px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 33: Invisible obfuscation code #2<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The form sent during the transition from Stage 2 to Stage 3 is now created as a FormData object, replacing the previous HTML &lt;form&gt; element approach, reducing detectability.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"964\" height=\"211\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image82.png\" alt=\"\" class=\"wp-image-13477\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image82.png 964w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image82-300x66.png 300w\" sizes=\"(max-width: 964px) 100vw, 964px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 34: Old HTML form declaration<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"628\" height=\"174\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image85.png\" alt=\"\" class=\"wp-image-13478\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image85.png 628w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image85-300x83.png 300w\" sizes=\"(max-width: 628px) 100vw, 628px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 35: New FormData declaration<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #20: Custom Fake Page Redirect<\/strong>&nbsp;<\/h4>\n\n\n\n<p>Unlike earlier samples that redirected to legitimate sites (e.g., eBay) upon failing checks, this revision redirects to a custom fake HTML page, enhancing deception and avoiding reliance on external domains.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"552\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image86-1024x552.png\" alt=\"\" class=\"wp-image-13480\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image86-1024x552.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image86-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image86-768x414.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image86.png 1494w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 36: Example of custom fake page<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #21: Custom CAPTCHA<\/strong>&nbsp;<\/h4>\n\n\n\n<p>A custom CAPTCHA replaces the previously used Cloudflare Turnstile, likely to complicate signature-based and behavioral analysis and mitigate potential issues with Cloudflare\u2019s security services.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure 
class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"813\" height=\"848\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image87.png\" alt=\"\" class=\"wp-image-13482\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image87.png 813w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image87-288x300.png 288w\" sizes=\"(max-width: 813px) 100vw, 813px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 37: Custom CAPTCHA Code Fragment<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"553\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image88-1-1024x553.png\" alt=\"\" class=\"wp-image-15890\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image88-1-1024x553.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image88-1-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image88-1-768x415.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image88-1-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image88-1-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image88-1-740x400.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image88-1.png 1489w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 37: Custom CAPTCHA<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Stage 5: Clipboard Protection&nbsp;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #22: Disabling Clipboard Copying<\/strong>&nbsp;<\/h4>\n\n\n\n<p>In addition to filling the clipboard with junk data (as seen in earlier samples), this revision 
prevents copying from the login form\u2019s input fields, further hindering analysis.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"598\" height=\"202\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image89.png\" alt=\"\" class=\"wp-image-13485\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image89.png 598w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image89-300x101.png 300w\" sizes=\"(max-width: 598px) 100vw, 598px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 38: Code for Disabling Clipboard Copying<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Stage 6: Enhanced Data Exfiltration&nbsp;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #23: Custom Binary Encoding<\/strong>&nbsp;<\/h4>\n\n\n\n<p>Data exfiltration now uses binary encoding for payloads, adding an additional layer of obfuscation.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"703\" height=\"746\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-2.png\" alt=\"\" class=\"wp-image-13489\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-2.png 703w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-2-283x300.png 283w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/4-2-370x393.png 370w\" sizes=\"(max-width: 703px) 100vw, 703px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 39: Code for binary encoding of payload<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>To see the payload example, we can use <a 
href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=From_Binary('Space',8)&amp;input=MDEwMTAwMDAgMDEwMTEwMDAgMDEwMDAwMDEgMDExMDEwMDEgMDEwMTAwMTEgMDExMTEwMDEgMDExMTAxMDAgMDExMDAwMTEgMDExMDEwMTAgMDEwMTAxMDEgMDExMDAwMTAgMDEwMTEwMDEgMDAxMTAwMTEgMDEwMDEwMTEgMDExMTAxMDEgMDEwMTEwMTAgMDEwMTEwMDAgMDEwMDAwMDEgMDExMDExMDAgMDEwMTAwMTEgMDExMDExMTAgMDExMDAxMDEgMDEwMDExMDAgMDExMDAxMDAgMDEwMDAwMDEgMDEwMTAxMTEgMDAxMTAwMDEgMDAxMTEwMDEgMDExMDExMTAgMDEwMDExMDEgMDExMDAxMDEgMDEwMDEwMDEgMDEwMDAxMTAgMDExMDExMTAgMDEwMDAxMDEgMDEwMTAwMDAgMDEwMDEwMDEgMDEwMDAxMTAgMDExMDAxMDAgMDEwMDEwMTEgMDEwMTAxMTEgMDAxMDEwMTEgMDEwMTAxMTAgMDEwMDAwMTEgMDExMDAwMDEgMDEwMTAwMTEgMDExMDExMTAgMDExMTAxMDAgMDExMDExMDEgMDEwMDAxMDAgMDExMDEwMDAgMDExMTAxMTEgMDAxMTAwMDAgMDExMTAwMDAgMDExMDAxMDAgMDEwMDEwMTEgMDExMDExMTAgMDExMDAxMDAgMDAxMTEwMDEgMDExMTAxMDAgMDExMDEwMTAgMDEwMDAwMTEgMDExMDEwMTEgMDExMTAwMDAgMDExMDEwMDEgMDAxMTAwMDAgMDEwMDAwMDEgMDExMDAwMTEgMDEwMDEwMTEgMDAxMDExMTEgMDExMDAxMTEgMDEwMTEwMDAgMDAxMTAxMDEgMDExMDExMDEgMDEwMTAxMDEgMDEwMTAwMDEgMDEwMDExMDEgMDEwMTAxMDAgMDEwMTAxMTAgMDExMDEwMTAgMDEwMDEwMDEgMDExMTAwMTAgMDEwMTAwMTEgMDExMTEwMDAgMDEwMDEwMDAgMDAxMTAxMDAgMDEwMDEwMTAgMDEwMDEwMTAgMDEwMDExMDAgMDExMDAwMTEgMDExMDAxMTAgMDExMDEwMTAgMDEwMTAwMDEgMDExMTEwMTAgMDEwMDAwMDEgMDAxMTAxMDEgMDEwMTAwMDAgMDExMTAwMTEgMDExMTAxMDEgMDAxMTEwMDAgMDEwMDAwMTAgMDEwMTAwMDEgMDEwMTAwMTAgMDEwMTAwMDEgMDAxMTAwMTAgMDAxMTEwMDAgMDEwMTAxMTEgMDEwMDAwMDEgMDEwMDAxMDEgMDEwMTEwMDAgMDAxMTAwMTEgMDExMDAwMDEgMDExMDAxMDAgMDExMTAxMDAgMDEwMDEwMDEgMDExMDAwMTAgMDEwMDAwMTEgMDExMTAxMTAgMDAxMTAxMDAgMDAxMTEwMDAgMDEwMTAxMDEgMDEwMDAwMTAgMDEwMDExMDEgMDEwMTAxMDAgMDExMTEwMDAgMDEwMTEwMDEgMDEwMDExMDEgMDExMTAwMDAgMDEwMTAxMTAgMDAxMTEwMDAgMDExMTAwMTEgMDEwMDAwMTEgMDExMDEwMDAgMDEwMDAwMTAgMDAxMTAwMTAgMDExMDAwMTEgMDExMTAxMTAgMDExMTAwMDEgMDExMDEwMTAgMDExMTAxMDAgMDEwMDAwMTEgMDExMTEwMTAgMDExMDAxMTAgMDEwMTEwMTAgMDAxMTEwMDAgMDExMDExMTEgMDEwMDExMTAgMDAxMDEwMTEgMDExMDExMDAgMDEwMDAwMDEgMDExMTAwMDAgMDEwMDAxMDAgMDAxMTAxMDEgMDExMDAwMTAgMDAxMTAxMTAgMDAxMDExMTEgMDExMTAxMTAgMDEwMDAxMDAgMDExMDEwMTEgMDEwMDE
wMDAgMDEwMTAwMDAgMDAxMDExMTEgMDExMDAxMTEgMDExMTAwMTAgMDAxMTEwMDAgMDEwMTAwMTEgMDEwMDAwMTAgMDEwMTEwMTAgMDEwMDAwMDEgMDExMDAwMTAgMDExMDExMDAgMDExMTAwMDAgMDEwMTAwMDAgMDExMDExMTEgMDEwMTEwMDEgMDAxMTAxMDAgMDEwMTAwMTEgMDExMDAxMDEgMDEwMDAwMDEgMDExMDEwMTAgMDAxMTAwMTEgMDExMDExMTAgMDEwMDAwMTEgMDExMTAxMDEgMDExMDExMTAgMDExMTAwMTEgMDExMDAwMDEgMDEwMTAxMDAgMDEwMDAwMTEgMDAxMTAxMDAgMDEwMTAwMDAgMDEwMDEwMTAgMDExMTAxMDEgMDAxMTEwMDEgMDAxMTAwMDAgMDExMTAxMTAgMDEwMDEwMTAgMDEwMDAxMTEgMDExMTAwMTEgMDAxMDExMTEgMDEwMDEwMDAgMDEwMDExMTAgMDExMTEwMDEgMDExMTAwMTAgMDExMTAxMDEgMDEwMDExMDEgMDEwMTAwMTAgMDEwMDAxMDEgMDExMTEwMDEgMDExMTEwMDEgMDExMTAxMTEgMDAxMTAxMDEgMDEwMDExMDAgMDExMDAwMTAgMDAxMTAxMDAgMDEwMTAxMTAgMDEwMTEwMTAgMDAxMDEwMTEgMDEwMDAxMDAgMDEwMDExMDAgMDExMDAxMTAgMDEwMTAwMTAgMDExMDAxMDAgMDAxMTAxMDEgMDExMDAwMTEgMDAxMTEwMDEgMDEwMTAwMDEgMDExMDEwMDAgMDExMDEwMDAgMDExMDExMTAgMDEwMDExMDAgMDExMDAwMDEgMDExMDEwMTAgMDExMDAxMDEgMDExMDAxMDAgMDEwMTAwMTEgMDExMDAxMDAgMDExMDAxMTEgMDExMDAwMTAgMDEwMDExMDAgMDExMDExMDAgMDExMDAwMTAgMDEwMDAwMDEgMDExMTAwMTAgMDExMDAwMDEgMDExMTAxMTEgMDAxMTAwMDEgMDExMDExMTEgMDAxMTAwMDEgMDEwMDAwMTAgMDExMDExMTAgMDExMDAxMDEgMDExMTAwMDEgMDEwMDEwMTEgMDAxMTAxMDEgMDExMTAwMDAgMDAxMTAxMDEgMDAxMTAxMDAgMDExMDEwMTAgMDEwMDEwMDAgMDAxMDEwMTEgMDEwMDAxMDEgMDExMTAwMDAgMDEwMTAxMTEgMDAxMTAxMDEgMDEwMTAwMTEgMDAxMTAxMTEgMDEwMDExMTAgMDExMDExMDAgMDExMDAwMTEgMDExMTAxMTAgMDEwMTAwMDEgMDEwMTEwMDAgMDEwMDEwMTEgMDExMDEwMTEgMDEwMDExMTEgMDExMTAxMTEgMDExMDAxMTEgMDAxMTExMDEgMDAxMTExMDE\" target=\"_blank\" rel=\"noreferrer noopener\">CyberChef.<\/a> The result is decrypted data.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The decryption key is IV: <strong>1234567890123456<\/strong>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"211\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8b.png\" alt=\"\" class=\"wp-image-13490\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8b.png 969w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8b-300x65.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8b-768x167.png 768w\" sizes=\"(max-width: 969px) 100vw, 969px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 40: Example of decrypted payload<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Attack Detected on 14 April 2025&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/3bb9892b-4c3d-4c5e-a44d-d569cab8578e\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tycoon2fa_evasion&amp;utm_term=130525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">This sample<\/a> introduces a more complex method for launching the Stage 1 payload, leveraging redirect chains to obscure the attack\u2019s entry point.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #24: Extended Redirect Chain&nbsp;<\/strong>&nbsp;<\/h4>\n\n\n\n<p>Clicking the initial phishing link triggers a redirect to Google Ads, followed by another redirect to a malicious URL that uses the following format:&nbsp;&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>hxxps:\/\/&lt;domain&gt;\/?&lt;2nd_domain&gt;=&lt;base64_payload&gt; <\/code><\/pre>\n\n\n\n<p>A script then extracts the Base64 payload from the query string (location.search), decodes it, and constructs the URL for the Stage 1 payload.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This extended redirect chain makes it harder to trace the attack\u2019s origin.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"226\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8c-1-1024x226.png\" alt=\"\" class=\"wp-image-13494\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8c-1-1024x226.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8c-1-300x66.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8c-1-768x170.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8c-1-370x82.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8c-1-270x60.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8c-1-740x164.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8c-1.png 1294w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 41: Code for calculating phishing page URL<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Tycoon 2FA has become more sophisticated in initiating its malicious payload, employing a longer redirect chain to obscure the entry point of the attack.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The process is as follows:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1004\" height=\"291\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-2.png\" alt=\"\" class=\"wp-image-13495\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-2.png 1004w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-2-300x87.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-2-768x223.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-2-370x107.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-2-270x78.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/3-2-740x214.png 740w\" sizes=\"(max-width: 1004px) 100vw, 1004px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 42: New redirect chain to Stage 1<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Additionally, in POST requests, 
the cf-turnstile-response field (previously used for Cloudflare validation) is now filled with a placeholder value (qweqwe), confirming Tycoon 2FA\u2019s shift away from Cloudflare.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #25: Rotating CAPTCHAs<\/strong>&nbsp;<\/h4>\n\n\n\n<p>This revised version replaces the previously used custom CAPTCHA with Google reCAPTCHA.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8e-1-1024x577.png\" alt=\"\" class=\"wp-image-15889\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8e-1-1024x577.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8e-1-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8e-1-768x433.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8e-1-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8e-1-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8e-1-740x417.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8e-1.png 1496w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 43: Use of Google reCAPTCHA in Tycoon 2FA<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Historical data shows Tycoon 2FA has cycled through different CAPTCHAs, such as <a href=\"https:\/\/github.com\/fabianwennink\/IconCaptcha-PHP\" target=\"_blank\" rel=\"noreferrer noopener\">IconCaptcha<\/a> (observed in a <a href=\"https:\/\/app.any.run\/tasks\/82aee4e2-cc72-407b-aead-6a0e280a763b\" target=\"_blank\" rel=\"noreferrer noopener\">submission on April 7, 2025<\/a>).&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure 
class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"543\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8f-1024x543.png\" alt=\"\" class=\"wp-image-13497\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8f-1024x543.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8f-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8f-768x407.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8f-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8f-270x143.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8f.png 1490w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 44: Example of IconCaptcha in Tycoon 2FA&nbsp;<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The use of varying CAPTCHAs complicates signature-based detection.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Attack Detected on 23 April 2025&nbsp;<\/h3>\n\n\n\n<p>Around this period, Tycoon 2FA introduced a new <a href=\"https:\/\/x.com\/anyrun_app\/status\/1914999622881235340\" target=\"_blank\" rel=\"noreferrer noopener\">anti-detection mechanism focused on browser fingerprinting<\/a> to detect sandbox environments and bot activity.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/7c54c46d-285f-491c-ab50-6de1b7d3b376\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tycoon2fa_evasion&amp;utm_term=130525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox session<\/a>&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #26: Browser Fingerprinting<\/strong><\/h4>\n\n\n\n<p>After opening the phishing link, the browser loads a page that requests an image element and, if that request fails, executes a Base64-encoded script from the element\u2019s onerror handler.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"299\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image90-1-1024x299.png\" alt=\"\" class=\"wp-image-13503\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image90-1-1024x299.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image90-1-300x88.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image90-1-768x224.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image90-1-1536x449.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image90-1-370x108.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image90-1-270x79.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image90-1.png 1746w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 45: Suspicious onerror handler in image element<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n\n<p>After decoding with <a 
href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=From_Base64('A-Za-z0-9%2B\/%3D',true,false)JavaScript_Beautify('%5C%5Ct','Auto',true,true)Syntax_highlighter('auto%20detect')&amp;input=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\" target=\"_blank\" rel=\"noreferrer noopener\">CyberChef<\/a>, the script reveals functionality for:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collecting browser environment details: screen parameters, browser\/platform name, URL, host, protocol, console properties, and document body.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"349\" height=\"368\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image91.png\" alt=\"\" class=\"wp-image-13504\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image91.png 349w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image91-285x300.png 285w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image91-270x285.png 270w\" sizes=\"(max-width: 349px) 100vw, 349px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 46: Code for collecting execution environment data<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Gathering additional data: timezone, JavaScript runtime internals, iframe checks, and graphical interface properties.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"589\" height=\"809\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-2.png\" alt=\"\" class=\"wp-image-13505\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-2.png 589w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-2-218x300.png 218w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-2-370x508.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/6-2-270x371.png 270w\" sizes=\"(max-width: 589px) 100vw, 589px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 47: Code for collecting browser properties<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Collecting miscellaneous technical information.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The collected data is formatted as JSON, inserted into an invisible form, and sent to the attacker\u2019s server via a POST request.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"385\" height=\"253\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image93.png\" alt=\"\" class=\"wp-image-13506\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image93.png 385w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image93-300x197.png 300w\" sizes=\"(max-width: 385px) 100vw, 385px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 48: Invisible form for sending fingerprint data<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1021\" height=\"436\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image94-1.png\" alt=\"\" class=\"wp-image-13511\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image94-1.png 1021w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image94-1-300x128.png 300w\" sizes=\"(max-width: 1021px) 100vw, 1021px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 49: Example of sent fingerprint data<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The server analyzes the fingerprint data and returns a response with a Location header, 
leading to one of two outcomes:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Redirect to a Legitimate Page<\/strong>: If the checks fail (e.g., a sandbox is detected), the user is redirected to a legitimate site such as Emirates, Tesla, or SpaceX.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"636\" height=\"296\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-2.png\" alt=\"\" class=\"wp-image-13513\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-2.png 636w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-2-300x140.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-2-370x172.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/7-2-270x126.png 270w\" sizes=\"(max-width: 636px) 100vw, 636px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 50: Example of failed C2 check redirect<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Redirect to Stage 1 Payload<\/strong>: If the checks pass, the user is directed to the Tycoon 2FA Stage 1 phishing page.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"641\" height=\"301\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-1.png\" alt=\"\" class=\"wp-image-13514\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-1.png 641w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/8-1-300x141.png 300w\" sizes=\"(max-width: 641px) 100vw, 641px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 51: Example of successful transition to phishing page<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Because the decision is made server-side, an analysis environment that fails the fingerprint check sees nothing but a benign redirect and never receives the phishing page. The fingerprint POST itself (a JSON blob submitted through a hidden form, immediately followed by a redirect to an unrelated domain) is therefore the more reliable place to detect this stage.&nbsp;<\/p>\n\n\n\n<p>This mechanism also allows the attacker to geographically restrict the operation of the malware,\n
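because the fingerprint includes the client\u2019s timezone and every request carries its source address.<\/p>\n\n\n\n<p>The following is an added example and not code from the Tycoon 2FA kit or from this analysis. It is a small Node.js triage helper for the fingerprint-gated redirect: it parses a captured fingerprint POST (the kit submits the JSON through an invisible form, so the body is form-encoded), labels the server\u2019s redirect as a decoy or as the Stage 1 transition, and diffs the fingerprints of a blocked and an allowed run so that every differing field becomes a candidate check the operator applied. The form field name <code>fp<\/code>, the fingerprint keys, the decoy host list and both sample captures are assumptions constructed for the example; the kit\u2019s real allow\/deny logic is server-side and not visible in the samples.<\/p>\n

```javascript
// Added example: triage helper for the fingerprint-gated redirect. Not code from
// the Tycoon 2FA kit or from the original analysis. The field name "fp", the
// fingerprint keys, the decoy host list and both sample captures are assumptions.

// Legitimate sites the analysis reports as failed-check redirect targets.
const DECOY_HOSTS = ['emirates.com', 'tesla.com', 'spacex.com'];

// Parse a form-encoded fingerprint POST and decode the JSON it carries.
// The kit puts the JSON into an invisible form field; "fp" is an assumed name.
function parseFingerprint(body, field = 'fp') {
  const raw = new URLSearchParams(body).get(field);
  if (raw === null) throw new Error(`field "${field}" missing from fingerprint POST`);
  return JSON.parse(raw);
}

// Label the server's decision from the redirect target: a decoy host means the
// checks failed; anything else is treated as the Stage 1 phishing page.
function classifyRedirect(location) {
  const host = new URL(location).hostname.replace(/^www\./, '');
  const isDecoy = DECOY_HOSTS.some(d => host === d || host.endsWith('.' + d));
  return isDecoy ? 'decoy' : 'stage1';
}

// Return every fingerprint key whose value differs between a blocked and an
// allowed run; each one is a candidate check the operator applied.
function diffFingerprints(blocked, allowed) {
  const keys = new Set([...Object.keys(blocked), ...Object.keys(allowed)]);
  const diff = {};
  for (const k of keys) {
    if (JSON.stringify(blocked[k]) !== JSON.stringify(allowed[k])) {
      diff[k] = { blocked: blocked[k], allowed: allowed[k] };
    }
  }
  return diff;
}

// Build a form-encoded body the way a hidden form with one field submits it.
function formBody(field, fingerprint) {
  return field + '=' + encodeURIComponent(JSON.stringify(fingerprint));
}

// Constructed sample captures: the same page visited twice. The first visit
// (headless-looking fingerprint) was bounced to a decoy; the second reached Stage 1.
const BLOCKED_RUN = {
  body: formBody('fp', {
    screen: { width: 800, height: 600, colorDepth: 24 },
    platform: 'Linux x86_64',
    url: 'https://phish.example/?id=1', host: 'phish.example', protocol: 'https:',
    timezone: 'UTC', inIframe: false, webdriver: true,
  }),
  location: 'https://www.emirates.com/',
};
const ALLOWED_RUN = {
  body: formBody('fp', {
    screen: { width: 1920, height: 1080, colorDepth: 24 },
    platform: 'Win32',
    url: 'https://phish.example/?id=1', host: 'phish.example', protocol: 'https:',
    timezone: 'Europe/Berlin', inIframe: false, webdriver: false,
  }),
  location: 'https://phish.example/stage1/index.php',
};

// Triage one capture: verdict plus the decoded fingerprint.
function triage(run) {
  return { verdict: classifyRedirect(run.location), fingerprint: parseFingerprint(run.body) };
}

// Compare two captures and report which fingerprint fields separated them.
function compareRuns(blockedRun, allowedRun) {
  const a = triage(blockedRun), b = triage(allowedRun);
  return {
    blocked: a.verdict,
    allowed: b.verdict,
    differingFields: diffFingerprints(a.fingerprint, b.fingerprint),
  };
}

console.log(JSON.stringify(compareRuns(BLOCKED_RUN, ALLOWED_RUN), null, 2));
```

\n<p>Run it with <code>node triage.js<\/code>. The diff is only meaningful when the two captures come from otherwise identical visits, which is exactly what re-running a sample in an interactive sandbox with one environment property changed at a time gives you. The same server-side decision also gates by location as well as by environment,\n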
enabling Tycoon2FA to launch in certain regions while terminating the attack process in others.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Attack Detected on 6 May 2025&nbsp;<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Evasion Mechanism #27: Obfuscation through Encryption<\/strong>&nbsp;<\/h4>\n\n\n\n<p>In <a href=\"https:\/\/app.any.run\/tasks\/c43d00a5-60d9-433a-8aee-d359eaadf0ab\" target=\"_blank\" rel=\"noreferrer noopener\">this sample<\/a>, the Tycoon2FA operator has started using AES encryption to obfuscate the payload itself, rather than only to protect the stolen data and service traffic exchanged with the server in the final stages of execution.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1141\" height=\"928\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image97-1.png\" alt=\"\" class=\"wp-image-13516\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image97-1.png 1141w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image97-1-300x244.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image97-1-1024x833.png 1024w\" sizes=\"(max-width: 1141px) 100vw, 1141px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 52: Code for obfuscation via encryption<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>For analysts this means that static scanning of the page yields only ciphertext and a short decryption stub. The key, or the material it is derived from, must still be reachable by that stub (embedded in the page or fetched at runtime) for the browser to run the payload, so locating the stub and its key source is the starting point for unpacking. In all other respects, the execution chain of the new samples is the same as in the earlier ones.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">All Tycoon2FA Evasion Mechanisms&nbsp;<\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-237\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"4\"\n           data-rows=\"28\"\n           data-wpID=\"237\"\n           
data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        #\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        Description\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        Sample\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        Date Observed\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n             
                               data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Basic Obfuscation\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell  wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"13\"                     data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/app.any.run\/tasks\/7a87388b-8e07-4944-8d65-1422f56d303f\/?utm_source=anyrunblog&utm_medium=article&utm_campaign=tycoon2fa_evasion&utm_term=130525&utm_content=linktoservice\" target=\"_blank\">https:\/\/app.any.run\/tasks\/7a87388b-8e07-4944-8d65-1422f56d303f\u00a0<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell  wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"13\"                     data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        1 October 2024\u00a0                    <\/td>\n                                        <\/tr>\n     
                       <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        2\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Nomatch Check\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        3\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Current Page Location Check\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td 
class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        4\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Redirect to Fake Litespeed 404 Page on Failed Checks\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        5\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Cloudflare Turnstile\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            
data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Debugger Timing Check\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        7\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        C2 Server Authorization for Payload Execution\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n         
           data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        8\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Base64\/XOR Obfuscation\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        9\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Encryption of C2 Control\/Exfiltrated Data\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"        
            padding:10px;\n                    \"\n                    >\n                                        10\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Victim Browser Detection\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A12\"\n                    data-col-index=\"0\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        11\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B12\"\n                    data-col-index=\"1\"\n                    data-row-index=\"11\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Clipboard Content Manipulation\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A13\"\n                    data-col-index=\"0\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    
>\n                                        12\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B13\"\n                    data-col-index=\"1\"\n                    data-row-index=\"12\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        C2 Request Routing\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A14\"\n                    data-col-index=\"0\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        13\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B14\"\n                    data-col-index=\"1\"\n                    data-row-index=\"13\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Redirect API Validation\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A15\"\n                    data-col-index=\"0\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        14\u00a0                    <\/td>\n        
                                        <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B15\"\n                    data-col-index=\"1\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Debug Environment Detection (Selenium, etc.)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell  wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"3\"                     data-cell-id=\"C15\"\n                    data-col-index=\"2\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/app.any.run\/tasks\/57f31060-cc3e-4a65-9fa9-f460ede5f39c\/?utm_source=anyrunblog&utm_medium=article&utm_campaign=tycoon2fa_evasion&utm_term=130525&utm_content=linktoservice\" target=\"_blank\">https:\/\/app.any.run\/tasks\/57f31060-cc3e-4a65-9fa9-f460ede5f39c\u00a0<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell  wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"3\"                     data-cell-id=\"D15\"\n                    data-col-index=\"3\"\n                    data-row-index=\"14\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6 December 2024\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A16\"\n                    data-col-index=\"0\"\n                    data-row-index=\"15\"\n                    style=\"     
               padding:10px;\n                    \"\n                    >\n                                        15\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B16\"\n                    data-col-index=\"1\"\n                    data-row-index=\"15\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Keystroke Interception\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A17\"\n                    data-col-index=\"0\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        16\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B17\"\n                    data-col-index=\"1\"\n                    data-row-index=\"16\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Context Menu Blocking\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A18\"\n                    data-col-index=\"0\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n        
                                17\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B18\"\n                    data-col-index=\"1\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Use of Legitimate CDN for Corporate Logos\/Backgrounds\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C18\"\n                    data-col-index=\"2\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/app.any.run\/tasks\/9700f36a-d506-4e5e-8f96-cdddc83e37a0\/?utm_source=anyrunblog&utm_medium=article&utm_campaign=tycoon2fa_evasion&utm_term=130525&utm_content=linktoservice\" target=\"_blank\">https:\/\/app.any.run\/tasks\/9700f36a-d506-4e5e-8f96-cdddc83e37a0\u00a0<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D18\"\n                    data-col-index=\"3\"\n                    data-row-index=\"17\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        17 December 2024\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A19\"\n                    data-col-index=\"0\"\n                    data-row-index=\"18\"\n                    style=\"      
              padding:10px;\n                    \"\n                    >\n                                        18\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B19\"\n                    data-col-index=\"1\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Complex JavaScript Code\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell  wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"6\"                     data-cell-id=\"C19\"\n                    data-col-index=\"2\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/app.any.run\/tasks\/d40e75ba-e4e8-4b51-b4a5-6614c8be7891\/?utm_source=anyrunblog&utm_medium=article&utm_campaign=tycoon2fa_evasion&utm_term=130525&utm_content=linktoservice\" target=\"_blank\">https:\/\/app.any.run\/tasks\/d40e75ba-e4e8-4b51-b4a5-6614c8be7891\u00a0<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell  wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"6\"                     data-cell-id=\"D19\"\n                    data-col-index=\"3\"\n                    data-row-index=\"18\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        03 April 2025\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            
data-cell-id=\"A20\"\n                    data-col-index=\"0\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        19\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B20\"\n                    data-col-index=\"1\"\n                    data-row-index=\"19\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Invisible (Hangul) Obfuscation\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A21\"\n                    data-col-index=\"0\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        20\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B21\"\n                    data-col-index=\"1\"\n                    data-row-index=\"20\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Redirect to Custom Fake Page on Failed Checks\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A22\"\n                    
data-col-index=\"0\"\n                    data-row-index=\"21\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        21\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B22\"\n                    data-col-index=\"1\"\n                    data-row-index=\"21\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Use of Custom CAPTCHA Instead of Cloudflare\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A23\"\n                    data-col-index=\"0\"\n                    data-row-index=\"22\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        22\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B23\"\n                    data-col-index=\"1\"\n                    data-row-index=\"22\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Disabling Clipboard Copying\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A24\"\n                    data-col-index=\"0\"\n                    
data-row-index=\"23\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        23\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B24\"\n                    data-col-index=\"1\"\n                    data-row-index=\"23\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Binary Encoding for Exfiltrated Data\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A25\"\n                    data-col-index=\"0\"\n                    data-row-index=\"24\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        24\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B25\"\n                    data-col-index=\"1\"\n                    data-row-index=\"24\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Extended Redirect Chain Before Payload Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell  wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"2\"                     data-cell-id=\"C25\"\n                    data-col-index=\"2\"\n                    data-row-index=\"24\"\n                    style=\"                    padding:10px;\n                    \"\n      
              >\n                                        <a href=\"https:\/\/app.any.run\/tasks\/3bb9892b-4c3d-4c5e-a44d-d569cab8578e\/?utm_source=anyrunblog&utm_medium=article&utm_campaign=tycoon2fa_evasion&utm_term=130525&utm_content=linktoservice\" target=\"_blank\">https:\/\/app.any.run\/tasks\/3bb9892b-4c3d-4c5e-a44d-d569cab8578e\u00a0<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell  wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"2\"                     data-cell-id=\"D25\"\n                    data-col-index=\"3\"\n                    data-row-index=\"24\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        7 April 2025 - 14 April 2025\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A26\"\n                    data-col-index=\"0\"\n                    data-row-index=\"25\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        25\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B26\"\n                    data-col-index=\"1\"\n                    data-row-index=\"25\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Use of Different CAPTCHAs (reCAPTCHA, IconCaptcha, etc.)\u00a0                    <\/td>\n                                                                <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td 
class=\"wpdt-cell \"\n                                            data-cell-id=\"A27\"\n                    data-col-index=\"0\"\n                    data-row-index=\"26\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        26\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B27\"\n                    data-col-index=\"1\"\n                    data-row-index=\"26\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Browser Fingerprinting\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C27\"\n                    data-col-index=\"2\"\n                    data-row-index=\"26\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/app.any.run\/tasks\/7c54c46d-285f-491c-ab50-6de1b7d3b376\/?utm_source=anyrunblog&utm_medium=article&utm_campaign=tycoon2fa_evasion&utm_term=130525&utm_content=linktoservice\" target=\"_blank\">https:\/\/app.any.run\/tasks\/7c54c46d-285f-491c-ab50-6de1b7d3b376\u00a0<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D27\"\n                    data-col-index=\"3\"\n                    data-row-index=\"26\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        23 April 2025\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr 
class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A28\"\n                    data-col-index=\"0\"\n                    data-row-index=\"27\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        27\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B28\"\n                    data-col-index=\"1\"\n                    data-row-index=\"27\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Obfuscation via Encryption\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C28\"\n                    data-col-index=\"2\"\n                    data-row-index=\"27\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        <a href=\"https:\/\/app.any.run\/tasks\/c43d00a5-60d9-433a-8aee-d359eaadf0ab\/?utm_source=anyrunblog&utm_medium=article&utm_campaign=tycoon2fa_evasion&utm_term=130525&utm_content=linktoservice\" target=\"_blank\">https:\/\/app.any.run\/tasks\/c43d00a5-60d9-433a-8aee-d359eaadf0ab\u00a0<\/a>                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D28\"\n                    data-col-index=\"3\"\n                    data-row-index=\"27\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        6 May 2025\u00a0                    <\/td>\n                              
          <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-237'>\ntable#wpdtSimpleTable-237{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-237 td, table.wpdtSimpleTable237 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong>&nbsp;<\/h2>\n\n\n\n<p>The operators and developers of the Tycoon 2FA Phishing-as-a-Service (PhaaS) framework continue to actively enhance their product, focusing on complicating analysis of the malicious software.&nbsp;<\/p>\n\n\n\n<p>Tycoon 2FA is adopting increasingly sophisticated anti-bot techniques, such as rotating CAPTCHAs (e.g., Google reCAPTCHA, IconCaptcha, custom CAPTCHAs) and browser fingerprinting, to protect its infrastructure from crawlers and Safebrowsing solutions.&nbsp;<\/p>\n\n\n\n<p>The analysis indicates that there are several different versions or types of Tycoon 2FA active at the same time. This is evident because the methods used to avoid detection vary across different samples and time periods. 
Some techniques show up, disappear, and come back later.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Alongside the primary focus on Microsoft Outlook authentication phishing, variants targeting Google account authentication have been observed:&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/browses\/b9c0b778-df32-4073-a580-18d7fc330518\">https:\/\/app.any.run\/browses\/b9c0b778-df32-4073-a580-18d7fc330518<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/a487cada-21b9-48e2-a7f3-470e3eddab0d\">https:\/\/app.any.run\/tasks\/a487cada-21b9-48e2-a7f3-470e3eddab0d<\/a><\/p>\n\n\n\n<p>Despite the addition of new evasion techniques, some methods lack sophistication and remain relatively easy to bypass:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Obfuscation<\/strong>: Most obfuscation relies on public tools like obfuscate.io, which can be reversed using deobfuscate.io.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Limited JavaScript Exploitation<\/strong>: Tycoon 2FA does not fully leverage advanced JavaScript runtime capabilities, such as prototype manipulation, reflection mechanisms, or other dynamic code restructuring techniques.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>In certain aspects, Tycoon 2FA\u2019s evasion mechanisms seem quite amateur. For example, across all observed samples, C2 payloads and exfiltrated data are encrypted\/decrypted using hardcoded keys and initialization vectors (1234567890123456 for both key and IV). 
Ideally, unique keys should be generated per session to enhance security.&nbsp;<\/p>\n\n\n\n<p>The core architecture of Tycoon 2FA remains unchanged, relying on three domains:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Primary phishing domain<\/strong>: Hosts the phishing page.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Controller domain<\/strong>: Authorizes or denies further execution based on protective checks.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Exfiltration domain<\/strong>: Receives stolen data.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Similarly, the execution chain of the framework has remained consistent, enabling detection through behavioral analysis despite the introduction of new evasion mechanisms.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recommendations for Detecting Tycoon 2FA&nbsp;<\/h2>\n\n\n\n<p>Given the constant changes in the source code of Tycoon 2FA phishing pages, signature-based analysis is largely ineffective, and behavioral analysis is essential for reliable detection.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Tycoon 2FA employs a \u201ctriangle\u201d of Command-and-Control (C2) domains from a <a href=\"https:\/\/blog.sekoia.io\/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">specific pool<\/a> of top-level domains (TLDs), including .ru, .es, .su, .com, .net, and .org. 
It also consistently loads a predictable set of JavaScript libraries, CSS stylesheets, and other web content, which can be leveraged for detection:&nbsp;<\/p>\n\n\n\n<p>Libraries:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/code.jquery.com\/jquery-3.6.0.min.js\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/code.jquery.com\/jquery-3.6.0.min.js<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/fent\/randexp.js\/releases\/download\/v0.4.3\/randexp.min.js\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/github.com\/fent\/randexp.js\/releases\/download\/v0.4.3\/randexp.min.js<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/crypto-js\/4.1.1\/crypto-js.min.js\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/cdnjs.cloudflare.com\/ajax\/libs\/crypto-js\/4.1.1\/crypto-js.min.js<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Okta CSS:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/ok4static.oktacdn.com\/assets\/js\/sdk\/okta-signin-widget\/7.18.0\/css\/okta-sign-in.min.css\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/ok4static.oktacdn.com\/assets\/js\/sdk\/okta-signin-widget\/7.18.0\/css\/okta-sign-in.min.css<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/ok4static.oktacdn.com\/assets\/loginpage\/css\/loginpage-theme.e0d37a504604ef874bad26435d62011f.css\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/ok4static.oktacdn.com\/assets\/loginpage\/css\/loginpage-theme.e0d37a504604ef874bad26435d62011f.css<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Misc hyperlinks\/web-content:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/ok4static.oktacdn.com\/fs\/bcg\/4\/gfsh9pi7jcWKJKMAs1t7\" target=\"_blank\" rel=\"noreferrer noopener 
nofollow\">https:\/\/ok4static.oktacdn.com\/fs\/bcg\/4\/gfsh9pi7jcWKJKMAs1t7<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.okta.com\/privacy\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.okta.com\/privacy<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.godaddy.com\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.godaddy.com\/<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/sso.godaddy.com\/v1\/account\/reset?app=o365&amp;realm=pass\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/sso.godaddy.com\/v1\/account\/reset?app=o365&amp;realm=pass<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.godaddy.com\/legal\/agreements\/privacy-policy?target=_blank\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.godaddy.com\/legal\/agreements\/privacy-policy?target=_blank<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.godaddy.com\/legal\/agreements\/cookie-policy\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.godaddy.com\/legal\/agreements\/cookie-policy<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>To detect Tycoon 2FA, security teams can implement a heuristic based on the following behavioral patterns observed in a single session:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>C2 Domain Triangle<\/strong>: Communication with a set of domains from the TLD pool (e.g., .ru, .es, .su, .com, .net, .org).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Resource Loading<\/strong>: Retrieval of the specific JavaScript libraries, CSS stylesheets, or web content listed above.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Session Redirect<\/strong>: A redirect to the official Microsoft authentication page at the end of the session.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>When all of these patterns appear together in a single session, there is a high probability that the activity involves Tycoon 2FA phishing.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers keep improving ways to avoid being caught, making it harder to detect and investigate their attacks. The Tycoon 2FA phishing kit is a clear example, as its creators regularly add new tricks to bypass detection systems.&nbsp; In this study, we\u2019ll take a closer look at how Tycoon 2FA\u2019s anti-detection methods have changed over the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":13534,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-13375","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Evolution of Tycoon 2FA Defense Evasion Mechanisms<\/title>\n<meta name=\"description\" content=\"Explore technical analysis all evasion mechanisms employed by the Tycoon 2FA phishing kit to beat detection systems.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"raptur3\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"27 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\"},\"author\":{\"name\":\"raptur3\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Evolution of Tycoon 2FA Defense Evasion Mechanisms: Analysis and Timeline\",\"datePublished\":\"2025-05-13T12:29:24+00:00\",\"dateModified\":\"2025-09-19T09:58:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\"},\"wordCount\":3899,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\",\"name\":\"Evolution of Tycoon 2FA Defense Evasion Mechanisms\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-05-13T12:29:24+00:00\",\"dateModified\":\"2025-09-19T09:58:15+00:00\",\"description\":\"Explore technical analysis all evasion mechanisms employed by the Tycoon 2FA phishing kit to beat detection 
systems.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Evolution of Tycoon 2FA Defense Evasion Mechanisms: Analysis and Timeline\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"raptur3\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png\",\"caption\":\"raptur3\"},\"description\":\"Network Analyst at ANY.RUN. Keen to become a 'cybersec Swiss Army knife' man. Enjoys reading and writing deep-dive tech research.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Evolution of Tycoon 2FA Defense Evasion Mechanisms","description":"Explore technical analysis all evasion mechanisms employed by the Tycoon 2FA phishing kit to beat detection systems.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/","twitter_misc":{"Written by":"raptur3","Est. 
reading time":"27 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/"},"author":{"name":"raptur3","@id":"https:\/\/any.run\/"},"headline":"Evolution of Tycoon 2FA Defense Evasion Mechanisms: Analysis and Timeline","datePublished":"2025-05-13T12:29:24+00:00","dateModified":"2025-09-19T09:58:15+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/"},"wordCount":3899,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/","name":"Evolution of Tycoon 2FA Defense Evasion Mechanisms","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-05-13T12:29:24+00:00","dateModified":"2025-09-19T09:58:15+00:00","description":"Explore technical analysis all evasion mechanisms employed by the Tycoon 2FA phishing kit to beat detection systems.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware 
Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Evolution of Tycoon 2FA Defense Evasion Mechanisms: Analysis and Timeline"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"raptur3","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png","caption":"raptur3"},"description":"Network Analyst at ANY.RUN. Keen to become a 'cybersec Swiss Army knife' man. 
Enjoys reading and writing deep-dive tech research.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13375"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=13375"}],"version-history":[{"count":88,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13375\/revisions"}],"predecessor-version":[{"id":15891,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13375\/revisions\/15891"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/13534"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=13375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=13375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=13375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}