{"id":16400,"date":"2025-10-21T10:31:58","date_gmt":"2025-10-21T10:31:58","guid":{"rendered":"\/cybersecurity-blog\/?p=16400"},"modified":"2025-10-22T06:31:48","modified_gmt":"2025-10-22T06:31:48","slug":"tykit-technical-analysis","status":"publish","type":"post","link":"\/cybersecurity-blog\/tykit-technical-analysis\/","title":{"rendered":"Tykit Analysis: New Phishing Kit\u00a0Stealing Hundreds of Microsoft Accounts in Finance\u00a0"},"content":{"rendered":"\n<p>Not long ago we reported a spike in phishing attacks that use an SVG file as the delivery vector. One striking detail was how the SVG embeds JavaScript that rebuilds the payload with XOR and then executes it directly via eval() to redirect victims to a phishing page.&nbsp;<\/p>\n\n\n\n<p>A quick look at the indicators we found showed that nearly all related cases used the same exfiltration addresses. Even more telling: the client-side logic and obfuscation techniques were unchanged across samples, and the communication with the C2 servers was implemented in several steps, with validation of the victim\u2019s current authorization state at each stage.&nbsp;<\/p>\n\n\n\n<p>All this suggests the threat has a certain level of maturity; it\u2019s not just an unusual delivery method, but something that behaves like a <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-track-phishkits\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing kit<\/a>.&nbsp;<\/p>\n\n\n\n<p>To test that hypothesis, measure the scale of the problem, and be able to tell this threat apart from others, we performed a technical analysis of the samples and labeled the family <strong>Tykit (Typical phishing kit)<\/strong>. 
Here\u2019s what we found.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The first samples appeared in the <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN\u2019s Interactive Sandbox<\/strong><\/a> in <strong>May 2025<\/strong>, with peak activity observed in <strong>September\u2013October 2025<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It mimics <strong>Microsoft 365 login pages<\/strong>, targeting corporate account credentials of numerous organizations.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The threat utilizes various evasion tactics like hiding code in SVGs or layering redirects.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <strong>client-side code<\/strong> executes in several stages and uses basic anti-detection techniques.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The most affected industries include construction, professional services, IT, finance, government, telecom, real estate, education, and others across <strong>US, Canada, LATAM<\/strong>, EMEA, SE Asia and Middle East.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Discovery &amp; Pivoting: How ANY.RUN Detected the Threat&nbsp;<\/h2>\n\n\n\n<p>Beginning with the analysis session in the <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=how_ti_saves_money&amp;utm_term=151025&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN Sandbox<\/a>, we quickly found the artifacts needed to expand the context:&nbsp;<\/p>\n\n\n\n<p><a 
href=\"https:\/\/app.any.run\/tasks\/78f68113-7e05-44fc-968f-811c6a84463e\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n\n<p>The same SVG image was used for redirection (SHA256: a7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"488\" height=\"306\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/1-1.png\" alt=\"\" class=\"wp-image-16407\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/1-1.png 488w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/1-1-300x188.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/1-1-370x232.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/1-1-270x169.png 270w\" sizes=\"(max-width: 488px) 100vw, 488px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig.
1: Redirecting SVG image<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The fake Microsoft 365 login page was hosted on the domain loginmicr0sft0nlineeckaf[.]52632651246148569845521065[.]cc; the URL contained the parameter \/?s=, which could be useful for further searching.&nbsp;<\/p>\n\n\n\n<p>A POST request was sent to the server segy2[.]cc, targeting the URL \/api\/validate and containing data in the request body.&nbsp;<\/p>\n\n\n\n<div
class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"509\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-2-1024x509.png\" alt=\"\" class=\"wp-image-16408\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-2-1024x509.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-2-300x149.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-2-768x382.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-2-370x184.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-2-270x134.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-2-740x368.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/2-2.png 1405w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 2: Possible request to the C2 server<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s try pivoting this, using a <a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> query:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktolookup#%7B%2522query%2522:%2522sha256:%255C%2522a7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892%255C%2522%2520OR%2520domainName:%255C%2522%5Eloginmicr*.cc$%255C%2522%2520OR%2520domainName:%255C%2522%5Esegy*%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">sha256:&#8221;a7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892&#8243; OR domainName:&#8221;^loginmicr*.cc$&#8221; OR domainName:&#8221;^segy*&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p>The result was 
encouraging: <strong>189 related analysis sessions<\/strong>, most of them with a <em>Malicious<\/em> verdict. The earliest analysis containing the searched indicators dates back to <strong>May 7, 2025<\/strong>:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/3b6df18e-b52b-4320-a859-173ab7a387ed\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View the earliest session with Tykit<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"692\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1-1024x692.png\" alt=\"\" class=\"wp-image-16409\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1-1024x692.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1-300x203.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1-768x519.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1-370x250.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1-270x183.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1-740x500.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/3-1.png 1383w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 3: Search results using TI Query<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Bingo!
The same activity was observed several months earlier; phishing campaigns featuring URLs with the parameter \/?s=, and requests sent to the server segy[.]cc, whose domain name is almost identical to the original one.&nbsp;<\/p>\n\n\n\n<p>A search using domainName:&#8221;^segy.&#8221; revealed a few more related domains:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"355\" height=\"311\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-1.png\" alt=\"\" class=\"wp-image-16410\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-1.png 355w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-1-300x263.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/4-1-270x237.png 270w\" sizes=\"(max-width: 355px) 100vw, 355px\" \/><figcaption class=\"wp-element-caption\"><strong>Fig. 4: Additional segy domains*<\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>With several hundred submissions recorded between May and October 2025, all sharing nearly identical patterns, this could hardly be a coincidence. 
The template-based infrastructure, identical attack scenarios, and a set of URLs resembling C2 API endpoints; could this be a phishing kit?&nbsp;<\/p>\n\n\n\n<p>It was necessary to analyze the <strong>JavaScript code<\/strong> from the phishing pages to see whether there were any recurring elements across samples, how sophisticated the code was, how many execution stages it included, and whether it implemented any mechanisms to prevent analysis.&nbsp;<\/p>\n\n\n\n<h2
class=\"wp-block-heading\">Technical Analysis: How the Attack Unfolds&nbsp;<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"350\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1-1024x350.png\" alt=\"\" class=\"wp-image-16411\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1-1024x350.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1-300x103.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1-768x263.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1-1536x526.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1-2048x701.png 2048w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1-370x127.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1-270x92.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/5-1-740x253.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 5: &nbsp;Execution chain of Tykit attack <\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s look at another analysis session that reproduces the credentials-entry stage; a critical phase, because most phishing kits reveal themselves fully at the point of exfiltration:&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: SVG as the delivery vector&nbsp;<\/h3>\n\n\n\n<p>The attack vector remains an SVG image that redirects the browser. 
The image uses the same design, but this time includes a working check-stub that prompts the user to \u201cEnter the last 4 digits of your phone number\u201d (in reality any value is accepted).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"519\" height=\"510\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-1.png\" alt=\"\" class=\"wp-image-16412\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-1.png 519w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-1-300x295.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-1-70x70.png 70w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-1-370x364.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/6-1-270x265.png 270w\" sizes=\"(max-width: 519px) 100vw, 519px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 6: SVG file with the \u201ccheck\u201d<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Step 2: Trampoline and CAPTCHA stage&nbsp;<\/h3>\n\n\n\n<p>After the check is submitted, the page redirects to a trampoline script, which then forwards the browser to the main phishing page.&nbsp;<\/p>\n\n\n\n<p>Example: hxxps:\/\/o3loginrnicrosoftlogcu02re[.]1uypagr[.]com\/?s=&nbsp;<\/p>\n\n\n\n<p>The value of the s= parameter is the victim\u2019s email encoded in Base64.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"809\" height=\"610\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1.png\" alt=\"\" class=\"wp-image-16413\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1.png 809w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1-300x226.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1-768x579.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1-370x279.png 370w, 
\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1-270x204.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1-740x558.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/7-1-80x60.png 80w\" sizes=\"(max-width: 809px) 100vw, 809px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 7: Trampoline code that forwards to the main phishing page<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Next, a page with a CAPTCHA loads; the site uses the <strong>Cloudflare Turnstile<\/strong> widget as anti-bot protection. &nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"634\" height=\"768\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-1.png\" alt=\"\" class=\"wp-image-16414\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-1.png 634w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-1-248x300.png 248w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-1-370x448.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/8-1-270x327.png 270w\" sizes=\"(max-width: 634px) 100vw, 634px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 
8: &nbsp;Anti-bot protection on the phishing page using Cloudflare Turnstile<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>It\u2019s worth noting that the client-side code includes basic anti-debugging measures, for example, it blocks key combinations that open DevTools and disables the context menu.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"669\" height=\"395\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-2-1.png\" alt=\"\" class=\"wp-image-16429\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-2-1.png 669w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-2-1-300x177.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-2-1-370x218.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-2-1-270x159.png 270w\" sizes=\"(max-width: 669px) 100vw, 669px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 9: Basic anti-debug protections in the page source<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Step 3: Credential capture and C2 logic&nbsp;<\/h3>\n\n\n\n<p>After the CAPTCHA is passed, the page reloads and renders a fake Microsoft 365 sign-in page.&nbsp;<\/p>\n\n\n\n<p>At the same time, a background POST request is sent to the C2 server at &#8216;\/api\/validate&#8217;. 
The request body contains JSON with the following fields:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;key&#8221;: a session key, or possibly a \u201clicense\u201d key for the phishing kit.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;redirect&#8221;: the URL to which the victim should be redirected.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;email&#8221;: the victim\u2019s email address, decoded; present if the s= parameter was populated earlier.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The logic for sending the request, validating the response, and retrieving the next stage of the payload is implemented in an obfuscated portion of the page; after deobfuscation, it looks like this:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"638\" height=\"773\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-2.png\" alt=\"\" class=\"wp-image-16416\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-2.png 638w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-2-248x300.png 248w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-2-370x448.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/10-2-270x327.png 270w\" sizes=\"(max-width: 638px) 100vw, 638px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 
10: Logic for sending and validating the victim\u2019s email<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The C2 server responds with a JSON object that contains:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;status&#8221;: the C2 verdict \u2014 &#8220;success&#8221; or &#8220;error&#8221;.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;message&#8221;: the next stage, provided as HTML.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;data&#8221;: {&#8220;email&#8221;}: the victim\u2019s email address.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The next stage presents the password-entry form. The returned HTML also embeds obfuscated JavaScript that implements the logic for exfiltrating the stolen credentials to the C2 endpoint &#8216;\/api\/login&#8217; and for deciding the page\u2019s next actions (for example: show a prompt \u201cIncorrect password\u201d, redirect the user to a legitimate site to hide the fraud, etc.).&nbsp;<\/p>\n\n\n\n<p>A couple of notable snippets illustrate this behavior:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"483\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/9-1024x483.png\" alt=\"\" class=\"wp-image-16415\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/9-1024x483.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/9-300x141.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/9-768x362.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/9-370x174.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/9-270x127.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/9-740x349.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/9.png 1184w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 
11: Exfiltration of the victim\u2019s login and password<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The JSON sent in the POST \/api\/login request contains the following fields:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;key&#8221;: The key (see above for possible meaning).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;redierct&#8221;: The redirect URL (note the misspelling in the field name).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;token&#8221;: An authorization JWT. Notably, the sample token&nbsp;<br>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiZjk5M2NkZS1mOTdiLTQyYTctODcxYy1lOTk1MDgzMmM5NjgiLCJleHAiOjE2OTkxNzc0NjF9.p9-OI0LCYcOjaU1I3TMZTjNSos50txbV3_Mi1jk1u8c&nbsp;<br>decodes to an expired token; the exp claim is 1699177461, which corresponds to <strong>Sunday, November 5, 2023, 09:44:21 GMT<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;server&#8221;: The C2 server domain name.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;email&#8221;: The victim\u2019s email address.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;password&#8221;: The victim\u2019s password.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>These fields are then used by the server response to control what the victim sees next and whether additional actions (debugging hooks, logging, further redirects) are triggered.&nbsp;<\/p>\n\n\n\n<p>The response to the POST \/api\/login request is a JSON object with the following fields:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;status&#8221;: &#8220;success&#8221; | &#8220;info&#8221; | &#8220;error&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;d&#8221;: &#8220;&lt;HTML payload to be shown to the user&gt;&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;message&#8221;: &#8220;Text such as &#8216;Incorrect password&#8217; when the user enters the 
wrong password&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;data&#8221;: { &#8220;email&#8221;: &#8220;&lt;victim email&gt;&#8221; }&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Behavior depends on the value of status:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;success&#8221;: Render the HTML payload found in &#8220;d&#8221; to the user.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;info&#8221;: Send a (likely debugging) POST request to \/x.php on the C2 server. The logic for this flow is shown in the figure below.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;error&#8221;: Display an error message (for example, \u201cIncorrect password\u201d).&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"676\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/12-1024x676.png\" alt=\"\" class=\"wp-image-16418\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/12-1024x676.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/12-300x198.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/12-768x507.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/12-370x244.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/12-270x178.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/12-740x488.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/12.png 1044w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 12: Decision logic after the \/api\/login request<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>At this point the execution chain of the phishing page ends. 
In sum, the page implements a fairly involved execution mechanism: the payload is obfuscated, there are basic (nonetheless effective) anti-debugging measures, and the exfiltration logic runs through several staged steps.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Detection Rules for Identifying Tykit Activity&nbsp;<\/h2>\n\n\n\n<p>After analyzing the structure of the Tykit phishing payload and the requests sent during the attack, we developed a set of rules that allow detecting the threat at different stages of its implementation.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">SVG files&nbsp;<\/h3>\n\n\n\n<p>Let\u2019s start with the SVG images themselves. While embedding JavaScript in SVGs can enable legitimate functionality (for example, interactive survey forms, animations, or dynamic UI mockups), it\u2019s frequently abused by threat actors to hide malicious payloads.&nbsp;<\/p>\n\n\n\n<p>One common way to distinguish benign code from malicious is the presence of obfuscation; techniques that hinder triage and signature-based analysis by security tools and SOC analysts.&nbsp;<\/p>\n\n\n\n<p>To improve detection rates for this vector (even without attributing samples to a specific actor), monitor for:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>General signs of code obfuscation, e.g. 
frequent calls to atob(), parseInt(), charCodeAt(), fromCodePoint(), and generated variable names like var _0xABCDEF01 = &#8230; often produced by tools such as Obfuscator.io.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use of the unsafe eval() call, which executes arbitrary code.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Script logic that redirects or alters the current document; calls to window.location.* or manipulation of href attributes.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Below is a code snippet taken from an SVG used to load Tykit\u2019s phishing page:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"480\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/13-1024x480.png\" alt=\"\" class=\"wp-image-16419\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/13-1024x480.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/13-300x141.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/13-768x360.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/13-1536x720.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/13-370x174.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/13-270x127.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/13-740x347.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/13.png 1580w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><strong><em>Fig. 13: Malicious redirect code from an SVG that loads the Tykit phishing page<\/em><\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Domains&nbsp;<\/h3>\n\n\n\n<p>In nearly all cases linked to Tykit, the operators used templated domain names.
For exfiltration servers we observed domains matching the ^segy?.* pattern, for example:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>segy[.]zip&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>segy[.]xyz&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>segy[.]cc&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>segy[.]shop&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>segy2[.]cc&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>For the main servers hosting the phishing pages, aside from abuse of cloud and object-storage services, the operators frequently registered domains that appear to be generated by a DGA (domain-generation algorithm). These domains match a pattern like: <strong>^loginmicr(o|0)s.*?\\.([a-z]+)?\\d+\\.cc$<\/strong>&nbsp;<br><strong><\/strong>&nbsp;<\/p>\n\n\n\n<p>To <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">collect all IOCs<\/a> and perform a detailed case analysis, see the TI Lookup query:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktolookup#%7B%2522query%2522:%2522domainName:%255C%2522%5Eloginmicr?s*.*.cc$%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;^loginmicr?s*.*.cc$&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">C2 &amp; Exfiltration Logic&nbsp;<\/h3>\n\n\n\n<p>Finally, the main distinction between Tykit and many other phishing campaigns is the set of HTTP requests sent to the C2 that determine the next actions and handle exfiltration of victim data.&nbsp;<\/p>\n\n\n\n<p>After analyzing the JavaScript used across samples, we identified the following requests:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>GET \/?s=&lt;b64-encoded victim email&gt;&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>A 
series of initial requests used to pass Cloudflare Turnstile and load the phishing page; the s parameter may be empty.&nbsp;<\/p>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>POST \/api\/validate&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>The first C2 request, used to validate the supplied email. The request body contains JSON with fields (see earlier):&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;key&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;redirect&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;email&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The server responds with JSON containing:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;status&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;message&#8221; (next stage, as HTML)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;data&#8221;: {&#8220;email&#8221;}&nbsp;<\/li>\n<\/ul>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li>POST \/api\/validate (variant)&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>A second variant of the validation request whose JSON body includes:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;key&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;redirect&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;token&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;server&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;email&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The response has the same structure as above.&nbsp;<\/p>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li>POST \/api\/login&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>The data-exfiltration request. 
The JSON body contains:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;key&#8221;&nbsp;<\/li>\n<li>&#8220;redierct&#8221; (sic \u2014 note the misspelling)&nbsp;<\/li>\n<li>&#8220;token&#8221;&nbsp;<\/li>\n<li>&#8220;server&#8221;&nbsp;<\/li>\n<li>&#8220;email&#8221;&nbsp;<\/li>\n<li>&#8220;password&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The response JSON instructs how to change the state of the phishing page and includes:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;status&#8221;&nbsp;<\/li>\n<li>&#8220;d&#8221; (HTML payload to render)&nbsp;<\/li>\n<li>&#8220;message&#8221;&nbsp;<\/li>\n<li>&#8220;data&#8221;: {&#8220;email&#8221;}&nbsp;<\/li>\n<\/ul>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li>POST \/x.php&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Likely a debugging\/logging endpoint triggered when the previous \/api\/login response contains &#8220;status&#8221;: &#8220;info&#8221;.
The JSON body includes:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;id&#8221;&nbsp;<\/li>\n<li>&#8220;key&#8221;&nbsp;<\/li>\n<li>&#8220;config&#8221;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The format of the server\u2019s response to this request was not determined during the investigation.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Who\u2019s Being Targeted&nbsp;<\/h2>\n\n\n\n<p>We collected several signals about the industries and countries targeted by Tykit.&nbsp;<\/p>\n\n\n\n<p>Most affected countries and regions:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>United States&nbsp;<\/li>\n<li>Canada&nbsp;<\/li>\n<li>South-East Asia&nbsp;<\/li>\n<li>LATAM \/ South America&nbsp;<\/li>\n<li>EU countries&nbsp;<\/li>\n<li>Middle East&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Targeted industries:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Construction&nbsp;<\/li>\n<li>Professional services&nbsp;<\/li>\n<li>IT&nbsp;<\/li>\n<li>Agriculture&nbsp;<\/li>\n<li>Commerce \/ Retail&nbsp;<\/li>\n<li>Real estate&nbsp;<\/li>\n<li>Education&nbsp;<\/li>\n<li>Design&nbsp;<\/li>\n<li>Finance&nbsp;<\/li>\n<li>Government &amp; military&nbsp;<\/li>\n<li>Telecom&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>There are no unusual <a
href=\"https:\/\/any.run\/cybersecurity-blog\/malware-ttps-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">TTPs<\/a> to call out;&nbsp; this is another wave of <a href=\"https:\/\/any.run\/cybersecurity-blog\/spearphishing-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">spearphishing<\/a> aimed at stealing Microsoft 365 credentials, featuring a multi-stage execution chain and the capability for AitM interception.&nbsp;<\/p>\n\n\n\n<p>Taken together, given the wide geographic and industry spread and the TTPs that match standard phishing kit behavior, the threat has been active for quite some time. It appears to be a typical PhaaS-style framework (hence the name <strong>TYpical phishKIT<\/strong>, or <em>Tykit<\/em>). Time will tell how it evolves.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Tykit Affects Organizations&nbsp;<\/h2>\n\n\n\n<p>Tykit is a credential-theft campaign that targets Microsoft 365 accounts via a multi-stage phishing flow. Successful compromises can lead to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Account takeover<\/strong> (email, collaboration tools, identity tokens) enabling persistent access.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data exfiltration<\/strong> from mailboxes, drives, and connected SaaS apps.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lateral movement<\/strong> inside environments where cloud identities map to internal resources.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AitM interception<\/strong> of MFA or session tokens, increasing the chance of bypassing second-factor protections.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Operational and reputational damage<\/strong> (incident response costs, regulatory exposure, loss of client trust).&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Sectors at higher risk reflect the campaign\u2019s targeting: construction, professional services, 
IT, finance, government, telecom, real estate, education, and others across US, Canada, LATAM, EMEA, SE Asia and Middle East.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Prevent Tykit Attacks&nbsp;<\/h2>\n\n\n\n<p>Tykit doesn\u2019t reinvent phishing, but it shows how small technical tweaks, like hiding code in SVGs or layering redirects, can make attacks harder to catch. Still, with better visibility and the right tools, teams can stop it before credentials are stolen.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Strengthen email and file security&nbsp;<\/h3>\n\n\n\n<p>SVG files may look safe but can hide JavaScript that executes in the browser. Ensure your security gateway actually inspects SVG content, not just extensions. Use sandbox detonation and Content Disarm &amp; Reconstruction (CDR) to uncover hidden payloads. The <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN Sandbox<\/strong><\/a> is particularly effective for detonating such files and exposing their redirects, scripts, and network calls in seconds.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Use phishing-resistant MFA&nbsp;<\/h3>\n\n\n\n<p>Tykit highlights how traditional MFA can be bypassed. Switch to phishing-resistant methods like FIDO2 or certificate-based MFA, disable legacy protocols, and enforce Conditional Access in Microsoft 365. Reviewing OAuth app consents and token lifetimes regularly helps minimize exposure.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Monitor for key indicators&nbsp;<\/h3>\n\n\n\n<p>Watch for outbound requests to domains such as segy* or loginmicr(o|0)s.*.cc, and POST requests to \/api\/validate, \/api\/login, or \/x.php. 
<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Threat Intelligence Lookup<\/a> can quickly connect these IOCs to other related phishing activity, giving analysts context in minutes.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Automate detection and threat hunting&nbsp;<\/h3>\n\n\n\n<p>Configure your SIEM or XDR to alert on suspicious Base64 query parameters (like \/?s=) or requests following Tykit\u2019s structure. Integrating <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktofeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Threat Intelligence Feeds<\/a> ensures new indicators, fresh domains, hashes, and URL patterns, are automatically available for detection.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Educate and respond fast&nbsp;<\/h3>\n\n\n\n<p>Regular awareness training helps users recognize that even \u201cimage\u201d files can trigger phishing chains. If an incident occurs, isolate affected accounts, revoke sessions, and reset credentials.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Using <a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktoregistration\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a> during incident response can accelerate this process: analysts can safely replay the infection chain, confirm what data was exfiltrated, and extract accurate IOCs within minutes. 
This shortens MTTR and helps strengthen detections for the next wave of similar campaigns.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion: Lessons from a \u201cTypical\u201d Phishing Kit&nbsp;<\/h2>\n\n\n\n<p>We reviewed another sobering example of how phishing remains front and center in the cyber-threat landscape, and how regularly new tools appear to carry out these attacks; each one differing from its predecessors in some way.&nbsp;<\/p>\n\n\n\n<p>We labeled this example <strong>Tykit<\/strong>, examined its technical details, and derived several detection and hunting rules that, taken together, will help detect new samples and monitor the campaign\u2019s evolution.&nbsp;<\/p>\n\n\n\n<p>Tykit doesn\u2019t include a full arsenal of evasion and anti-detection techniques, but, like its more mature counterparts, it implements AitM-style data interception and methods to bypass multi-factor protections. It also relies on a quasi-distributed network architecture: servers are assigned dynamic domain names and roles are separated between \u201cdelivery\u201d and \u201cexfiltration.\u201d&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Empowering Faster Analysis with ANY.RUN&nbsp;<\/h3>\n\n\n\n<p>Investigating campaigns like Tykit can be time-consuming, from detecting a single suspicious SVG to uncovering the entire phishing infrastructure behind it. 
<strong>ANY.RUN<\/strong> helps analysts turn hours of manual work into minutes of interactive analysis.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s how:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>See the full attack chain in under 60 seconds.<\/strong>&nbsp;<br>Detonate SVGs, phishing pages, or any other file type in real time and instantly observe redirects, scripts, and payload execution.&nbsp;<\/li>\n<li><strong>Reduce investigation time.<\/strong>&nbsp;<br>With live network mapping, script deobfuscation, and dynamic IOCs, analysts can skip static triage and focus directly on what matters.&nbsp;<\/li>\n<li><strong>Cut MTTR by more than 20 minutes per case.<\/strong>&nbsp;<br>Quick visibility into C2 communications, credential-capture logic, and data exfiltration flows allows teams to respond faster and with higher confidence.&nbsp;<\/li>\n<li><strong>Boost proactive defense.<\/strong>&nbsp;<br>Using <strong>ANY.RUN <\/strong><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence Lookup<\/strong><\/a>, SOC teams can pivot from a single domain or hash to hundreds of related submissions, revealing shared infrastructure and campaign patterns to enrich detection rules for catching future attacks.&nbsp;<\/li>\n<li><strong>Strengthen detections with fresh intelligence.<\/strong>&nbsp;<br>Automatically enrich your security tools with new indicators from <strong>TI Feeds<\/strong> sourced from live sandbox analyses and community contributions.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>For SOC teams, MSSPs, and threat researchers,
ANY.RUN provides the speed, depth, and context needed to stay ahead of campaigns like Tykit, and the next one that follows.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/#register?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktoregistration#register\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>See every stage of the attack. Strengthen your detections. Try ANY.RUN now<\/strong><\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>About ANY.RUN&nbsp;<\/strong>&nbsp;<\/h2>\n\n\n\n<p>Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;to streamline malware investigations worldwide.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>Speed up triage and response by detonating suspicious files in&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a>, observing malicious behavior in real time, and gathering insights for faster, more confident security decisions. 
Paired with&nbsp;<a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktofeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>, it provides actionable data on cyberattacks to improve detection and deepen your understanding of evolving threats.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=tykit_analysis&amp;utm_term=211025&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Explore more of ANY.RUN\u2019s capabilities during a 14-day trial\u2192<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>IOCs:&nbsp;<\/strong><\/p>\n\n\n\n<p>SHA256 of observed SVG files:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ECD3C834148D12AF878FD1DECD27BBBE2B532B5B48787BAD1BDE7497F98C2CC8&nbsp;<\/li>\n<li>A7184BEF39523BEF32683EF7AF440A5B2235E83E7FB83C6B7EE5F08286731892&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Observed domains &amp; domain patterns:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>segy[.]zip&nbsp;<\/li>\n<li>segy[.]xyz&nbsp;<\/li>\n<li>segy[.]cc&nbsp;<\/li>\n<li>segy[.]shop&nbsp;<\/li>\n<li>segy2[.]cc&nbsp;<\/li>\n<li>^loginmicr(o|0)s.*?\\.([a-z]+)?\\d+\\.cc$&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Observed URLs:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GET \/?s=&lt;b64_victim_email&gt;&nbsp;<\/li>\n<li>POST \/api\/validate&nbsp;<\/li>\n<li>POST \/api\/login&nbsp;<\/li>\n<li>POST \/x.php&nbsp;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Not long ago we reported a spike in phishing attacks that use an SVG file as the delivery vector. One striking detail was how the SVG embeds JavaScript that rebuilds the payload with XOR and then executes it directly via eval() to redirect victims to a phishing page.&nbsp; A quick look at the indicators we [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16404,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-16400","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Tykit Analysis: New Phishing Kit in Finance &amp; Construction\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Discover a technical analysis of Tykit, a new phishing kit targeting NA and EU companies in finance, construction, and telecom.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"raptur3\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\n\t    \"@context\": \"https:\/\/schema.org\",\n\t    \"@graph\": [\n\t        {\n\t            \"@type\": \"Article\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/#article\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/\"\n\t            },\n\t            \"author\": {\n\t                \"name\": \"raptur3\",\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"headline\": \"Tykit Analysis: New Phishing Kit\u00a0Stealing Hundreds of Microsoft Accounts in Finance\u00a0\",\n\t            \"datePublished\": \"2025-10-21T10:31:58+00:00\",\n\t            \"dateModified\": \"2025-10-22T06:31:48+00:00\",\n\t            \"mainEntityOfPage\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/\"\n\t            },\n\t            \"wordCount\": 3202,\n\t            \"commentCount\": 1,\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"keywords\": [\n\t                \"ANYRUN\",\n\t                \"cybersecurity\",\n\t                \"malware analysis\"\n\t            ],\n\t            \"articleSection\": [\n\t                \"Malware Analysis\"\n\t            ],\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"CommentAction\",\n\t                    \"name\": \"Comment\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/#respond\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebPage\",\n\t            \"@id\": 
\"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/\",\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/\",\n\t            \"name\": \"Tykit Analysis: New Phishing Kit in Finance & Construction\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"datePublished\": \"2025-10-21T10:31:58+00:00\",\n\t            \"dateModified\": \"2025-10-22T06:31:48+00:00\",\n\t            \"description\": \"Discover a technical analysis of Tykit, a new phishing kit targeting NA and EU companies in finance, construction, and telecom.\",\n\t            \"breadcrumb\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/#breadcrumb\"\n\t            },\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"ReadAction\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"BreadcrumbList\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/#breadcrumb\",\n\t            \"itemListElement\": [\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 1,\n\t                    \"name\": \"Home\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 2,\n\t                    \"name\": \"Malware Analysis\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"\n\t                },\n\t                {\n\t                 
   \"@type\": \"ListItem\",\n\t                    \"position\": 3,\n\t                    \"name\": \"Tykit Analysis: New Phishing Kit\u00a0Stealing Hundreds of Microsoft Accounts in Finance\u00a0\"\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebSite\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN&#039;s Cybersecurity Blog\",\n\t            \"description\": \"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"SearchAction\",\n\t                    \"target\": {\n\t                        \"@type\": \"EntryPoint\",\n\t                        \"urlTemplate\": \"https:\/\/any.run\/?s={search_term_string}\"\n\t                    },\n\t                    \"query-input\": \"required name=search_term_string\"\n\t                }\n\t            ],\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Organization\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"logo\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"contentUrl\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"width\": 1,\n\t                \"height\": 1,\n\t                \"caption\": \"ANY.RUN\"\n\t            },\n\t            \"image\": {\n\t                \"@id\": 
\"https:\/\/any.run\/\"\n\t            },\n\t            \"sameAs\": [\n\t                \"https:\/\/www.facebook.com\/www.any.run\/\",\n\t                \"https:\/\/twitter.com\/anyrun_app\",\n\t                \"https:\/\/www.linkedin.com\/company\/30692044\",\n\t                \"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"Person\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"raptur3\",\n\t            \"image\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png\",\n\t                \"contentUrl\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3.png\",\n\t                \"caption\": \"raptur3\"\n\t            },\n\t            \"description\": \"Network Analyst at ANY.RUN. Keen to become a 'cybersec Swiss Army knife' man. Enjoys reading and writing deep-dive tech research.\",\n\t            \"url\": \"#molongui-disabled-link\"\n\t        }\n\t    ]\n\t}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}