EXECUTIVE SUMMARY
Tycoon2FA operators have rebounded following a takedown that seized 330 domains. The rebuilt campaign uses six layers of obfuscation, targeting a range of sectors and regions worldwide. The attackers' primary goal is to steal credentials, leveraging the platform's ability to act as an adversary-in-the-middle (AiTM) relay engine. The infection chain begins with an AWS S3-hosted lure page, which redirects the victim to a link management platform and then a fake CAPTCHA gate.
These layers serve to filter out security researchers and automated scanners, ensuring only real targets reach the credential harvesting payload. The payload is encrypted using a custom scheme based on a Linear Congruential Generator, adding to the campaign's overall obfuscation. Once inside, the malware uses a seven-stage attack chain to evade detection and maintain control. The attackers also employ a kill switch to remotely control the campaign's activity.
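The summary states that the credential-harvesting payload is wrapped in a custom scheme built on a Linear Congruential Generator, but it does not disclose the generator's constants, the seed, or how key bytes are taken from the state. The Python below is an added illustration, not code from the report or from Abnormal, of how an analyst models such a scheme: a generic LCG drives a keystream that is XORed with the payload, a known plaintext prefix recovers the key bytes it covers, and a bounded seed search recovers the seed. The modulus, multiplier, increment, seed and sample payload are all constructed values chosen for the example. Key bytes are taken from the high byte of each state because, for a power-of-two modulus, the low bits of an LCG cycle with a very short period and would make different seeds produce identical keystreams.

```python
"""Illustrative LCG-keyed XOR stream, as an analyst would model it.

All constants below are CONSTRUCTED for this example; they are not the
Tycoon2FA parameters, which the summary does not disclose.
"""
from typing import Iterator, Optional

MODULUS = 2 ** 32          # constructed: 32-bit state
MULTIPLIER = 1664525       # constructed: well-known textbook LCG constants
INCREMENT = 1013904223


def lcg(seed: int) -> Iterator[int]:
    """Yield successive LCG states: x_{n+1} = (a * x_n + c) mod m."""
    x = seed % MODULUS
    while True:
        x = (MULTIPLIER * x + INCREMENT) % MODULUS
        yield x


def keystream(seed: int, length: int) -> bytes:
    """One key byte per LCG output.

    The HIGH byte of the state is used: with a power-of-two modulus the low
    byte repeats every 256 outputs and depends only on the low byte of the
    seed, so a low-byte keystream would collide across many seeds.
    """
    gen = lcg(seed)
    return bytes(((next(gen) >> 24) & 0xFF) for _ in range(length))


def xor_transform(data: bytes, seed: int) -> bytes:
    """Encode or decode: XOR with the same keystream is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext analysis: ciphertext XOR plaintext yields the key bytes
    covering the known prefix, without knowing the generator at all."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def recover_seed_bruteforce(ciphertext: bytes, known_plaintext: bytes,
                            max_seed: int) -> Optional[int]:
    """Bounded seed search once the generator is known (e.g. from the
    deobfuscated loader): the first seed whose keystream reproduces the
    recovered key bytes is returned, or None if none does in range."""
    target = recover_keystream(ciphertext, known_plaintext)
    for seed in range(max_seed):
        if keystream(seed, len(target)) == target:
            return seed
    return None


if __name__ == "__main__":
    # Constructed sample payload and seed, standing in for an encoded stage.
    sample = b'<script src="stage.js"></script>'
    seed = 1234
    blob = xor_transform(sample, seed)
    print("encoded:", blob.hex())
    print("decoded:", xor_transform(blob, seed))
    # A recognisable prefix such as "<script" is enough to pin the seed.
    print("seed   :", recover_seed_bruteforce(blob, b"<script", 5000))
```

The point for the defender is that an LCG-keyed XOR is obfuscation, not encryption: a handful of predictable plaintext bytes at the start of a stage, combined with the generator constants visible in the loader, is sufficient to recover the keystream and decode every payload that reuses the same seed.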
This threat is significant due to its ability to evade modern detection techniques. Tycoon2FA's use of six layers of obfuscation and a custom encryption scheme makes it challenging to detect and recover from. Organisations should take defensive actions to protect themselves, including patching vulnerabilities, monitoring for suspicious activity, maintaining up-to-date backups, and deploying robust endpoint protection. Additionally, enabling Conditional Access policies and deploying token protection can help prevent session token replay and limit an attacker's ability to use stolen credentials.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Resource Development | T1583.003 | Acquire Infrastructure | Virtual Private Server |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Defense Evasion | T1027.005 | Obfuscated Files or Information | Indicator Removal from Tools |
| Defense Evasion | T1622 | Debugger Evasion | — |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
REFERENCES:
The report contains further technical details:
https://abnormal.ai/blog/tycoon2fa-post-takedown-rebuild