A phishing kit named Tykit uses SVG files embedding obfuscated JavaScript to rebuild payloads, redirect users through trampoline/CAPTCHA steps, and exfiltrate Microsoft 365 credentials via staged POST requests to C2 endpoints. Analysis links many samples to templated domains (e.g., segy*.cc, loginmicr*…*.cc) and consistent client-side logic, indicating a mature PhaaS-style infrastructure. #Tykit #segy2.cc
Keypoints
- Tykit delivers phishing via SVG images containing obfuscated JavaScript that redirects victims and reconstructs payloads for execution.
- Campaign targets Microsoft 365 credentials across many industries and regions, using fake login pages and staged exfiltration flows.
- Client-side logic is multi-stage (SVG -> trampoline -> CAPTCHA -> credential page) with anti-debugging measures and layered redirects.
- Exfiltration and control are handled by templated C2 endpoints (e.g., POST /api/validate, POST /api/login, POST /x.php) and dynamic domains like segy* and loginmicr*.
- Indicators across hundreds of sandbox sessions show near-identical patterns, supporting classification as a phishing kit (Tykit) / PhaaS-style framework.
- Detection rules focus on SVGs with obfuscation and eval(), Base64 ?s= parameters, and POSTs to the identified API endpoints; ANY.RUN TI Lookup can pivot on these IOCs.
- Mitigations include inspecting SVG content, using phishing-resistant MFA (FIDO2), conditional access, SIEM/XDR detection rules, and interactive sandboxing for rapid incident response.
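The detection ideas above (flag SVGs that carry script with eval()/payload-rebuild logic, decode the Base64 email in the ?s= parameter, and match POSTs to the kit's API paths and templated domains) can be turned into a small triage script. The following Python is an added example written for this summary; it is not code from the ANY.RUN report or from the kit. The domain regexes are assumptions modelled on the patterns the report lists, the SVG fixture is a constructed stand-in for the XOR-rebuild-then-eval pattern (not a real sample), and the log entries are constructed from the report's IOC hosts and paths.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlparse

# Domain templates: assumptions modelled on the report's loginmicr*...*.cc and
# segy*.<tld> patterns. Tune against your own telemetry before deploying.
TEMPLATED_DOMAIN_RES = [
    re.compile(r"^loginmicr(o|0)s.*?\.([a-z]+)?\d+\.cc$", re.I),
    re.compile(r"^segy\d*\.(cc|zip|xyz|shop)$", re.I),
]
# C2 paths named in the report and the JSON fields observed in its POST bodies.
C2_PATHS = {"/api/validate", "/api/login", "/x.php"}
C2_FIELDS = {"key", "redirect", "redierct", "token", "server", "email", "password"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def svg_findings(svg_text):
    """Static triage of one SVG: returns the suspicious features found, in a fixed order."""
    checks = [
        ("script_element", r"<script[\s>]"),
        ("event_handler", r"\son[a-z]+\s*="),
        ("eval_call", r"\beval\s*\("),
        ("payload_rebuild", r"\batob\s*\(|String\.fromCharCode|charCodeAt\s*\([^)]*\)\s*\^"),
        ("redirect", r"(window\.)?location(\.href)?\s*=|location\.replace\s*\("),
    ]
    return [name for name, pat in checks if re.search(pat, svg_text, re.I)]


def decode_s_param(url):
    """Return the e-mail carried Base64-encoded in ?s=, or None if absent or not an e-mail."""
    for raw in parse_qs(urlparse(url).query).get("s", []):
        raw = raw.replace(" ", "+")            # parse_qs turns an unescaped '+' into a space
        padded = raw + "=" * (-len(raw) % 4)   # tolerate stripped '=' padding
        for decoder in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                text = decoder(padded).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            if EMAIL_RE.match(text):
                return text
    return None


def is_templated_domain(host):
    return any(r.match(host) for r in TEMPLATED_DOMAIN_RES)


def classify_request(method, url, body=None):
    """Return the reasons one proxy/web-log request looks like Tykit traffic ([] if none)."""
    parsed = urlparse(url)
    reasons = []
    if is_templated_domain(parsed.hostname or ""):
        reasons.append("templated_domain")
    if method.upper() == "POST" and parsed.path in C2_PATHS:
        reasons.append("c2_path:" + parsed.path)
        try:
            fields = set(json.loads(body or "{}"))
        except (ValueError, TypeError):
            fields = set()
        if fields & C2_FIELDS:
            reasons.append("c2_fields")
    if method.upper() == "GET" and decode_s_param(url):
        reasons.append("b64_email_in_s")
    return reasons


def scan_log(entries):
    """Run classify_request over (method, url, body) tuples and return only the flagged ones."""
    hits = []
    for method, url, body in entries:
        reasons = classify_request(method, url, body)
        if reasons:
            hits.append((url, reasons))
    return hits


# Constructed fixture mimicking the XOR-rebuild-then-eval shape the report describes.
# Not a real Tykit sample; the byte array is meaningless filler.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA['
    'var k=7,c=[108,104,101,100];var s="";'
    'for(var i=0;i<c.length;i++){s+=String.fromCharCode(c[i]^k);}'
    'eval(s);]]></script></svg>'
)

# Constructed log entries (method, url, JSON body) built from the report's IOC hosts and paths.
SAMPLE_LOG = [
    ("GET", "https://loginmicr0sft0nlineeckaf.52632651246148569845521065.cc/?s=dmljdGltQGV4YW1wbGUuY29t", None),
    ("POST", "https://segy2.cc/api/validate", '{"key":"k1","email":"victim@example.com","redierct":"https://segy2.cc/"}'),
    ("GET", "https://www.example.com/?s=abc", None),
]

if __name__ == "__main__":
    print("SVG findings:", svg_findings(SAMPLE_SVG))
    for url, reasons in scan_log(SAMPLE_LOG):
        print(url, "->", ", ".join(reasons))
```

The SVG checks are deliberately cheap string tests meant for mail-gateway or sandbox triage, not a JavaScript parser; a clean SVG with an `on*=` handler or a `<script>` element still deserves a look. The log side keys on three independent signals (templated host, C2 path plus field names, Base64 email in `?s=`) so that a single renamed endpoint does not blind the rule.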
MITRE Techniques
- [T1204] User Execution – Malicious SVG prompts user interaction and redirects to phishing pages (“Enter the last 4 digits of your phone number” check-stub that accepts any value).
- [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript embedded in the SVG rebuilds the payload (XOR) and executes it via eval() in the victim's browser (“SVG embeds JavaScript that rebuilds the payload with XOR and then executes it directly via eval()”).
- [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration and C2 communications use HTTP(S) POST requests to endpoints like /api/validate and /api/login (“A POST request was sent to the server segy2[.]cc, targeting the URL /api/validate”).
- [T1583.001] Acquire Infrastructure: Domains – Use of templated, pattern-based domain names for delivery and exfiltration (e.g., ^loginmicr(o|0)s.*?\.([a-z]+)?\d+\.cc$, segy*.cc), which lets operators rotate hosts while the kit logic stays constant (“operators used templated domain names… domains matching the ^segy?.* pattern”).
- [T1566.002] Phishing: Spearphishing Link – Phishing pages mimic Microsoft 365 sign-in and capture credentials via staged HTML forms and POST /api/login (“the page renders a fake Microsoft 365 sign-in page” and “exfiltrating the stolen credentials to the C2 endpoint ‘/api/login’”).
- [T1104] Multi-Stage Channels – Multi-stage client-side execution chain (SVG -> trampoline -> CAPTCHA -> credential capture -> staged C2 validation) that controls flow and payload retrieval (“client-side code executes in several stages and uses basic anti-detection techniques”).
- [T1566.001] Phishing: Spearphishing Attachment – Abuse of SVG files as attachments or embedded images to deliver malicious script content (“SVG files may look safe but can hide JavaScript that executes in the browser”).
Indicators of Compromise
- [File Hash] Observed malicious SVG files – A7184BEF39523BEF32683EF7AF440A5B2235E83E7FB83C6B7EE5F08286731892, ECD3C834148D12AF878FD1DECD27BBBE2B532B5B48787BAD1BDE7497F98C2CC8
- [Domain] Phishing page / delivery domains – loginmicr0sft0nlineeckaf[.]52632651246148569845521065[.]cc, o3loginrnicrosoftlogcu02re[.]1uypagr[.]com
- [Domain] Exfiltration / C2 domains – segy[.]cc, segy2[.]cc, segy[.]zip (and segy[.]xyz, segy[.]shop)
- [URL Path] Request patterns / API endpoints – GET /?s= (Base64-encoded victim email in the s= parameter), POST /api/validate, POST /api/login, POST /x.php
- [HTTP Body Field] JSON fields used in C2 communications – “key”, “redirect”/“redierct” (sic), “token”, “server”, “email”, “password” (used in POST /api/login and /api/validate)
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/tykit-technical-analysis/