Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit

Sekoia analysts discovered and analysed Tycoon 2FA, an Adversary-in-The-Middle (AiTM) Phishing-as-a-Service kit that relays Microsoft 365 authentication flows to capture credentials and session cookies, enabling MFA bypass. The kit uses obfuscated JavaScript, Cloudflare Turnstile challenges, WebSockets for exfiltration, and a large infrastructure of phishing domains and payment channels. #Tycoon2FA #SaadTycoonGroup

Keypoints

  • Tycoon 2FA is an AiTM phishing kit (PhaaS) first observed August 2023 and widely deployed with 1,100+ associated domains.
  • The kit uses email attachments/QR codes to distribute phishing pages that mimic Microsoft authentication and relay inputs to legitimate Microsoft APIs.
  • Phishing pages present a Cloudflare Turnstile challenge to filter bots; JavaScript only loads malicious resources after the challenge succeeds.
  • Heavy JavaScript obfuscation and pseudorandom resource names were added in the mid‑February 2024 release to improve stealth and evade analysis.
  • WebSockets (socket.io) are used to exfiltrate credentials and 2FA interactions in real time; the attacker captures session cookies to replay sessions and bypass MFA.
  • Tracking heuristics include characteristic CSS/JS filenames (older versions) and new indicators such as the central C2 response hash and Turnstile text for the updated kit.
  • Sekoia linked the PhaaS operator to Telegram promotions, an administration panel, and a Bitcoin wallet used for payments, indicating commercialized operations.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Delivered phishing pages via email attachments and QR codes to redirect users (‘Email attachments redirecting users to Tycoon 2FA phishing pages, distributed in October 2023’).
  • [T1204] User Execution – Relies on victims clicking URLs or opening attachments to initiate the phishing flow (‘When a user clicks on the phishing URL, it is redirected to a page embedding a Cloudflare Turnstile challenge’).
  • [T1056] Input Capture – Captures user inputs (email, password, 2FA codes) from the fake authentication pages (‘Capture and exfiltrate the user inputs’).
  • [T1539] Steal Web Session Cookie – Intercepts and stores session cookies after successful MFA to replay sessions and bypass MFA (‘the server in the middle captures session cookies… Stolen cookies allow attackers to replay a session and therefore bypass the MFA’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses WebSockets and HTTPS-based web protocols for C2 and interaction with victims (‘Initiate a WebSocket with the C2 server (same domain as the phishing page), using the downloaded library “socket.io.min.js”’).
  • [T1041] Exfiltration Over C2 Channel – Exfiltrates harvested credentials and status via WebSockets to the C2 server (‘the C2 server collects harvested data and status of the operations using WebSockets’).
  • [T1027] Obfuscated Files or Information – Employs heavy JavaScript obfuscation (variable renaming, XOR, base64) to hinder analysis (‘The code is obfuscated using numerous variable renaming with hexadecimal patterns… string manipulation… and other code transformations’).
  • [T1036] Masquerading – Presents convincing Microsoft authentication pages to deceive victims (‘display a page mimicking Microsoft authentication’).
  • [T1090] Proxy – Uses commercial proxy servers to relay requests between victims and legitimate Microsoft APIs for the AiTM relay (‘Using commercial proxy servers, the Tycoon 2FA phishing pages relay the user inputs… to the legitimate Microsoft authentication API’).

Indicators of Compromise

  • [Domain] Tycoon infrastructure and phishing hosts – codecrafterspro[.]com, tycoongroup[.]ws, and 1,100+ other domains associated with the kit.
  • [URL] Example phishing and WebSocket endpoints – hxxps://i9152.cisele0[.]com/NOZcbtTxxEiGj/, hxxps://i9152.cisele0[.]com/web6socket/socket.io/?type=User&appnum=1&EIO=4&transport=websocket.
  • [Filenames / Resources] Characteristic resource names used by the kit – pages-godaddy.css, pages-okta.css, and myscr[0-9]{6}.js (older versions) or /web6/assets/js/pages-head-web.min.js (used in various builds).
  • [Hash] Central C2 response (used in heuristics) – SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9.
  • [Bitcoin Address] Payment wallet linked to operator – 19NReVFKJsYYCCFLq1uNKYrUqQE2bB4Jwx (used in Telegram posts and tracked transactions).

Tycoon 2FA technical summary:

Tycoon 2FA operates as an AiTM reverse-proxy phishing kit that relays victims’ authentication flows to legitimate Microsoft endpoints. Distribution uses email attachments and QR-code redirects to small HTML decoys which then load a Cloudflare Turnstile challenge; only after the challenge succeeds does the page fetch heavily obfuscated JavaScript and 2FA-related payloads. The obfuscated JavaScript fingerprints the browser, opens a socket.io WebSocket to an attacker C2 on the phishing domain, and dynamically constructs fake Microsoft login and 2FA pages that forward entered credentials and 2FA responses through commercial proxies to the real Microsoft API.

During the authentication sequence, the kit captures email, password, OTP/push responses, and session identifiers via WebSocket messages and HTTP POSTs; the attacker-side server stores session cookies returned from the legitimate service so sessions can be replayed to bypass MFA. The February 2024 update increased stealth by delaying malicious resource retrieval until after Turnstile validation, using pseudorandom resource names, extended filtering for datacenter/Tor IPs and bot User-Agents, and applying stronger JS obfuscation (base64 + XOR + variable mangling), complicating static and automated detection.

For tracking and detection, combine legacy filename heuristics (pages-godaddy.css, pages-okta.css, myscr[0-9]{6}.js) with new indicators: the Turnstile page text (“this page is running browser checks to ensure your security”), the central C2 response hash (SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9), limited initial request counts/data lengths in scans, and observed phishing hosts such as i9152.cisele0[.]com and codecrafterspro[.]com.
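Added detection example (not code from the Sekoia report or from the kit): a small Python scanner that applies the heuristics listed above to constructed proxy or sandbox records. The domain phish.example and the record layout are assumptions; the indicator strings and the C2 hash are taken from the text, and that hash is simply the SHA-256 of the one-character response body "0", which one of the constructed records exercises.

```python
import hashlib
import re
from dataclasses import dataclass

# Heuristics come from the report text; the sample records at the bottom are constructed.
LEGACY_RESOURCE_RE = re.compile(
    r"/(pages-godaddy\.css|pages-okta\.css|myscr[0-9]{6}\.js|pages-head-web\.min\.js)$")
SOCKETIO_EXFIL_RE = re.compile(r"/socket\.io/\?type=User&appnum=\d+&EIO=4&transport=websocket")
TURNSTILE_TEXT = "this page is running browser checks to ensure your security"
C2_RESPONSE_SHA256 = "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9"

@dataclass
class HttpRecord:
    url: str     # request URL as logged by a proxy or sandbox (assumed layout)
    body: bytes  # response body, empty if not captured

def match_record(rec: HttpRecord) -> list[str]:
    """Return the names of the Tycoon 2FA heuristics that this record trips."""
    hits = []
    path = rec.url.split("?", 1)[0]
    if LEGACY_RESOURCE_RE.search(path):
        hits.append("legacy_resource_name")
    if SOCKETIO_EXFIL_RE.search(rec.url):
        hits.append("socketio_exfil_endpoint")
    if TURNSTILE_TEXT in rec.body.decode("utf-8", "replace").lower():
        hits.append("turnstile_gate_text")
    # The published C2 hash is SHA-256 of the one-byte body b"0", so hashing the raw
    # body is sufficient; the check is skipped when no body was captured.
    if rec.body and hashlib.sha256(rec.body).hexdigest() == C2_RESPONSE_SHA256:
        hits.append("c2_response_hash")
    return hits

def scan(records: list[HttpRecord]) -> dict[str, list[str]]:
    """Map each URL that trips at least one heuristic to the list of heuristics it tripped."""
    findings = {}
    for rec in records:
        hits = match_record(rec)
        if hits:
            findings[rec.url] = hits
    return findings

# Constructed sample traffic: "phish.example" is a placeholder, not a real indicator.
SAMPLE = [
    HttpRecord("https://phish.example/web6/assets/js/pages-head-web.min.js", b"// js"),
    HttpRecord("wss://phish.example/web6socket/socket.io/?type=User&appnum=1&EIO=4&transport=websocket", b""),
    HttpRecord("https://phish.example/landing/", b"<p>This page is running browser checks to ensure your security.</p>"),
    HttpRecord("https://phish.example/api/status", b"0"),
    HttpRecord("https://login.microsoftonline.com/common/oauth2/authorize", b"<html>ok</html>"),
]
```

The filename heuristics only identify older builds, so in practice the Turnstile text, the socket.io query string and the C2 response hash carry the signal for the February 2024 kit.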

Read more: https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/