Breakdown of Tycoon Phishing-as-a-Service System

Trustwave SpiderLabs analyzed the Tycoon Group phishing-as-a-service (PaaS), which uses obfuscated landing pages, Cloudflare Turnstile, and socket.io WebSocket connections to exfiltrate credentials and session cookies. The service advertises MFA bypass (Microsoft 365, Gmail) and ADFS cookie theft while providing an admin panel for campaign management and cookie-based account takeover. #TycoonGroup #ADFS

Keypoints

  • Tycoon Group is a commercially sold phishing-as-a-service (PaaS) marketed on Telegram with features to bypass MFA and improve link persistence via Cloudflare integration.
  • Attack chain uses trusted cloud services (e.g., DocuSign, OneDrive, SharePoint, Google Drive) as redirectors or decoy hosts to mask final phishing pages.
  • Landing pages consist of an index.php loader and an obfuscated JavaScript (myscr*.js) that reconstructs the phishing HTML via large decimal arrays, Base64/XOR obfuscation, and opaque predicates.
  • Cloudflare Turnstile can be integrated for human verification to evade bots and add telemetry to the phisher’s dashboard.
  • Credential exfiltration uses socket.io (WebSocket) to send structured messages (routes like “enteremail”/“enterpassword”) to the attacker’s server in real time.
  • Tycoon supports stealing ADFS session cookies and provides a “Get Cookies” capability (JavaScript file) enabling attackers to set stolen cookies in a browser for account takeover.
  • Investigators published YARA detection strings and a tracked list of landing URLs (gist) for detection and response.

MITRE Techniques

  • [T1566] Phishing – Use of phishing emails and landing pages to harvest credentials (‘The Tycoon Group uses phishing emails that redirect victims to malicious landing pages designed to steal credentials.’)
  • [T1204] User Execution – Victims click links in emails that redirect through decoy documents or trusted services to reach the phishing page (‘Redirection is accomplished by clicking a link in the email. This leads either to a decoy document… or directly to the primary phishing landing page’).
  • [T1539] Steal Web Session Cookie – Theft of ADFS cookies to enable session reuse and persistent access (‘the group introduced support for enabling subscribers to steal Active Directory Federation Services (ADFS) cookies’).
  • [T1056] Input Capture – Phishing pages capture usernames and passwords entered into fake login forms (‘The phishing pages capture user inputs, such as usernames and passwords.’)
  • [T1027] Obfuscated Files or Information – Landing pages use Base64, XOR, long decimal arrays, and opaque predicates to hide malicious JavaScript (‘a combination of Base64 encoding and XOR operations to hide the JavaScript link’ and ‘very long array of characters represented as decimal integers’).
  • [T1036] Masquerading – Phishing pages mimic legitimate login pages (Microsoft 365, Gmail) to deceive victims (‘mimicking a Microsoft 365 login page’ and introduction of Gmail display/login themes).
  • [T1071] Application Layer Protocol – Use of WebSocket (socket.io) for real-time browser-to-server communication and exfiltration (‘uses a JavaScript WebSocket library known as socket.io to establish communication with the phisher’s server’).
  • [T1048] Exfiltration Over Alternative Protocols – Credentials and cookies are exfiltrated over WebSocket instead of typical HTTP POSTs (‘The stolen credentials and session cookies are exfiltrated using WebSocket communication to the phisher’s server.’)
  • [T1016] System Network Configuration Discovery – WebSocket exchanges include IP and browser type which can be used for reconnaissance (‘the JavaScript on the phishing page transmits … unique ID … browser type, and IP’).

Indicators of Compromise

  • [Landing URLs] Tycoon landing pages – https://gist.github.com/drole/1469713841ab9a5121011e2eb88c5e87 (tracked list of Tycoon landing URLs)
  • [File names] Phishing landing components – index.php, myscr<4-6 digits>.js (myscr####.js used to generate the phishing HTML)
  • [YARA strings] Detection signatures seen in YARA rule – "emailcheck", "ccturnhtml", /src="http.{2,99}/myscr\d{4,6}\.js"/ (YARA rule included in the article)
  • [Third-party services abused] Redirector/hosting services – docusign.com, onedrive.live.com (and other cloud services used as redirectors/decoys such as SharePoint, Google Drive, Dropbox)

The technical attack flow begins with phishing emails that hide final destinations behind trusted cloud services (DocuSign, OneDrive, SharePoint, Google Drive, etc.), using those platforms as redirectors or hosts for decoy documents. When a victim clicks a link, they are directed to a Tycoon landing page where index.php loads an obfuscated JavaScript (myscr*.js). That JavaScript reconstructs the phishing HTML from a long decimal array and obfuscated strings (Base64 + XOR) and employs opaque predicates and bot-prevention checks to evade crawlers and anti-spam systems.
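The loader described above is what an analyst has to unwind before the landing page can be read: a long decimal array of character codes that String.fromCharCode turns back into HTML, and short Base64 strings that only become URLs after an XOR pass. The following Python is an added example, not code from the Trustwave article or from the kit itself. The sample loader, its XOR key and the myscr URL are constructed here; the real kit's key handling and array layout are not given on this page, so the scheme below is a stand-in of the same shape.

```python
import base64
import re

# Constructed sample inputs (not taken from a real Tycoon page). The URL and
# XOR key are hypothetical; the real kit's key handling is not described here.
SAMPLE_HTML = '<form id="login"><input name="email"><input name="password"></form>'
SAMPLE_SCRIPT_URL = "https://cdn.example.invalid/myscr123456.js"
SAMPLE_XOR_KEY = "k3y"

# Decimal arrays of this length are the signal; short arrays are ordinary code.
DECIMAL_ARRAY_RE = re.compile(r"\[\s*(\d{1,3}(?:\s*,\s*\d{1,3}){15,})\s*\]")
# Quoted Base64-looking literals long enough to hide a URL.
B64_LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_b64_xor(text: str, key: str) -> str:
    """XOR then Base64: the direction the obfuscator runs."""
    return base64.b64encode(xor_bytes(text.encode(), key.encode())).decode()


def decode_b64_xor(blob: str, key: str) -> str:
    """Base64-decode then XOR: the direction the analyst runs."""
    return xor_bytes(base64.b64decode(blob), key.encode()).decode(errors="replace")


def build_sample_loader() -> str:
    """Constructed loader in the described shape: the page HTML as a decimal
    char-code array, and the script URL hidden behind Base64+XOR."""
    codes = ",".join(str(ord(c)) for c in SAMPLE_HTML)
    hidden = encode_b64_xor(SAMPLE_SCRIPT_URL, SAMPLE_XOR_KEY)
    return (
        "var a=[" + codes + "];"
        'var u="' + hidden + '";'
        "document.write(String.fromCharCode.apply(null,a));"
    )


def extract_decimal_arrays(js: str, min_len: int = 16) -> list:
    """Return every long array of byte-range integers found in the script."""
    found = []
    for m in DECIMAL_ARRAY_RE.finditer(js):
        nums = [int(x) for x in m.group(1).split(",")]
        if len(nums) >= min_len and all(n < 256 for n in nums):
            found.append(nums)
    return found


def decode_decimal_array(nums) -> str:
    """What String.fromCharCode.apply(null, nums) would produce in the browser."""
    return "".join(chr(n) for n in nums)


def recover_hidden_strings(js: str, key: str) -> list:
    """Decode every Base64 literal in the script with the given XOR key."""
    return [decode_b64_xor(b, key) for b in B64_LITERAL_RE.findall(js)]


if __name__ == "__main__":
    loader = build_sample_loader()
    for arr in extract_decimal_arrays(loader):
        print("reconstructed HTML:", decode_decimal_array(arr))
    print("hidden strings:", recover_hidden_strings(loader, SAMPLE_XOR_KEY))
```

Against a real myscr*.js the key is usually recoverable from the script itself (it has to be, for the browser to run it); the array extractor works unchanged, and anything that decodes to a readable URL after XOR is worth adding to the tracked landing-URL list.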

Before showing the fake login form, the page can perform Cloudflare Turnstile human verification (enabled with the subscriber’s own Turnstile keys) to filter bots. Once validated, the fake theme (Microsoft 365, Gmail, etc.) is rendered and credential inputs are sent in real time to the attacker over a socket.io WebSocket connection: the page receives an initial handshake (payload size, ping interval, unique ID), then transmits structured messages with routes like “enteremail” and “enterpassword” that include the credentials, a session id (sid), browser type, and IP. The server replies with control responses (e.g., error messages) and the session stream persists, so the operator can steer the victim through further prompts interactively.
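Because the exfiltration rides on socket.io rather than form POSTs, proxy logs show only the WebSocket upgrade; the routes are visible only in the text frames themselves. The Python below is an added example (not the article's or the kit's code) that classifies captured frames using the public engine.io/socket.io packet codes (an OPEN handshake is `0{...}`, ping/pong are `2`/`3`, a socket.io EVENT is `42[...]`) and flags client-to-server events on the two routes named above. The capture is constructed; the payload field names (email, password, browser, ip) are assumptions, since the page only says the messages carry credentials, sid, browser type and IP.

```python
import json
import re

# Routes named on the page; other event names the kit may use are not listed here.
CREDENTIAL_ROUTES = {"enteremail", "enterpassword"}

# socket.io EVENT inside an engine.io MESSAGE: "42" + optional "/namespace," +
# optional ack id + JSON array [event_name, ...args].
EVENT_RE = re.compile(r"^42(?:/[^,]*,)?(\d*)(\[.*\])$", re.DOTALL)


def parse_frame(text: str) -> dict:
    """Classify one WebSocket text frame using the engine.io/socket.io packet codes."""
    if text.startswith("0"):                      # engine.io OPEN: handshake JSON
        meta = json.loads(text[1:])
        return {"kind": "open", "sid": meta.get("sid"),
                "pingInterval": meta.get("pingInterval"),
                "maxPayload": meta.get("maxPayload")}
    if text == "2":                               # engine.io PING
        return {"kind": "ping"}
    if text == "3":                               # engine.io PONG
        return {"kind": "pong"}
    if text.startswith("40"):                     # socket.io CONNECT
        return {"kind": "connect"}
    m = EVENT_RE.match(text)
    if m:
        payload = json.loads(m.group(2))
        return {"kind": "event", "name": payload[0], "args": payload[1:],
                "ack": m.group(1) or None}
    return {"kind": "other", "raw": text}


def find_credential_exfil(frames) -> list:
    """frames: iterable of (direction, text), direction 'c2s' or 's2c'.
    Returns one finding per client-to-server event on a credential route."""
    findings = []
    for direction, text in frames:
        frame = parse_frame(text)
        if frame["kind"] != "event" or direction != "c2s":
            continue
        if frame["name"] not in CREDENTIAL_ROUTES:
            continue
        args = frame["args"]
        data = args[0] if args and isinstance(args[0], dict) else {}
        findings.append({
            "route": frame["name"],
            "sid": data.get("sid"),
            "fields": sorted(k for k in data if k != "sid"),
        })
    return findings


# Constructed capture (not real traffic). Payload field names are assumptions;
# the page only says the messages carry credentials, sid, browser type and IP.
SAMPLE_CAPTURE = [
    ("s2c", '0{"sid":"eio-1","upgrades":[],"pingInterval":25000,'
            '"pingTimeout":20000,"maxPayload":1000000}'),
    ("c2s", "40"),
    ("s2c", '40{"sid":"sio-1"}'),
    ("c2s", '42["enteremail",{"email":"victim@example.invalid","sid":"sio-1",'
            '"browser":"Chrome","ip":"203.0.113.5"}]'),
    ("s2c", '42["error",{"message":"Enter your password"}]'),
    ("c2s", '42["enterpassword",{"password":"hunter2","sid":"sio-1",'
            '"browser":"Chrome","ip":"203.0.113.5"}]'),
    ("s2c", "2"),
    ("c2s", "3"),
]

if __name__ == "__main__":
    for hit in find_credential_exfil(SAMPLE_CAPTURE):
        print(hit)
```

The finding deliberately records which fields were sent rather than their values, so the output can go into a ticket without copying the victim's password into it; the sid ties the two messages to one victim session.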

The Tycoon admin panel lets subscribers generate campaigns, toggle features, and retrieve harvested data including usernames, passwords, and session cookies. A “Get Cookies” button provides a JavaScript file that sets the stolen session cookies in the attacker’s own browser, so the victim’s authenticated session (including ADFS-based SSO) can be replayed without the password or MFA prompt. Detection mitigations cited include YARA rules (strings like “emailcheck” and myscr*.js patterns) and tracking known landing URLs for blocklisting and forensic analysis.
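The indicators listed above are easy to apply outside YARA as well, for example in a URL-sandbox or mail-gateway callback that has the fetched page body in hand. The Python below is an added example (not the article's YARA rule or any project code): it applies the two strings and the myscr loader pattern from the indicators section to a page body, and pulls the hostnames serving myscr*.js for blocklisting next to the tracked landing URLs. The two page bodies are constructed samples, and the "two indicators make a hit" threshold is an assumption, since the article's YARA condition is not reproduced on this page.

```python
import re
from urllib.parse import urlparse

# Strings and the loader-URL pattern from the YARA indicators above.
STRING_INDICATORS = {
    "emailcheck": b"emailcheck",
    "ccturnhtml": b"ccturnhtml",
}
# The page's pattern with the src URL captured so the host can be pulled out.
MYSCR_RE = re.compile(rb'src="(http.{2,99}/myscr\d{4,6}\.js)"')

# Assumption: two independent indicators make a verdict; the article's YARA
# condition is not reproduced on this page.
MIN_HITS = 2


def scan_page(body: bytes) -> dict:
    """Apply the string and regex indicators to one fetched landing page."""
    hits = [name for name, needle in STRING_INDICATORS.items() if needle in body]
    loaders = [m.group(1).decode("ascii", "replace") for m in MYSCR_RE.finditer(body)]
    if loaders:
        hits.append("myscr_loader")
    return {"hits": hits, "loaders": loaders, "suspicious": len(hits) >= MIN_HITS}


def loader_hosts(body: bytes) -> set:
    """Hostnames serving myscr*.js, for blocklisting alongside the tracked landing URLs."""
    return {urlparse(src).hostname for src in scan_page(body)["loaders"]}


# Constructed samples, not captured pages. Hostnames are hypothetical.
SAMPLE_PHISH = (
    b'<html><head><script src="https://cdn.example.invalid/myscr12345.js"></script>'
    b'</head><body><div id="ccturnhtml"></div>'
    b'<script>function emailcheck(v){return v.indexOf("@")>0;}</script></body></html>'
)
SAMPLE_BENIGN = (
    b'<html><head><script src="https://www.example.invalid/js/app.js"></script>'
    b'</head><body><form id="login"><input name="email"></form></body></html>'
)

if __name__ == "__main__":
    for label, page in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, scan_page(page), loader_hosts(page))
```

The regex is applied to the raw bytes the server returned, not to the DOM after JavaScript runs; since the loader reference sits in index.php's static output, that is the right stage for it, whereas the reconstructed login form only exists after myscr*.js executes.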

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breakdown-of-tycoon-phishing-as-a-service-system/