A sophisticated phishing campaign leveraging shared infrastructure between two prominent cybercriminal operations has emerged as a significant threat to Office 365 users worldwide.
The Tycoon2FA Phishing-as-a-Service platform, which has been active since August 2023, has established operational connections with the notorious Storm-1575 group, also known as Dadsec, creating a formidable alliance in the cybercrime ecosystem.
This collaboration represents a concerning evolution in phishing tactics, where established threat actors are sharing resources and infrastructure to amplify their attack capabilities against enterprise targets.
The attack methodology employed by this joint operation centers on adversary-in-the-middle (AiTM) techniques specifically designed to circumvent multi-factor authentication protections.
Cybercriminals distribute phishing emails containing malicious attachments or embedded links that redirect victims through a complex chain of compromised domains and redirection services.
The campaign utilizes unique PHP resources including “res444.php”, “cllascio.php”, and “.000.php” as payload delivery mechanisms, with the latter two representing the most recent adaptations observed as of March 2025.
These attacks typically begin with social engineering lures themed around human resources, finance, or security alerts to establish credibility and encourage victim engagement.
Trustwave analysts identified a rapidly expanding network comprising thousands of phishing pages linked to the Tycoon2FA campaign since July 2024, indicating the scale and persistence of this threat.
The infrastructure analysis revealed consistent patterns across the operation: templated webpages sharing unique HTML body hashes, custom Cloudflare Turnstile challenges deployed to shield phishing pages from automated analysis, and enhanced anti-analysis features that watch for penetration testing tools and for keystrokes associated with opening browser web-inspection tools.
The campaign’s impact extends beyond simple credential theft, as the AiTM capabilities allow attackers to capture session cookies and authentication tokens, enabling them to maintain persistent access even after victims change their passwords.
Technical Infection Mechanism and Payload Delivery
The Tycoon2FA infection chain demonstrates sophisticated technical complexity designed to evade detection and maintain persistence throughout the attack lifecycle.
When victims access the initial phishing link, they encounter a multi-stage redirection process that begins with domains leveraging Cyber Panel, an open-source web hosting platform, typically using .RU top-level domains with specific alphanumeric patterns.
The domains feature 5-10 character lengths with subdomains extending 15-20 characters, creating a consistent fingerprint for tracking purposes.
The core payload delivery mechanism relies on JavaScript-based decryption routines embedded within the malicious PHP files.
These files contain Base64-encoded content that undergoes a two-stage deobfuscation process: first a Caesar-style shift that moves each character backward by five positions, then standard Base64 decoding.
The decoded content reveals critical parameters for AES-CBC decryption, including the encoded data payload, salt values for PBKDF2 key derivation, initialization vectors, and passphrases required for successful decryption.
// Fragment from the kit's JavaScript as reproduced in the report: a regular expression
// is assigned only when the kit's "route" variable (set elsewhere in the kit) equals "checkemail".
let randpattern = null;
if (route == "checkemail") {
  randpattern = /(pq|rs)[A-Za-z0-9]{0,10}(y2|12|30)[A-Za-z0-9]{2,7}(cv|wx)(3[1-9]|40)/gi;
}
Following successful decryption, the malware generates dynamic JavaScript that creates self-navigating anchor elements, programmatically directing users to the final phishing destination.
The system incorporates multiple fallback mechanisms, including decoy pages that mimic legitimate platforms such as Microsoft Word Online or media players when direct credential harvesting fails.
Throughout this process, the infrastructure collects comprehensive victim intelligence including IP addresses, geolocation data, browser fingerprints, and user-agent strings, which are then transmitted to command-and-control servers using AES encryption with hardcoded keys to obfuscate the communication channel.
The post Tycoon2FA Infra Used by Dadsec Hacker Group to Steal Office365 Credentials appeared first on Cyber Security News.