Full Report
Phishing-as-a-Service (PhaaS) platforms have significantly reshaped the phishing threat landscape in recent years. Since September 2023, Trustwave's Threat Intelligence Team has been tracking a large-scale phishing campaign distributed via email, attributed to "Storm-1575". Storm-1575 is known for developing and distributing a PhaaS platform with adversary-in-the-middle (AiTM) capabilities, known as "Dadsec". The team's recent investigations have revealed that the infrastructure used by Dadsec is also connected to a new campaign leveraging the "Tycoon2FA" PhaaS platform.

In a previous report, the team analyzed the latest evasion techniques employed by Tycoon2FA to bypass endpoint protection and security detection mechanisms. This blog post provides an in-depth analysis of the ongoing developments in Tycoon2FA and its role in recent phishing campaigns. It also examines the infrastructure supporting both Dadsec and Tycoon2FA, highlighting key overlaps that suggest a shared operational framework. By investigating shared infrastructure components, this report uncovers the connections between these phishing kits and their broader influence within the PhaaS ecosystem.

Introduction

Tycoon2FA and Dadsec have been actively used in phishing campaigns since 2023. These phishing kits provide a user-friendly interface with customizable phishing templates and integrated automation features. Researchers from Sekoia identified several key similarities between the Tycoon2FA phishing platform and the Dadsec phishing kit, suggesting a shared development lineage or direct adaptation. This connection suggests a potential adaptation of previous tactics, in which infrastructure and codebase elements from earlier campaigns have been repurposed.

Figure 1. Comparison of the Tycoon2FA and Dadsec dashboards (Source: Sekoia).
As we analyzed the latest updates to the Tycoon2FA phishing kit, we refined our tracking queries to expose the infrastructure supporting its newest campaign. Our investigation revealed a rapidly growing network of thousands of phishing pages linked to the Tycoon2FA campaign since July 2024. The following patterns were identified within the latest campaign:

- Hosting templated webpages that share a unique HTML body hash and page title.
- Use of unique PHP resources ("res444.php", "cllascio.php", and ".000.php") as payload delivery mechanisms. The latter two are the latest alternative file names of the malicious PHP script in the Tycoon2FA campaign as of March 2025.
- Deployment of a custom Cloudflare Turnstile page to safeguard the phishing page.
- Enhanced anti-analysis features, including monitoring for penetration-testing tools, keystroke detection related to web inspection, and other anti-developer-tools mechanisms such as disabling the browser's right-click context menu for defense evasion.
- Use of various decoy pages to enhance credibility and mislead victims.
- A fallback phishing page designed to mimic legitimate platforms such as Microsoft Word Online or Media Player.
- Integration of an auto sign-in feature that activates if a username is embedded in the phishing configuration.
- Use of various AES decryption routines to obfuscate code and conceal C2 communication.

Figure 2. Monthly distribution of detected phishing pages related to Tycoon2FA, July 2024 to January 2025.

Overlap between Dadsec and Tycoon2FA Operations

Around September 2023, our telemetry detected multiple phishing campaigns attributed to Storm-1575 (Dadsec), targeting users with fake Microsoft 365 credential-harvesting pages. The attack begins with an email using various lures to entice the recipient into accessing a shared file, often including an HTML attachment.
The phishing link typically follows this format:

hxxps://selligenttier.naylorcampaigns[.]com/ hxxps://704movers[.]com/uwcz/IvhRh/

URL Pattern Legend: Initial URL; Redirection URL; Base64-Encoded Email Address.

When accessed, the initial link redirects the user to a webpage with a specific URL structure. These URLs lead victims to phishing sites designed to impersonate Microsoft login pages. Analysis of these URLs uncovered several consistent patterns:

- The domain leverages "Cyber Panel", an open-source web hosting platform.
- The victim's username is already pre-specified in the URL.
- The domain has a ".RU" top-level domain (TLD).
- The domains are 5-10 alphanumeric characters long.
- The subdomains are 15-20 alphanumeric characters long.

hxxps://srciek0t8a31dz4.o4dnumvbqy[.]ru/qg2vpf/0dfrL4CL3sfYEEcLSXP1B7RAxX7tZhwbt5xbGT23YbHqHJuZa19OsFKMrfGkeZILgEC2A1aoUXhEoGhODvbL6HxN3ub?id===

URL Pattern Legend: Initial URL; Email Address.

Figure 3. Network indicators from the 2023 Dadsec phishing campaign (Source: urlquery.net).

The domains identified in the redirection URLs extracted from the initial phishing link resolve to a shared set of IP addresses and Autonomous System Numbers (ASNs), notably AS19871 (NETWORK-SOLUTIONS-HOSTING). There is consistent interaction between these IP addresses and malicious files, primarily HTML and PDF, strongly indicating their active role in phishing campaigns.

Figure 4. Graph visualization of phishing campaign IOCs.

Further pivoting reveals numerous newly registered domains that follow a similar generic pattern and are linked to the same IP addresses. Additionally, these newly registered websites contain a unique PHP file named "res444.php", which serves as a key component of the phishing kit.

Figure 5. Newly registered domains sharing the same webpage template (Source: urlscan.io).

These domains often feature a web UI with a page title of "Works Creatively".
The repeated use of identical templates across multiple domains suggests a centralized phishing infrastructure.

Figure 6. URL results containing "res444.php" (Source: urlscan.io).

This PHP file is consistently found across multiple domains but is stored in different subdirectories. The following is an example of its drop location:

Figure 7. Open directory hosting "res444.php".

By leveraging these artifacts, our team was able to trace the latest resources deployed by the Tycoon2FA actor. In earlier campaigns, the actor consistently used the PHP file "res444.php" as part of its phishing toolkit. However, in the latest campaign, observed as early as March 2025, Tycoon2FA introduced new PHP filenames, including:

- "cllascio.php"
- ".000.php"

Figure 8. Recent variant filenames observed in Tycoon2FA payload delivery infrastructure.

Tycoon2FA PhaaS Analysis

Tycoon2FA has been active since August 2023 and is suspected to be a clone of the Dadsec platform. It includes an MFA bypass feature and incorporates a Cloudflare security challenge. The phishing kit leverages the AiTM (Adversary-in-the-Middle) technique: an attacker-controlled server hosts the phishing webpage, intercepts the victim's inputs, relays them to the legitimate service, and triggers the MFA prompt. Once the user completes the MFA challenge and authentication succeeds, the attacker-controlled server captures the session cookies. These stolen cookies enable attackers to replay the session and bypass MFA, even if the victim later changes their credentials. The image below provides a detailed breakdown of the latest operations associated with the Tycoon2FA phishing kit:

Figure 9. Overview of the Tycoon2FA PhaaS operation.

Stage 1 – Initial Access

Threat actors leveraging Tycoon2FA primarily distribute their phishing pages through URL redirects or QR codes embedded within email attachments or the email body.
The service offers ready-made phishing templates with file attachments, making it easier to run cybercrime campaigns.

Figure 10. Email attachment examples linked to Tycoon2FA PhaaS.

For instance, some phishing HTML or PDF files use themes related to human resources, finance, or security alerts to entice victims into following the steps that ultimately lead to credential theft and multi-factor authentication (MFA) bypass. These files typically contain two key parts:

- A variable that stores the victim's email.
- A blob of Base64-encoded text.

Figure 11. HTML file used to decode the URL leading to a PHP resource.

The HTML code contains JavaScript that dynamically retrieves additional content from the PHP file hosted on the phishing domain. Based on the code structure and execution flow, the final URL follows this pattern:

hxxps://americanwealthllc[.]com/cgi-bin/res444.php?2-68747470733a2f2f687265662e6c692f3f68747470733a2f2f376b437a2e6e636570726f73746f2e636f6d2f37387172632f-quail

URL Pattern Legend: Initial URL; PHP File (res444.php, cllascio.php, or .000.php); Digit (2 or 4); Encoded Redirection URL (Phishing Kit); Email Address Placeholder (Name of an Animal or Plant).

Note: As of January 2025, the placeholder email address in the phishing kit's redirection URL structure has changed to a randomized pattern (e.g. _0x207c, _0x0442, and _0x53a1). This shift suggests an attempt to further obfuscate the redirection mechanism, making it harder to detect these IOCs through conventional pattern recognition.
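The two URL shapes described above (the Dadsec ".ru" redirect hosts with a Base64-encoded email, and the Tycoon2FA PHP-resource URL with an encoded redirect and a placeholder) can be triaged from logs or URL feeds with a few pattern checks. The script below is an added example and is not code from the report or from either phishing kit: it refangs a defanged URL, checks the host against the subdomain/apex length pattern the report gives for Dadsec, looks for a Base64-encoded email in the path or query, and decodes the Tycoon2FA redirect, which the report's sample URL carries as hex-encoded ASCII. The Tycoon2FA and Dadsec sample hosts are the report's own (defanged); the `id=` parameter on the Dadsec sample, the `.000.php` sample with a randomized `_0x` placeholder, and all function names are constructed for illustration.

```python
"""Added example: defanged-URL triage for the Dadsec and Tycoon2FA URL patterns.

Sample hosts come from the report; the id= parameter, the .invalid sample
and the function names are constructed for this demo.
"""
import base64
import re
from urllib.parse import urlsplit

# PHP resource names the report attributes to Tycoon2FA payload delivery.
TYCOON_PHP = ("res444.php", "cllascio.php", ".000.php")

# Query shape from the report: <2|4>-<encoded redirect URL>-<placeholder>, where the
# placeholder is an animal/plant word or, since January 2025, a token such as _0x207c.
TYCOON_QUERY = re.compile(
    r"^(?P<digit>[24])-(?P<hexurl>(?:[0-9a-fA-F]{2})+)-(?P<tag>[A-Za-z]+|_0x[0-9a-fA-F]{4})$"
)

# Dadsec redirect host shape from the report: 15-20 alphanumeric subdomain,
# 5-10 alphanumeric apex label, .ru TLD.
DADSEC_HOST = re.compile(r"^[a-z0-9]{15,20}\.[a-z0-9]{5,10}\.ru$", re.IGNORECASE)

EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def refang(url: str) -> str:
    """Turn hxxps://host[.]tld into https://host.tld so urlsplit can parse it."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def decode_tycoon_url(url: str):
    """Details if the URL matches the Tycoon2FA PHP-resource pattern, else None."""
    parts = urlsplit(refang(url))
    filename = parts.path.rsplit("/", 1)[-1]
    if filename not in TYCOON_PHP:
        return None
    m = TYCOON_QUERY.match(parts.query)
    if not m:
        return None
    # The report's sample encodes the redirect as hex-encoded ASCII.
    redirect = bytes.fromhex(m.group("hexurl")).decode("utf-8", errors="replace")
    return {
        "host": parts.hostname,
        "php": filename,
        "digit": m.group("digit"),
        "redirect": redirect,
        "placeholder": m.group("tag"),
        "randomized_placeholder": m.group("tag").startswith("_0x"),
    }


def match_dadsec_host(url: str) -> bool:
    """True if the host has the .ru subdomain/apex length shape described for Dadsec."""
    host = urlsplit(refang(url)).hostname or ""
    return DADSEC_HOST.match(host) is not None


def find_base64_email(url: str):
    """First path segment or query value that Base64-decodes to an e-mail address."""
    parts = urlsplit(refang(url))
    candidates = [seg for seg in parts.path.split("/") if seg]
    candidates += [kv.split("=", 1)[-1] for kv in parts.query.split("&")]
    for cand in candidates:
        try:
            raw = base64.b64decode(cand + "=" * (-len(cand) % 4), validate=True)
            text = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):  # not Base64 / not text: skip
            continue
        if EMAIL.fullmatch(text):
            return text
    return None


def triage(url: str) -> dict:
    """Run all three checks on one URL."""
    return {
        "tycoon": decode_tycoon_url(url),
        "dadsec_host": match_dadsec_host(url),
        "b64_email": find_base64_email(url),
    }


# Report's Tycoon2FA sample (defanged) and a constructed .000.php sample with the
# randomized placeholder; the .invalid TLD marks the constructed one.
TYCOON_SAMPLE = ("hxxps://americanwealthllc[.]com/cgi-bin/res444.php?2-"
                 "68747470733a2f2f687265662e6c692f3f68747470733a2f2f376b437a2e"
                 "6e636570726f73746f2e636f6d2f37387172632f-quail")
TYCOON_RANDOM_SAMPLE = ("hxxps://example-phish[.]invalid/x/.000.php?4-"
                        + "https://example.invalid/".encode().hex() + "-_0x207c")
# Report's Dadsec host with a constructed Base64 e-mail in the id= parameter.
DADSEC_SAMPLE = ("hxxps://srciek0t8a31dz4.o4dnumvbqy[.]ru/qg2vpf/?id="
                 + base64.b64encode(b"user@example.com").decode())

if __name__ == "__main__":
    for sample in (TYCOON_SAMPLE, TYCOON_RANDOM_SAMPLE, DADSEC_SAMPLE):
        print(sample[:60], "->", triage(sample))
```

The decoded redirect is itself an IOC (the intermediate redirector and the kit host), so a hunting pipeline would feed both `redirect` and the originating host back into its indicator store rather than only flagging the PHP filename.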
Analysis Summary
# Tool/Technique: Tycoon2FA Phishing Kit
## Overview
Tycoon2FA is a Phishing-as-a-Service (PhaaS) platform that provides adversaries with a user-friendly interface, customizable phishing templates, and integrated automation features. It is used to conduct large-scale phishing campaigns, primarily targeting credential harvesting (e.g., Microsoft 365 login pages). It shares operational links and code lineage with the "Dadsec" phishing kit.
## Technical Details
- Type: Tool (Phishing Kit/PhaaS Platform)
- Platform: Web/Server-side (PHP scripts)
- Capabilities: Adversary-in-the-middle (AiTM) capabilities, credential harvesting, anti-analysis features, automated redirection, and obfuscation via AES decryption.
- First Seen: In active campaigns since 2023 (Dadsec/Tycoon2FA overlap noted around September 2023).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (implied by HTML attachment usage in initial lures)
    - T1566.002 - Spearphishing Link
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information
    - T1027.002 - Command and Scripting Interpreter Obfuscation (implied by AES decryption routines)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Designed to impersonate legitimate login pages (e.g., Microsoft login pages) to capture user credentials.
- **Payload Delivery:** Utilizes unique PHP resources such as `res444.php`, `cllascio.php`, and `.000.php` to deliver the malicious payload or manage the session.
- **Data Exfiltration:** Gathers and transmits credentials, IP address, geolocation, and browser information via AJAX POST requests.
- **Geolocation Tracking:** Can query external services (like "geojs") to determine the victim's geographical location.
### Advanced Features
- **Adversary-in-the-Middle (AiTM):** The platform incorporates AiTM capabilities for advanced session hijacking or interception.
- **Anti-Analysis/Evasion:** Implements several techniques to frustrate security analysis:
  - Monitoring for penetration-testing tools.
  - Keystroke detection related to web inspection.
  - Disabling the right-click context menu to hinder automated examination.
- **Cloudflare Turnstile Integration:** Deploys a custom Cloudflare Turnstile page to filter traffic before reaching the main phishing page.
- **Code Obfuscation:** Uses various AES decryption routines to obfuscate code and conceal Command and Control (C2) communication.
- **Decoy Pages:** Utilizes decoy pages mimicking legitimate services like Microsoft Word Online or Media Player to mislead victims.
- **Auto Sign-in Feature:** Can automatically sign in if a username is embedded within the phishing configuration data.
## Indicators of Compromise
- File Hashes: N/A (No specific hashes provided in the text)
- File Names: `res444.php`, `cllascio.php`, `.000.php`
- Registry Keys: N/A
- Network Indicators:
  - Shared IP addresses and ASNs, notably **AS19871 (NETWORK-SOLUTIONS-HOSTING)**.
  - Domains often leverage the ".RU" Top-Level Domain (TLD).
  - URL structures often contain pre-specified victim usernames.
- Behavioral Indicators:
  - Hosting templated webpages sharing a unique HTML body hash and page title.
  - AJAX POST requests used to transmit collected victim data (credentials, browser info).
  - Logging of page visits via AJAX requests to track user interaction.
## Associated Threat Actors
- Storm-1575 (Attributed to developing and distributing the initial Dadsec PhaaS platform).
- Operators actively using the Tycoon2FA platform (active since 2023/2024).
## Detection Methods
- Signature-based detection: Look for the presence of specific PHP filenames (`res444.php`, etc.).
- Behavioral detection: Monitor for outbound AJAX requests submitting sensitive POST data from a web server context, especially when coupled with user-agent analysis indicative of a common victim browser.
- YARA rules if available: N/A (Not provided, but pattern matching on HTML structure/unique page titles could be effective).
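The "templated webpages sharing a unique HTML body hash and page title" indicator above is the basis of the tracking described in the report, and it is straightforward to reproduce for hunting. The script below is an added example, not code from the report or from urlscan.io: it extracts the page title, normalizes the HTML body (comments stripped, whitespace collapsed) so cosmetic differences between copies of one kit template do not change the hash, and clusters pages by the (title, body hash) pair. The hashing scheme is this example's own, not urlscan.io's body-hash algorithm; the HTML samples and the `.example` host names are constructed, with the "Works Creatively" title taken from the report's observation.

```python
"""Added example: cluster landing pages by page title plus normalized-body hash.

HTML samples and host names are constructed; the hash scheme is this demo's own.
"""
import hashlib
import re
from collections import defaultdict

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
BODY_RE = re.compile(r"<body[^>]*>(.*?)</body>", re.IGNORECASE | re.DOTALL)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def extract_title(html_text: str) -> str:
    """Page title with whitespace collapsed; '' if the page has no <title>."""
    m = TITLE_RE.search(html_text)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""


def normalized_body(html_text: str) -> str:
    """Body markup with comments removed and whitespace collapsed, so that
    cosmetic edits between copies of a template do not change the hash."""
    m = BODY_RE.search(html_text)
    body = m.group(1) if m else html_text
    body = COMMENT_RE.sub("", body)
    return re.sub(r"\s+", " ", body).strip()


def body_hash(html_text: str) -> str:
    """SHA-256 of the normalized body (this example's scheme, not urlscan.io's)."""
    return hashlib.sha256(normalized_body(html_text).encode("utf-8")).hexdigest()


def fingerprint(html_text: str):
    """(title, body hash) pair used as the clustering key."""
    return (extract_title(html_text), body_hash(html_text))


def cluster_pages(pages: dict) -> dict:
    """Group {host: html} into {fingerprint: sorted hosts sharing it}."""
    clusters = defaultdict(list)
    for host, html_text in pages.items():
        clusters[fingerprint(html_text)].append(host)
    return {fp: sorted(hosts) for fp, hosts in clusters.items()}


# Constructed samples: two hosts serving the same landing template and one unrelated
# page that happens to reuse the title. Hosts use the reserved .example TLD.
TEMPLATE = """<html><head><title>Works Creatively</title></head>
<body><div class="hero"><h1>Works Creatively</h1><p>Welcome</p></div>
<script src="/assets/app.js"></script></body></html>"""

PAGES = {
    "kit-copy-1.example": TEMPLATE,
    # Same template with extra whitespace and an added HTML comment.
    "kit-copy-2.example": TEMPLATE.replace("\n", "\n\n   ").replace(
        "<body>", "<body><!-- deployed 2025-01-15 -->"),
    "unrelated.example": "<html><head><title>Works Creatively</title></head>"
                         "<body><p>Portfolio site</p></body></html>",
}


def template_clusters(min_hosts: int = 2) -> dict:
    """Fingerprints seen on at least `min_hosts` hosts: candidates for a shared kit."""
    return {fp: hosts for fp, hosts in cluster_pages(PAGES).items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (title, digest), hosts in cluster_pages(PAGES).items():
        print(f"{title!r} {digest[:12]}... {hosts}")
```

Title alone is a weak key (the unrelated page above shares it), which is why the report pairs it with a body hash; conversely, a kit that injects per-victim values into the body would need those values masked before hashing, or the pages would fall into separate clusters.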
## Mitigation Strategies
- Prevention measures: Email filtering to block suspected phishing attempts, especially those leveraging HTML attachments or short URL patterns leading to new domains.
- Hardening recommendations: Implement multi-factor authentication (MFA) universally to mitigate credential harvesting success, even if users fall for the phishing site. Train users to inspect the URL path and TLDs carefully.
## Related Tools/Techniques
- Dadsec Phishing Kit (Identified as having a shared development lineage or being adapted from predecessor code).