{
  "name": "Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale",
  "slug": "inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale",
  "description": "Tycoon2FA emerged as a prominent phishing-as-a-service platform in August 2023, enabling large-scale campaigns that targeted over 500,000 organizations monthly. Developed by Storm-1747, it provided adversary-in-the-middle capabilities to bypass multifactor authentication. The kit let operators impersonate trusted brands such as Microsoft 365 and Gmail in order to intercept session cookies and credentials. It employed sophisticated evasion techniques including anti-bot screening, browser fingerprinting, and custom CAPTCHAs. Tycoon2FA's infrastructure evolved to use diverse, short-lived domains and complex redirect chains. Its success stemmed from closely mimicking legitimate authentication processes while covertly intercepting user credentials and session tokens.",
  "published": "2026-03-04T18:42:43+00:00",
  "created_at": "2026-03-04T18:42:43+00:00",
  "modified_at": "2026-03-05T08:48:02+00:00",
  "created_at_opencti": "2026-03-04T18:42:43+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-04",
    "adversary-in-the-middle",
    "credential-theft",
    "evasion techniques",
    "multifactor authentication bypass",
    "phishing-as-a-service",
    "session token interception",
    "tycoon2fa"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://kzagniw.es/LI6vGlx7@1wPztdy"
      },
      {
        "id": "",
        "name": "https://astro.thorousha.ru/vojd4e50fw4o!g/$ENCODED"
      },
      {
        "id": "",
        "name": "https://immutable.nathacha.digital/T@uWhi6jqZQH7/#?EMAIL_ADDRESS"
      },
      {
        "id": "",
        "name": "https://mysql.vecedoo.online/JB5ow79@fKst02/#EMAIL_ADDRESS"
      },
      {
        "id": "",
        "name": "https://backend.vmfuiojitnlb.es/CGyP9!CbhSU22YT2/"
      },
      {
        "id": "",
        "name": "https://piwf.ariitdc.es/kv2gVMHLZ@dNeXt/$EMAIL_ADDRESS"
      },
      {
        "id": "",
        "name": "https://q9y3.efwzxgd.es/MEaap8nZG5A@c8T/*EMAIL_ADDRESS"
      },
      {
        "id": "",
        "name": "https://mock.zuyistoo.today/pry1r75TisN5S@8yDDQI/$EMAIL_ADDRESS"
      },
      {
        "id": "",
        "name": "https://qonnfp.wnrathttb.ru/Fe2yiyoKvg3YTfV!/$EMAIL_ADDRESS"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:20438e3de9af9e39",
        "name": "Tycoon2FA",
        "slug": "tycoon2fa"
      }
    ],
    "intrusion_sets": [
      {
        "id": "36e71c95-1e4f-44e2-b5fa-1e949beaf719",
        "name": "Storm-1747",
        "slug": "storm-1747"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      },
      {
        "id": "444de5e0-bd7f-4700-b700-26320057dd80",
        "name": "T1110"
      },
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "c9de6d3f-08cf-448d-8b9f-9aeff59fc48f",
        "name": "T1550"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "2969e5a7-1049-4df8-b1ba-8a0675de6b94",
        "name": "T1589"
      },
      {
        "id": "3528fd00-a96d-42d8-80ac-95b1e980ab8b",
        "name": "T1606"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "29f7ff93-033b-4f8d-8691-5bcaa438c80f",
        "name": "T1592"
      },
      {
        "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099",
        "name": "T1098"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "6efb8bea-11d7-418d-a429-9f4a3e6c50f6",
        "name": "T1087"
      },
      {
        "id": "5dee2969-7083-430e-9083-73bab54c3a18",
        "name": "T1590"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "mock.zuyistoo.today"
      },
      {
        "id": "",
        "name": "qonnfp.wnrathttb.ru"
      },
      {
        "id": "",
        "name": "immutable.nathacha.digital"
      },
      {
        "id": "",
        "name": "q9y3.efwzxgd.es"
      },
      {
        "id": "",
        "name": "mysql.vecedoo.online"
      },
      {
        "id": "",
        "name": "astro.thorousha.ru"
      },
      {
        "id": "",
        "name": "backend.vmfuiojitnlb.es"
      },
      {
        "id": "",
        "name": "piwf.ariitdc.es"
      },
      {
        "id": "",
        "name": "kzagniw.es"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69a88b33567744351e1bf5d3",
    "https://www.microsoft.com/en-us/security/blog/2026/03/04/inside-tycoon2fa-how-a-leading-aitm-phishing-kit-operated-at-scale/"
  ]
}