PhaaS the Secrets: The Hidden Ties Between Tycoon2FA and Dadsec’s Operations
Phishing-as-a-Service (PhaaS) platforms have significantly reshaped the phishing threat landscape in recent years.
Since September 2023, Trustwave’s Threat Intelligence Team has been tracking a large-scale phishing campaign distributed via email, attributed to “Storm-1575”. Storm-1575 is known for developing and distributing a PhaaS platform with adversary-in-the-middle (AiTM) capabilities, known as “Dadsec”. The team’s recent investigations have revealed that the infrastructure used by Dadsec is also connected to a new campaign leveraging the “Tycoon2FA” Phishing-as-a-Service (PhaaS) platform. In a previous report, the team analyzed the latest evasion techniques employed by Tycoon2FA to bypass endpoint protection and security detection mechanisms.
This blog post provides an in-depth analysis of the ongoing developments in Tycoon2FA and its role in recent phishing campaigns. It also examines the infrastructure supporting both Dadsec and Tycoon2FA, highlighting key overlaps that suggest a shared operational framework. By investigating shared infrastructure components, this report uncovers the connections between these phishing kits and their broader influence within the PhaaS ecosystem.
Introduction
Tycoon2FA and Dadsec have been actively used in phishing campaigns since 2023. These phishing kits provide a user-friendly interface with customizable phishing templates and integrated automation features. Researchers from Sekoia identified several key similarities between the Tycoon2FA phishing platform and the Dadsec phishing kit, suggesting a shared development lineage or direct adaptation, in which infrastructure and codebase elements from earlier campaigns have been repurposed.
Figure 1. Comparison of Tycoon2FA and Dadsec Dashboard (Source: Sekoia).
As we analyzed the latest updates to the Tycoon2FA phishing kit, we refined our tracking queries to expose the infrastructure supporting its newest campaign. Our investigation revealed a rapidly growing network of thousands of phishing pages linked to the Tycoon2FA campaign since July 2024. The following patterns were identified within the latest campaign:
- Hosting templated webpages that share a unique HTML body hash and page title.
- Use of unique PHP resources (“res444.php”, “cllascio.php”, and “.000.php”) as payload delivery mechanisms. The latter two are the newest alternative filenames for the malicious PHP resource, observed in the Tycoon2FA campaign as of March 2025.
- Deployment of a custom Cloudflare Turnstile page to safeguard the phishing page.
- Enhanced anti-analysis features, including monitoring for penetration-testing tools, detection of keystrokes associated with web inspection, and other anti-developer-tools measures for defense evasion, such as disabling the browser’s right-click context menu.
- Use of various decoy pages to enhance credibility and mislead victims.
- A fallback phishing page designed to mimic legitimate platforms such as Microsoft Word Online or Media Player.
- Integration of an auto sign-in feature that activates if a username is embedded in the phishing configuration.
- Utilization of various AES decryption routines to obfuscate code and conceal C2 communication.
Figure 2. Monthly distribution of detected phishing pages from July 2024 to January 2025 related to Tycoon2FA.
Overlap between Dadsec and Tycoon2FA Operation
Around September 2023, our telemetry detected multiple phishing campaigns attributed to Storm-1575 (Dadsec), targeting users with fake Microsoft 365 credential harvesting pages. The attack begins with an email using various lures to entice the recipient into accessing a shared file, often including an HTML attachment. The phishing link typically follows this format:
hxxps://selligenttier.naylorcampaigns[.]com/<redacted>
hxxps://704movers[.]com/uwcz/IvhRh/ <redacted>
URL Pattern Legend:
- Initial URL
- Redirection URL
- Base64 Encoded Email Address
When accessed, the initial link redirects the user to a webpage with a specific URL structure. These URLs lead victims to phishing sites designed to impersonate Microsoft login pages. Analysis of these URLs uncovered several consistent patterns:
- The domain leverages “Cyber Panel”, an open-source web hosting platform.
- The victim’s username is pre-specified in the URL.
- The domain has “.RU” top-level domain (TLD).
- The domains are 5-10 alphanumeric characters long.
- The subdomains are 15-20 alphanumeric characters long.
hxxps://srciek0t8a31dz4.o4dnumvbqy[.]ru/qg2vpf/0dfrL4CL3sfYEEcLSXP1B7RAxX7tZhwbt5xbGT23YbHqHJuZa19OsFKMrfGkeZILgEC2A1aoUXhEoGhODvbL6HxN3ub?id=<Redacted Email Address>==
URL Pattern Legend:
- Initial URL
- Email Address
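The host and query characteristics listed above can be turned into a simple triage helper. The following is an added example written for this post (not code from Trustwave or from the kit): it refangs a reported URL, checks that the host matches the described subdomain/domain/TLD shape, and base64-decodes the `id` parameter. The path shape is not enforced, since the post only characterizes the host; the sample `id` value is a constructed encoding of `user@example.com`.

```python
import re
import base64
import binascii
from typing import Optional
from urllib.parse import urlsplit, unquote

# Host shape from the post: 15-20 alphanumeric subdomain, 5-10 alphanumeric
# domain, .ru TLD. Path shape is deliberately not enforced.
DADSEC_HOST_RE = re.compile(r"^(?P<sub>[a-z0-9]{15,20})\.(?P<dom>[a-z0-9]{5,10})\.ru$")
ID_PARAM_RE = re.compile(r"(?:^|&)id=([^&]*)")

# Constructed sample: hostname and path as quoted in the post, id value is a
# made-up base64 encoding of user@example.com. Defanged like the post's IOCs.
SAMPLE_URL = ("hxxps://srciek0t8a31dz4.o4dnumvbqy[.]ru/qg2vpf/"
              "0dfrL4CL3sfYEEcLSXP1B7RAxX7tZhwbt5xbGT23YbHqHJuZa19OsFKMrfGkeZILgEC2A1aoUXhEoGhODvbL6HxN3ub"
              "?id=dXNlckBleGFtcGxlLmNvbQ==")

def refang(url: str) -> str:
    """Turn the defanged notation used in reports back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def decode_email_param(query: str) -> Optional[str]:
    """Base64-decode the id= parameter, repairing missing padding; None if absent or invalid."""
    m = ID_PARAM_RE.search(query)
    if not m:
        return None
    token = unquote(m.group(1))          # handles %3D-escaped padding
    token += "=" * (-len(token) % 4)     # repair stripped padding
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def match_dadsec_url(url: str) -> Optional[dict]:
    """Return the extracted fields when the URL fits the Dadsec host pattern, else None."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    m = DADSEC_HOST_RE.match(host)
    if not m:
        return None
    return {
        "subdomain": m.group("sub"),
        "domain": m.group("dom") + ".ru",
        "email": decode_email_param(parts.query),
    }
```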
Figure 3. Network indicators from the 2023 Dadsec Phishing campaign (Source: urlquery.net).
The domains identified in the extracted redirection URLs from the initial phishing link resolve to a shared set of IP addresses and Autonomous System Numbers (ASNs), notably AS19871 (NETWORK-SOLUTIONS-HOSTING). There is a consistent interaction between these IP addresses and malicious files, primarily HTML and PDF, strongly indicating their active role in phishing campaigns.
Figure 4. Graph visualization of Phishing Campaign IOCs.
Further pivoting reveals numerous newly registered domains that follow a similar generic pattern and are linked to the same IP addresses. Additionally, these newly registered websites contain a unique PHP file named “res444.php”, which serves as a key component of the phishing kit.
Figure 5. Newly registered domains sharing the same webpage template. (Source: urlscan.io).
These domains often feature a web UI with a title page displaying “Works Creatively”. The repeated use of identical templates across multiple domains suggests a centralized phishing infrastructure.
Figure 6. URL results containing “res444.php” (Source: urlscan.io).
This PHP file is consistently found across multiple domains but is stored in different subdirectories. The following is an example of its drop location:
Figure 7. Open directory hosting “res444.php”.
By leveraging these artifacts, our team was able to trace the latest resources deployed by the Tycoon2FA actor. In earlier campaigns, the actor consistently used the PHP file “res444.php” as part of the phishing toolkit. However, in the latest campaign, observed as early as March 2025, Tycoon2FA introduced new PHP filenames, including:
- “cllascio.php”
- “.000.php”
Figure 8. Recent variant filenames observed in Tycoon2FA payload delivery infrastructure.
Tycoon2FA PhaaS Analysis
Tycoon2FA has been active since August 2023 and is suspected to be a clone of the Dadsec platform. It includes an MFA bypass feature and incorporates a Cloudflare security challenge. The phishing kit leverages the AiTM technique, utilizing an attacker-controlled server to host the phishing webpage. This server intercepts victim inputs, relays them to the legitimate service, and prompts the MFA request. Once the user completes the MFA challenge and authentication is successful, the attacker-controlled server captures session cookies. These stolen cookies enable attackers to replay the session and bypass MFA, even if the victim later changes their credentials.
The image below provides a detailed breakdown of the latest operations associated with the Tycoon 2FA phishing kit:
Figure 9. Overview of Tycoon 2FA PhaaS Operation.
Stage 1 – Initial Access
Threat actors leveraging Tycoon2FA primarily distribute their phishing pages through URL redirects or QR codes embedded within email attachments or the email body. The service offers ready-made phishing templates with file attachments, making it easier to run cybercrime campaigns.
Figure 10. Email attachment examples linked to Tycoon 2FA PhaaS.
For instance, some phishing HTML or PDF files use themes related to human resources, finance, or security alerts to entice victims into following the steps that ultimately lead to credential theft and bypassing multi-factor authentication (MFA). These files typically contain two key parts:
- Variable that stores the victim’s email.
- A blob of base64 encoded text.
Figure 11. HTML file used to decode the URL leading to a PHP resource.
The HTML code contains JavaScript, which dynamically retrieves additional content from the PHP file hosted on the phishing domain. Based on the code structure and execution flow, the final URL follows this pattern:
hxxps://americanwealthllc[.]com/cgi-bin/res444.php?2-68747470733a2f2f687265662e6c692f3f68747470733a2f2f376b437a2e6e636570726f73746f2e636f6d2f37387172632f-quail
URL Pattern Legend:
- Initial URL
- PHP File (res444.php, cllascio.php, or .000.php)
- Digit (2 or 4)
- Encoded Redirection URL (Phishing Kit)
- Email Address Placeholder (Name of Animal or Plant)
Note: As of January 2025, the placeholder email address in the phishing kit’s redirection URL structure has changed to a randomized pattern (e.g. _0x207c, _0x0442, and _0x53a1). This shift suggests an attempt to further obfuscate the redirection mechanism, making it harder to detect these IOCs through conventional pattern recognition.
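The query structure described above (digit, hex-encoded redirection URL, placeholder) lends itself to a decoder for hunting and IOC enrichment. The following is an added example written for this post, not code from Trustwave or from the kit: it accepts any of the three PHP filenames, hex-decodes the redirection URL, and labels the placeholder as a word-style or the newer `_0x` randomized style. `PAGE_URL` is the URL quoted above; `CONSTRUCTED_URL` is a made-up sample with an invented hostname and a redirect to `example.net`.

```python
import re
import binascii
from typing import Optional
from urllib.parse import urlsplit

# Query shape described in the post: <digit>-<hex redirect URL>-<placeholder>
PHP_RESOURCES = ("res444.php", "cllascio.php", ".000.php")
QUERY_RE = re.compile(r"^(?P<digit>[24])-(?P<hex>(?:[0-9a-fA-F]{2})+)-(?P<placeholder>[A-Za-z0-9_]+)$")
# Placeholder style seen from January 2025: _0x followed by four hex digits
RANDOM_PLACEHOLDER_RE = re.compile(r"^_0x[0-9a-fA-F]{4}$")

# URL quoted in the post, defanged as printed there.
PAGE_URL = ("hxxps://americanwealthllc[.]com/cgi-bin/res444.php?2-"
            "68747470733a2f2f687265662e6c692f3f68747470733a2f2f376b437a2e6e636570726f73746f2e636f6d2f37387172632f-quail")
# Constructed sample: invented host, newer filename, hex of https://example.net/, randomized placeholder.
CONSTRUCTED_URL = "https://phish.example/u/cllascio.php?4-68747470733a2f2f6578616d706c652e6e65742f-_0x207c"

def parse_tycoon_resource_url(url: str) -> Optional[dict]:
    """Decode a Tycoon2FA PHP-resource URL; None if the filename or query does not fit the pattern."""
    parts = urlsplit(url.replace("hxxp", "http").replace("[.]", "."))
    filename = parts.path.rsplit("/", 1)[-1]
    if filename not in PHP_RESOURCES:
        return None
    m = QUERY_RE.match(parts.query)
    if not m:
        return None
    try:
        redirect = binascii.unhexlify(m.group("hex")).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    placeholder = m.group("placeholder")
    return {
        "host": parts.hostname,
        "php_file": filename,
        "digit": int(m.group("digit")),
        "redirect_url": redirect,
        "placeholder": placeholder,
        "placeholder_style": "randomized" if RANDOM_PLACEHOLDER_RE.match(placeholder) else "word",
    }
```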