Tycoon2FA phishing toolkit releases major update to enhance anti-detection capabilities

Phishing as a Service (PhaaS) platform upgrades anti-detection capabilities
Tycoon2FA, a phishing toolkit that the security company Sekoia discovered in 2023, recently shipped a major update that substantially improves its ability to evade detection. The kit now combines several evasion techniques: a custom CAPTCHA rendered with HTML5 canvas, invisible Unicode characters embedded in obfuscated JavaScript, and anti-debugging scripts.


New obfuscation technique interferes with static analysis
A Trustwave research report notes: "Recent Tycoon2FA phishing pages use a clever obfuscation technique that uses invisible Unicode characters with JavaScript Proxy objects to effectively increase the difficulty of static analysis and delay script execution until runtime." The researchers documented the technique on a live phishing page; the corresponding Urlscan.io session is referenced in the report.
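A practitioner's first question about such a page is how to spot the invisible characters before trying to deobfuscate anything. The following static triage helper is an added example written for this article, not code from Trustwave or from the Tycoon2FA kit: it walks a JavaScript source string code point by code point, counts default-ignorable characters (zero-width and format characters, variation selectors, and the Hangul filler code points, which render as nothing yet are letters and therefore legal inside JavaScript identifiers), extracts identifiers that contain them, and notes whether the source constructs a Proxy. The code point list, the run-length threshold and the sample input are assumptions made for the example, not details taken from the report.

```javascript
// Added example: static triage of JavaScript source for invisible Unicode.
// Not the kit's code and not Trustwave's detection logic; the ranges below are
// an assumption covering common default-ignorable code points.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f],   // zero-width space / ZWNJ / ZWJ / LRM / RLM
  [0x2060, 0x2064],   // word joiner, invisible operators
  [0x2066, 0x206f],   // bidi isolates and deprecated format characters
  [0xfe00, 0xfe0f],   // variation selectors (Mn, allowed in identifiers)
  [0xfeff, 0xfeff],   // zero-width no-break space (BOM)
  [0x115f, 0x1160],   // Hangul Choseong / Jungseong Filler (Lo)
  [0x3164, 0x3164],   // Hangul Filler (Lo, valid identifier character)
  [0xffa0, 0xffa0],   // Halfwidth Hangul Filler (Lo, valid identifier character)
  [0xe0100, 0xe01ef], // variation selector supplement
];

// Assumption: a run of this many invisible code points in a row is worth flagging
// even when none of them sit inside an identifier (e.g. a payload in a string).
const RUN_THRESHOLD = 8;

// Rough identifier lexer: ES IdentifierName is ID_Start followed by ID_Continue,
// plus '$', '_' and ZWNJ/ZWJ. It is not a parser and will also match inside strings,
// which is acceptable for triage.
const IDENT_RE = /[\p{ID_Start}$_][\p{ID_Continue}$\u200C\u200D]*/gu;

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

function scanInvisibleUnicode(source) {
  const counts = new Map();
  let totalInvisible = 0;
  let longestRun = 0;
  let run = 0;

  // The string iterator yields whole code points, so astral characters count once.
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (isInvisible(cp)) {
      const key = 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
      counts.set(key, (counts.get(key) || 0) + 1);
      totalInvisible += 1;
      run += 1;
      if (run > longestRun) longestRun = run;
    } else {
      run = 0;
    }
  }

  // Identifiers that contain at least one invisible code point: these are the
  // names that look empty or ordinary in an editor but are distinct to the engine.
  const suspiciousIdentifiers = new Set();
  for (const m of source.matchAll(IDENT_RE)) {
    const ident = m[0];
    if ([...ident].some((c) => isInvisible(c.codePointAt(0)))) {
      suspiciousIdentifiers.add(ident);
    }
  }

  const usesProxy = /\bnew\s+Proxy\s*\(/.test(source);
  return {
    totalInvisible,
    byCodePoint: Object.fromEntries([...counts.entries()].sort((a, b) => a[0].localeCompare(b[0]))),
    longestRun,
    suspiciousIdentifiers: [...suspiciousIdentifiers],
    usesProxy,
    suspicious: suspiciousIdentifiers.size > 0 || longestRun >= RUN_THRESHOLD,
  };
}

// Constructed sample input (not a real Tycoon2FA page): an identifier made only of
// Hangul fillers, a string of zero-width characters, and a Proxy whose getter
// defers the work until a property is first read.
const SAMPLE = 'const \u3164\u3164\uFFA0 = "\u200B\u200B\u200D";\n' +
  'const h = new Proxy({}, { get(t, k) { return decode(\u3164\u3164\uFFA0); } });\n';

console.log(JSON.stringify(scanInvisibleUnicode(SAMPLE), null, 2));
```

Run it with Node (any version with Unicode property escapes). On the constructed sample it reports nine invisible code points, a single identifier composed entirely of Hangul fillers, and Proxy use; the same identifier printed to a terminal shows as nothing, which is the point of the technique.
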
Customized CAPTCHA system evades detection
Tycoon2FA has dropped third-party CAPTCHA services such as Cloudflare Turnstile in favour of a custom challenge drawn on an HTML5 canvas. Rendering random text with noise and distortion removes the recognisable fingerprint that a third-party widget leaves behind (its script URL and DOM markup), which scanners otherwise key on, and it also stalls automated analysis tools that cannot solve the challenge to reach the credential form behind it.

Multiple anti-debugging mechanisms extend the attack cycle
The platform deploys several anti-debugging scripts: they block browser developer tools, detect automation frameworks, disable the right-click context menu, and recognise when script execution has been paused in a debugger. Once analysis activity is detected, the page redirects the visitor to rakuten.com, which hides the phishing content from the analyst and prolongs the lifetime of the campaign.
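The behaviours listed above leave recognisable traces in page source, and a defender can triage a retrieved script for them before loading it in a sandbox. The scanner below is an added example written for this article (not code from the report or the kit): it runs a set of heuristic regular expressions over JavaScript source for the classes of anti-analysis behaviour the article describes (a `debugger` statement, a timing delta that reveals paused execution, a window-size check for open developer tools, a context-menu or F12 block, automation-framework markers) and separately extracts redirect targets so the analyst sees where a detected visitor is sent. The regexes, the scoring threshold and the sample snippet are assumptions made for the example; the redirect destination in the sample is the one the article names.

```javascript
// Added example: heuristic anti-debugging triage for JavaScript source.
// Not the kit's code and not Trustwave's YARA rules; every pattern and threshold
// here is an assumption chosen for illustration.
const INDICATORS = [
  { name: 'debugger-statement',   re: /\bdebugger\b/g },
  // "t0 = Date.now(); debugger; if (Date.now() - t0 > 100) ..." : a pause in a
  // debugger stretches the elapsed time well past the threshold.
  { name: 'paused-execution-timing', re: /\b(?:Date\.now|performance\.now)\(\)\s*-\s*\w+\s*>\s*\d+/g },
  // Docked developer tools shrink the viewport relative to the window frame.
  { name: 'devtools-size-check',  re: /\b(?:outerWidth|outerHeight)\s*-\s*(?:window\.|self\.)?(?:innerWidth|innerHeight)\b/g },
  { name: 'contextmenu-block',    re: /['"]contextmenu['"]|\.oncontextmenu\s*=/g },
  { name: 'keyboard-shortcut-block', re: /\bkeyCode\s*===?\s*(?:123|73|74|85)\b|['"]F12['"]/g },
  { name: 'automation-check',     re: /navigator\.webdriver|__nightmare|_phantom|callPhantom|__selenium|\$cdc_/g },
];

// Assumption: three or more distinct indicator classes in one script is a strong signal.
const CATEGORY_THRESHOLD = 3;

// Captures "location.href = '...'", "window.location = '...'" and
// "location.replace('...')" / "location.assign('...')".
const REDIRECT_RE =
  /(?:window\.|top\.|self\.|parent\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]|location\.(?:replace|assign)\s*\(\s*['"]([^'"]+)['"]\s*\)/g;

function scanAntiDebug(source) {
  const hits = {};
  for (const ind of INDICATORS) {
    const matches = source.match(ind.re);
    if (matches) hits[ind.name] = matches.length;
  }

  const redirectTargets = [];
  for (const m of source.matchAll(REDIRECT_RE)) {
    const url = m[1] || m[2];
    let host;
    try {
      host = new URL(url).hostname;   // throws for relative URLs
    } catch {
      host = '(relative)';
    }
    redirectTargets.push({ url, host });
  }

  const categories = Object.keys(hits).length;
  return {
    hits,
    categories,
    redirectTargets,
    externalRedirect: redirectTargets.some((t) => t.host !== '(relative)'),
    verdict: categories >= CATEGORY_THRESHOLD ? 'likely anti-analysis' : 'no strong signal',
  };
}

// Constructed sample (not a real Tycoon2FA script) combining the behaviours the
// article lists: context-menu and F12 blocking, a debugger timing trap, a
// devtools size check, an automation check, and a redirect to rakuten.com.
const SAMPLE = `
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.onkeydown = function (e) { if (e.keyCode === 123) return false; };
setInterval(function () {
  var t0 = Date.now(); debugger;
  if (Date.now() - t0 > 100 || window.outerWidth - window.innerWidth > 160 || navigator.webdriver) {
    window.location.replace("https://www.rakuten.com/");
  }
}, 500);
`;

console.log(JSON.stringify(scanAntiDebug(SAMPLE), null, 2));
```

The scanner is deliberately lexical: obfuscated kits will hide some of these strings, which is why the report pairs static rules with behavioural monitoring in a browser sandbox. A redirect on its own is not counted as an indicator, since benign pages redirect too; it is reported so the analyst can see the destination alongside the anti-debugging signals.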



Security defense recommendations
The report concludes: "The latest update of Tycoon2FA has clearly turned to the direction of covert evasion. Although there is no breakthrough in a single technology, the combination of technologies will greatly increase the difficulty of detection and response." The report also provides YARA rules for detection and recommends that security teams rely on behaviour-based monitoring, browser sandboxing, and deep inspection of JavaScript patterns to counter these techniques.