Tycoon 2FA Infrastructure Expansion: A DNS Perspective | DNSFilter

Written by Will Strafach | Jul 8, 2025 10:00:00 AM


Our analysis of Tycoon 2FA infrastructure has revealed significant operational changes, including the platform's coordinated expansion surge in Spanish (.es) domains starting April 7, 2025, and evidence suggesting highly targeted subdomain usage patterns. This blog shares our findings from analyzing 11,343 unique FQDNs (fully qualified domain names) and provides 65 root domain indicators of compromise (IOCs) to help network defenders implement more effective blocking strategies.

Background

Tycoon 2FA is a sophisticated phishing-as-a-service (PhaaS) platform that has been active since August 2023, specializing in adversary-in-the-middle (AiTM) attacks to bypass multi-factor authentication. The platform operates through a "C2 triangle" architecture consisting of three infrastructure components that can be hosted on different (or sometimes the same) FQDNs: phishing landing pages, target check/gateway APIs that return filtering decisions, and credential collection servers. This distributed approach uses ephemeral subdomains across slightly longer-lived root domains.

Individual threat actors handle victim targeting and luring, while the centralized Tycoon infrastructure manages the technical aspects of credential harvesting and session token theft. Rather than hosting phishing infrastructure themselves, attackers simply need to direct victims to specific links that leverage the shared Tycoon platform.

The platform typically employs several attack vectors: compromised web pages hosting "View Document" buttons that redirect to Tycoon infrastructure, malicious attachments containing embedded lures, and direct phishing emails. Once victims reach the Tycoon infrastructure, they encounter pages that often mimic Cloudflare verification screens before presenting fake Microsoft 365 login portals designed to harvest credentials and session cookies.

Figure: a real Microsoft login page beside a fake one. This picture shows the differences between a real and fake Microsoft login page, but sometimes there are no differences to spot. Checking the domain before entering credentials and having strict web filtering are still important to reduce compromise.

Tycoon 2FA's infrastructure strategy relies on short-lived, burnable FQDNs (individual subdomains) hosted on longer-lived root domains, creating a two-tier system. Our analysis, based on internal DNS resolver data, suggests this design may facilitate target-specific campaigns, as 99.6% of individual subdomains receive fewer than 10 DNS queries (median: 2 queries), indicating most subdomains serve very limited, potentially individualized purposes rather than broad campaign distribution. The platform continuously evolves its obfuscation techniques to slow down detection and analysis.

Novel Findings

Coordinated Expansion into Spanish (.es) Domains

While ANY.RUN has previously noted Tycoon 2FA's use of .es domains, our data reveals a coordinated operational surge in .es infrastructure starting April 7, 2025. Our monitoring shows 13 domains simultaneously going live on this date, representing a significant scaling of Spanish TLD (top level domain) operations that has not been previously quantified.

Key observations about the .es infrastructure:

  • Coordinated deployment: 13 domains went live simultaneously on April 7, 2025

  • Higher subdomain generation: .es domains demonstrate significantly more intensive subdomain generation compared to .ru infrastructure

  • Sustained operations: Multiple .es domains remain currently active with 18 domains showing activity through June 2025

Enhanced Obfuscation Techniques

Our analysis confirms that Tycoon 2FA continues refining its evasion methods. We've observed augmentations to publicly documented obfuscation techniques, including:

  • Implementation of Base91 encoding alongside traditional Base64

  • Nested encoding schemes going 1-2 layers deep within encrypted blobs

These changes appear designed to defeat automated decryption scripts rather than to represent a fundamental shift in obfuscation methodology.
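The nested Base64/basE91 layering described above is what an analyst has to unwind before the landing-page logic can be read. The following is an added example (not DNSFilter's tooling, and not code from the Tycoon 2FA kit): a basE91 codec following Joachim Henke's reference alphabet and bit-packing, plus a small layer-peeler that repeatedly tries strict Base64 and basE91 and keeps a layer only when it yields printable UTF-8. The two-layer sample blob is constructed inside the script.

```python
"""Peel nested Base64 / basE91 encoding layers from a blob.

Added example, not DNSFilter's or the Tycoon operators' code. The basE91
codec follows Joachim Henke's reference alphabet and bit-packing; the
sample payload and its two encoding layers are constructed here.
"""
import base64
import binascii

B91_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
                "!#$%&()*+,./:;<=>?@[]^_`{|}~\"")
B91_INDEX = {ch: i for i, ch in enumerate(B91_ALPHABET)}


def base91_encode(data: bytes) -> str:
    out, b, n = [], 0, 0
    for byte in data:
        b |= byte << n
        n += 8
        if n > 13:
            v = b & 8191
            if v > 88:              # 13-bit chunk fits two basE91 digits
                b >>= 13
                n -= 13
            else:                   # low 13 bits <= 88: pack 14 bits instead
                v = b & 16383
                b >>= 14
                n -= 14
            out.append(B91_ALPHABET[v % 91] + B91_ALPHABET[v // 91])
    if n:                           # flush the remaining bits
        out.append(B91_ALPHABET[b % 91])
        if n > 7 or b > 90:
            out.append(B91_ALPHABET[b // 91])
    return "".join(out)


def base91_decode(text: str) -> bytes:
    """Strict decoder: unlike the reference, a non-alphabet character raises."""
    out, v, b, n = bytearray(), -1, 0, 0
    for ch in text:
        if ch not in B91_INDEX:
            raise ValueError(f"not a basE91 character: {ch!r}")
        c = B91_INDEX[ch]
        if v < 0:
            v = c
            continue
        v += c * 91
        b |= v << n
        n += 13 if (v & 8191) > 88 else 14   # mirror the encoder's choice
        while n > 7:
            out.append(b & 255)
            b >>= 8
            n -= 8
        v = -1
    if v >= 0:                      # a single trailing digit
        out.append((b | v << n) & 255)
    return bytes(out)


def base64_strict(text: str) -> bytes:
    return base64.b64decode(text, validate=True)


DECODERS = [("base64", base64_strict), ("base91", base91_decode)]


def looks_like_text(data: bytes) -> bool:
    try:
        return data.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return False


def peel_layers(blob: str, max_layers: int = 4):
    """Return [(codec, decoded_text), ...] outermost first, stopping when no
    codec turns the current layer into printable text (i.e. the payload)."""
    layers, current = [], blob
    for _ in range(max_layers):
        for name, decode in DECODERS:
            try:
                candidate = decode(current)
            except (ValueError, binascii.Error):
                continue
            if candidate and looks_like_text(candidate):
                current = candidate.decode("utf-8")
                layers.append((name, current))
                break
        else:
            break
    return layers


# Constructed payload; spaces and the apostrophe are outside both alphabets,
# so the peeler knows to stop once it reaches it.
PLAINTEXT = "document.title = 'Sign in to your account'; // constructed payload"


def build_sample() -> str:
    """Constructed two-layer blob: basE91 inside, Base64 outside."""
    inner = base91_encode(PLAINTEXT.encode())
    return base64.b64encode(inner.encode()).decode()


if __name__ == "__main__":
    for codec, text in peel_layers(build_sample()):
        print(f"[{codec}] {text[:60]}")
```

The decoder deliberately raises on characters outside the basE91 alphabet instead of skipping them as the reference implementation does; that is what lets the peeler tell "this layer is not basE91" from "this layer decoded to garbage", and Base64 is tried first because every Base64 character is also a valid basE91 digit.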

Evidence of Target-Specific Subdomain Operations

Analysis of DNS query patterns across our 11,343 unique FQDN dataset reveals compelling evidence that Tycoon 2FA may employ target-specific subdomain generation:

  • 99.6% of subdomains received fewer than 10 total DNS queries
  • 94.3% received fewer than 5 queries
  • Median query count: 2 queries per subdomain

This usage pattern suggests most subdomains are created for specific campaigns or individual targets rather than broad distribution, explaining the platform's massive subdomain generation rates while maintaining operational security through compartmentalization.

Target-Specific Subdomain Strategy

Our analysis of 11,343 unique FQDNs across 65 root domains reveals sophisticated operational targeting:

  • Root domain persistence: Average operational lifetime of 29.2 days

  • FQDN specialization: 99.6% of individual subdomains receive fewer than 10 DNS queries in their lifespan (median: 2 queries)

  • Campaign specificity: Low query volumes suggest subdomains may be generated for specific targets or campaigns

  • Generation intensity: Average of 174 unique subdomains per root domain, with the most active domain hosting 619 subdomains
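The per-FQDN query counts under "Evidence of Target-Specific Subdomain Operations" and the per-root lifetime and subdomain figures in the list above are the kind of statistics a defender can reproduce from their own resolver logs. The script below is an added example, not DNSFilter's analysis pipeline: it parses a constructed log format ("timestamp client qname qtype rcode"), counts queries per FQDN, reports the share under 10 and under 5 queries with the median, and derives unique-subdomain counts and whole-day lifetimes per root domain. The root domains are taken from the IOC table; the subdomain labels, clients and timestamps are made up. The root-domain split assumes single-label public suffixes such as .es and .ru.

```python
"""Summarise burnable-subdomain usage from DNS resolver query logs.

Added example (not DNSFilter's analysis code). The log format and every
query below are constructed; the root domains come from the IOC table in
the post, the subdomain labels are invented.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed resolver log: "<timestamp> <client> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
2025-04-07T09:12:01Z 10.0.0.15 hq7zk.eqpwropc.es A NOERROR
2025-04-07T09:13:40Z 10.0.0.15 hq7zk.eqpwropc.es A NOERROR
2025-04-22T14:02:11Z 10.0.0.31 v2mxd.eqpwropc.es A NOERROR
2025-05-14T08:45:03Z 10.0.0.42 rt9qa.eqpwropc.es A NOERROR
2025-05-14T08:45:09Z 10.0.0.42 rt9qa.eqpwropc.es A NOERROR
2025-05-14T08:46:30Z 10.0.0.42 rt9qa.eqpwropc.es A NOERROR
2025-06-10T11:00:00Z 10.0.0.77 kx4pl.eqpwropc.es A NOERROR
2025-04-08T10:00:00Z 10.0.0.15 d7wnf.bnschb.ru A NOERROR
2025-04-08T10:00:05Z 10.0.0.15 d7wnf.bnschb.ru A NOERROR
2025-06-09T16:20:00Z 10.0.0.88 zg3hq.bnschb.ru A NOERROR
2025-06-09T16:20:02Z 10.0.0.88 zg3hq.bnschb.ru A NOERROR
2025-06-09T16:20:04Z 10.0.0.88 zg3hq.bnschb.ru A NOERROR
2025-06-09T16:21:10Z 10.0.0.88 zg3hq.bnschb.ru A NOERROR
2025-06-09T16:25:41Z 10.0.0.88 zg3hq.bnschb.ru A NOERROR
2025-03-03T07:30:00Z 10.0.0.9 p4qlm.aezeib.ru A NOERROR
2025-03-10T07:31:00Z 10.0.0.9 s9bvt.aezeib.ru A NOERROR
2025-03-10T07:31:03Z 10.0.0.9 s9bvt.aezeib.ru A NOERROR
"""


def parse_log(text):
    """Yield (timestamp, qname); qnames are lower-cased with the trailing dot dropped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _client, qname, *_rest = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), qname.lower().rstrip(".")


def root_domain(fqdn):
    """Last two labels. Assumption: single-label public suffixes (.es, .ru);
    use the Public Suffix List in production to handle suffixes like .com.es."""
    return ".".join(fqdn.split(".")[-2:])


def fqdn_query_counts(records):
    return Counter(qname for _ts, qname in records)


def subdomain_stats(counts):
    """Share of FQDNs under 10 and under 5 queries, plus the median, as in the post."""
    values = list(counts.values())
    total = len(values)
    return {
        "fqdns": total,
        "pct_under_10": 100.0 * sum(v < 10 for v in values) / total,
        "pct_under_5": 100.0 * sum(v < 5 for v in values) / total,
        "median_queries": median(values),
    }


def root_domain_stats(records):
    """Per root domain: unique subdomains, first/last seen and lifetime in whole days."""
    seen = defaultdict(lambda: {"subdomains": set(), "first": None, "last": None})
    for ts, qname in records:
        entry = seen[root_domain(qname)]
        entry["subdomains"].add(qname)
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return {
        root: {
            "unique_subdomains": len(e["subdomains"]),
            "first_seen": e["first"].date().isoformat(),
            "last_seen": e["last"].date().isoformat(),
            "lifetime_days": (e["last"].date() - e["first"].date()).days,
        }
        for root, e in seen.items()
    }


def analyse(text=SAMPLE_LOG):
    records = list(parse_log(text))
    return subdomain_stats(fqdn_query_counts(records)), root_domain_stats(records)


if __name__ == "__main__":
    per_fqdn, per_root = analyse()
    print(per_fqdn)
    for root, info in sorted(per_root.items(),
                             key=lambda kv: -kv[1]["unique_subdomains"]):
        print(root, info)
```

Run against real resolver logs, the interesting signal is the gap between the two tiers: a root that keeps accumulating fresh subdomains over weeks while each individual FQDN is queried only once or twice is the pattern the post describes, and it is a property of the root, not of any one query.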

Indicators of Compromise

The following table contains 65 root domains we believe are associated with Tycoon 2FA infrastructure. Network defenders should implement wildcard blocking at the root domain level (e.g., *.domain.tld) to achieve maximum coverage against this threat.

Root Domain        Lifetime           First Seen       Last Seen
-----------------  -----------------  ---------------  ---------------
aaoepshsq.es       Currently Active   June 2025        June 2025
eeacukybnpjg.es    Currently Active   June 2025        June 2025
eqpwropc.es        61-70 days         April 2025       June 2025
gkgqfod.es         61-70 days         April 2025       June 2025
grmpimqnat.es      61-70 days         April 2025       June 2025
hukqpeny.es        51-60 days         April 2025       June 2025
igzyhagplqy.es     Currently Active   June 2025        June 2025
jzgonpxuildt.es    61-70 days         April 2025       June 2025
kayatbqdqg.es      61-70 days         April 2025       June 2025
kzvjz.es           Currently Active   June 2025        June 2025
kyuze.es           Currently Active   June 2025        June 2025
onkttyhqjycn.es    Currently Active   June 2025        June 2025
pxihkdtkdqw.es     Currently Active   June 2025        June 2025
qsfajwsg.es        Currently Active   June 2025        June 2025
siferhs.es         51-60 days         April 2025       June 2025
smjaskgdtoyq.es    61-70 days         April 2025       June 2025
tjdneho.es         51-60 days         April 2025       June 2025
tvknzupwbdfg.es    Currently Active   June 2025        June 2025
ugyqwmm.es         61-70 days         April 2025       June 2025
vxdex.es           61-70 days         April 2025       June 2025
wgfnv.es           61-70 days         April 2025       June 2025
xrltbpv.es         51-60 days         April 2025       June 2025
xubyc.es           51-60 days         April 2025       June 2025
yqqeuvuu.es        51-60 days         April 2025       June 2025
zijtrr.es          61-70 days         April 2025       June 2025
aezeib.ru          6-10 days          March 2025       March 2025
aepafrzv.ru        6-10 days          February 2025    February 2025
ajcffp.ru          6-10 days          March 2025       March 2025
aldiwe.ru          Less than 1 day    March 2025       March 2025
aodhgh.ru          Less than 1 day    April 2025       April 2025
biijvi.ru          11-15 days         March 2025       March 2025
bnschb.ru          61-70 days         April 2025       June 2025
br-izeffs.ru       11-15 days         February 2025    February 2025
cjjivd.ru          61-70 days         April 2025       June 2025
cjtahr.ru          3 days             April 2025       April 2025
cuisbp.ru          11-15 days         March 2025       March 2025
djktgj.ru          11-15 days         March 2025       March 2025
drogdordr.ru       71-80 days         January 2025     April 2025
eabnpk.ru          61-70 days         April 2025       June 2025
fukbaf.ru          1 day              March 2025       March 2025
gadyks.ru          11-15 days         March 2025       March 2025
gijbwpyq.ru        61-70 days         April 2025       June 2025
glatrcisfx.ru      Currently Active   April 2025       June 2025
gqzxtn.ru          11-15 days         March 2025       March 2025
hjxjov.ru          11-15 days         March 2025       March 2025
hxnywi.ru          6-10 days          March 2025       March 2025
jaamzjd.ru         5 days             February 2025    March 2025
kdyukk.ru          6-10 days          March 2025       April 2025
kqnsgn.ru          1 day              March 2025       March 2025
lnlwyw.ru          1 day              March 2025       March 2025
mlniojjrwm.ru      61-70 days         April 2025       June 2025
mtytwr.ru          Less than 1 day    April 2025       April 2025
nmpjkg.ru          6-10 days          March 2025       March 2025
purpxqha.ru        61-70 days         April 2025       June 2025
revishbos.ru       51-60 days         January 2025     March 2025
szsnqp.ru          16-20 days         March 2025       April 2025
tjezyf.ru          11-15 days         March 2025       March 2025
tljepz.ru          Less than 1 day    March 2025       March 2025
udxbjl.ru          Less than 1 day    March 2025       March 2025
ujoybi.ru          6-10 days          March 2025       March 2025
v-bnhatn.ru        26-30 days         February 2025    March 2025
virbutr.ru         4 days             February 2025    February 2025
zpimlc.ru          61-70 days         April 2025       June 2025
zqrhhm.ru          61-70 days         April 2025       June 2025
zvaznx.ru          11-15 days         March 2025       March 2025


Defensive Recommendations

  1. Implement wildcard domain blocking for all 65 root domains listed above

  2. Monitor for subdomain pattern matching: Look for 4-6 character randomized subdomains on these domains
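Both recommendations, and the wildcard (*.domain.tld) guidance given with the IOC table, can be turned into a small resolver-side check. The script below is an added example, not DNSFilter's product code: it matches query names against a blocked-root set on label boundaries (so a look-alike such as "notbnschb.ru" is not caught by "bnschb.ru"), flags the 4-6 character alphanumeric leftmost label on monitored roots, and emits Response Policy Zone records in BIND RPZ syntax so the same list can be loaded into a resolver. Four roots are copied from the IOC table (the full list has 65); every query name used for illustration is constructed.

```python
"""Wildcard root-domain blocking plus the 4-6 character subdomain check.

Added example, not DNSFilter's product code. BLOCKED_ROOTS is a subset
of the IOC table above; the query names in SAMPLE_QUERIES are constructed.
"""
import re

# Subset of the IOC table; load all 65 root domains in practice.
BLOCKED_ROOTS = {"eqpwropc.es", "aaoepshsq.es", "bnschb.ru", "drogdordr.ru"}

# "4-6 character randomized subdomain" pattern from recommendation 2.
RANDOM_LABEL = re.compile(r"^[a-z0-9]{4,6}$")

# Constructed queries covering the cases the checks must get right.
SAMPLE_QUERIES = [
    "Hq7zk.eqpwropc.es.",          # burnable FQDN, mixed case, trailing dot
    "eqpwropc.es",                 # the root itself
    "abcdefghijk.bnschb.ru",       # blocked, but label too long to match pattern
    "notbnschb.ru",                # must not match on a substring
    "login.microsoftonline.com",   # legitimate, unrelated
]


def normalize(qname: str) -> str:
    """Case-fold and drop the trailing dot so 'Abc.Example.ES.' equals 'abc.example.es'."""
    return qname.strip().lower().rstrip(".")


def matching_root(qname: str, roots=BLOCKED_ROOTS):
    """Return the blocked root that qname equals or sits under, else None.
    Walking label suffixes (never substrings) is what makes *.domain.tld safe."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in roots:
            return candidate
    return None


def is_blocked(qname: str, roots=BLOCKED_ROOTS) -> bool:
    return matching_root(qname, roots) is not None


def has_random_label(qname: str, roots=BLOCKED_ROOTS) -> bool:
    """True when qname is under a monitored root and its leftmost label is a
    4-6 character alphanumeric string, the burnable-FQDN shape described above."""
    root = matching_root(qname, roots)
    name = normalize(qname)
    if root is None or name == root:
        return False
    leftmost = name[: -len(root) - 1].split(".")[0]
    return bool(RANDOM_LABEL.match(leftmost))


def rpz_records(roots=BLOCKED_ROOTS):
    """RPZ records that answer NXDOMAIN for each root and everything beneath it
    ('CNAME .' is the RPZ NXDOMAIN action)."""
    lines = []
    for root in sorted(roots):
        lines.append(f"{root} CNAME .")
        lines.append(f"*.{root} CNAME .")
    return lines


def triage(qnames, roots=BLOCKED_ROOTS):
    """Per query: blocked?, matched root, and whether it fits the random-label pattern."""
    return {
        q: {
            "blocked": is_blocked(q, roots),
            "root": matching_root(q, roots),
            "random_label": has_random_label(q, roots),
        }
        for q in qnames
    }


if __name__ == "__main__":
    for q, verdict in triage(SAMPLE_QUERIES).items():
        print(f"{q:30} {verdict}")
    print("\n".join(rpz_records()))
```

The random-label flag is not a second blocking rule; a query that was blocked and also carries the 4-6 character label is the one worth triaging first, because it most likely means a user actually followed a lure rather than a scanner touching the root.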

References and Prior Work

This research builds upon extensive community analysis of the Tycoon 2FA platform:

The coordinated expansion of .es infrastructure and the target-specific subdomain operational model demonstrate Tycoon 2FA's continued evolution as a sophisticated PhaaS threat. The platform's ability to generate thousands of specialized subdomains for individualized targeting, combined with persistent root domain infrastructure, creates a formidable challenge for traditional security approaches. By understanding these operational patterns and implementing root domain-level controls, defenders can achieve significantly better coverage against this advanced platform.