Advanced Tycoon2FA Phishing Kit Eludes Detection with Stealthy Updates and Custom CAPTCHA
April 14, 2025
The Tycoon2FA phishing kit, first discovered by Sekoia in 2023, has undergone significant updates that enhance its evasion capabilities.
These updates represent a strategic shift towards stealth and evasion, making it increasingly challenging for cybersecurity teams to detect and respond to threats.
One of the key features of the updated kit is its use of invisible Unicode characters in obfuscated JavaScript, complicating static analysis and deferring script execution until runtime.
Additionally, anti-debugging scripts have been implemented to block developer tools, detect automation, prevent right-click actions, and identify paused executions.
In situations where analysis is suspected, the phishing kit redirects users to rakuten.com, further obscuring its activities and prolonging phishing campaigns.
Among the new features, Tycoon2FA now employs a custom CAPTCHA created using HTML5 canvas, which replaces third-party CAPTCHAs like Cloudflare Turnstile.
Experts recommend that security teams implement behavior-based monitoring, browser sandboxing, and deeper inspection of JavaScript patterns to counter these advanced tactics.
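One way to act on the recommendation to inspect JavaScript patterns, given the kit's use of invisible Unicode characters, is to measure how many non-rendering code points a script contains. The following is an added example, not code from the cited reports. The page does not name the characters involved, so the filler set, the thresholds and both sample strings are assumptions constructed for illustration.

```python
import unicodedata

# Assumption: blank-rendering code points that are NOT category Cf
# (Hangul fillers are category Lo), listed explicitly.
BLANK_NON_CF = {0x115F, 0x1160, 0x3164, 0xFFA0}


def is_invisible(ch):
    """True for format characters (Cf) and the blank fillers above."""
    return unicodedata.category(ch) == "Cf" or ord(ch) in BLANK_NON_CF


def scan_script(source, min_run=8, max_ratio=0.2):
    """Count invisible code points in JavaScript source and flag dense use.

    A lone BOM or an emoji ZWJ is normal; long runs or a high share are not.
    Thresholds are illustrative assumptions, tune them on your own traffic.
    """
    total = run = longest = 0
    seen = set()
    for ch in source:
        if is_invisible(ch):
            total += 1
            run += 1
            longest = max(longest, run)
            seen.add(f"U+{ord(ch):04X}")
        else:
            run = 0
    ratio = total / len(source) if source else 0.0
    return {
        "total": total,
        "longest_run": longest,
        "ratio": round(ratio, 3),
        "codepoints": sorted(seen),
        "suspicious": longest >= min_run or ratio >= max_ratio,
    }


# Constructed samples (not taken from a real kit).
BENIGN = "\ufeffconst label = 'family: \U0001F468\u200d\U0001F469';\nconsole.log(label);\n"
SUSPECT = "const k = '" + "\u3164\uffa0\uffa0\u3164" * 6 + "';\n"

if __name__ == "__main__":
    for name, js in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_script(js))
```

Reporting the code points alongside the verdict lets an analyst see which characters triggered the flag before the script is ever executed.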
Summary based on 1 source
Source

Security Affairs • Apr 14, 2025
Tycoon2FA phishing kit rolled out significant updates