

DNSFilter Research Warns Tycoon 2FA Expanding Phishing-as-a-Service Operation
Wednesday, July 9, 2025

65 root domain indicators of compromise identified in growing campaign

WASHINGTON, July 8, 2025 /PRNewswire/ -- DNSFilter researchers have discovered that the Tycoon 2FA phishing-as-a-service (PhaaS) platform has significantly expanded its operations, including surging use of Spanish (.es) domains. This expansion marks a strategic evolution in Tycoon 2FA's infrastructure design, demonstrating enhanced obfuscation techniques and highly targeted subdomain usage patterns. Understanding this shift is critical for defenders aiming to disrupt these operations, as traditional detection methods may fail against such ephemeral and compartmentalized infrastructure.

Tycoon 2FA is a sophisticated PhaaS platform that has been active since August 2023, specializing in adversary-in-the-middle attacks to bypass multi-factor authentication. Tycoon 2FA's infrastructure strategy relies on short-lived, burnable Fully Qualified Domain Names (FQDNs) hosted on longer-lived root domains, creating a two-tier system.

DNSFilter's researchers analyzed 11,343 unique FQDNs and found:

    --  Coordinated surge in Spanish domain infrastructure - 13 .es domains were
        activated simultaneously on April 7, and researchers have seen sustained
        activity using .es domains through June.
    --  Enhanced obfuscation techniques - Tycoon 2FA continues to refine its
        evasion methods, using tactics like nested encoding schemes that go deep
        within encrypted blobs and implementation of Base91 encoding alongside
        traditional Base64.
    --  Evidence of target-specific subdomain operations - Tycoon 2FA is likely
        using this approach, which entails creating or identifying subdomains
        within a larger domain that are tailored to a particular purpose,
        audience or target. One piece of evidence: 99.6% of subdomains
        received fewer than 10 total DNS queries.

DNSFilter researchers also identified 65 root domain indicators of compromise (IOCs), which will help network defenders implement more effective blocking strategies. Read the team's full findings here.

Will Strafach, Head of Security Intelligence & Solutions, DNSFilter, said: "Our research underscores the fact that bad actors continue to evolve their methods and become more sophisticated. Our research into Tycoon 2FA gives enterprise security teams actionable intelligence to enhance threat detection and reduce dwell time by focusing on persistent root domains. To stay safer amid this surge, organizations need to implement wildcard domain blocking for all 65 root domains that DNSFilter found and monitor for subdomain pattern matching."

About the company:
DNSFilter is a cybersecurity company that protects every click, leveraging AI-driven content filtering and threat protection to block threats 10 days earlier than competitors. DNSFilter's solution secures workers anywhere they are, helping to boost productivity, minimize compliance risk, and protect corporate brands on public Wi-Fi networks. Unlike traditional filtering solutions, DNSFilter deploys in minutes instead of days and is trusted by more than 43,000 organizations worldwide. Learn more about how DNSFilter is the first and last line of defense for corporate and hybrid networks at dnsfilter.com.

Media Contact
Shannon Van Every
Force4 Technology Communications
Shannon@force4.co

View original content to download multimedia: https://www.prnewswire.com/news-releases/dnsfilter-research-warns-tycoon-2fa-expanding-phishing-as-a-service-operation-302499781.html

SOURCE DNSFilter


