Stealthier Tycoon2FA phishing kit appears as PhaaS platforms fuel SVG exploitation

Threat detection and endpoint security systems are being better evaded by a new iteration of the Tycoon2FA phishing-as-a-service kit, reports BleepingComputer.

Aside from leveraging invisible Unicode characters to conceal binary details within JavaScript and allow normal execution while bypassing manual and static analyses, the updated Tycoon2FA PhaaS kit has also replaced Cloudflare Turnstile with a custom CAPTCHA solution to better circumvent domain reputation systems, an analysis from Trustwave revealed. Additional stealth is also being enabled by a new anti-debugging JavaScript allowing the discovery of PhantomJS and other browser automation tools, said Trustwave researchers, who noted the new kit to allow redirections to decoy or legitimate pages upon the detection of suspicious activity. Another Trustwave report showed that Tycoon2FA and other PhaaS kits have facilitated a 1,800% increase in phishing intrusions exploiting malicious Scalable Vector Graphics files between April 2024 and March 2025. Such findings highlight the importance of blocking SVG attachments and implementing phishing-resistant multi-factor authentication.