Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials


Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by the notorious hacker group Storm-1575, also known as “Dadsec.”

Since September 2023, this group has been leveraging a Phishing-as-a-Service (PhaaS) platform called Tycoon2FA to target Microsoft 365 users, aiming to harvest credentials through meticulously crafted phishing pages.

This campaign, active since at least August 2023, showcases a disturbing evolution in phishing tactics, blending advanced evasion techniques with shared infrastructure between Dadsec and Tycoon2FA, pointing to a highly coordinated and interconnected PhaaS ecosystem.

Figure: Comparison of Tycoon2FA and Dadsec Dashboard

Sophisticated Phishing Campaign Targets Microsoft 365 Users

Investigations reveal that Tycoon2FA, suspected to be a clone or adaptation of Dadsec’s own phishing kit, employs an Adversary-in-the-Middle (AiTM) approach to intercept user inputs and bypass multi-factor authentication (MFA).

By hosting phishing pages on attacker-controlled servers, the platform captures session cookies and authentication tokens, enabling persistent access to compromised accounts even if victims change their passwords.

The campaign begins with deceptive emails containing HTML attachments or QR codes that redirect users to fake Microsoft login pages, often pre-filling the victim’s email address to enhance credibility.

Since July 2024, researchers have detected thousands of such phishing pages, supported by unique PHP resources like “res444.php,” and newer variants such as “cllascio.php” and “.000.php” introduced in March 2025, showcasing the adaptability of the threat actors.

Figure: URL results containing “res444.php”

Shared Infrastructure Reveals Deep Connections in PhaaS Ecosystem

A critical finding is the overlap in infrastructure between Dadsec and Tycoon2FA, suggesting a shared operational framework.

Domains linked to both platforms resolve to common IP addresses and Autonomous System Numbers (ASNs), notably AS19871 (NETWORK-SOLUTIONS-HOSTING), and often utilize the Russian top-level domain “.RU” with consistent URL patterns embedding victim data.

These domains, frequently hosted on CyberPanel, display templated webpages with identical HTML body hashes and titles like “Works Creatively,” indicating a centralized phishing toolkit.
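As an added defender-side example (not code from the Trustwave report or the Tycoon2FA kit), the script below flags proxy log entries that use the resource names cited above, pulls the embedded victim address out of the query string, and fingerprints fetched pages by title and normalized body hash so hosts serving the same template can be clustered. The log lines and HTML are constructed samples.

```python
import hashlib
import re
from urllib.parse import urlparse

# Resource names the report associates with Tycoon2FA phishing pages
TYCOON2FA_RESOURCES = {"res444.php", "cllascio.php", ".000.php"}

# Constructed proxy log lines (timestamp, user, URL); the hosts are not real indicators.
SAMPLE_LOG = """\
2025-03-10T09:12:44Z alice https://example-login.ru/res444.php?e=alice@example.com
2025-03-10T09:13:02Z bob https://intranet.example.com/sharepoint/doc.aspx
2025-03-10T09:15:19Z carol https://verify-msft.ru/cllascio.php?id=carol@example.com
2025-03-10T09:16:40Z dave https://cdn.example.org/assets/app.js
"""

def flag_url(url):
    """Return match details if the URL's leaf path is a known Tycoon2FA resource, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    leaf = parsed.path.rsplit("/", 1)[-1]
    if leaf not in TYCOON2FA_RESOURCES:
        return None
    # The kit embeds victim data in the URL; recover any e-mail address from the query
    email = re.search(r"[\w.+-]+@[\w-]+\.[\w.-]+", parsed.query)
    return {"host": host, "resource": leaf, "ru_tld": host.endswith(".ru"),
            "victim": email.group(0) if email else None}

def scan_log(log):
    """Run flag_url over every log line and return the hits with timestamp and user."""
    hits = []
    for line in log.splitlines():
        ts, user, url = line.split(maxsplit=2)
        match = flag_url(url)
        if match:
            hits.append({"ts": ts, "user": user, **match})
    return hits

def template_fingerprint(html):
    """(title, SHA-256 of whitespace-collapsed <body>) for clustering templated pages."""
    title = re.search(r"<title>(.*?)</title>", html, re.S | re.I)
    body = re.search(r"<body[^>]*>(.*?)</body>", html, re.S | re.I)
    text = re.sub(r"\s+", " ", body.group(1) if body else html).strip()
    return (title.group(1).strip() if title else None,
            hashlib.sha256(text.encode()).hexdigest())

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```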

Tycoon2FA further enhances its deception with custom Cloudflare Turnstile challenges and anti-analysis features, such as keystroke detection and disabling browser inspection tools, while deploying decoy pages mimicking legitimate platforms like Microsoft Word Online to lure unsuspecting users.

The technical sophistication of Tycoon2FA is evident in its use of AES-encrypted, Base64-encoded payloads that are decrypted at runtime to conceal command-and-control (C2) communications, alongside dynamic content adjustment based on browser detection.

Once credentials are entered, the phishing portal encrypts and exfiltrates data ranging from email addresses to geolocation details (obtained via services like “geojs”) to remote servers for validation.

This campaign’s ability to tailor phishing experiences, combined with its growing infrastructure, underscores the escalating threat posed by PhaaS platforms.

As these tools evolve, security teams must enhance intrusion analysis, adapt detection mechanisms, and foster collaboration within the cybersecurity community to counter the persistent and complex risks presented by groups like Storm-1575 and platforms like Tycoon2FA.
