Tycoon2FA PhaaS Platform Evolves with MFA Bypass and Stealth Tactics
- SISA Weekly Threat Watch -

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the discovery of CVE-2024-48887, a critical flaw in FortiSwitch that allows unauthenticated password changes through crafted HTTP requests, posing a severe risk to network infrastructure. Meanwhile, the Paper Werewolf group launched a targeted cyber-espionage campaign using PowerModul, a stealthy PowerShell-based backdoor, to infiltrate Russian critical sectors via phishing lures and modular implants. The Tycoon2FA PhaaS platform has also evolved, bypassing multi-factor authentication (MFA) on Microsoft 365 and Gmail using Unicode-laced JavaScript, fake CAPTCHAs, and obfuscated SVG files. Researchers have further identified ResolverRAT, a fileless malware targeting healthcare and pharma industries globally through phishing emails and in-memory DLL injection for stealthy persistence. Additionally, a new controller component tied to BPFDoor, a Linux backdoor that leverages the Berkeley Packet Filter (BPF), has surfaced. It enables firewall evasion, reverse shells, and password-based lateral movement across networks. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. Critical Unauthenticated Password Change Vulnerability in FortiSwitch
Fortinet has disclosed a critical vulnerability (CVE-2024-48887) in its FortiSwitch product line, allowing remote unauthenticated attackers to change admin passwords via crafted HTTP/HTTPS requests to the GUI. With a CVSS score of 9.3, the flaw is severe and exploitable without login credentials or local access. While no active exploitation has been reported, Fortinet products are frequently targeted once vulnerabilities are public.
The issue affects multiple versions from 6.4.0 to 7.6.0 and has been patched in newer releases. Fortinet recommends organizations immediately upgrade to secure versions, disable GUI access if not required, restrict access to trusted IPs, and monitor logs for unauthorized changes. Discovered internally, the vulnerability is classified under CWE-620 (Unverified Password Change).
Admins should also enforce strong passwords, back up configs, and run post-patch scans. Prompt remediation is essential to prevent potential compromise and maintain control over network infrastructure.
2. Paper Werewolf Targets Russian Infrastructure with Advanced PowerModul Implant
A cyber-espionage campaign by Paper Werewolf (also known as GOFFEE) targeted Russian sectors including government, energy, media, and telecom between July and December 2024, using a new PowerShell-based backdoor called PowerModul. The group, active since 2022, is known for phishing attacks, RATs, credential theft, and disruption tactics such as changing employee passwords.
Initial access was gained through macro-enabled Office documents or RAR archives containing disguised executables. Key implants include PowerModul, PowerTaskel, QwakMyAgent, and Owowa, used for script execution, privilege escalation, and stealing Outlook credentials. Tools like FlashFileGrabber and a USB worm helped steal and spread data via removable media.
The group has advanced its methods, now using VBA in Word documents, obfuscated shellcode, and modular agents. They’re also tied to Sapphire Werewolf and an enhanced version of the Amethyst stealer.
Recommendations to mitigate this risk include blocking macros and executables in email, using EDR tools, monitoring USB activity, auditing IIS modules, and tracking signs of credential compromise.
3. Tycoon2FA PhaaS Platform Evolves with MFA Bypass and Stealth Tactics
The Tycoon2FA Phishing-as-a-Service (PhaaS) platform has rapidly advanced, now capable of bypassing multi-factor authentication (MFA) on Microsoft 365 and Gmail using sophisticated evasion techniques. First identified in late 2023, Tycoon2FA now embeds Unicode in JavaScript, HTML5-based CAPTCHA, and anti-debugging scripts to hide malicious activity and avoid analysis.
A major development is the switch to self-hosted CAPTCHA, making phishing pages harder to trace. Additionally, phishing attacks using SVG files have surged by 1,800% over the past year. These files, disguised as voicemails or document icons, contain obfuscated JavaScript that redirects users to fake login pages.
To mitigate risks, organizations should block SVG attachments, implement phishing-resistant MFA like FIDO2, and deploy tools that detect obfuscated code and Unicode-based encoding. Ongoing employee training, browser isolation, and anomaly detection are also recommended to stay ahead of this evolving phishing threat landscape.
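As an added example (not code from the advisory or from any vendor), a Python triage check for the SVG-attachment mitigation above: it flags an SVG that carries script elements, event-handler attributes, javascript: links, or a run of \uXXXX escapes of the kind used to hide redirect code. The two samples are constructed for this example, and ESCAPE_THRESHOLD and the name inspect_svg are assumptions of this example, not anything from the original page.

```python
import re
import xml.etree.ElementTree as ET

# Heuristics from the advisory: script elements, event-handler attributes, javascript: links and \uXXXX escapes.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}")
ESCAPE_THRESHOLD = 8  # assumed tuning value; benign icon SVGs rarely contain any \uXXXX at all

def inspect_svg(data: str) -> dict:
    """Return a findings dict for one SVG document held in memory."""
    findings = {"script_elements": 0, "event_handlers": 0, "javascript_urls": 0,
                "unicode_escapes": 0, "parse_error": False}
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        findings["parse_error"] = True  # policy choice: not well-formed XML goes to manual review
    else:
        for el in root.iter():
            if el.tag.split("}")[-1].lower() == "script":
                findings["script_elements"] += 1
            for name, value in el.attrib.items():
                local = name.split("}")[-1]  # strip the XML namespace, e.g. xlink:href
                if EVENT_ATTR.match(local):
                    findings["event_handlers"] += 1
                if value.strip().lower().startswith("javascript:"):
                    findings["javascript_urls"] += 1
    # Count escapes over the raw text so encoded strings inside <script> are seen too.
    findings["unicode_escapes"] = len(UNICODE_ESCAPE.findall(data))
    findings["suspicious"] = (findings["parse_error"]
                              or findings["unicode_escapes"] >= ESCAPE_THRESHOLD
                              or any(findings[k] for k in ("script_elements", "event_handlers", "javascript_urls")))
    return findings

# Constructed samples: a plain icon and a voicemail-style lure written for this example.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24">
  <path d="M12 2a10 10 0 1 0 0 20 10 10 0 0 0 0-20z"/>
</svg>"""
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="60" onload="run()">
  <a xlink:href="javascript:run()"><text x="10" y="30">Play voicemail</text></a>
  <script>
    var u = "\\u0068\\u0074\\u0074\\u0070\\u0073\\u003a\\u002f\\u002f\\u0065\\u0078\\u0061\\u006d";
    function run() { location.href = u + "ple.invalid/login"; }
  </script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, inspect_svg(doc))
```

A real mail gateway would run this on every SVG attachment and quarantine anything marked suspicious; the counters are kept separate so analysts can see which heuristic fired.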
4. Stealthy In-Memory RAT Targets Healthcare and Pharma Sectors Globally
ResolverRAT is a newly discovered Remote Access Trojan targeting the healthcare and pharmaceutical sectors globally. Identified by Morphisec, this stealthy malware spreads through phishing emails disguised as legal or copyright notices, localized by region. Victims are lured into downloading a legitimate-looking executable, which uses reflective DLL injection to load ResolverRAT directly into system memory, avoiding detection.
What sets ResolverRAT apart is its fileless execution, use of the .NET ResourceResolve event, and advanced sandbox evasion. It achieves persistence by hiding XOR-obfuscated keys across registry paths and dropping copies into sensitive folders like Startup and Program Files. For command-and-control, it connects to attacker servers at randomized intervals and transfers stolen data in chunked formats.
Campaigns have been observed in languages like Italian, Hindi, Turkish, and more, underscoring its global reach. Defense strategies include monitoring memory-based threats, securing registry paths, enabling script auditing, and training staff against phishing lures.
5. New BPFDoor Controller Bypasses Firewalls to Enable Persistent Linux Server Access
BPFDoor, a stealthy Linux backdoor used for long-term cyber espionage, has resurfaced with a newly discovered controller module, expanding its capabilities in targeted attacks across telecom, finance, and retail sectors in countries like South Korea, Malaysia, and Egypt. Suspected to be linked to the Earth Bluecrow group, the malware leverages the Berkeley Packet Filter (BPF) to bypass firewalls, maintain persistence, and enable covert lateral movement.
The controller facilitates real-time reverse shells, connection redirection, and confirmation of infected systems using password-authenticated commands. With multi-protocol support (TCP, UDP, ICMP) and optional encryption, it avoids standard detection methods. A unique “magic byte” trigger within network packets activates the backdoor, even on restricted networks.
Although attribution remains tentative due to a 2022 source code leak, its use of kernel-level stealth, direct mode access, and password-validated control mark it as a sophisticated threat. Organizations should deploy kernel-level monitoring, enforce Linux hardening, and hunt for BPF-based anomalies to mitigate risk.
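As an added example (not from the advisory or from the BPFDoor research it summarises), a Python hunt for the BPF-based anomaly the recommendations call for: BPFDoor-style implants keep an AF_PACKET raw socket open with a packet filter attached, so the check lists every packet socket from /proc/net/packet, maps each inode to its owning process through /proc/<pid>/fd, and flags raw sockets not fully accounted for by an allowlist. The SAMPLE content and the KNOWN_GOOD allowlist are constructed assumptions of this example, and the function names are its own.

```python
import os
from pathlib import Path

SOCK_RAW = 3  # Type column; Proto column is ETH_P_* in hex (0x0003 ETH_P_ALL, 0x0800 ETH_P_IP)
# Assumed per-host allowlist of process names that legitimately hold packet sockets.
KNOWN_GOOD = {"tcpdump", "dhclient", "dhcpcd", "lldpd", "NetworkManager"}

def parse_packet_sockets(text):
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        f = line.split()
        if len(f) >= 9:
            rows.append({"type": int(f[2]), "proto": int(f[3], 16), "iface": int(f[4]),
                         "uid": int(f[7]), "inode": int(f[8])})
    return rows

def socket_owners(inodes, proc="/proc"):
    """Map socket inodes to (pid, comm) pairs by reading /proc/<pid>/fd symlinks."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    for pid_dir in Path(proc).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            comm = (pid_dir / "comm").read_text().strip()
            links = [os.readlink(fd) for fd in (pid_dir / "fd").iterdir()]
        except OSError:
            continue  # process exited or fd table not readable; run as root for full coverage
        for target in links:
            if target in wanted:
                owners.setdefault(wanted[target], []).append((int(pid_dir.name), comm))
    return owners
def triage(sockets, owners):
    """Flag raw packet sockets whose owner is unknown or not entirely on the allowlist."""
    flagged = []
    for s in sockets:
        pairs = owners.get(s["inode"], [])
        names = {comm for _, comm in pairs}
        if s["type"] == SOCK_RAW and not (names and names <= KNOWN_GOOD):
            flagged.append({**s, "owners": pairs})
    return flagged
# Constructed /proc/net/packet content for the example (not captured from a real host).
SAMPLE = """sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      41235
0000000000000000 3      3    0800   0     1 0      0      41240"""
if __name__ == "__main__":  # live hunt on this host
    live = parse_packet_sockets(Path("/proc/net/packet").read_text())
    print(triage(live, socket_owners([s["inode"] for s in live])))
```

Capture and discovery daemons legitimately hold packet sockets, so the output is a triage list to compare against the host's baseline, and a raw socket with no resolvable owner deserves a closer look rather than a verdict.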
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.