Tycoon Phishing Kit Activity Report - May 2025
Summary
Tycoon phishing kit operations demonstrated significant activity escalation throughout May 2025, with 2,842 total detections representing a concentrated campaign targeting Microsoft Office 365 credentials. The month showed a notable surge in the final week with activity levels nearly tripling compared to mid-month periods.
Note: This summary was generated with the assistance of AI.
Timeline Analysis
- Week 1 (May 1–7): 724 detections – High volume with broad usage across multiple infrastructures.
- Week 2 (May 8–14): 493 detections – 32% drop in activity indicates a pause for refinement.
- Week 3 (May 15–21): 374 detections – Continued decline. Minimal detections may reflect active avoidance of early takedown.
- Week 4 (May 22–31): 1,251 detections – Sharp 234% increase marks the month's peak. This escalation was likely timed to coincide with end-of-month financial workflows, maximizing the success of credential harvesting and potential BEC exploitation.
Key Findings
Infrastructure Summary
- Primary CDN: Cloudflare (ASN #13335) – 85%+ of operations
- Secondary Infrastructure: Microsoft Azure, Amazon AWS, Google Cloud
Target Patterns
- Exclusive focus on Microsoft Office 365 credential harvesting
- Base64-encoded victim email addresses in URLs
- Enterprise email systems specifically targeted
- BEC preparation indicators
Common Domain Patterns
- Spanish .es TLD exploitation: *.es
- Russian .ru TLD exploitation: *.ru
- Cloud storage abuse: Azure, Google Cloud buckets
- Legitimate site compromise: .gob.mx, business domains
Anomalies & Activity Shifts
- Campaign Timing: Final week surge aligns with business cycles
- Geographic Diversification: From Chile/Brazil to global infra
Phishing Landscape Analysis: May 2025
Summary
May 2025 demonstrated significant independent phishing activity with 8,338 total reports outside major phishing kit operations. The data reveals a mature threat actor ecosystem using cloud infrastructure, advanced brand impersonation, and diverse targeting strategies. Activity stayed consistently high, with cloud-hosted campaigns making up over 32% of all phishing infrastructure.
Note: This summary was generated with the assistance of AI.
Timeline Analysis
- Week 1 (May 1–7): 2,401 reports – Strong opening driven by established social media and financial phishing campaigns.
- Mid-month (May 15–22): 1,846 reports – Sustained targeting with continued abuse of Vercel and GitHub infrastructure.
- Week 4 (May 24–31): High volume continued, with an end-of-month surge aligned with government impersonation and financial cycles.
- Cloud-hosted campaigns: 2,726 instances, reflecting a strategic pivot toward resilient, decentralized infrastructure.
Key Findings
Infrastructure Dominance
- Cloudflare: ASN #13335, most-used CDN for hosting phishing content
- Amazon Web Services: Vercel.app, S3 buckets, EC2 instances widely abused
- GitHub Pages & Vercel: Top platforms for impersonation and clone sites
- TLD Usage: High abuse of .win, .xyz, .chat, .pro, and cloud-linked subdomains
Campaign Categories
- Social Media (35%): Facebook/Meta phishing dominated by 50+ Vercel variants
- Streaming Services (25%): Netflix, Amazon clones on GitHub.io
- Financial (20%): Chase, PayPal, Outlook phishing remained persistent
- Government (12%): E-devlet, DMV, French tax authority impersonations
- Crypto (8%): WalletConnect, DeFi spoofing campaigns
Technical Evolution
- Sophisticated redirect chains using sites like ringaraja.net, telehaber.com
- Standardized use of Base64 email encoding in phishing URLs
- Legit-looking assets from jsdelivr, cdnjs, and bootstrapcdn
- Emerging IPFS (dweb.link) use for hosting phishing content
Anomalies & Activity Shifts
- Geographic Shifts: Growth in Asia (China, Japan) and new activity in Lithuania, Turkey
- Cloud over bulletproof: Legitimate providers increasingly favored over traditional bulletproof hosting
- Hotel/Travel phishing surge: Booking.com-style clones using chained redirects
- Telegram impersonation spike: 200+ alerts on coordinated campaigns
- Technical anomalies: Long URLs, reused GitHub templates, and parallel Vercel deployments