Microsoft, Europol, and industry partners announced a coordinated action to disrupt the service responsible for tens of millions of fraudulent emails reaching over 500,000 organizations each month worldwide. In addition, Microsoft published new analysis on the Tycoon2FA phishing-as-a-service (PhaaS) platform, which emerged in August 2023 and quickly became one of the most widely used adversary-in-the-middle (AiTM) phishing kits. The service was operated by a threat actor tracked as Storm-1747 and supported phishing campaigns that delivered tens of millions of messages monthly to more than 500,000 organizations across multiple sectors including government, healthcare, finance, education, and non-profits. The platform allowed attackers to impersonate authentication portals for services such as Microsoft 365, Outlook, SharePoint, OneDrive, and Gmail while providing operators with a centralized dashboard for configuring campaigns, managing infrastructure, and tracking compromised accounts. Tycoon2FA worked by acting as a proxy between the victim and the legitimate authentication service. When a target entered credentials on the phishing page, the kit relayed those credentials to the legitimate service in real time, triggered the MFA challenge, and captured the resulting authenticated session cookie once MFA was completed. This allowed attackers to access accounts without needing the password again and sometimes even after password resets if active sessions were not revoked. To evade detection, the platform used techniques such as dynamic CAPTCHA challenges, heavy code obfuscation, browser fingerprinting, geolocation filtering, redirect chains through legitimate services, and rapid domain rotation with short-lived phishing subdomains often lasting only 24–72 hours.

Impact: Tycoon2FA lowered the barrier to large-scale MFA bypass attacks by providing ready-to-use infrastructure and tooling for phishing operators. By capturing session cookies rather than just credentials, attackers could maintain authenticated access to targeted accounts and perform follow-on actions such as mailbox rule manipulation, data theft, additional phishing campaigns, or financial fraud. Because these campaigns mimic legitimate authentication flows and rely on real MFA interactions, organizations that rely solely on traditional MFA methods such as SMS or one-time passcodes remain vulnerable to account compromise through AiTM phishing.

Recommendation: Organizations should prioritize phishing-resistant authentication methods such as FIDO2 security keys, passkeys, Windows Hello for Business, or other passwordless MFA technologies to reduce the risk of session-cookie interception attacks. Enforce strict governance of authentication and identity systems by revoking active sessions when credentials are reset, auditing MFA device registrations, removing unauthorized inbox rules, and monitoring for suspicious sign-ins or token reuse. Email security controls such as link rewriting, time-of-click URL analysis, and automated phishing remediation should be enabled to reduce user exposure to malicious links and attachments. In addition, organizations should monitor for abnormal authentication behavior, suspicious redirect chains, and connections to known AiTM infrastructure while training users to recognize phishing attempts that impersonate common business workflows such as document sharing or account notifications.

Unit 42 disclosed an ongoing activity cluster it tracks as CL-UNK-1068, which it has observed since at least 2020 targeting organizations across South, Southeast, and East Asia. The activity has affected high-value sectors including aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications. Unit 42 assesses with high confidence that the operators are a Chinese threat actor and with moderate-to-high confidence that the primary objective is cyberespionage, though it said cybercriminal motivation cannot be fully ruled out. The activity relies on a broad toolset spanning Windows and Linux environments. Unit 42 observed the attackers using web shells such as GodZilla and a variation of AntSword for initial access, then stealing configuration files and other sensitive data from compromised servers. The group used legitimate Python executables for DLL side-loading, custom and community-sourced tools such as ScanPortPlus, FRP, Xnote, Mimikatz, LsaRecorder, DumpIt, Volatility, and SQL Server Management Studio Password Export Tool, along with multiple batch scripts for reconnaissance, credential theft, privilege escalation, log clearing, and file archiving. Unit 42 also described use of techniques such as Base64-encoding archived data with certutil and printing it through the web shell for exfiltration, rather than directly uploading files. This is confirmed operational activity observed over multiple campaigns, not proof-of-concept behavior.

Impact: The reported activity presents a significant risk to organizations in targeted sectors because it combines stealthy persistence, credential theft, reconnaissance, tunneling, and cross-platform tooling that can support long-term access and sensitive data theft. Unit 42 specifically observed theft of website configuration files, SQL-related data, browser artifacts, sensitive spreadsheet files, and database backups. The combination of open-source tools, custom malware, DLL side-loading, and living-off-the-land techniques makes the activity harder to distinguish from legitimate administrative behavior and may allow the threat actor to maintain covert access for extended periods.

Recommendation: Organizations should prioritize detection of behavioral patterns highlighted by Unit 42 rather than relying only on static indicators. Investigate misuse of legitimate Python binaries for DLL side-loading, deployment of unauthorized tunneling tools such as FRP, execution of custom reconnaissance batch scripts such as hp.bat, hpp.bat, rar.bat, or rr.bat, and suspicious use of WinRAR, certutil, type, DumpIt, Volatility, Mimikatz, and SQL credential extraction utilities on servers. Review both Windows and Linux environments for evidence of credential theft, tunneling, archived data staged for exfiltration, unexpected web shell activity, and unauthorized access to web server or SQL configuration files.

Microsoft Threat Intelligence discloseda widespread ClickFix social engineering campaign observed in February 2026 that uses Windows Terminal as the primary execution mechanism to deploy Lumma Stealer. Instead of the more familiar Win + R workflow, the campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal directly. Microsoft said the lures were delivered through fake CAPTCHA pages, troubleshooting prompts, and similar verification-style themes designed to convince users to paste attacker-supplied commands. The attack begins when a user pastes a hex-encoded, XOR-compressed command into Windows Terminal. In one path, the command spawns additional Terminal and PowerShell instances, decodes the script, downloads a ZIP payload and a legitimate but renamed 7-Zip binary, and then extracts additional components. Microsoft said the follow-on activity includes retrieving more payloads, creating scheduled-task persistence, configuring Microsoft Defender exclusions, collecting machine and network data, and injecting Lumma Stealer into chrome.exe and msedge.exe using QueueUserAPC(). In a second path, the command downloads a randomly named batch script into AppData\Local, writes a VBScript into %TEMP%, re-executes through cmd.exe and MSBuild.exe, and connects to crypto blockchain RPC endpoints, which Microsoft said indicates etherhiding. Exploitation is confirmed by Microsoft’s observed campaign activity.

Impact: This campaign increases risk because it shifts ClickFix execution into Windows Terminal, which can appear more legitimate to users and may bypass detections built around Run dialog abuse. The resulting Lumma Stealer activity targets browser credential stores such as Web Data and Login Data, enabling theft of stored credentials and other browser artifacts. The observed follow-on behaviors also show potential for broader host compromise through persistence, defense evasion, system reconnaissance, and LOLBin abuse.

Recommendation: Hunt for suspicious wt.exe, PowerShell, cmd.exe, VBScript, MSBuild.exe, and renamed 7-Zip execution chains, especially where they originate from user-driven copy-and-paste activity or lead to files dropped in AppData\Local or %TEMP%. Review systems for unexpected scheduled tasks, unauthorized Microsoft Defender exclusions, outbound connections associated with crypto blockchain RPC endpoints, and signs of QueueUserAPC()-based injection into chrome.exe or msedge.exe.