Analysis

Rockstar2FA, originally known as Dadsec OTT Rockstar has been extremely active lately with thousands of URLs blocked per month. We explore the most recent version of their PhaaS pages and explore the methods utilised for defense evasion, credential harvesting and communication. Read for high fidelity EntraID and webpage indicators.

In recent investigations into advanced phishing techniques, we analysed current PaaS portals and discovered new tactics employed by what appears to be an updated iteration of previously reported PaaS platforms, tentatively named Tycoon. Recent activity observed on Telegram coincided with the rollout of anti-bot measures, indicating ongoing enhancements in defense evasion strategies.

Tycoon PAAS has upgraded, with these portals being active again we will explore the similarities and any changes.

We explore previously reported x11 linux user agent strings in Azure Account Compromises, with distinct connections to Tycoon PAAS