Tycoon2FA Bypasses Microsoft, European Espionage Campaign, ResolverRAT Global Threat – Cybersecurity News [April 14, 2025]

This week’s cybersecurity news roundup isn’t just another string of breaches and exploits but a blueprint of how far threat actors have come and how swiftly they are advancing and increasing their attack surface. From phishing kits outsmarting MFA to malware operating entirely in memory, attackers are sharpening their tools and aiming at high-value Sharks and industry giants, even preying upon global healthcare providers and diplomatic channels. Let’s dig into what happened and how we can leverage our defenses and stay safe online!

Tycoon2FA Phishing Kit Evolves to Bypass Microsoft 365 Security Measures

Tycoon2FA, a phishing-as-a-service platform known for bypassing multi-factor authentication (MFA) on Microsoft 365 and Gmail, has received upgrades that make it harder to detect and more effective in targeting victims.

The new techniques now enable the platform to bypass security checks, trick email filters, and mislead users with convincing decoys. Initially discovered in October 2023 by Sekoia researchers, Tycoon2FA has since evolved into a more sophisticated threat. Trustwave’s latest analysis highlights several key upgrades.

The first is the use of invisible Unicode characters in JavaScript to hide binary data, which allows malicious payloads to be executed during runtime and avoid detection by static analysis tools or manual review. The second update is a shift from using Cloudflare Turnstile to a custom CAPTCHA rendered through HTML5 canvas. This change helps evade domain fingerprinting systems and gives attackers better control over the phishing page layout. Lastly, the kit now includes anti-debugging JavaScript designed to block tools like PhantomJS and Burp Suite. If suspicious behavior is detected, users are redirected to a real site like rakuten.com or shown a decoy page.

Tycoon2FA’s continued evolution shows how phishing kits are adapting fast. Organizations should block SVG email attachments, verify senders, and adopt phishing-resistant MFA like FIDO-2 keys to stay protected.

European Diplomats Targeted in New Wave of APT29 Phishing Campaigns

Midnight Blizzard, also known as APT29, has launched a spear-phishing campaign aimed at diplomatic organizations across Europe. The operation uses updated malware and convincing lures to slip past defenses. This threat group is allegedly considered to be associated with the SolarWinds supply chain attack.

The campaign took off in January 2025 and started with an email disguised as an invite to a wine tasting sent from domains like bakenhof[.]com or silry[.]com. If the recipient fits the targeting criteria, clicking the link triggers a download of wine.zip. The archive includes a PowerPoint executable, a legitimate DLL, and the malicious GrapeLoader payload. Through DLL sideloading, the malware quietly gathers host data, maintains persistence via the Windows Registry, and reaches out to a command-and-control (C2) server to fetch further instructions.

GrapeLoader replaces earlier loaders like RootSaw, using stealthier techniques like delayed execution and memory protection tricks to avoid detection. Its job is to deliver WineLoader, a modular backdoor disguised as a VMware DLL. The component collects detailed system info and supports deeper intrusion efforts, and its obfuscation methods complicate reverse engineering and detection.

If you want to stay protected, steer clear of unsolicited email links, monitor for unusual PowerPoint or DLL activity, and ensure all software is up to date.

ResolverRAT Malware Campaign Hits Global Pharma and Healthcare Sectors

A newly discovered remote access trojan named ResolverRAT is also being actively deployed in phishing campaigns aimed at pharmaceutical and healthcare organizations across multiple countries.

First identified by Morphisec, the malware is designed to operate in memory, making it harder to detect and analyze. Recent reports by CheckPoint and Cisco Talos have documented incidents relating to similar phishing infrastructure and delivery mechanisms. ResolverRAT is delivered through phishing emails posing as legal or copyright violation notices, customized in the local language of the recipient. These messages direct targets to download a seemingly legitimate executable (hpreader.exe), which then injects the RAT into memory using reflective DLL loading.

ResolverRAT stands out for running entirely in memory and leveraging .NET ‘ResourceResolve’ events to stealthily load malicious code without triggering typical API-based security alerts. It uses a complex state machine and analysis evasion tactics, such as fake code paths and sandbox detection, making it difficult to dissect. For persistence, it adds XOR-obfuscated registry entries in up to 20 locations and installs itself in folders like Startup and LocalAppData. Plus, the communication with command-and-control servers happens at randomized intervals, and large file exfiltration is done in 16KB chunks, with built-in error handling for unreliable networks.

The malware is tailored for stealth and resilience, presenting a growing threat. Organizations should bolster email filtering, limit execution of unverified executables, and monitor memory-level activity for irregular patterns to keep it at bay.

Conduent Confirms January Cyberattack Led to Client Data Breach

The major American business services and government contractor, Conduent, has confirmed that a cyberattack in January 2025 led to the disruption in business operations.

Conduent supports over 600 government and transportation agencies and serves half of the Fortune 100. The disclosure came through a regulatory filing, revealing that personal information linked to client end-users was accessed. The organization confirmed that attackers stole files tied to a limited number of its clients.

These files, as later determined by cybersecurity experts, included the personal data of individuals connected to client operations. They are still analyzing its impact and notifying the affected clients as required by law but say there is no evidence the stolen data has been leaked or offered for sale online. Actually, this is not the first time Conduent has been targeted; the Maze ransomware group previously hit the organization in 2020.

Organizations who wish to stay protected against such breaches need to regularly audit access controls, monitor data flow, and prepare detailed breach response plans to protect both client and user information.

DaVita Suffers Ransomware Attack Over Weekend, Disrupting Operations

This week, kidney care provider DaVita confirmed a ransomware attack that hit over the weekend, encrypting parts of its network and affecting some operations.

DaVita is a Fortune 500 organization with over 76,000 employees and more than 2,600 outpatient centers across 12 countries. It disclosed in an SEC Form 8-K filing that it suffered a ransomware attack on Saturday (12 April 2025). The incident encrypted portions of its network, which is a common tactic among ransomware groups that often strike on weekends to avoid immediate detection. Upon discovering the breach, DaVita activated its response protocols, isolated affected systems, and began containment efforts.

Although some operations have been disrupted, interim measures are in place to support ongoing services. The organization has not specified when full restoration will occur but highlighted that patient care continues and they have contingency plans rolled out to maintain critical treatments.

No ransomware group has claimed responsibility so far, either. For businesses and organizations looking to stay safe, it’s best to maintain strong backup practices, conduct regular security audits, and monitor network activity closely, especially over weekends.