---
title: "Tycoon2FA Bypasses Microsoft, European Espionage Campaign, ResolverRAT Global Threat, Cybersecurity News [April 14, 2025] | DuoCircle"
description: "Tycoon2FA Bypasses Microsoft, European Espionage Campaign, ResolverRAT Global Threat, Cybersecurity News [April 14."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-17-of-2025/"
---

Quick Answer

Cybersecurity stories from the week of April 14, 2025: the Tycoon2FA phishing kit added new evasion techniques to bypass Microsoft 365 multi-factor authentication, including custom CAPTCHAs and obfuscated JavaScript. APT29 (Cozy Bear) launched a new wave of phishing aimed at European diplomats. The ResolverRAT remote-access trojan campaign hit pharmaceutical and healthcare targets globally. Conduent confirmed that its January cyberattack resulted in client data theft. And kidney-care provider DaVita disclosed a weekend ransomware incident that disrupted operations. The week reinforced how phishing kits and APT operations continue to outpace baseline MFA and email defenses without layered controls in place.

Tycoon2FA Bypasses Microsoft, European Espionage Campaign, ResolverRAT Global Threat, Cybersecurity News \[April 14, 2025\]


[ Download episode](https://media.mailhop.org/duocircle/images/2025/04/Tycoon2FA-Bypasses-Microsoft-European-Espionage-Campaign-ResolverRAT-Global-Threat---Cybersecurity-News-April-14-2025.mp3) 


![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/04/spf-record-tester-5743.jpg) 

This week’s [cybersecurity](/) news roundup isn’t just another string of breaches and exploits; it is a blueprint of how far [threat actors](/phishing-protection/threat-actors-exploit-google-calendar-for-phishing-and-spoofing/) have come and how swiftly they are advancing and widening their reach. _From phishing kits outsmarting MFA to malware operating entirely in memory, attackers are sharpening their tools and aiming at high-value targets and industry giants, even preying upon global healthcare providers and diplomatic channels_. Let’s dig into what happened and how we can strengthen our **defenses and stay safe online**!

## Tycoon2FA Phishing Kit Evolves to Bypass Microsoft 365 Security Measures

[Tycoon2FA, a phishing-as-a-service](https://www.proofpoint.com/us/blog/email-and-cloud-threats/tycoon-2fa-phishing-kit-mfa-bypass) platform known for **bypassing multi-factor authentication (MFA)** on Microsoft 365 and Gmail, has received upgrades that make it harder to detect and more effective in targeting victims.

The new techniques now enable the **platform to bypass security checks**, trick [email filters](/content/email-spam-filter), and mislead users with convincing decoys. Initially discovered in October 2023 by Sekoia researchers, Tycoon2FA has since evolved into a more sophisticated threat. [Trustwave’s](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025/) latest analysis highlights several key upgrades.

The first is the use of invisible Unicode characters in JavaScript to hide binary data, which allows [malicious payloads](https://www.bleepingcomputer.com/news/security/hackers-push-usb-malware-payloads-via-news-media-hosting-sites/) to be executed at runtime while evading static analysis tools and manual review. The second update is a shift from Cloudflare Turnstile to a custom CAPTCHA rendered through an **HTML5 canvas**. This change helps evade domain fingerprinting systems and gives attackers better control over the [phishing page layout](https://www.infosecurity-magazine.com/news/phishwp-plugin-enables-payment/). Lastly, the kit now includes anti-debugging JavaScript designed to block tools like PhantomJS and Burp Suite. If suspicious behavior is detected, users are redirected to a real site like rakuten.com or shown a decoy page.
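As an added illustration (not code from Trustwave's analysis or from this post), the scanner below flags JavaScript that carries long runs of invisible Unicode characters, the hiding technique described above, and reports where they sit. The two sample scripts are constructed, and the "two code point" heuristic is an assumption about how such data is commonly encoded, not something the analysis states.

```python
"""Scan JavaScript for runs of invisible Unicode characters that can carry
hidden data past static review (constructed samples, detection only)."""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass

# Code points that render as nothing but are not in Unicode's Cf (format)
# category, so a category check alone would miss them (Hangul fillers).
EXTRA_INVISIBLE = frozenset("\u3164\uffa0\u115f\u1160")


def is_invisible(ch: str) -> bool:
    return ch in EXTRA_INVISIBLE or unicodedata.category(ch) == "Cf"


@dataclass(frozen=True)
class Run:
    line: int                    # 1-based line of the run's first character
    col: int                     # 0-based column on that line
    length: int
    codepoints: tuple[str, ...]  # distinct code points used, sorted


def find_invisible_runs(source: str, min_len: int = 8) -> list[Run]:
    """Return runs of at least min_len consecutive invisible characters.

    min_len keeps a lone BOM or soft hyphen from raising an alert; data
    hidden one code point per bit needs far longer runs than that.
    """
    runs, i, n = [], 0, len(source)
    line, line_start = 1, 0
    while i < n:
        if source[i] == "\n":
            line, line_start, i = line + 1, i + 1, i + 1
            continue
        if not is_invisible(source[i]):
            i += 1
            continue
        j = i
        while j < n and is_invisible(source[j]):
            j += 1
        if j - i >= min_len:
            cps = tuple(sorted({f"U+{ord(c):04X}" for c in source[i:j]}))
            runs.append(Run(line, i - line_start, j - i, cps))
        i = j
    return runs


def verdict(source: str, min_len: int = 8) -> dict:
    """Summarise a script: how much of it is invisible, and whether a run
    uses exactly two code points (assumption: a hint of per-bit encoding)."""
    runs = find_invisible_runs(source, min_len)
    hidden = sum(r.length for r in runs)
    return {
        "suspicious": bool(runs),
        "runs": len(runs),
        "hidden_chars": hidden,
        "hidden_ratio": round(hidden / max(len(source), 1), 3),
        "two_codepoint_runs": sum(len(r.codepoints) == 2 for r in runs),
    }


# Constructed samples: an ordinary script and one with 32 Hangul filler
# characters (U+3164 / U+FFA0, both invisible) parked in a string literal.
CLEAN_JS = "function login(u, p) {\n  return fetch('/api', {method: 'POST'});\n}\n"
HIDDEN_JS = ("var k = '" + "".join("\u3164\uffa0"[int(b)] for b in "01100001" * 4)
             + "';\nuse(k);\n")

if __name__ == "__main__":
    for name, src in (("clean.js", CLEAN_JS), ("hidden.js", HIDDEN_JS)):
        print(name, verdict(src))
        for r in find_invisible_runs(src):
            print(f"  line {r.line} col {r.col}: {r.length} chars {r.codepoints}")
```

A single byte-order mark at the top of a file stays below the run threshold, so ordinary UTF-8 sources do not trip the check.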

[![ phishing](https://media.mailhop.org/duocircle/images/2025/04/spf-record-8843.jpg)](https://media.mailhop.org/duocircle/images/2025/04/spf-record-8843.jpg)

Tycoon2FA’s continued evolution shows how quickly phishing kits adapt. Organizations should block SVG [email attachments](https://www.computerweekly.com/news/366605874/Phishing-links-becoming-bigger-threat-than-email-attachments), verify senders, and adopt [phishing-resistant MFA](https://www.cybersecuritydive.com/news/federal-agencies-advance-mfa/688514/) like **FIDO2 keys to stay protected**.

## European Diplomats Targeted in New Wave of APT29 Phishing Campaigns

Midnight Blizzard, also known as [APT29](https://attack.mitre.org/groups/G0016/), has [launched a spear-phishing campaign](https://cert.pl/en/posts/2023/12/apt29-teamcity/) aimed at diplomatic organizations across Europe. The operation uses updated malware and convincing lures to **slip past defenses**. This threat group is also believed to be associated with the [SolarWinds](https://attack.mitre.org/campaigns/C0024/) supply chain attack.

The **campaign took off in January 2025** and started with an email disguised as an invite to a wine tasting sent from domains like bakenhof\[.\]com or silry\[.\]com. If the recipient fits the targeting criteria, clicking the link triggers a download of wine.zip. The archive includes a PowerPoint executable, a legitimate DLL, and the [malicious GrapeLoader payload](https://cybersecuritynews.com/apt29-hackers-employs-grapeloader/). Through DLL sideloading, the malware quietly gathers host data, maintains persistence via the Windows Registry, and reaches out to a [command-and-control (C2) server](https://www.trendmicro.com/vinfo/in/security/definition/command-and-control-server) to fetch further instructions.

_GrapeLoader replaces earlier loaders like RootSaw, using stealthier techniques like delayed execution and memory protection tricks to avoid detection_. Its job is to deliver WineLoader, a modular backdoor disguised as a [VMware DLL](https://www.securityweek.com/vmware-tools-flaw-allowed-code-execution-dll-hijacking/). The component collects detailed system info and supports deeper intrusion efforts, and its obfuscation methods complicate reverse engineering and detection.

If you want to stay protected, steer clear of unsolicited email links, monitor for unusual PowerPoint or DLL activity, and ensure all **software is up to date**.
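To show what "monitor for unusual PowerPoint or DLL activity" can look like in practice, here is an added detection example (not part of the original post or of any vendor's tooling) that flags DLL sideloading from a user-writable directory in image-load records, the pattern the GrapeLoader chain above relies on. The record format, paths, file names and signers are all constructed for the demonstration.

```python
"""Flag DLL sideloading from user-writable directories (detection only)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories an ordinary user can write to, where an extracted archive
# normally lands. Assumption: a minimal list; extend it for your estate.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:downloads|desktop|documents|appdata\\local\\temp)"
    r"|temp|windows\\temp)\\", re.I)


@dataclass(frozen=True)
class ImageLoad:
    image: str          # process that performed the load
    image_signer: str   # "" when unsigned
    loaded: str         # module that was loaded
    loaded_signer: str  # "" when unsigned


@dataclass(frozen=True)
class Alert:
    record: int         # 1-based index of the record in the input
    image: str
    loaded: str
    severity: str       # "low" or "high"
    reasons: tuple[str, ...]


def parse_record(line: str) -> ImageLoad:
    """Parse 'Key: value|Key: value' (constructed format, Sysmon-like names)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return ImageLoad(fields["Image"], fields.get("ImageSigner", ""),
                     fields["ImageLoaded"], fields.get("LoadedSigner", ""))


def assess(ev: ImageLoad, record: int) -> Alert | None:
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.loaded)
    if dll.suffix.lower() != ".dll":
        return None
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    if not (same_dir and USER_WRITABLE.match(ev.image)):
        return None
    reasons = ["DLL loaded from the loader's own user-writable directory"]
    severity = "low"  # portable apps legitimately look like this
    if ev.image_signer and ev.loaded_signer != ev.image_signer:
        # A vendor-signed executable pulling in a DLL that vendor did not
        # sign is the hallmark of sideloading via a legitimate binary.
        reasons.append(f"executable signed by {ev.image_signer!r} loaded a DLL "
                       f"signed by {ev.loaded_signer or 'nobody'!r}")
        severity = "high"
    return Alert(record, ev.image, ev.loaded, severity, tuple(reasons))


def scan(lines: list[str]) -> list[Alert]:
    found = (assess(parse_record(l), n) for n, l in enumerate(lines, 1))
    return [a for a in found if a is not None]


# Constructed sample records; every path, name and signer is invented.
SAMPLE_LOG = [
    "Image: C:\\Program Files\\Vendor\\Viewer\\viewer.exe|ImageSigner: Vendor Inc"
    "|ImageLoaded: C:\\Program Files\\Vendor\\Viewer\\render.dll|LoadedSigner: Vendor Inc",
    "Image: C:\\Users\\alice\\Downloads\\wine\\viewer.exe|ImageSigner: Vendor Inc"
    "|ImageLoaded: C:\\Users\\alice\\Downloads\\wine\\render.dll|LoadedSigner:",
    "Image: C:\\Users\\alice\\Downloads\\tool\\tool.exe|ImageSigner: Portable Apps"
    "|ImageLoaded: C:\\Users\\alice\\Downloads\\tool\\plugin.dll|LoadedSigner: Portable Apps",
    "Image: C:\\Users\\alice\\Downloads\\wine\\viewer.exe|ImageSigner: Vendor Inc"
    "|ImageLoaded: C:\\Windows\\System32\\kernel32.dll|LoadedSigner: Microsoft Windows",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"record {a.record} [{a.severity}] {a.image} -> {a.loaded}")
        print("   ", "; ".join(a.reasons))
```

Only the second record reaches high severity; a portable tool in Downloads whose DLL carries the same signer is reported at low severity so the rule can be tuned rather than silenced.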

[![ malware ](https://media.mailhop.org/duocircle/images/2025/04/spf-record-check-8843.jpg)](https://media.mailhop.org/duocircle/images/2025/04/spf-record-check-8843.jpg)

## ResolverRAT Malware Campaign Hits Global Pharma and Healthcare Sectors

A newly discovered remote access trojan named ResolverRAT is also being actively deployed in [phishing campaigns](https://hackread.com/ongoing-phishing-campaign-targets-employees/) aimed at pharmaceutical and healthcare organizations across multiple countries.

First [identified by Morphisec](https://www.morphisec.com/blog/new-malware-variant-identified-resolverrat-enters-the-maze/), the malware is designed to operate in memory, making it harder to detect and analyze. Recent reports by [CheckPoint](https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/) and [Cisco Talos](https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/) have documented incidents relating to similar phishing infrastructure and delivery mechanisms. ResolverRAT is delivered through phishing emails posing as legal or copyright violation notices, customized in the **local language of the recipient**. These messages direct targets to download a seemingly legitimate executable (hpreader.exe), which then injects the RAT into memory using reflective DLL loading.

ResolverRAT stands out for running entirely in memory and leveraging .NET ‘ResourceResolve’ events to stealthily load [malicious code](https://www.malwarebytes.com/blog/news/2024/11/malicious-qr-codes-sent-in-the-mail-deliver-malware) without triggering typical **API-based security alerts**. It uses a complex state machine and analysis evasion tactics, such as fake code paths and sandbox detection, making it difficult to dissect. _For persistence, it adds XOR-obfuscated registry entries in up to 20 locations and installs itself in folders like Startup and LocalAppData_. Communication with command-and-control servers also happens at randomized intervals, and large file exfiltration is done in 16KB chunks, with built-in error handling for unreliable networks.

[![API-Based Security Alerts](https://media.mailhop.org/duocircle/images/2025/04/email-smtp-service-5747.jpg)](https://media.mailhop.org/duocircle/images/2025/04/email-smtp-service-5747.jpg)

The malware is tailored for stealth and resilience, presenting a growing threat. Organizations should bolster email filtering, limit execution of unverified executables, and **monitor memory-level activity** for irregular patterns to keep it at bay.

## Conduent Confirms January Cyberattack Led to Client Data Breach

The **major American business services** and government contractor, Conduent, has confirmed that a [cyberattack](https://www.crn.com/news/security/2025/conduent-discloses-theft-of-client-data-in-hack-significant-number-of-individuals-impacted) in January 2025 led to a disruption of business operations.

Conduent supports over 600 government and transportation agencies and serves half of the Fortune 100. The disclosure came [through a regulatory filing](https://www.sec.gov/Archives/edgar/data/1677703/000167770325000067/cndt-20250409.htm), revealing that personal information linked to **client end-users was accessed**. The organization confirmed that attackers stole files tied to a limited number of its clients.

[![Cybersecurity](https://media.mailhop.org/duocircle/images/2025/04/dmarc-report-service-3849.jpg)](https://media.mailhop.org/duocircle/images/2025/04/dmarc-report-service-3849.jpg)

These files, as later determined by cybersecurity experts, included the personal data of individuals connected to client operations. Conduent is still analyzing the impact and notifying the [affected clients](https://www.facebook.com/wisdcf/posts/911192197854862) as required by law, but says there is no evidence the stolen data has been leaked or offered for sale online. This is not the **first time Conduent** has been targeted; the Maze [ransomware group](https://www.scworld.com/news/new-lockbit-linked-ransomware-group-targets-fortinet-vulnerabilities) previously hit the organization in 2020.

Organizations that wish to stay protected against such breaches **need to regularly audit access controls**, monitor data flows, and prepare detailed breach response plans to protect both client and user information.

## DaVita Suffers Ransomware Attack Over Weekend, Disrupting Operations

This week, kidney care **provider DaVita confirmed** a ransomware attack that hit over the weekend, encrypting parts of its network and affecting some operations.

[![ ransomware attack ](https://media.mailhop.org/duocircle/images/2025/04/spf-record-tester-8843.jpg)](https://media.mailhop.org/duocircle/images/2025/04/spf-record-tester-8843.jpg)

DaVita is a Fortune 500 organization with over 76,000 employees and more than 2,600 outpatient centers across 12 countries. It disclosed in an [SEC Form 8-K filing](https://www.sec.gov/Archives/edgar/data/927066/000119312525079593/d948299d8k.htm) that it suffered a [ransomware attack](https://www.darkreading.com/endpoint-security/us-leads-alliance-cut-off-ransomware-attack-payments) on **Saturday (12 April 2025)**. The incident encrypted portions of its network, and the timing is typical of ransomware groups, which often strike on weekends to delay detection. Upon discovering the breach, DaVita activated its response protocols, isolated affected systems, and began containment efforts.

_Although some operations have been disrupted, interim measures are in place to support ongoing services_. The organization has not specified when full restoration will occur but highlighted that patient care continues and that it has **contingency plans** in place to maintain critical treatments.

No ransomware group has claimed responsibility so far. For businesses and organizations looking to stay safe, it’s best to maintain strong backup practices, conduct regular security audits, and **monitor network activity** closely, especially over weekends.

## Topics

cyber security, News, Security, Updates

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.


