📱 Keitaro Tracker abuse: trends, cracked licences and CTI cookie collisions
📝 🔍 Context

Published on 31 March 2026 by Infoblox Threat Intel and Confiant...
📖 cyberveille : https://cyberveille.ch/posts/2026-04-07-abus-de-keitaro-tracker-tendances-licences-crackees-et-collisions-de-cookies-cti/
🌐 source : https://www.infoblox.com/blog/threat-intelligence/patterns-pirates-and-provider-action-what-we-learned-working-with-keitaro/
#Adspect_Cloaker #DarkGate #Cyberveille

Keitaro Tracker abuse: trends, cracked licences and CTI cookie collisions

🔍 Context
Published on 31 March 2026 by Infoblox Threat Intel and Confiant, this article is part 3 of a series on the abuse of Keitaro Tracker, a self-hosted advertising tracking system massively repurposed by malicious actors as a Traffic Distribution System (TDS) and cloaking tool.

📊 Data sources and trends
The study covers the period from 1 October 2025 to 31 January 2026 and combines:
- Infoblox passive DNS (pDNS) telemetry: ~226,000 DNS queries across ~13,500 Keitaro-related domains
- More than 8,000 new domain registrations attributed to malicious actors, concentrated at 5 registrars: Dynadot, Namecheap, Public Domain Registry, Global Domain Group, Sav
- 275 million ad impressions analysed via Confiant, revealing ~2,000 domains hosting Keitaro instances in malvertising campaigns
- 120+ distinct spam campaigns, 96% of them linked to crypto wallet drainers (AURA, SOL, Phantom, Jupiter)

📅 Notable events
- 7 October 2025: An actor targeting Russian speakers registers hundreds of .com domains via a $6.88 Dynadot promotion
- 26 November 2025 (Black Friday): The same actor bulk-buys .icu, .click and .digital domains
- 30 October – 1 November 2025: Massive spike in DNS queries attributed to an actor using Keitaro to redirect targeted users (Android/Germany, Windows/USA/Switzerland) to online gambling sites

⚙ Exploited Keitaro features
- Routing via Campaigns/Flows: filtering by IP geolocation, OS, browser, device type, referrer, URI parameters
- Cloaking: integration with third-party kits such as IMKLO, HideClick, Adspect Cloaker (AI, evasion of Google/TikTok/Meta)
- KClient JS: client-side content substitution without a visible redirect
- Antibot: blocked-IP lists enriched with third-party data shared on GitHub and forums

🍪 Cookie collisions
Keitaro instances set tracking cookies (_token, _subid, and a 5-character alphanumeric cookie for v<11). These values were used as actor signatures, but the analysis revealed collisions:

CyberVeille

⚠ New #ClickFix malware campaign is tricking users with a fake browser “fix” prompt that leads to #DarkGate being installed via clipboard PowerShell commands. 📋

Read: https://hackread.com/clickfix-attack-fake-browser-install-darkgate-malware/

#CyberSecurity #Malware #Windows #Scam #InfoSec

New ClickFix Attack Uses Fake Browser Fix to Install DarkGate Malware

Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread

#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch
ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as #RATs, infostealers, and cryptominers.
Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (>5% each).
What makes #ClickFix so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. Pasting it into cmd leads to compromise with final payloads, including #DarkGate or #LummaStealer.
While #ClickFix was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and #macOS Keychain.
#ClickFix uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.
Read more in the #ESETThreatReport:
🔗 https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025
Cybercriminals abuse Microsoft Teams and AnyDesk for malware attacks

Recently, cybercriminals have been caught abusing popular software such as Microsoft Teams and AnyDesk to spread dangerous malware. Dit a

Tech Nieuws
DarkGate Malware Distributed Through Microsoft Teams Vishing Attack - RedPacket Security

A threat actor has been observed utilizing vishing through Microsoft Teams as a method to distribute DarkGate malware, allowing them to take remote control

RedPacket Security

Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware https://thehackernews.com/2024/12/attackers-exploit-microsoft-teams-and.html

#DarkGate #Malware #CyberSec

Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware

Attackers exploit Microsoft Teams calls to deploy DarkGate malware via AnyDesk. Security measures urged.

The Hacker News

A new malicious campaign uses impersonation via Microsoft Teams voice phishing (vishing), tricking the victims into downloading AnyDesk for remote access and deploying #DarkGate malware.

https://socprime.com/blog/darkgate-malware-detection/?utm_source=mastodon&utm_medium=social&utm_campaign=cert-ua&utm_content=blog-post

DarkGate Malware Attack Detection: Voice Phishing via Microsoft Teams Leads to Malware Distribution - SOC Prime

Detect DarkGate malware deployed via Microsoft Teams voice phishing using a set of dedicated Sigma rules from SOC Prime Platform.

SOC Prime
📬 Keylogger hid in a Pidgin extension
#Cyberangriffe #Darkgate #Eset #Jabber #Keylogger #Pidgin https://sc.tarnkappe.info/b4019a
Keylogger hid in a Pidgin extension

A malicious extension for the Pidgin messenger hid for almost six weeks in a plug-in officially offered for download.

Tarnkappe.info
#Malware infiltrates #Pidgin messenger’s official plugin repository https://www.bleepingcomputer.com/news/security/malware-infiltrates-pidgin-messengers-official-plugin-repository/ I used to use Pidgin to communicate with friends on AIM and similar messenger apps. The malicious plugin was offered only as a binary, not open source code. Worryingly, it had valid signatures, and so did the malware it downloaded. #DarkGate #Jabber #messenger
Malware infiltrates Pidgin messenger’s official plugin repository

The Pidgin messaging app removed the ScreenShareOTR plugin from its official third-party plugin list after it was discovered that it was used to install keyloggers, information stealers, and malware commonly used to gain initial access to corporate networks.

BleepingComputer