📢 Doppelgänger : analyse complète de l'infrastructure d'opérations d'influence russe SDA/Structura
📝 ## 🌐 Contexte

Publié le 11 mai 2026 par DomainTools sur leur portail de recherche, ce rapport constitue une...
📖 cyberveille : https://cyberveille.ch/posts/2026-05-13-doppelganger-analyse-complete-de-l-infrastructure-d-operations-d-influence-russe-sda-structura/
🌐 source : https://dti.domaintools.com/research/sda-structura-doppelganger-influence-ops
#IOC #Keitaro #Cyberveille

Keitaro series, Part 3: What happens when we zoom out from individual campaigns and examine the broader ecosystem of Keitaro abuse?

In the third and final installment on Keitaro, we take a step back to analyze cross‑campaign trends and the Keitaro features most frequently abused at scale. We also look at cookies and cracked versions tied to threat actors like TA2726, and share what provider engagement and takedowns actually look like in practice.

https://www.infoblox.com/blog/threat-intelligence/patterns-pirates-and-provider-action-what-we-learned-working-with-keitaro/

#dns #infoblox #infobloxthreatintel #threatintel #threatintelligence #cybercrime #cybersecurity #keitaro #adtech #tds

We planned one report on Keitaro abuse, but we ran out of pages before we ran out of cases.
So here’s Part 2 of 3, a medley of threats that go well beyond AI‑investment scams.

Threat actors abuse Keitaro’s traffic distribution, cloaking, and rule engine to hide malicious landing pages behind geo and device-based filters. They stack bulletproof hosting and reverse proxies to add layers of indirection, making takedown and analysis harder. In this post, we share how we overcame this using multi‑protocol, multi‑vantage telemetry. We leveraged JA4+ web server fingerprints, DNS analytics, and Confiant’s visibility into advertising supply chain data to uncover Keitaro abuse and the delivery of malware downloaders, infostealers, weaponized RMMs, wallet drainer campaigns, scams, and email spam and advertising attack vectors.

If you hunt threats distributed via adtech, these indicators can be useful pivots. https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising #infostealer #rmm #remotemonitoringmanagement #downloader #malware #spam #airdrop #cryptocurrency #ja4 #ja4_fingerprinting

🔴 A threat isn't much of a threat if it can't reach the right victims. 📦 That's why many modern threat actors rely on cloakers and traffic distribution systems (TDS) to target, route, and hide at scale. In a six‑month joint effort analyzing four months of data with Confiant, we identified 15,500 domains configured to Keitaro instances and actively used in cyber campaigns. Keitaro is a legitimate ad tracker, but it is frequently misused by cybercriminals as an all‑in‑one tracker + TDS + cloaker in scam and malware campaigns. We encounter Keitaro in our investigations nearly every day, and we set out to quantify that abuse in the broader landscape. We're publishing a three‑part series to share what we learned. Part 1 focuses on a subset of actors who leverage AI in their operations, most of whom are tied to investment scams. At the end of the report, you'll find a link to our github repository that contains thousands of related Keitaro iocs.

https://www.infoblox.com/blog/threat-intelligence/inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising

We were alerted to a bike rental website that's been compromised by the Balada Injector campaign. The site is currently embedded with a malicious and obfuscated JavaScript that will redirect website visitors to an actor-controlled traffic distribution system (TDS) server located at

hXXps://soft[.]specialcraftbox[.]com/JZFYbC.

This server runs the commercial TDS management Keitaro software. The tip came from one of our employees who had started being more aware of redirects on websites after our VexTrio reporting - woot woot! The site called these domains when it triggered for the TDS on their phone:

surprisedexpert[.]com
iosvpnhelp[.]com
rubestdealfinder[.]com
slqmfq[.]top
statisticsplatform[.]com
plastformspecial[.]com

Balada TDS servers typically redirect victims to fake tech support pages, fraudulent lottery wins, or push notification scams. The threat actors exploit vulnerable versions of WordPress' Popup Builder plugin, so website owners should update the plugin or disable it (if not crucial to the website's functionality). As a follow-up, the actor may have installed additional malicious plugins. Look for and disable/delete a plugin named "wp-felody.php".

#dns #threatintel #threatintelligence #cybercrime #infosec #cybersecurity #infoblox #scam #malware #balada #tds #keitaro #javascript #injection #drivebycompromise

here is before and after obfuscation images:

New common name in TLS certificates used for #ClearFake infrastructure:
"02w65ijjohr1frm[.]com"

Still use of #Keitaro TDS

109.248.206.]49
109.248.206.]83
109.248.206.]101
109.248.206.]118
109.248.206.]138

Recent C2 domains:

poibvyctm21e.]com
eofjdo3zwxvbi57.]com
b1omodh51hw6g3d.]com
nbvcdrtyup584wd.]com

More details on ClearFake and the associated infrastructure in our blog post:

https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/