🔴 A threat isn't much of a threat if it can't reach the right victims. 📦 That's why many modern threat actors rely on cloakers and traffic distribution systems (TDS) to target, route, and hide at scale. In a six‑month joint effort analyzing four months of data with Confiant, we identified 15,500 domains configured to Keitaro instances and actively used in cyber campaigns. Keitaro is a legitimate ad tracker, but it is frequently misused by cybercriminals as an all‑in‑one tracker + TDS + cloaker in scam and malware campaigns. We encounter Keitaro in our investigations nearly every day, and we set out to quantify that abuse in the broader landscape. We're publishing a three‑part series to share what we learned. Part 1 focuses on a subset of actors who leverage AI in their operations, most of whom are tied to investment scams. At the end of the report, you'll find a link to our GitHub repository that contains thousands of related Keitaro IOCs.

https://www.infoblox.com/blog/threat-intelligence/inside-keitaro-abuse-a-persistent-stream-of-ai-driven-investment-scams/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #ai #keitaro #adtech #tds #trafficdistributionsystem #cloaker #cloaking #landscape #malvertising

A New Dawn: Revealing Teaser Confirms the 2025 Premiere of Yoshitoshi Shinomiya's First Feature Film

The teaser for 'A New Dawn', directed by first-time director Yoshitoshi Shinomiya, known for his collaborations with Makoto Shinkai.

Alternativa Nerd

We were alerted to a bike rental website that's been compromised by the Balada Injector campaign. The site is currently embedded with a malicious and obfuscated JavaScript that will redirect website visitors to an actor-controlled traffic distribution system (TDS) server located at

hXXps://soft[.]specialcraftbox[.]com/JZFYbC.

This server runs the commercial TDS management Keitaro software. The tip came from one of our employees who had started being more aware of redirects on websites after our VexTrio reporting - woot woot! The site called these domains when it triggered for the TDS on their phone:

surprisedexpert[.]com
iosvpnhelp[.]com
rubestdealfinder[.]com
slqmfq[.]top
statisticsplatform[.]com
plastformspecial[.]com

Balada TDS servers typically redirect victims to fake tech support pages, fraudulent lottery wins, or push notification scams. The threat actors exploit vulnerable versions of WordPress' Popup Builder plugin, so website owners should update the plugin or disable it (if not crucial to the website's functionality). As a follow-up, the actor may have installed additional malicious plugins. Look for and disable/delete a plugin named "wp-felody.php".

#dns #threatintel #threatintelligence #cybercrime #infosec #cybersecurity #infoblox #scam #malware #balada #tds #keitaro #javascript #injection #drivebycompromise

Here are the before and after obfuscation images:

New common name in TLS certificates used for #ClearFake infrastructure:
"02w65ijjohr1frm[.]com"

Still use of #Keitaro TDS

109.248.206[.]49
109.248.206[.]83
109.248.206[.]101
109.248.206[.]118
109.248.206[.]138

Recent C2 domains:

poibvyctm21e[.]com
eofjdo3zwxvbi57[.]com
b1omodh51hw6g3d[.]com
nbvcdrtyup584wd[.]com

More details on ClearFake and the associated infrastructure in our blog post:

https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/

ClearFake: a newcomer to the "fake updates" threats landscape

ClearFake is a new malicious JavaScript framework used on compromised websites to deliver malware using the drive-by download technique.

Sekoia.io Blog
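A small defensive helper, added here as an example (it is not code from Infoblox or Sekoia): it refangs the indicator notation used in the Balada and ClearFake posts above (hXXps, "[.]" and the mangled ".]" form), then matches the resulting hosts and IPs against constructed DNS/proxy log lines, treating subdomains of a listed domain as hits but not lookalike names that merely end in the same string.

```python
import re

# Indicators copied from the posts above in their defanged form (constructed list for this example).
DEFANGED_IOCS = [
    "hXXps://soft[.]specialcraftbox[.]com/JZFYbC",
    "surprisedexpert[.]com",
    "iosvpnhelp[.]com",
    "02w65ijjohr1frm[.]com",
    "109.248.206[.]49",
    "109.248.206.]83",      # the ".]" form as it appeared in the ClearFake post
    "poibvyctm21e.]com",
]

# Constructed DNS/proxy log lines (not real traffic) to run the matcher over.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z client=10.0.0.12 query=www.example.org type=A
2024-05-02T10:14:07Z client=10.0.0.12 query=soft.specialcraftbox.com type=A
2024-05-02T10:14:08Z client=10.0.0.12 query=cdn.iosvpnhelp.com type=A
2024-05-02T10:14:09Z client=10.0.0.15 query=notsurprisedexpert.com type=A
2024-05-02T10:15:00Z client=10.0.0.15 dst=109.248.206.83 proto=tcp dport=443
"""

def refang(ioc: str) -> str:
    """Return the live host/IP for a defanged indicator (scheme and path are dropped)."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)   # hXXps:// -> https://
    s = s.replace("[.]", ".").replace(".]", ".")            # both defang styles on the page
    s = re.sub(r"^https?://", "", s).split("/", 1)[0]       # keep only the host part
    return s.lower()

def build_matchers(iocs):
    """Split refanged indicators into a set of hostnames and a set of IPv4 addresses."""
    hosts, ips = set(), set()
    for ioc in iocs:
        h = refang(ioc)
        (ips if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h) else hosts).add(h)
    return hosts, ips

def host_matches(name: str, hosts) -> bool:
    """Exact match or subdomain match only; 'notsurprisedexpert.com' must not hit."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in hosts)

def scan_log(text: str, iocs):
    """Return (value, kind) for each log line whose query= host or dst= IP is a known indicator."""
    hosts, ips = build_matchers(iocs)
    hits = []
    for line in text.splitlines():
        q = re.search(r"\bquery=(\S+)", line)
        d = re.search(r"\bdst=(\S+)", line)
        if q and host_matches(q.group(1), hosts):
            hits.append((q.group(1), "domain"))
        elif d and d.group(1) in ips:
            hits.append((d.group(1), "ip"))
    return hits

if __name__ == "__main__":
    for value, kind in scan_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"{kind}: {value}")
```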

@rmceoin

We're lazy so we go the easy route via URLScan.io - just enter an IP hosting such a #Keitaro TDS:

https://urlscan.io/search/#ip%3A91.203.193.124

Search - urlscan.io

urlscan.io - Website scanner for suspicious and malicious URLs