Executive Summary

The DPRK “Contagious Interview” campaign (LAZARUS) represents a mature evolution of intrusion tradecraft in which adversaries weaponize legitimate hiring workflows to induce execution of malicious code within trusted developer environments. Unlike traditional phishing or exploit-driven compromise, this model collapses initial access, execution, and credential harvesting into a single interaction, leveraging social engineering and professional trust rather than technical vulnerability.

The campaign targets software developers and technical personnel through fraudulent job interview processes conducted across platforms such as GitHub, LinkedIn, and direct messaging channels. Victims are instructed to clone and execute repositories presented as coding challenges, which contain embedded payloads designed to harvest credentials, extract session tokens, and enable rapid lateral movement into enterprise environments.

This approach aligns structurally with identity-first intrusion models observed in Muddled Libra, but is distinct in its focus on developer ecosystems and supply chain adjacency. The result is a high-speed, low-noise intrusion methodology capable of bypassing multi-factor authentication (MFA), evading endpoint detection, and enabling immediate access to high-value systems including source code repositories, CI/CD pipelines, and cloud infrastructure.

Operational Model and Attack Flow

The campaign is best understood as a controlled execution pipeline in which the adversary externalizes the execution step to the victim.

The attack sequence begins with targeted outreach masquerading as recruitment activity. Adversaries establish credibility through impersonation of recruiters or companies, often leveraging realistic job descriptions and communication patterns. Once engagement is established, the victim is invited to complete a technical assessment.

This assessment serves as the delivery mechanism. The victim is instructed to clone a repository and execute code locally, often framed as a debugging or build task. Within this repository, malicious logic is embedded either directly in source files, dependencies, or development tooling configurations.

A key innovation is the abuse of Visual Studio Code task automation. Malicious .vscode/tasks.json configurations trigger execution automatically upon opening the project, eliminating the need for explicit user action beyond normal workflow behavior.

Once executed, the payload performs environment-aware collection. This includes extraction of:

• Browser session tokens
• Git credentials and access tokens
• SSH keys
• Cloud credentials (AWS, Azure, GCP)
• API tokens (GitHub, Slack, CI/CD systems)

The compromise phase is immediately followed by exploitation. Adversaries pivot into enterprise environments using harvested credentials, often achieving access to repositories, cloud control planes, or internal systems within minutes. This mirrors the rapid escalation observed in Muddled Libra operations, where domain-level compromise can occur in under an hour .

Tradecraft and Technical Characteristics

Human-Centric Execution

The defining characteristic of this campaign is the replacement of exploit delivery with induced execution. The victim executes the payload voluntarily within a trusted context, rendering many traditional security controls ineffective.

Malware Minimalism and Obfuscation

While malware is present, it is deliberately disguised as legitimate development artifacts. Payloads are frequently implemented in:

• Node.js
• Python
• Golang

Execution is often fileless or memory-resident, and code is embedded within non-obvious file types such as fonts or images to evade detection.

Abuse of Development Tooling

The campaign exploits developer tooling as an execution substrate:

• VS Code task automation (runOn: folderOpen)
• npm package dependencies (e.g., malicious packages like jsonwebauth)
• Build scripts and test frameworks

This creates a supply-chain-adjacent effect in which the developer workstation becomes the initial compromise node.

Cloud and Web-Based Staging Infrastructure

Payload delivery and staging frequently leverage:

• Vercel-hosted endpoints
• JSON storage services
• Paste-based staging platforms

These services provide ephemeral, low-friction infrastructure that blends with legitimate traffic.

Credential-Centric Objectives

The campaign prioritizes identity artifacts over persistence mechanisms. Credential theft enables:

• Immediate lateral movement
• Access to privileged systems
• Potential downstream supply chain compromise

Infrastructure and Reuse Patterns

Unlike traditional campaigns that rely on stable infrastructure, this operation exhibits distributed and disposable infrastructure usage. However, several recurring patterns provide actionable detection opportunities:

• Use of JSON storage platforms for payload staging
• Repeated use of Vercel-hosted delivery endpoints
• Paste-based intermediate payload retrieval
• Administration via VPN services (e.g., Astrill VPN)
• Geographic clustering of operator activity (observed in China-based IP space)

The infrastructure strategy prioritizes resilience and deniability over persistence.

Strategic Assessment

The Contagious Interview campaign represents a structural shift in intrusion methodology:

Collapse of the Kill Chain

Stages that are traditionally independent –  delivery, exploitation, and execution – are merged into a single user-driven action. This reduces detection windows and eliminates reliance on technical vulnerabilities.

Identity as the Primary Attack Surface

The campaign reinforces a broader trend in which identity systems, rather than endpoints or networks, represent the primary control plane for attackers.

Developer Ecosystem as a High-Value Target

By targeting developers, adversaries gain access to:

• Source code repositories
• Software supply chains
• Cloud infrastructure
• Organizational secrets

This creates second-order effects, enabling compromise of downstream organizations.

Convergence with Ransomware and Access Brokerage

Given the alignment with identity-first intrusion models, it is highly likely that access obtained through this campaign is monetized via:

• Initial access brokerage
• Ransomware deployment
• Data exfiltration and extortion

This mirrors the operational ecosystem observed in Muddled Libra and related clusters.

Defensive Implications

Detection and mitigation require a shift away from traditional indicators toward behavioral and workflow-based monitoring:

• Monitoring execution patterns within development environments
• Detecting anomalous VS Code task behavior
• Tracking credential usage anomalies post-execution
• Restricting token scope and enforcing short-lived credentials
• Applying conditional access policies to developer and cloud systems

Organizations must treat developer workstations as high-risk identity aggregation points, not merely endpoints.

Bottom Line

This campaign is not defined by a fixed set of indicators, but by a repeatable operational pattern:

Social engineering → repository execution → credential extraction → immediate exploitation

Effective defense depends on recognizing and disrupting this pattern rather than chasing ephemeral infrastructure.

‍

Appendix A Indicators of Compromise (IOCs)

Domains / Services

• jsonkeeper[.]com
• jsonsilo[.]com
• api[.]npoint[.]io
• pastebin[.]com
• *.vercel[.]app

Malware / Tooling

• BeaverTail
• InvisibleFerret
• GolangGhost
• PyLangGhost
• jsonwebauth (npm package)
• lserver.js (associated payload file)

Infrastructure / Operational Indicators

• Use of Astrill VPN for administration
• China-based IP activity (notably Jilin region)
• Multi-provider hosting across numerous VPS providers

File / Artifact Indicators

• .vscode/tasks.json
• package.json referencing jsonwebauth
• errorHandler.js with dynamic execution logic

‍Appendix B   Hunt Methodology and Queries

GitHub / Code Search Queries

path:tasks.json runOn folderOpen (curl OR wget) (cmd OR "| sh")
path:tasks.json runOn folderOpen node (.woff OR .svg OR .jpeg OR .png)
path:tasks.json runOn folderOpen "eslint-check"
path:package.json jsonwebauth

‍Behavioral Hunt Patterns VS Code Execution Anomalies

• VS Code spawning:
  
  • curl
  • wget
  • bash
  • powershell
• Execution triggered immediately upon project open

Suspicious Node Execution

• Node.js executing non-code file types:
  
  • .woff, .svg, .png, .jpeg, .dict

Network Indicators

• Requests from developer tools to:
  
  • *.vercel.app
  • JSON storage endpoints
  • Paste services
• Non-browser processes initiating HTTP requests

Credential Abuse Signals

• Immediate use of tokens following execution of malware
• Access from new geolocations
• API usage inconsistent with developer behavior

Endpoint and Identity Correlation

• Correlate:
  
  • VS Code activity
  • Process execution
  • Network requests
  • Identity provider logs

Focus on time-bound correlation windows (0–30 minutes) post repository execution.

Detection Priority Model

1. Developer workstation telemetry
2. Identity provider anomalies
3. Cloud control plane access
4. Repository and CI/CD activity

‍

APPENDIX C: Detection Pack: Contagious Interview Campaign

Focus: VS Code abuse → task execution → script staging → credential/session exfiltration
Detection Strategy: Process lineage + command-line + network correlation
‍

1. VS Code Task Auto-Execution (Primary Signal)

Sigma: VS Code spawning shell on folder open

 category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '\Code.exe'
      - '/Code'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\bash.exe'
      - '\sh.exe'
      - '\zsh'
  selection_cmd:
    CommandLine|contains:
      - 'curl'
      - 'wget'
      - 'Invoke-WebRequest'
  condition: selection_parent and selection_child and selection_cmd
fields:
  - ParentImage
  - Image
  - CommandLine
level: high

2. VS Code → Network Payload Retrieval (Critical Correlation)

Sigma: VS Code initiating outbound HTTP

title: VS Code Network Connection to Suspicious External Services
id: 3e9c0b52-cti-vscode-network
status: experimental
logsource:
  category: network_connection
detection:
  selection_proc:
    Image|endswith:
      - '\Code.exe'
      - '/Code'
  selection_dest:
    DestinationHostname|contains:
      - 'vercel.app'
      - 'jsonkeeper.com'

3. Node Executing Non-Code Artifacts (High-Fidelity Signal)

Sigma: Node executing suspicious file types

title: Node Executing Non-Code File Types
id: cti-node-anomalous-execution
status: experimental
logsource:
  category: process_creation
detection:
  selection_node:
    Image|endswith:
      - '\node.exe'
      - '/node'
  selection_filetypes:
    CommandLine|contains:
      - '.woff'
      - '.woff2'
      - '.svg'
      - '.jpeg'
      - '.png'
      - '.dict'
  condition: selection_node and selection_filetypes
fields:
  - Image
  - CommandLine
level: critical

4. Suspicious npm Package Execution (jsonwebauth Pivot)

Sigma

title: Suspicious npm Package jsonwebauth Execution
id: cti-npm-jsonwebauth
status: experimental
logsource:
  category: process_creation
detection:
  selection:
    CommandLine|contains:
      - 'jsonwebauth'
      - 'lserver.js'
  condition: selection
fields:
  - CommandLine
level: high

5. Function Constructor Obfuscation Pattern (Execution Stage)

Sigma

title: Suspicious JavaScript Dynamic Execution Pattern
id: cti-js-function-constructor
status: experimental
logsource:
  category: process_creation
detection:
  selection:
    CommandLine|contains:
      - 'Function.constructor'
  condition: selection
level: medium

6. Multi-Stage Execution Chain (EDR Correlation Rule)

EDR Logic (pseudo-Sigma / correlation)

IF
  ParentProcess = Code.exe
AND
  ChildProcess IN (cmd.exe, powershell.exe, bash, sh)
AND
  CommandLine CONTAINS (curl OR wget OR http)
WITHIN 2 minutes
AND
  NetworkConnection TO (vercel.app OR jsonkeeper OR npoint OR pastebin)
THEN
  Alert: Contagious Interview Execution Chain
Severity: CRITICAL

7. Token / Credential Exfil Behavior

Sigma (generic but tuned)

title: Suspicious Access to Credential Stores After VS Code Execution
id: cti-post-execution-credential-access
status: experimental
logsource:
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '\Code.exe'
  selection_child:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\ssh.exe'
  timeframe: 5m
  condition: selection_parent and selection_child
level: medium

8. Git / SSH Key Access Spike

EDR heuristic

Detect:
- Access to ~/.ssh, id_rsa, id_ed25519
- Followed by outbound connection within 60 seconds
- Parent chain includes Code.exe or node.exe

Flag as:
Credential Harvesting via Developer Workflow

9. CI/CD Pivot Detection

Sigma (optional enterprise detection)

title: Unusual GitHub Token Usage from Developer Endpoint
id: cti-github-token-abuse
status: experimental
logsource:
  category: network_connection
detection:
  selection:
    DestinationHostname|contains:
      - 'api.github.com'
  anomaly:
    UserAgent|not_contains:
      - 'git'
  condition: selection and anomaly
level: medium

10. High-Fidelity Hunt Query (EDR / SIEM)

Use this as a compound hunt:

(
  ParentProcess = Code.exe
  AND ChildProcess IN (cmd, powershell, bash)
)
OR
(
  Process = node
  AND CommandLine CONTAINS (.woff OR .svg OR .jpeg)
)
OR
(
  Process = Code.exe
  AND NetworkDomain IN (vercel.app, jsonkeeper.com, npoint.io)
)

Detection Philosophy (Important)

This pack deliberately avoids over-reliance on static IOCs because:

• Payloads are ephemeral
• Infrastructure rotates
• Code is frequently modified

Instead, it focuses on execution invariants:

1. IDE-driven execution (rare in benign workflows)
2. Shell invocation from developer tools
3. Non-standard file execution via Node
4. Immediate outbound network activity

Priority Signals (What to Alert On First)

If you need triage prioritization:

Highest confidence

• Node executing .woff / .svg
• VS Code → shell → network chain

Medium confidence

• jsonwebauth / lserver.js presence
• Vercel + developer workstation correlation

Lower (context required)

• Function.constructor usage
• GitHub API anomalies

Analytical Alignment

This detection model aligns with the same operational compression observed in Muddled Libra:

• rapid execution post-access
• minimal malware footprint
• identity/token theft as primary objective

The Unit 42 dataset reinforces this shift toward speed and identity abuse over persistence, reducing the utility of traditional detection layers .

Appendix D: MITRE ATT&CK Mapping

ATT&CK Techniques Most Strongly Associated with the Campaign

• T1566.003 – Phishing: Spearphishing via Service
  Recruiter outreach and lure delivery through LinkedIn, code-hosting platforms, and other online services.
• T1566.002 – Phishing: Spearphishing Link
  Victims are directed to malicious repositories, staged assessments, or hosted payload locations.
• T1204.001 / T1204.002 – User Execution
  Victims voluntarily execute code as part of an “interview” or “technical test.” 
• T1059.007 – Command and Scripting Interpreter: JavaScript
  Malicious npm / Node execution is central to multiple documented chains.
• T1059.006 – Command and Scripting Interpreter: Python
  PyLangGhost and related scripting components support cross-platform execution.
• T1059.004 – Command and Scripting Interpreter: Unix Shell
  Shell-based staging and download logic are documented in IDE task-abuse chains.
• T1036 – Masquerading
  Malicious content is disguised as normal interview code, repositories, tasks, or packages.
• T1027 – Obfuscated Files or Information
  Obfuscated JavaScript and disguised non-code assets are part of the execution chain.
• T1555 / T1555.003 – Credentials from Password Stores / Web Browsers
  Theft of browser credentials and related local secrets is a recurring objective.
• T1005 – Data from Local System
  Collection of local credentials, wallet information, and developer artifacts from endpoints. 
• T1071 – Application Layer Protocol
  C2 and staging are conducted over ordinary web traffic and cloud services.
• T1567 – Exfiltration Over Web Service
  Use of cloud-hosted platforms and web services for staging and likely data movement.

A Chrome extension impersonating Google's Authenticator application was identified as part of an ongoing malicious campaign active since at least early 2026. The extension appears to use Chrome's localization system and skeleton code to bypass security reviews. Despite its functional appearance, it requests broad, unnecessary permissions and contains "dormant infrastructure”. This suggests a staged deployment model, where the extension remains trustworthy on the surface while maintaining the architectural groundwork to deliver a malicious update without requiring further permission approvals from the user or the store.

This extension is linked to at least six others through a shared developer front, two of which already carry fully operational malicious payloads. These extensions utilize hidden iframes to inject attacker-controlled content into every webpage, deploy fraudulent paywalls for free services, and maintain bidirectional communication with C2 servers. The infrastructure maps directly to the AiFrame campaign, which reportedly compromised over 260,000 users from 2025 to present. This current operation marks a continued evolution of that threat, specifically implementing additional steps to bypass detection and the apparent targeting of security-conscious individuals who may inadvertently hand over their sensitive two-factor authentication (2FA) credentials to the attackers.
‍

Details

2FA Authenticator - generate secure codes in your browser. Fast, offline two-factor authentication for all your accounts. Over 30,000 downloads. Published on 2026-04-02.

The site links to 

• https[:]//chromewebstore.google[.]com/detail/2FA/ebhcbenbgjmaebpgbldimndmfomjmphd?utm_source=site (A fake Authenticator)
• https[:]//github[.]com/google/google-authenticator (the real Google Authenticator)
  ‍

The Extension

The authenticator app has severely over-privileged manifest permissions. Namely, a TOTP generator has zero need to access web page content. 

 "host_permissions": [

    "<all_urls>"
  ],

The permissions may enable the actor to read/modify content on every website; inject content scripts into any page; intercept form data, cookies, session tokens or overlay phishing pages via iframes. Though the <all_urls> host permission is not used anywhere in the initial downloaded codebase, no content scripts are declared or programmatically registered. Its presence is likely a pre-staged capability for a future malicious update, a common strategy to bypass Chrome Web Store security checks, sometimes described as a deploy clean, update dirty strategy.

Within the code for the downloaded extension there is a file “background/service-worker.js”, that handles the installation and uninstallation. Its code is minified, the following is a de-minified showing of its contents.

Here we see a google form is used to track app uninstallations

https[:]//docs.google[.]com/forms/d/e/1FAIpQLScVCo51wR7L4fAbE1KRrcbHGFPwyj9i_xsSIGG9YHue
ZxsIAA/viewform?usp=publish-editor

References to the whitelab[.]studio domain are also seen:  https[:]//authenticator.whitelab[.]studio/${lang}/welcome

The installation behavior 

• Opens https://authenticator.whitelab[.]studio/{locale}/welcome in a new tab immediately on install
• Detects the user's language and selects from 20 supported locales
• Phones home to the extension owner’s infrastructure, confirming installation and storing the user's locale preference

There is a dormant message listener “chrome.runtime.onMessage.addListener((s, t, e) => !0);” that would accept all messages from any context (popup, content scripts, other extensions). This is likely a skeleton hook. The service worker could act as a relay between injected content scripts and a C2 server. This empty listener would then be the scaffolding for that relay. A future update to the service worker or the addition of a content script would activate it without requiring a manifest change. Combined with the pre-staged <all_urls> permission, this is a fully prepared malware delivery mechanism awaiting activation.
‍

The Submitter

The app was submitted by email domain airnetic[.]space, its welcome page is sourced from authenticator.whitelab[.]studio.

‍

The site has links to multiple other Chrome Web Store extensions

Of those extensions linked from the whitelab domain, AI Agent (originally "Google Gemini") fdlagfnfaheppaigholhoojabfaapnhb, was reported by Layer X Security in February 2026. It was described as a “coordinated campaign of Chrome extensions posing as AI assistants for summarization, chat, writing, and Gmail assistance” active since 2025 that used injected iFrames and intended to steal business data, browsing history and credentials. A different activity report by Koi Research describes a similar campaign dubbed the AI Frame campaign occurring more recently that notably also used Github payloads, though no direct indicator links were observed.

Airnetic[.]space was also used as an alias gmail address airnetic.space[@]gmail[.]com for multiple AI Frame campaign extensions. A domain of the same name was registered on 2025-03-02, but it is unknown if the domain is related to this extension or actor.
‍

The infrastructure and domains used by the actor continue to be used despite the extensive public reporting by multiple security companies. Domains still resolve to the lure sites, including those hosted on Vercel and Amazon. Extensions in the Google Web Store also continue to be available with a few identified exceptions. 

‍

Whitelab’s AI Chat to PDF Extension

Looking at other extensions from the whitelab[.]studio domain:

Name: AI Chat to PDF

Publisher: ai-chat-to-pdf[.]com

Publisher Email: airtronics307[@]gmail[.]com

Google Web Store ID: nlfkaldinolmacagmiddfpnfaeclfibn

Description: Instantly export your Gemini chats to PDF: smart conversion for perfect results.

C2: appbox[.]space

The extension itself is even more overprivileged and malicious than the authenticator variant. 

• Read all tab URLs, reload arbitrary tabs
• Local + sync storage access
• Full Chrome DevTools Protocol — attach to any tab, intercept network, execute arbitrary JS, capture page content
• Trigger file downloads
• Access to every webpage
• 241KB JS injected into every page
• External websites can directly control the extension

Install: Phone Home + Force Inject Gemini

‍

Event Telemetry — POST to C2

‍

Storage Proxy — Remote Read/Write/Delete

The external website appbox.space has full remote read/write/delete access to the extension's Chrome storage. This is a remote-control storage proxy. The attacker can manipulate any persisted data without the user's knowledge.

An invisible iframe (0×0 pixels, zero opacity) is injected into every page, loading remote content from the attacker's C2 server (appbox.space/paywall/502). The user ID is passed as a URL parameter for tracking. This matches the exact technique documented by LayerX in February 2026 — but using new infrastructure (appbox.space instead of tapnetic[.]pro).

Bidirectional postMessage Communication:

Paywall Object — Remote Control Interface

Overall, the "AI Chat to PDF" extension presents itself as a utility for exporting Google Gemini conversations to PDF format, and it does technically provide that functionality using Chrome's Debugger API to attach to tabs and invoke Page.printToPDF. However, beneath this legitimate surface, the extension operates as active malware. A 241KB content script is injected into every webpage the user visits, and on Gemini-related pages, it deploys a hidden, zero-pixel iframe loading remote content from the attacker's C2 server at appbox.space/paywall/502. This invisible iframe enables bidirectional communication via postMessage, allowing the attacker to push paywall modals that attempt to charge users for access to Google's free Gemini service. Simultaneously, a MutationObserver continuously monitors the page DOM, systematically cataloging all AI conversation messages with tracking attributes for potential extraction.

Beyond the iframe injection, the extension establishes a full remote-control channel via its background service worker. This service maintains persistent connections from appbox[.]space, POSTs user event telemetry (including a persistent UUID and hardcoded campaign identifier "wallId: 502") to the C2's tracking API, and, most critically, acts as a storage proxy. This allows the external website to remotely read, write, and delete arbitrary keys in the user's Chrome storage via a Supabase authentication protocol. The manifest also reveals externally_connectable access for the C2 and a development server left in the production build. Published under the whitelab.studio umbrella (the same group behind the fake Google Authenticator), this confirms a "mixed-stage" portfolio where the actor maintains some clean apps to build a user base while others carry fully operational AiFrame-style payloads.
‍

Whitelab’s Convert Heic to jpg Extension

Looking at other extensions from the whitelab[.]studio domain:

Name: convert-heic-to-jpg

Publisher: heic-to-jpg[.]pro

Publisher Email: 

• tapnetic307[@]gmail[.]com
• convertheic2jpg[@]gmail[.]com

Google Web Store ID: nmijijenojhiaohkfedfgchgbmjnfcpp

Description: Convert HEIC to JPG swiftly & privately. Process unlimited files without server uploads. Secure and rapid conversion.

C2: onlineapp[.]pro

Yandex Tracker: 96330078 on heic-to-jpg[.]pro lure domain

‍

‍

The extension has a hidden Iframe

• Uses onlineapp[.]pro — the original AiFrame C2s from the February 2026 LayerX report, still active.
• Shadow DOM evasion — the iframe is hidden inside a Shadow DOM element (.shadowRoot), making it invisible to standard DOM inspection and most browser extension security scanners.
• C2 command execution — the "redirect" command lets the C2 server open any arbitrary URL in the user's browser.

Triple-Redundant C2 Origin Validation

Domain pivots 

‍Overlaps from whitelab[.]studio:‍

Website Title: Tapnetic | Tap into the future, powered by innovation.

Server Type: nginx or vercel

IP ISP: Vercel Inc

Name Server Domain: porkbun[.]com

Registrar: Porkbun

Email Domain: cloudflare[.]com

whitelab[.]studio

sidenox[.]stream

sidentica[.]app

softnetica[.]com
‍

A look at sidenox[.]stream site:‍

Sidenox is similar to the whitelab[.]studio site in many ways including the use of Russian language comments and mentioning apps developed but it does not provide direct links or references to those apps like whitelab did.

The apps Sidenox claims to have developed are broader including healthcare and mobile apps,going beyond the AI and file conversion apps we’ve identified directly in this cluster so far.

• AI Chat Platform: A multi-model chat application (supporting GPT, Claude, Gemini).
• E-Commerce Platform: A marketplace with real-time inventory and Stripe integration.
• Healthcare Dashboard: A HIPAA-compliant analytics dashboard.
• Mobile Apps: The text mentions they build native and cross-platform apps for iOS and Android using React Native and Swift.

‍A look at the old C2: Tapnetic | Tap into the future, powered by innovation – tapnetic[.]pro‍

claude.tapnetic[.]pro, a facebook tracking pixel is used: “762928773371443”

‍Subdomains of tapnetic[.]pro

api.tapnetic[.]pro

www.tapnetic[.]pro

xai.tapnetic[.]pro

bard.tapnetic[.]pro

grok.tapnetic[.]pro

llama.tapnetic[.]pro

claude.tapnetic[.]pro

gemini.tapnetic[.]pro

gemini.google.tapnetic[.]pro

chat-ai.tapnetic[.]pro

chatgbt.tapnetic[.]pro

chatgpt.tapnetic[.]pro

chat-gbt.tapnetic[.]pro

deepseek.tapnetic[.]pro

ask-gemini.tapnetic[.]pro

chat-bot-gpt.tapnetic[.]pro

grok-chatbot.tapnetic[.]pro

authenticator.tapnetic[.]pro

asking-chat-gpt.tapnetic[.]pro

deepseek-to-pdf.tapnetic[.]pro

chat-with-gemini.tapnetic[.]pro

‍

The Authenticator subdomain was first seen 2026-02-06 while the rest were active at least before 2025-08. The timing appears to line up with the public reporting of this C2 and the actor’s apparent pivot to the newer infrastructure detailed in this report.
‍

Overlaps from appbox[.]space‍

Appbox[.]space was seen in multiple extensions with an iframe used for C2 such as in the following sample code:

‍

Website Title: AppBox — Platform for Processing Tokenized Requests

Server Type: cloudflare

IP ISP: CloudFlare Inc.

Name Server Domain: digitalocean[.]com

Registrar: Porkbun, LLC

onlineapp[.]pro

appbox[.]space

onlineapp[.]live
‍

Overall Domain Registration Pattern:‍

Registrar: Porkbun LLC

Name Server Domain: 

• porkbun[.]com
• digitalocean[.]com

IP ISP:

• CloudFlare Inc.
• Vercel Inc.
  ‍

Conclusion

We identified similar trends of a large number of malicious Chrome browser extensions that were reported in 2025: Dual-Function Malware Found in Chrome Extensions and Deceptive Browser Extensions within the Google Store. Both of which detail common apps including file conversions, AI tools and various helper utilities. 

It is concerning to see so many of the previously reported malicious extensions still being hosted by Google’s Web Store and multiple registrars. Google in particular should be expected to have the capacity to use AI for security application of vetting these extensions and current AI capabilities would be more than adequate to identify these extensions.

Considering the scale of these extensions in at least many dozens, the persistent behavior of the actor behind them going back as early as 2024, and the potentially hundreds of thousands of impacted users, this highlights the need for more expeditious identification and disruption actions against malicious applications and infrastructure. 

Across the extensions examined, a consistent operational pattern is evident: utility software is published with legitimate functionality to attract a user base, while the underlying permissions and architecture are designed to support capabilities far beyond what the stated purpose requires. In two of three cases shown in this report, those capabilities are already active; the third—the authenticator—appears to be a "sleeper" awaiting remote activation. This developer portfolio blends clean and compromised extensions within the same storefront, a technique specifically designed to obfuscate risk and bypass the automated review systems of the Chrome Web Store.

The attribution to the AiFrame campaign rests on multiple independent indicators, including developer contact info, C2 domains, and specific paywall code patterns that converge on the same operation documented months earlier. Notably, the original command-and-control domains remain active and are still being utilized by extensions under the new branding, indicating that previous public disclosures failed to disrupt the infrastructure. With the introduction of unreported fallback domains and a new generation of C2 architecture, the actor is clearly investing in long-term resilience. At least five additional extensions in this portfolio remain unexamined and should be treated as potentially compromised.
‍

IOCs

“The old world is dying, and the new world struggles to be born; now is the time of monsters” - so spoke Italian political theorist Antonio Gramsci nearly one hundred years ago. Or, to be more accurate, around 1930 Gramsci wrote:

La crisi consiste appunto nel fatto che il vecchio muore e il nuovo non può nascere: in questo interregno si verificano i fenomeni morbosi piú svariati.‍

which has been translated directly as:

The crisis consists precisely in the fact that the old is dying and the new cannot be born; in this interregnum a great variety of morbid symptoms appear.‍

The vigilance of defenders and investigators often focuses on monsters, typically ones easy to classify and thus easy to articulate wins to management. 

What would our industry look like if instead, we triaged the morbid symptoms of our environments, of our systems? Fighting dragons feels more satisfying than covering fundamentals. How do we frame the problem, get exec on-side, but more importantly, how do we continue to motivate ourselves in a world so seemingly full of morbid symptoms, most outside our control? 

Answers usually don’t survive first contact with reality. For my part, I fall back on a mindfulness of effort. As I plan and execute, my work of 2026 includes asking myself over and over, “Am I chasing monsters, or is there an underlying morbid symptom here that means monsters spawn less, or elsewhere?”

By the way, this is a discussion on impact.

Articles

• ‍DefenseOne - AI may revive old-school tradecraft even as it transforms intelligence work - ‘“My view,” he said, “is that [HUMINT] will have to have a human element — a real, essential human element — for the foreseeable future.”’
• ‍HivePro - ClipXDaemon Clipboard Attack: Linux Malware Targeting Crypto Payments - May not be the first linux clipboard stealer out there, but it’s the first I can remember seeing. ‍
• ‍AWS Security - Amazon threat intelligence teams identify Interlock ransomware campaign targeting enterprise firewalls - Really glad to see AWS Security taking advantage of their scale and scope to deploy honeypots and sharing the results; in this case, a Cisco FMC 0day. Good intermix of technical and human behaviors here to create an operational profile. ‍
• ‍GTIG - The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors - Great collaboration between GTIG, iVerify, and Lookout. The convergence of Coruna and DarkSword, especially around UNC6353, is something to watch. ‍
• ‍Kentik - Internet and Airstrikes: Tracking Iran's Extended Communication Blackout - This is a deeply interesting post to me. Unsurprisingly, we’ve got a good vantage point for internet visibility, and are still working with data from 2/28 onward to better understand what’s taking place. There’s substantial value in being able to visualize negative space, though this is often forgotten amidst the rush to categorize the seen instead.‍

Image above from Kentik post identifying distinct shutdown phases.

We’ve been busy little gremlins, recently, and our ability at DomainTools Investigations to remain timely and relevant despite being a scrappy little team continues to make me deeply proud. From us over the past month or so:

• ‍DTI - Doppelgänger / RRN Disinformation Infrastructure Ecosystem 2026 - One of the pieces I’m most proud of across the past year and a half. ‍
• ‍DTI - DPRK Malware Modularity: Diversity and Functional Specialization - Our industry does well at analyzing individual malware strains. What if we looked at a more holistic picture, though? What if we looked at all the current tracks together, what would it tell us?
• ‍‍DTI - CloudFlare Anti-Security For Phishing - Shorter piece on some veeeery interesting anti-analysis technicals amidst a larger phishing campaign. ‍
• ‍DTI - OpenAI Anti-Ads Malware - That browser plugin offering to block ads server by OpenAI’s free tier might not be as convenient as you think it is…‍
• ‍DTI - Exposure of TLS Private Key for Myclaw 360 in Qihoo 360 “Security Claw” AI Platform - We managed to work this up and put it out there within about three days of exposure, and it’s a great set of lessons, from source and scope validation to what the risk of AI looks like for most folks here, as well. And then it flared here, in a different way, last week: OpenClaw’s 8.6 sev CVE allowing any paired entity to escalate privileges without authentication. That’s likely to lead to quite a lot of downstream pain. ‍

Research Papers and Reports

• ‍Mandiant - M-Trends 2026 Report - Breach methodology. Given Mandiant’s front seat at many campaigns these days, very worth diving into. ‍
• ‍ODNI - 2026 Annual Threat Assessment of the U.S. Intelligence Community - Always worth reading, but to be read in-context like any other public product. Perception and messaging as much as content.‍

Tools and Resources

• ‍Elastic Security Labs - Supply Chain Monitor - accompanying blog post about its visibility on the Axios attack - We’re starting to see some more creative uses of AI by defenders, for which I am grateful. Nowhere near the advantage it appears to give attackers, but I’ll take what progress I can get.‍

This report details the discovery of a malicious Chrome extension, named "ChatGPT Ad Blocker", found on the Google Chrome Web Store. The extension, linked to the GitHub ID krittinkalra (also linked to AI4ChatCo and Writecream), masquerades as an ad-blocking tool but is primarily designed to steal the user’s ChatGPT conversations data by systematically copying the HTML page and sending to it to a webhook on a private Discord channel.

The identified activity appears to be an attempt to capitalize on OpenAI's policy shift to serve advertisements on its free tier by distributing malicious extensions that allege to block these ads.

‍

While the three domains identified with the website above were not fully functional at the time of discovery, in that they did not have a working pointer to the extension file, two newly created extensions by the same name and theme were found on Google’s Chrome Web store for extensions.

‍

Extension Name: ChatGPT Ad Blocker
Extension ID: ipmmidjikiklckbngllogmggoofbhjikgb
Created: February 10, 2026
Developer: krittinkalra (GitHub ID: 6893033)

‍

‍

‍

Email Domain: ai4chat[.]co

‍

‍

Malicious Extension

Upon installing the extension chrome.runtime.onInstalled fires immediately. 

This calls updateRules() to fetch remote configuration that creates a persistent alarm: chrome.alarms.create("fetchRules", {periodInMinutes: 60}) and fetches from: `https[:]//raw.githubusercontent[.]com/krittinkalra/chatgpt-ad-blocker/main/rules.json`

The alarm triggers every 60 minutes: chrome.alarms.onAlarm.addListener()and re-fetches rules.json with cache-busting: RULES_URL?t=${Date.now()}. This ensures the browser never caches configuration and would enable the attacker to remotely change the behavior of the extension without user knowledge. 

When the user browses to ChatGPT, the content.js script is injected, loading stored rules from chrome.storage.local. The current configuration was found to have the Ad-blocking function disabled. Instead, it registers a message listener for exfiltration trigger: chrome.runtime.onMessage.addListener()   

The primary purpose of the extension appears to be data harvesting. 

It appears to do this from popup.js → content.js scripts in which popup.js sends messages to content.js script: chrome.tabs.sendMessage(tab.id, {action: "GET_SANITIZED_HTML"}). The content.js script then calls getSanitizedHTML(). This function clones the entire DOM document.body.cloneNode(true) , removes rendering elements (scripts, styles, images) but preserves the text/structure of the page. It then walks text nodes, redacts only text > 150 chars if (node.nodeValue.length > 150) and returns full HTML structure with short text intact to popup.js script.  

With the prompt content from the page, popup.js then sends the captured user data to sendReport() function popup.js - sendReport(), which creates a discord embed payload content: "**New Ad Report Received**" by converting the captured HTML to Blob new Blob([htmlData], {type: 'text/html'}), builds FormData with file attachment formData.append('file', blob, 'page_dump.html') and posts to a hardcoded Discord webhook. 

https[:]//discord[.]com/api/webhooks/1470672111038103553/zkuhZvXgJ1auAbCTASubhGNF-wB2iTKVnvnp_uh3mCE8unGTTZBx49B6ZQzrEupkwr_f

‍

The Discord channel receives a message with something like:

Discord Message: "**New Ad Report Received**"
Attached File: page_dump.html
Metadata: {Timestamp}

The content of the attachment being the full ChatGPTpage structure with user prompts, conversation metadata, UI state.

Discord Channel ID: 1470671197644783657
Webhook ID: 1470672111038103553
Webhook Bot Name: "Captain Hook"
Target Domain: chatgpt[.]com/* (all paths)
GitHub Rules URL: https[:]//raw.githubusercontent[.]com/krittinkalra/chatgpt-ad-blocker/main/rules.json

Having identified the suspected Github content retrieval as part of the extension’s core logic, we investigated the account “krittinkalra” as possibly associated with this activity and noted a trend in past projects leading up to the identified malicious application. As a disclaimer, we are not attributing the alleged persona in the identified account but instead following a lead about the account itself.

• GitHub Account Age: ~12 years (created ~2014)
• Previous Activity: Android kernel development (C/C++, 2014-2020)
• Activity Gap: 5+ years dormant (October 2020 - February 2026)
• Skill Pivot: C/C++ kernel developer → JavaScript malware (no transition)

The link to Github alias “krittinkalra” is also linked to the extension on Chrome Web Store and X (formerly Twitter). On X, the persona stated they also created AI4ChatCo and Writecream.

https[:]//x[.]com/krittinkalra

https[:]//www.youtube[.]com/channel/UCnIvSeWwZ95c92a_PUiNdQQ

Writecream alleges to generate marketing content, sales emails, blog articles, and stunning visuals in seconds with AI. AI4ChatCo alleges it is an AI platform integrating models like ChatGPT and Stable Diffusion to offer advanced chatbots, content generation, and workflow automation for over 1.5 million users worldwide.

It begs the question, is there similar user data theft, privacy violations, and malware in those apps?

‍

Conclusion

Ads aren’t normally what we want to see, but malware and our private data and conversations being stolen is certainly lower on the list. This identified activity appears to be positioning to take advantage of the dramatic shift in OpenAI’s policy to serve up advertisements to its free tier users by distributing malicious Chrome extensions alleging to block ChatGPT ads. Specifically, the extension's primary purpose is data harvesting—stealing the full conversation structure, user prompts, and metadata—and exfiltrating it via a Discord webhook. Again, it begs the question, does the risk extend to other apps created by the same developer persona, krittinkalra, like AI4ChatCo and Writecream, which warrants further investigation into similar user data theft or privacy violations.

Security Advisory:

• Be Skeptical: Treat any extension, especially those that promise to block ads on high-value sites, with extreme suspicion and scrutinize its requested permissions.
• Investigate Related Services: Due to the developer's suspicious activity treat the affiliated services, AI4ChatCo and Writecream, as potentially compromised until proven otherwise.
• Caution with Out-of-Band Services: Be extremely cautious with out-of-band AI services, such as those acting as intermediaries, resellers or add-ons. There is no guarantee they are acting in your best interest regarding your privacy and security and are well positioned to read and/or modify your conversations.

‍

IOCs

Service platforms that provide protection and content delivery, like CloudFlare, have become a go-to for many web service hosts—including some malicious actors. These platforms offer inherent benefits like obfuscation, anti-bot, and anti-scanner tools. While excellent for defending legitimate customers, these very features can inadvertently shield malicious sites from proactive identification by security professionals and automated scanning services. This creates a challenging dynamic in the industry where a service provider's role in protecting its customer base competes with the broader community's need for effective security scanning.

This report details a recent Microsoft 365 credential harvesting campaign that leverages this dynamic to delay detection and risk profiling. The campaign implemented multiple anti-detection techniques including the use of CloudFlare human verification, hardcoded IP block lists, user agent checks, and multiple sites and redirects. This cluster highlights the need for service providers to consider taking on an even greater responsibility in knowing their customers and ensuring their defensive capabilities are not being abused to actively protect malicious actors.
‍

Details

‍

‍

‍

Gatekeeping and redirection paths

The site code contains a few layers of gatekeeping to ensure the visitor is a real target and not a security tool.

CloudFlare Human Verification: There's an initial CloudFlare human verification check and redirection.

Aggressive IP and User-Agent Filtering: The site code fetches details about the visitor's IP using https[:]//api.ipify[.]org/?format=json and checks it against a hardcoded blocklist. This list includes ranges belonging to major security companies (Palo Alto, FireEye) and cloud providers (AWS, Google), as well as search engine crawlers. 

It also sniffs the visitor's browser for bot-like User-Agents. If a security scanner or bot is detected (e.g., Googlebot, Bingbot, AhrefsBot, or Twitterbot), the page replaces itself with a fake "404 Not Found" message to prevent the malicious site from being indexed or flagged.

User Agent Checks:

IP Checks:

The core credential theft logic is not written in standard JavaScript. Instead, it is executed by a custom VM function (e_d007dc) that interprets an array of encoded instructions. This prevents static analysis from identifying the data-stealing parameters or the Command & Control (C2) URLs.

The framework dynamically updates its destination. When the gatekeeping checks flag, it switches the URL in the VM to a legitimate domain like Google.com, neutralizing the malicious footprint for any subsequent analysis.

Obfuscated Credential Harvesting: 

If the user passes these checks, an obfuscated script builds and redirects them to the credential harvesting URL built from an obfuscated script in the following format: `https[:]//office.suitetosecured[.]com/KuPbXodA?b=cGjQKg4&auth={}`, which it then designates an auth value that is presumably used to verify and track the user passing the gatekeeper to the next stage sites.

In reviewing the multiple phishing sites identified in this campaign, a commonality in the Cloudflare turnstile configuration was observed. The Cloudflare Turnstile sitekey (0x4AAAAAACG6TJhrsuZdpjsN) is a static identifier. Specifically, the “CG6TJhrsuZdpjsN” portion appears to be the unique identifier created when a Cloudflare user sets up the Turnstile widget in their CloudFlare dashboard. Security teams could possibly pivot on this key across telemetry sources (e.g. Shodan, Censys, URLScan) to identify newly registered phishing sites before they are utilized in campaigns.

Registration Commonalities

Nameserver: cloudflare.com

Registrar: NAMECHEAP INC

mx host: registrar-servers.com

IP ISP: CloudFlare Inc.

MX Domain:

• jellyfish[.]systems
• registrar-servers[.]com
  ‍

Conclusion

The strategic abuse of legitimate content delivery and security platforms, such as CloudFlare, by malicious actors creates a considerable obstacle to proactive security scanning and detection. The Microsoft 365 credential harvesting campaign described in this report, which also employed multiple anti-detection mechanisms, shows how these defensive features can inadvertently shield malicious sites, delay their detection, and hinder informed risk assessments. To address this evolving dynamic, service providers should accept greater responsibility in knowing their customers and ensuring their platform's security capabilities are not leveraged to actively protect malicious campaigns.

‍

IOCs

I’ve never touched a motor before in my life. 

This is about cybersecurity, I promise. Bear with me a minute. 

The ground outside the DTI Boston Satellite Office (my living room) is thick with snow. We had it easy through most of January, and then multiple blizzards. And after the first one, a piece of ice lodged in the auger of my snowblower, and the impeller belt ripped itself apart. 

Deciding I could replace the belt myself involved a bit of hubris, in retrospect. Because as noted, I’ve never touched a motor of any type before in my life. So it should not have been a surprise when I found myself sweating over the guts of my snowblower on a Thursday night trying to force the belt into place. 

It didn’t help that my machine included a third wheel of sorts, a tensioner that didn’t exist in any manual or online video about replacing the impeller belt in my exact model. But a life of spreadsheets and threat hunting did not prepare me for motor mechanics, oddly enough. 

So I reached out. Because I didn’t know, and while I tried to brute force it, and research it, nothing worked. I tried to bribe the belt into place, and threaten it, and cajole it. None of this resulted in the least amount of progress, and so I asked for help. 

There’s still a stigma in admitting you don’t know something in infosec; “information” is in the name, after all. And the sentence “I don’t know” is treated as a failure. But what we need to do is treat it as a starting point instead; “I don’t know, yet.”

I articulated the problem and showed my work. A few minutes later came a reply: “Oh. So. What you need to do is…” 

And a few minutes later the snowblower was running like new. 

Be the person that reaches out for help when you need it, and show this industry that’s okay. But also be the person that answers when you can, to show each other we’re not alone. 

‍

Articles

Almost feel like I need to add an extra section just for Google Threat Intelligence Group - they’ve spent the past few weeks putting out piece after piece of great intel. As always, grateful for folks sharing like this. ‍

GTIG - UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering - DPRK, cryptocurrency, generic domains and targeted subdomains. What’s not to love?‍

GTIG - GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use - There are some perverse incentives in the AI offsec reporting space, but very worth keeping updated on the bits of hard evidence out there. ‍

GTIG - Exposing the Undercurrent: Disrupting the GRIDTIDE Global Cyber Espionage Campaign - Actual disruption in the wild. Whether our disruption tactics overall are effective or not - that’s a bigger question, and needs to be talked about more. ‍

GTIG - Beyond the Battlefield: Threats to the Defense Industrial Base - Good review for analysts, good intro section for execs, if this area matters to you. ‍

Lots of other good reading out there this month, though, too:‍

Infoblox Threat Intel - Compromised Routers, DNS, and a TDS Hidden in Aeza Networks - One of the best DNS investigation posts I’ve ever read, and I’ve read a lot of them. Infoblox TI not only provides the results of their research, but shows in-depth steps on how to recreate it by eliciting responses from secretive recursive servers, for example. 

‍The Record - Leaked technical documents show China rehearsing cyberattacks on neighbors’ critical infrastructure - Thinking about this one in the context of Joe Slowik’s CYBERWARCON talk, which doesn’t seem to be online unfortunately. If you’re not following Joe yet, maybe start. ‍

Gitlab Threat Intelligence - GitLab Threat Intelligence Team reveals North Korean tradecraft - Excellent deep dive into both the fraudulent enterprise IT worker threat and the Contagious Interview campaign, the latter of which targets job applicants for compromise. ‍

Symantec/Carbon Black Threat Hunter Team - North Korean Lazarus Group Now Working With Medusa Ransomware - The brevity here is respectable - it’s actually a very information-dense post with some deeper implications for DPRK-targeted ecospheres.

‍‍

Research Papers and Reports

Crowdstrike - 2026 Global Threat Report - Heavy on the AI stuff, which I am always skeptical of, but I haven’t dived deeply into the guts here yet. 
‍

Tools and Resources

PulseBeat02 - yt-media-storage - Encodes any data into lossless video styles to store on Youtube, and decodes them into the original data, for exfiltration etc. I suppose if you can store a PNG on a starling, you can exfiltrate crown jewels via youtube. ‍

In the past few years, some public figures including President Donald Trump and Elon Musk began promoting investments in various crypto currencies named in their likeness or that they were prominent holders of on their social media platforms they own, Truth Social and X (formerly Twitter) respectively. $TRUMP coin for example was created on January 17, 2025 and endorsed by the official Trump Truth Social account. Likewise the $WLFI coin, in which Trump and his children are listed as co-founders and executives. $MELANIA similarly was endorsed by official Melania Trump posts on X platform. The list goes on, earning Trump the title of “Crypto President”. Elon Musk has had a longer history of high profile endorsements of crypto currency. In fact, repeated posts about pushing his viewers on X to invest in Dogecoin for example led to him calling himself the “Dogefather” on Saturday Night Live. As these figures have made posts promoting or endorsing these currencies, threat actors have begun spoofing these endorsements and promotions to trick users into crypto scams. They spoof the real social media pages and posts and promote crypto currency much like the real personas do but for their own gain.

This report documents the analysis of a cryptocurrency scam operation. The operation has been active since at least January 2025 and spans roughly 250 identified domains across multiple scam themes. Nearly all target retail crypto users, but use different approaches to get their money.

‍

Details

The investigation started with an identified set of 60 suspected scam domains sharing the same Google analytics tag ID. Upon scanning them and extracting wallet addresses from the ones that were live, we then verified those wallets against blockchain APIs, and attempted to trace the funds. That work uncovered the first campaign, a network of fake celebrity crypto giveaway sites. A shared actor wallet address and domain registration pattern then led us to a second larger set of more technical scam configurations involving fake token presale sites impersonating a wide variety of real blockchain projects.

Idol Scam Templates:

Idol scam template set is a collection of sites impersonating Elon Musk, Donald Trump, and Truth Social, all pushing the same basic pitch: send crypto and get double back. About 11 of the 60 domains were active with extractable wallets. Several share a common nameserver infrastructure at streetplug[.]me. 

On-chain, the picture was straightforward. The two most active BTC wallets received a combined ~1.5 BTC, but tracing showed all of it came from a single central funder address — not from victims. The actor was likely sending money to themselves to inflate the on-chain transaction history and make the wallets look active. A bridge address connected both wallets with a dust transaction, confirming single-actor control. Downstream, the funds moved through a 5-layer laundering pipeline ending at high-volume mixing or OTC services, some with hundreds of thousands of transactions and multiple fraud flags. One of the upstream wallets was previously reported as being owned by ChangeNow.io, a cryptocurrency swap service that allows transactions to happen wallet-to-wallet instead of involving an exchange like CoinBase or Binance. The pipeline predates this campaign. The intermediary addresses have activity going back to May 2024 with hundreds of transactions, which we suspect is an indication this infrastructure has been used for other operations previously.

We found no confirmed victim deposits in the wallets we could trace, but that doesn't mean there are no victims. The actor may use different receiving addresses than the ones displayed on the sites, or victims may exist in transaction history we couldn't access. However, what we can confirm is that the on-chain activity we traced is the actor moving their own money around.

Example scam sites “trump4u[.]org” and “trumppresent[.]top” masquerade as Truth Social posts by President Trump that purports to have signed an executive order to hand out cryptocurrency rewards to those that click the links. While it is true that President Trump has officially established a Strategic Bitcoin Reserve and a U.S. Digital Asset Stockpile, the specific posts are designed to look like related Truth Social posts to trick users into participating in a fraudulent giveaway.

Similar scam sites spoofs as a Medium platform page and masquerade as a user named “Elon Musk” such as the following screenshot of “usaevent[.]live”.

Other scam variations show Elon Musk alongside an “X” logo purportedly endorsing a Casino related site with a reward for signing up.

‍

One of the scam’s instructions:

In each of these examples, multiple layers of incentives and ploys are used to appear legitimate and pressure site visitors into being conned by the scam.. 

‍

Incentives:

‍

Fake Comments:

‍

Fake Transactions generated by code on a hardcoded interval

‍

The endgame of the scam is to convince site visitors to click on any of the three links and send money from their wallet. Links to other pages with crypto wallet addresses. 

‍

‍

Example: trumpbtc[.]top/btc/index.html from Trump variation

‍

Example: usaevent[.]live with 1musk novelty address variation

‍

Exchange Spoof / Token Presale Drain Templates:

The second style of templates use a less direct transfer style scam approach and instead masquerade as legitimate exchanges. An example is the scam site magaeth[.]bid, which impersonates MegaETH, a real Layer 2 blockchain project, using a cloned website template from bio[.]xyz. Instead of asking victims to manually send crypto, this site connects to their MetaMask wallet and initiates transactions through what looks like a smart contract interaction. Similar to the other templates, these scams also work by using various incentives to trick users into connecting their wallets. They typically appeared to use more dynamically loaded wallet exchanges instead of hardcoding like the other template examples.

The "contract" address in this example (0x134685b581EE7d987c3Caf998CA93CF31BA4Ce10) is just a regular Ethereum wallet, an EOA (Externally Owned Account) with no deployed code on any chain. The following wasn’t fully verified but we suspect the site's JavaScript constructs Web3 contract calls with a full ABI, but when those calls hit the EVM (Etherium Virtual Machine) targeting an EOA, the chain just transfers the ETH (Ether, the native cryptocurrency in Ethereum ecosystem) value and ignores the rest. The victim sees a successful transaction and thinks they bought tokens. In reality, their ETH went straight to the scammer's personal address. 

We suspect the site also has two theft mechanisms. One being a presale form that takes whatever amount the victim enters, multiplies by 0.985, and sends it to the scammer. The second being an airdrop withdrawal function that reads the victim's entire wallet balance and sends nearly all of it. If the victim doesn't have enough to be worth draining, the site tells them to deposit more first.

From this scam site, magaeth[.]bid, we suspect there were two victim transactions on Ethereum mainnet totaling 0.1521825 ETH (~$300). Both carried the buyTokens() function selector in their input data, and the first transaction's value (0.0985 ETH) matches exactly what the code would produce from a 0.1 ETH input (0.1 × 0.985). Both senders appear to be real retail users. As of finishing this investigation, the funds haven't been moved.

Expanding

Cluster 1: "X Crypto Giveaway" Template (7 domains)

These sites mimic a crypto exchange giveaway, displaying Elon Musk and/or Donald Trump branding. Victims are told to send crypto to receive double back.

‍

Three wallets use a "1musk" vanity prefix — the actor generated BTC addresses starting with "musk" to reinforce the Elon Musk impersonation. Sites share common decoy addresses in HTML (invalid/truncated strings used as visual filler).

Cluster 2: "Truth Social" Template (4 domains)

Replicate the Truth Social interface with fake posts attributed to Trump about crypto policy or giveaways.

Self-Dealing

Looking up these wallets using open services like blockchain[.]com, we can see transactions to and from the wallet addresses on the scam sites. In some cases it gives the appearance that more than 40k USD worth of transactions had been sent to or from the scammer’s wallets.

Example scammer wallet transaction history:

However, on closer inspection in chain analysis, we see these transactions are from wallets likely controlled by the scammer and are intended to trick users into thinking they are legitimate wallets.

Transaction tracing revealed the on-chain BTC activity is the actor sending money to themselves, not real victim payments.

In this example, all recent inbound transactions were from a single sender, rUg8ac5ikpTaWk5RPei8xuYkNEyUs53G1i. Both sender and scam wallet share a parent Binance hot wallet, a wallet that is connected to the internet allowing for fast trading (rDAE53VfMvftPB4ogpWGWvzkQxfht6JPxr, verified binance.com, 115M XRP). The pattern is consistent with self-transfers between Binance sub-accounts used by the scammer.

Chain Analysis

Starting from the scam wallets, funds were traced upstream (funding source) and downstream (drain destinations) through 5 layers of addresses.

Actor Wallet Pipeline:

‍

Circular flows: Drain 2 sends to Musk Drain, which sends back to Convergence Drain. Bridge sends back to Drain 2. This tangles the trail.

Bridge cross-link: The dust transaction from Bridge to Scam Wallet 2 is the definitive on-chain proof connecting both scam campaigns.

Prior activity involving what are suspected to be the scammer’s wallets suggests that this pipeline was not built for this one campaign and has considerations for larger scale.

• Convergence drain has 229 txs dating to May 2024. 
• Prior scam node bc1q0qc892... has 723 txs (transactions). 
• The intermediary, 16mJhtpey…, has 1,276 txs. 

Single-destination aggregator: 16mJhtpeyctW... has 1,276 txs but sends to exactly one address. This is either automated or purpose-built for batching before passing to a mixer.

Terminal Destinations (Suspected Mixing/Obfuscation Services)

Network Characteristics

Registration patterns and website configurations had multiple commonalities. A common google analytics tag was used across approximately 50 of the scammer’s sites as well as a registration email address.

Registration Patterns:‍

Trackers:

• Google: 
  
  • G-NK9V3KPEY4
  • G-YSMK4G52CC
  • G-5Z0ZNNED69
  • GTM-PL3G78C
  • G-R1QQ1Z50QZ
  • G-WRPVL3G32L
  • 269367857
• Matomo:
  
  • hxxps://x2025.matomo[.]cloud/
  • https://25elon.matomo[.]cloud/
• Hotjar: 4997593
• Statscounter Security: f1980b9f

Emails: 

• seunexseun[@]gmail[.]com
• juliambaldwin777[@]gmail[.]com
• ddogenews3[@]gmail[.]com
• diana.lopez88866[@]gmail[.]com
• brainyworld10[@]gmail[.]com
• fsdoplfsdopfsd[@]proton[.]me
• feliciaevanslong777[@]gmail[.]com
• ervins_cudara86[@]outlook[.]com
• konrads_celms30[@]me[.]com
• zanis_latkovska[@]aol[.]com

Website Titles:

• Elon Musk — Official BTC, ETH & DOGE Giveaway!
• Truth Social
• LitEnergy — Official Crypto Event
• NEAR Protocol | Pool Event
• MegaETH | The First Real-Time Blockchain
• Monad | The Most Performant EVM-Compatible Layer 1 Blockchain
• USA X Crypto Giveaway
• Elon Musk — X Crypto Giveaway
• Exchange | PancakeSwap
• Lottery | PancakeSwap
• Hasbulla
• Initia
• Home - Kaspa
• Earn and Borrow Crypto | World Liberty Financial
• NEAR Protocol | Pool Event
• BIO Protocol - Listing on Binance Launchpool
• BIO • Home
• Solv Protocol - Stake your Bitcoin today!
• ELSKTRADING | Welcome to ELSK Trading

MX IP: 5.189.161[.]88

The following are screenshot samples of the various scam sites associated with this activity. Notably all are overtly crypto related with one exception, an alleged virtual machine resource for AI Agents that could be “claimed” by applying from the site “avm-code[.]com”. That exception has been taken down by Cloudflare for phishing activity:

‍

‍

Conclusion

This investigation mapped a cryptocurrency scam operation spanning roughly 250 domains, two distinct theme types, and at least 24 actor-controlled wallet addresses across BTC, ETH, and XRP. The operation is suspected of being run by a Russian-speaking actor and has been active since at least January 2025.

We identified two thematic campaigns linked by a shared Ethereum wallet address and registration pattern overlaps. The first is a broad network of fake giveaway and doubler sites impersonating idolized personalities. Namely Elon Musk, Donald Trump, Truth Social, as well as various crypto projects. It is distributed across three hosting clusters including bulletproof infrastructure. The second consists of more technically advanced fake token presale sites such as megaeth[.]bid, which connects to victims' MetaMask wallets and initiates transactions that look like smart contract interactions but are actually direct transfers to the scammer's personal address.

The on-chain findings were mixed. For the giveaway sites, blockchain tracing showed the actor funding their own wallets from a central source and cycling approximately 1.5 BTC through a multi-layer laundering pipeline ending at high-volume mixing services. We found no confirmed victim deposits in those wallets. For the second themed campaign we ran down a few of the many sites such as megaeth[.]bid site, in which we confirmed two real victim transactions totaling 0.1521825 ETH (~$300). We verified both through function selector matching and value calculation alignment with the scam code. Those funds remain unmoved in the scammer's wallet.

The confirmed financial impact so far from our limited scope of chain analysis is small, roughly $300 from two victims. However,  the infrastructure tells a different story. There are hundreds of similar domains over the past year and the identified laundering pipeline has intermediary addresses with hundreds to thousands of transactions dating back to mid-2024, well before the current campaign. The terminal wallets at the end of the chain have transaction counts in the hundreds of thousands and carry multiple fraud flags from independent reporting databases. The actor registered hundreds of domains, set up hosting across multiple jurisdictions, generated vanity Bitcoin addresses, and built scam toolkits that work across Ethereum and Binance Smart Chain. This is not the infrastructure you build for $300. The operation is designed for sustained, repeatable use, and we are most likely seeing a narrow slice of its total activity.

The strongest investigative leads going forward sit outside of blockchain analysis. The Binance sub-account identified behind the 381,813 XRP wallet is a direct path to KYC records. The domain registration and hosting infrastructure, particularly the shared nameservers at streetplug[.]me and the EuroByte hosting cluster, could yield registrant details. Commercial chain analysis tools (Chainalysis, Elliptic) would likely have attributions for the terminal mixing wallets that our open-source methods couldn't resolve. The blockchain trail itself, by design, ends at services built to break traceability.

What we can say with confidence: a single actor controls both campaigns, uses Russian-language code artifacts, operates from infrastructure that spans France, Russia, and UK-based bulletproof hosting, and has built a wallet pipeline capable of handling significantly more volume than what we observed. The two confirmed victims on megaeth[.]bid are likely real people, one funded from Coinbase, the other a multichain DeFi user, who lost money to a scam disguised as a legitimate blockchain project. There are almost certainly more.

‍

IOCs

This OWASP guide popped up on my radar this week and, yes, it’s about AI. And yes, it’s entirely predictable. But what appeals to me at the moment is its predictability amidst the nondeterminism of LLM rakestepping. Catastrophic outcomes in these complex systems are foreseeable not just from today, or the day this Adversa post was published, but at least from 1984. It was in 1984 that sociologist Charles Perrow published “Normal Accidents: Living With High-Risk Technologies.” Normal Accidents had nothing to do with artificial intelligence, yet seeing how it’s being deployed today, the book now has everything to do with it. Perrow studied major industrial accidents across much of the twentieth century and isolated some important insights on unexpected catastrophic failures inevitable enough to be called Normal Accidents:

• The system is complex.
• The system is tightly coupled.
• The system has catastrophic potential.

In the agentic systems we see proposed and being implemented before us, certainly complexity plays an integral role - the dirty little secret of LLMs is that to make one useful, especially for a specialized expert task, you’re dealing with multiple layers of LLMs with varying levels of autonomy. It’s the sausage being made behind that single pane of glass most AI products pretend to be. 

We then turn to tight coupling - essentially, complex systems producing outputs that must occur in a specific order, such as a multi-stage chemical treatment process. It is the anticipated sequence - in Perrow’s words, the invariant sequence - where B must follow A, because that is the only way to make the product - that defines tight coupling. Think about the sub-tasks each Agent is charged with; pre-prompt hardening against injection attacks, shifting tone and scope of the LLM response, providing expectations to shape system output. Above that and the primary agent doing the task, you have multiple other systems working to evaluate, validate, and re-shape output before it’s pushed to the surface agent, who relays it to you. Should those multiple subsystems interact in varied ways or orders, the output is necessarily - perhaps catastrophically - affected.

Catastrophic potential is mostly self-evident, but let us take a specific example: the modern Security Operations Center, or SOC. Perrow’s book provides multiple corollary environments - think a Nuclear Power operations center full of sensors, monitors, and potential alerts. Or the cockpit of a commercial airplane, which had seen much more automation in the decades prior to 1984 and provided starkly relevant examples of alert and attention issues at critical moments. Indeed, we see SOC failures in some of the biggest hacks on record, where alerts are missed or disregarded, leading to major systemic damage.

So in the SOC we have a complex, tightly-coupled system with catastrophic potential. “The essence of the Normal Accident,” Perrow wrote, is “the interaction of multiple failures that are not in a direct operational sequence.” That is, system components interacting in sequences and ways not only unexpected, but “incomprehensible” during the incident, often leading to much worse outcomes. 

And what do we do, 42 years after Normal Accidents’ release? We add a complex, relatively tightly-coupled system of agents to a complex, certainly tightly-coupled system with catastrophic potential called the Security Operations Center. And not only that, but a system of agents fundamentally empowered by their own nondeterministic nature. 

“What distinguishes these [system component] interactions,” Perrow wrote, “is that they were not designed into the system by anybody; no one intended them to be linked. They baffle us because we acted in terms of our own designs of a world that we expected to exist - but the world was different.”

In the rush to the AI/Agentic SOC, expect many Normal Accidents.

Podcasts

• ‍ChinaTalk - Richard Danzig on AI and Cyber - Danzig’s published “Artificial Intelligence, Cybersecurity, and National Security: The Fierce Urgency of Now” over at RAND, and sat down for a good interview with the ChinaTalk folks. I may not agree with all points raised, but the conversation is a very well-informed and thoughtful one.‍

Articles

• ‍CERT Polska - Energy Sector Incident Report - If you’re reading this list, you’ve probably already seen this, but linking in case that’s untrue. Probably the best of the recent resources around the Polish energy grid incident, and worth becoming familiar with. Also good writeups by Kim Zetter here, here, and here.‍
• ‍UK Defence Journal - Iranian-linked Scottish accounts fall silent again - Social media accounts that posed as supporters of Scottish Independence once again fell silent amidst the Iranian internet blackout. Fun little detection, if not necessarily a fine one.‍
• ‍TechCrunch - Fintech firm Marquis blames hack at firewall provider SonicWall for its data breach - I expect this to go nowhere, but it’s certainly an interesting push that the likes of Ivanti, Fortinet, and Palo Alto will also be eyeing nervously. ‍
• ‍Greynoise - -f Around and Find Out: 18 Hours of Unsolicited Telnet Houseguests - Telnet? What year is it?!?! All kidding aside, Greynoise is making some fascinating moves lately, and as much of an AI skeptic as I am, hrbmstr’s experiments with AI analysis show some real value there. ‍
• ‍APNIC - What we learned from 63,000 attacks in 12 days on APNIC Honeynet sensors at University of Dhaka - “In just twelve days, our sensor was hit 63,247 times by 4,262 unique source IPs, including five unique IP addresses from Bangladesh. Fourteen of those led to malware download attempts. The time to first attack was less than one hour, and we averaged ~5,270 attacks every single day!” - Not groundbreaking, but another eye-opening bit of research showing with data just how dangerous the internet can be, packet-wise. Good work and writeup on their part.‍
• ‍Resecurity - Cyber Counterintelligence: When “Shiny Objects” Trick “Shiny Hunters” - Resecurity published some great coups between December and January, and have gone on my must-read feeds list as a result. ‍

Research Papers and Reports

• ‍GTIG - No Place Like Home Network: Disrupting the World's Largest Residential Proxy Network - Good work by Google taking down the IPIDEA proxy networks, but a lot remains to be done. 

A malicious actor has created several domain masquerades of small companies posing as job boards, interview themes, and login pages since approximately August 2025. The activity appears to have two distinct objectives. The first is a credential harvesting scheme targeting ID.me accounts — the official identity provider for US government services like the IRS and SSA — which may then be exploited to facilitate financial fraud, including tax refund theft and fraudulent unemployment benefits. The second cluster focuses on malware delivery, tricking job seekers via fake Microsoft Teams meeting invites to download a malicious, unsigned variant of the remote access tool Connectwise. This gives the attacker access to the victim’s machine where they may conduct follow-on attacks.

Registration Commonalities

• Nameserver: namecheaphosting.com
• IP ISP: Namecheap Inc.
• Mail Server Domain
  
  • privateemail.com
  • jellyfish.systems
• SSL Issuer: Sectigo
• Registrar: NameCheap Inc.
• Server Type: Microsoft

‍

ID.me Credential Harvesting

clock-towerrealty[.]org
apply-untide[.]rentals

The site purports to be a United Rentals Careers portal and uses legitimate links and site content loaded from the real site, jobs.unitedrentals[.]com.

‍

The two buttons on the top right for “Continue Application” and “APPLY HERE” direct to another actor owned domain, clock-towerrealty[.]org. 
‍

http[:]//clock-towerrealty[.]org/APPLY/?ff_landing=13 Continue Application
https[:]//clock-towerrealty[.]org/APPLY/?ff_landing=10 APPLY HERE

The code for clock-towerrealty[.]org contains a credential harvester designed to look like a legitimate corporate portal. This appears to be a brand spoof but not a website spoof of the real entity, Clock Tower Realty in Florida, USA.

The malicious domain is using a cheaply registered WordPress site to trick job seekers into providing their email and password. Credentials being targeted are ID.me. If a scammer gets ID.me credentials, they could potentially perform unauthorized logins to steal tax refunds, apply for fraudulent unemployment benefits, or take over Social Security accounts.

When a user clicks the "Sign In" button after entering their information, the data is sent to admin-ajax.php, suggesting the stolen credentials are being stored in the WordPress SQL database.

https[:]//clock-towerrealty[.]org/APPLY/wp-admin/admin-ajax.php

The site also has a preloaded error message loaded initially - a basic deception to trick users into entering credentials.

```
<p class="alert alert-error" role="alert">
  <span style="color: #ff0000">* <span style="color: #000000">Try Again. </span></span>
  <span style="color: #ff0000"><span style="color: #000000">The email or password you entered is incorrect.</span></span>
</p>
```

This site, strangely, uses images with the following filenames:

• WhatsApp-Image-2026-01-16-at-12.23.50-PM-300x117.jpeg
• WhatsApp-Image-2026-01-16-at-12.25.04-PM.jpeg

These scammers may have taken screenshots of legitimate company logos and sent them via WhatsApp during the development of the scam, hence the file names “WhatsApp-Image”. Seeing "WhatsApp-Image" in a site's source code is a strong indicator that the site is fraudulent. Legitimate companies like United Rentals have dedicated IT departments. 

The site is instrumented for marketing and behavior tracking using the Google Tag Manager (GTM) ID “GTM-T75PDC7R”,which appears on multiple other actor-controlled sites created between 2025-08 and 2026-01 that feature the same type of scam.

Website Title:  Careers | United Rentals
GTM-T75PDC7R
clock-towerrealty[.]org
apply-untide[.]rentals
from-unietd[.]rentals
frosm-unitde[.]rentals
from-united[.]rentals
forms-unitde[.]rentals
froms-united[.]rentals

Malware Delivery

Other domains suspected of being in an associated cluster of activity were also identified masquerading as legitimate small company brands with job interview meeting invites. However, these domains do not simply attempt to steal credentials through fake logon pages. Instead, they deliver a malicious Windows installation file that provides remote access to the compromised machine.

Initial phishing domain: mlcrsoftedge[.]com. The site itself purports to be and links to https[:]//lsxconstructions[.]com/, a seemingly legitimate construction company website, which was created 2025-02-01 and redirects to lsxconstruction[.]com. 
‍

‍

When users receive the meeting invite and click the "Join Meeting" button, they unknowingly initiate a download of a modified, unsigned installation file for Connectwise, a remote access tool.

https[:]//mlcrsoftedge[.]com/downloads/LSXCMeets.msi
LSXCMeets.msi
4107f8e0d6597866d4beb7c30718935353782dc7e199d3956fd10c8456383feb

Bundled files such as 7027b69ab6ebc9f3f7d2f6c800793fde2a057b76010d8cfd831cf440371b2b23 are linked to multiple reports of impersonation attacks and Connectwise phishing campaigns going back to 2025-04-23. The majority of the recent activity appears to have started around 2025-11.
‍

Conclusion

The identified phishing activities use domain masquerades with a job theme and consist of two distinct attack types. One focuses on harvesting ID.me credentials, which are used to access government services (IRS, SSA, VA) and facilitate financial fraud. The second delivers a malicious, unsigned remote access tool (Connectwise) disguised as a Microsoft Teams link, resulting in system compromise. While there’s no definitive evidence the two clusters are linked to the same actor, the registration patterns, themes – specifically, masquerading as small companies – and timeframe appear highly correlative.
‍

IOCs

mlcrsoftedge[.]com
clock-towerrealty[.]org
apply-untide[.]rentals
from-unietd[.]rentals
frosm-unitde[.]rentals
from-united[.]rentals
forms-unitde[.]rentals
froms-united[.]rentals
Sha256: 4107f8e0d6597866d4beb7c30718935353782dc7e199d3956fd10c8456383feb
Google Tag Manager: GTM-T75PDC7R

‍

Before trying out your new year luck, be wary of online gambling apps and real money games. This report details an investigation into multiple clusters of dubious Android applications created in the past few weeks that are engaged in predatory gambling and real money gaming apps. Notably, these are not registered apps. They are intentionally misleading users into thinking they are legitimate and reputable through multiple tactics like spoofing the Google Play Store, creating fake reviews, generating fake public win declarations, and creating entire brands with marketing campaigns and broad distribution tactics. These clusters also attempt to evade detection and analysis by having post install code and configuration retrievals from actor controlled sites, which serve a dual purpose of distributing region specific content to users post installation.

The report is segmented into three distinct infrastructure clusters. Each cluster appears to target a general set of countries including Nigeria, India, Pakistan, and the Philippines. They also appear to have non-region specific user base targeting, including English, Portuguese, and Bengali speaking users. Despite the wide range of targets, the clusters share a common theme of mobile-focused gaming or gamified gambling apps to attract users for financial gain.

Details

The three clusters spoof the Google Play Store with fake app reviews and downloadable Android applications. Clusters 1 and 2 involve Android application delivery campaigns that utilize the Cocos2d game engine to obfuscate code setup,load external code and configuration details, and send device and user telemetry to actor controlled domains. These applications are distributed via hundreds of websites spoofing as Google Play Store installation pages with fake reviews. Search Engine Optimization (SEO) manipulation techniques are used to drive traffic to these sites.

Cluster 1: AA Game: Aviator

Approximately 180 domains since March, 2025,170 of which were first seen on 2025-12-14. They host nearly identical websites and serve primarily the same APK file with a few exceptions in older versions. The apps appear to feature crash-gambling mechanics, a style of game where users attempt to collect as much money as possible before the game crashes. 

‍

‍

The reviews are clearly fake. They are hardcoded into the HTML, there are multiple identical reviews under different names, and they all share the exact same review id such as “data-review-id="13dc2fa2-4acc-4923-8a55-be2f20d1841a". In a real database, every review has a unique ID. Here, the scammers just copied and pasted the same HTML template.

‍

“Aviator” games are also commonly used themes for unregulated, illegal gambling crash style games. The example app above uses terms like “Get Rich”, and has fake reviews like “I also get rich as a result!” and “Because I made more money than you can imagine!". Legitimate apps on the Play Store are strictly regulated; Google does not allow apps to promise that you will "get rich." These are social engineering tactics used to play on people's desire for easy money.

‍

Brief details of connective tissue

Baidu Tracking ID: 49521a05cd400ce694691ca2cfd38453

IP ISP: Defender Cloud International LLC

Registrar: 

• Metaregistrar BV
• Bangning Digital Technology Co.,Ltd

Name Server Domain: share-dns[.]net, share-dns[.]com

Server Type: nginx

SSL Hashes

• bc1f466a2c1c4b885adac674e39e8fe22d26d4a5
• b9e8c8b5ddba6935c82fd5e192e4171d005b0d8c
• 134a16bfde5eb4d3908a53aa9a18a50c7b129c29

Website Title: AA Game:Aviator - Apps on Google Play

‍

AA: Aviator Application‍

AAGame-new523y.apk
3860ffaa621b26c742dcfce52b916ddad6f7f4056045a0fadaf3434fc978c9ad
6da17544754706b86042b1646b6ae7101b549f539b69c5be5b68594cd9cfa969
83332d680ed84f222a5b9f2085b4fa9523e98c80d65eeecde6d4cb65d3075110
32a7c4a4dc4b14988adfa65a1c5d55df2ca39852c5e7aa61187df306436f58d7

india-aagame-7000003.apk
9a7495bb56e05389c00e4702a53eed6d946d265b20be766c92ef15e00d69ca6b

‍

A defining characteristic of these applications is the use of the Cocos2d framework. In this model, the Android Java layer (DEX) acts as a minimal host for a native C++ engine (libcocos.so), which in turn executes encrypted, compiled JavaScript code.

‍

Although some of the analyzed application’s code paths and text suggested they were targeting Nigerian based users, there were also samples focused on the Indian rupee (INR). Though remnants of what could be past regional targeting were observed, it's unclear if a specific user base is currently being targeted in this cluster.

Analysis of an older development variant of the Android application revealed a module called hall_marqueen. This module is hard-coded to generate fake withdrawal notifications, creating the illusion of a highly active and profitable user base:

code JavaScript
downloadcontent_copy
expand_less
   setHallLabelText() {
    let e = "";
    // 5% chance of a "realistic" name, 95% chance of a generic "UserXXXXX"
    if (p.instance.getIntRandom(0, 20) > 19)
        e = p.instance.getRandomName();
    else {
        let t = p.instance.getIntRandom(0, 3e5).toString();
        while (t.length < 5) t = "0" + t;
        e = "User" + t;
    }
    
    // Randomized fake withdrawal amounts
    let t = ["100", "200", "500", "1000", "5000", "10000", "20000"];
    const n = Math.floor(Math.random() * t.length);
    return e + " successfully withdraws ₹" + t[n];
}

Cluster 2: DK777 

Cluster 2 is a more generalized gambling Android app delivery. Sixteen domains registered on the same day host similar websites spoofing the Google Play store to deliver the same APK file. The application "DK777" features slots and multi-game halls, with visual assets emphasizing "big wins" and "jackpots”. The application also uses a Cocos2d framework with a more complex range of obfuscation techniques, including over 1,000 obfuscated files within the application’s classes dex file and 50+ encrypted JSC files. Multiple presumably actor-controlled sites with backups were identified that are used to send device telemetry and retrieve additional configuration and code for execution. Some of the configurations were set to use the Pakistani rupee. Languages in the apps included English, Portuguese, and Bengali.

Initial delivery domains spoof the Google Play Store for DK777 Android app delivery, including the following:

‍

‍

Brief details of connective tissue

ISP: CloudFlare Inc.

Registrar: 

• Metaregistrar BV
• Gname[.]com Pte. Ltd.

Name Server Domain: cloudflare[.]com

Website Title: DK777 – Apps on Google Play

All the initial delivery domains download the same APK. 

DK777_1000.apk
7da0e56d4c0669647aec7ea3645b882b793d4de20ab14718d4d6698fe9b3b8a2 

The app retrieves external code and configuration details from actor-controlled domains.

All six domains were registered the same day (2025-12-08) with similar registration and hosting configurations. Pivoting on these configurations revealed over 120 other domains dating back to as early as 2022-01 with similar gambling themes, including "192bet[.]com" and "pak111[.]com". 

‍

Cluster 3: LG Sabong

This cluster has approximately 196 domains. The bulk of registrations occurred between November and 2025-12 with related domains observed as early as 2025-05. The websites have aspects suggesting some localization for Filipino-speaking users. The nomenclature "Sabong" (cockfighting) suggests a focus on a culturally specific gambling market in the Philippines, while some variations of the randomized display images use the Filipino language.

Brief details of connective tissue‍

Google Tag Manager: GTM-M899ZXM

ISP: CloudFlare Inc.

Registrar: Dynadot Inc

Name Server Domain: cloudflare[.]com

Server Type: AliyunOSS

Website Title:

• LG - Apps
• LGParty - Apps
• LGParty - Apps on Google Play

‍

The sites use a "Cloaking" or "Bridge Page" system typically used in the gambling industry to bypass ad platform restrictions (like Facebook or Google Ads).

The code does not build a real functional website with buttons and text. Instead, it renders a hardcoded "lgpartyShareLand" component, which are PNG images displayed as the site content. These images are randomly selected during page load from two arrays stored on an Aliyun (Alibaba Cloud) server. There are 12 different sets of images for "LGParty" and 9 sets for "LG111". This is likely done so that ad reviewers see different "innocent" versions of the page, making it harder for automated bots to flag the site as a gambling portal.Deceptive Asset URLs

• https[:]//static.lg1313abcwsx[.]com/googleInstall/lgparty_shareland_[1-12].png
• https[:]//static.lg1313abcwsx[.]com/site/ind/shareLand/page_[1-9].png

The images display download or install buttons, but the entire site is set up as an onClick event wrapper, which triggers a jumpHander function. The jumpHander does three things:

1. Generates or retrieves a fbFingerId (Facebook Fingerprint ID) and stores it in the user’s localStorage
2. Runs a Facebook Pixel event (PageView and ClickLand) to track that a "lead" clicked the ad.
3. Redirects the user’s browser to a new URL, often to open a "Google Play" style link or an "intent" (to force open the browser on Android) to a subdomain like: https://pllay-godgle.{actor domain}.com

In the redirect action, the system uses "Jump Links" to move the user from the "Bridge Page" (the fake UI) to the actual malicious payload.

‍

var o = "https://pllay-godgle.".concat(location.hostname).concat(location.search);

return "intent://".concat(e.replace(/^https?:\/\//, ""), "#Intent;scheme=").concat(a, ";package=com.android.chrome;end")

The final goal is to force the installation of a "Waistcoat" APK. The script contains a utility function to trigger a silent download and communicates with a backend API at /x2/lg-waistcoat/delivery/. The term "waistcoat" (马甲包) is a Chinese industry term for "shell apps" or "wrapper apps" — fake apps used to hide gambling content inside an innocent-looking shell to get past Apple/Google app store reviewers.

‍

APK Filename: Dynamically generated as LGParty.apk or LG111.apk depending on the site configuration.

Download URL Pattern: https://apk-[current-domain]/apks/[siteName].apk?_ts=[timestamp]

Execution Logic: The code creates a hidden anchor element (__apk_dl_anchor__), sets the download attribute, and programmatically clicks it:

function c() {
    var e = "".concat(o.Z.siteName, ".apk"); // "LGParty.apk"
    var a = "https://apk-".concat(location.host, "/apks/").concat(o.Z.siteName, ".apk");
    var n = document.createElement("a");
    n.id = "__apk_dl_anchor__";
    n.href = a;
    n.download = e;
    n.click(); // Triggers immediate browser download
}

The goal is likely application side-loading. Google Play Store policy is quite clear on gambling and real money apps. They must have licenses to operate and complete an application process to be approved among other requirements. Because Google Play Store bans or prevents unlicensed or fraudulent real-money and gambling apps, groups may use "Waistcoat" (shell) pages, images, and fake Play Store UIs to trick the user into downloading a "verified" file from the real Play Store while trying to avoid detection. Once the .apk is installed, the app likely shows an innocent game (like a flight sim or puzzle) until it connects to its server, which can then flip a switch to load in and show the actual illegal gambling interface. In the case of these clusters, the external code update functionality suggests they were or could be used in this manner but there were no identified apps currently in the legitimate Google Play Store. 
‍

‍

Broader Outlook and Trend Analysis

The architecture observed here, specifically the Cocos2d native bridge combined with bytecode encryption, is a hallmark of "Shell" applications used in financial fraud. By separating the distribution (spoofed websites) from the logic (encrypted JavaScript), threat actors can pivot regional themes (India vs. Philippines) with minimal changes to the underlying technical framework. With Clusters 1 and 2, this appeared to be the case as the applications sent device telemetry to external servers, then retrieved and loaded configuration and code from those external actor-controlled domains at runtime. It is suspected that both clusters operated with regional and device profile-based configurations. These configurations also enable the actor to change the behavior of the application at any time to load in malicious code after installation. 

While there is no direct attribution identified thus far, this pattern has previously been associated with professional syndicates operating out of Southeast  Asia that manage high-volume gambling and investment scams.

The core strategy relies on delivering illegitimate applications that deceive users into trusting them. This is accomplished through various deceptive tactics, including the spoofing of the Google Play Store, the fabrication of social proof such as reviews and win declarations, and the establishment of dedicated brand identities with widespread distribution. A key feature of these operations is the attempt to evade analysis by utilizing post-installation code and configuration fetched from actor-controlled domains. 

While the applications do not appear to be overtly malicious in nature, as with typical malware granting remote access to user’s devices or stealing credentials, these applications pose as gambling and real money games with no regulation, oversight, or legitimacy. They can and likely do manipulate the gambling app behaviors such as having rigged results or non randomized outcomes.

Security Advice and Conclusion

This campaign highlights the critical role of managed app stores in the mobile ecosystem.

1. Sideloading Risks: The primary defense against these campaigns is avoiding APK installations from non-standard sources. These apps require sideloading specifically because their core logic — such as the fake marquee module — would be flagged by the automated and manual review processes of legitimate stores such as Google Play Store.
2. Fabricated Social Proof: Users should be informed that download counts, ratings, and reviews on spoofed websites are cosmetic HTML elements and do not reflect the application's actual standing or security.
3. Managed Environments: Organizations should leverage Managed Google Play or Mobile Device Management (MDM) solutions to restrict the installation of apps from untrusted sources, as the "hot-update" capabilities of these frameworks allow an app to change its behavior entirely after it has been installed.

‍

IOCs

Cluster 1: AA Aviator Game

‍

Cluster 2: DK777 Related Apps

‍

Cluster 3: LG Sabong App

I know I’m not the only one that flinched when a Log4j vulnerability dropped on the Thursday before Christmas. That it’s only a 6.3 allowed me to breathe again, but only shallowly.

Long before security, I spent my days in a 911 dispatch room soloing emergency calls and coordinating the response. The overlaps between that and cyber incident response are many, but two are worth calling out today. The first is that both types of response require forming an elaborate mental map of the emergency. And the second is that both types of response aren’t embodied; you’re at a workstation, processing and integrating in real time, but without the ability to physically release the tension involved.

The lack of physical embodiment is one of the reasons 911 calls can stick with you. Recall down to the waver in someone’s voice or something you think you heard in the background can be excruciatingly intimate and precise; the slosh of water in a tub, or the bark of an unrelated dog. And anchored to the desk as you are, there is no way to work the tension out of your body at the time. You learn to sit with it, and in turn the memories sit with you.

Some cyber incident response scenarios play out similarly. We can thrive on the tension, we can perform in near-superhuman ways across parallel tasks of critical importance for an extended period of time, we can love the thrill of pressure and the satisfied exhaustion of knowing how we handled it. But it all takes a toll, and that toll can stick with you.

We ignored it for a long time in Emergency Services, and in some ways still do. But it also resulted in the establishment of mechanisms like Critical Incident Stress Debriefing, mutually supportive ways to blow off steam while acknowledging the incident, and more. Many of us working remote, though, struggle more because the work desk hangs around our neck like an albatross, and we toss it as far as possible once the work day ends. But the stress of those incidents isn’t dealt with, and the mental and physical fatigue make after-hours efforts seem impossible.

Gauge how you and your team handle incidents. Figure out if you leave the stress in your body, or if you can find a way to work it out. It’s even more critical maintenance than replacing spinning disks – because when your stress response systems start throwing errors, they’re much harder to resolve.

Take care of yourselves out there. Take care of each other. We are all we’ve got.

Podcasts

Cyberwire – Root access to the great firewall – DomainTools Head of Investigations Daniel Schwalbe interviewed on our Great Firewall series. Definitely worth a listen – just editing these pieces kept me up at night, given the impact of realizations about the technologies behind the Great Firewall.

Articles

Intezer – Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs – Excellent find by Intezer, accompanied by a good writeup from Reuters. Only read after your coffee and when you’re prepared for statements like “An XLL is a native Windows DLL that Excel loads as an add-in, allowing it to execute arbitrary code” because I was not ready.

Infoblox – Parked Domains Become Weapons with Direct Search Advertising – More great work with an accompanying writeup by Brian Krebs. Parked Domains continue to be one of the most common threats I see in day-to-day hunting, so it’s good to see research in this area.

DomainTools Investigations – The APT35 Dump Episode 4: Leaking The Backstage Pass To An Iranian Intelligence Operation – The next in our APT35/Charming Kitten series, with some of the strongest writing I’ve seen from our team yet. Several phrases are going to stick with me for a while, but especially “the banality of intrusion.” The depth and breadth of bureaucracy involved is sort of amazing compared to other models.

Greynoise Intelligence – React2Shell research – Greynoise has assembled a boatload of supplemental data on their github for folks defending against the React2Shell vulnerability, or those looking to hunt for exploiters. C2 IPs and domains, full payloads, hashes, and more. Lots of credit goes to Greynoise for providing this to the community.

Research Papers and Reports

GA Tech et al – From Concealment to Exposure – Understanding the Lifecycle and Infrastructure of APT domains – Some incredibly important points here as far as domains being aged, IP/DNS changes prior to public disclosure causing defender issues, a need for much longer log retention than most organizations consider, and more.

koenvh – DNS over rsync – Yes, you read that right. No, I won’t take it back, and you can’t make me. I saw it so you have to see it too, I don’t make the rules. It’s not the most cursed protocol I’ve ever seen, but it’s close.

Entertainment

The Onion – Study Finds 80% Of Americans Lack Social Connections To Pull Off Heist – Something tells me the readership for this list probably skews much further toward being able to crew a heist with their network, but that’s just a guess.

‍

Since May 2025, an attacker targeting Booking[.]com customers has generated nearly 1,000 spoofed booking and hotel reservation domains. The attackers appear to be compromising hotel booking management accounts to target Booking[.]com customers directly through the platform’s official messaging channels. By sending urgent “verify or cancel” notifications, they direct victims to external phishing sites that dynamically load the traveler’s actual reservation details to steal payment information.

Details

Attack Breakdown

The attack began by compromising hotel booking accounts. Though the specifics are as of yet unknown, it is likely this activity is a tied to attacks reported in November 2025 by Sekoia.io, dubbed the “I Paid Twice” phishing campaign. Sekoia labs suspected the attacker targeted hotel staff to steal credentials for booking platforms. A question remains if the attacker targeting hotels is the same one operating the phishing kits to target the hotel’s customers. Sekoia noted that such stolen hotel booking credentials are sold on Russian-language forums for under $5,000 each. Furthermore, while we found no direct links, a Microsoft STORM-1865 report shares many of the same characteristics with exception of an identified malware delivery component.

Once the attacker obtained these credentials, they then used that access to send lures to the hotel’s customers through Booking[.]com’s services. The victim receives a Booking app message and email from Booking[.]com with a message that they need to update their booking information within 8 hours or risk having their booking cancelled. If the user responds to the message, the attacker sends a URL to an attacker-owned domain with a customer-specific tracker ID.

On the attacker’s website it first presents a fake CloudFlare “Confirm that you are human” checkbox.

In fact, the main page loads an iframe containing the fake button and starts a timer to ask the server if the user has clicked yet.

Upon clicking the fake verification button, the site reloads, taking the customer’s booking ID from the URL and matching it against the data they stole from the hotel. The phishing page is dynamically generated to look like Booking[.]com hotel booking forms. The page is populated with the reservation hotel details and check in date. The victim is lured into re-entering their personal contact details including name, email and phone number.

Subsequently they are asked to re-enter their payment information for the hotel booking.

This appears to be the end goal of the attack, to retrieve contact info and payment information. Normally, we might expect this level of effort and ability to leverage trusted business relationships to attempt to distribute malware such as NetSupport RAT, but as of writing this investigation, the goal of the attack appeared limited to payment information harvesting.

Phishing Web Kit

The filepaths and scripts suggested the attack may involve Scraper/Interceptor kits, which are used almost exclusively for Booking[.]com and Airbnb scams.  Such kits are often associated with the Telekopye toolkit or the “U-Admin” ecosystem (Russian-origin phishing-as-a-service).

Common filepaths for the webkit:

• /dist/sites/ALL/booking/favicon.ico
• /dist/booking/booking/styles-new4.css
• /dist/booking/booking/submit-new8.js

It also uses a polling Ajax endpoint with a specific set of PHP files to synchronize the victim’s browser with the attacker’s control panel:

• /ajax/captcha.php (The “Check” stage)
• /ajax/payment_card_status.php (The “Redirect” controller)
• /ajax/user_send_status.php (The “Progress” tracker)
• /ajax/change_language.php

This specific naming convention(payment_card_status.php) is a known signature of the “Drainer” or “InfoStealer” variants of the Booking[.]com phishing kit.

However, the sites investigated appeared to use a database of stolen booking information from Booking[.]com and used it to dynamically populate pages for each victim. These factors suggest the attacker is using frankenstein code partially from a common Booking web kit to dynamically load victim specific information.

Domain Infrastructure

One of the domains resolved to “80.64.19[.]92”, which has several overlaps with “77.83.207[.]34” including the following:

• host TLS fingerprint host.services.tls.fingerprint_sha256
  • Ac410155847201fd764f6c56a40c7e2de7c632e22dc97a5a3dffdd7894d69c69
• host.services.ssh.server_host_key.fingerprint_sha256
  • b27da9759a8f931abb34cf1a4b04aeb7979d89504f791afc28e7116288b38728

Both of the IP addresses above are based in Moscow, Russia and are seen hosting the same services from Debian Linux operating systems: Proftpd Project Proftpd, Exim, Isc Bind, F5 Nginx, Dovecot

The strong link between both IP addresses is notable as the “77.83.207[.]34” has resolved over 370 domains since May 2025 that spoof hotel and confirmation related themes, and those domains have unique emails and registrant names exposed in the registration details.

The registrant email addresses link additional IP addresses resolving large numbers of similar domain name patterns in the same timeframe including “91.92.46[.]181” with another 358 domains and “172.86.75[.]75” with 41 domains.

In a few cases domains were previously seen spoofing as Booking[.]com in December 2024 including the following two now reused in 2025 for similar purposes:

• fastchek-by-booking[.]com
• check-via-booking[.]com

Dominant Themes by Frequency (Themes May Overlap)

Primary Spoofed Entity: Booking[.]com

Specific Properties Being Impersonated

Conclusion

This campaign abuses trust relationships within the hospitality supply chain. By leveraging compromised hotel credentials to send messages through authenticated Booking[.]com channels, threat actors bypass standard email security gateways and user vigilance.

For defenders, the primary detection opportunities may lie in the distinct infrastructure patterns rather than the delivery mechanism. While the current objective appears limited to financial fraud, the actors’ established foothold within hotel administrative portals presents a significant latent risk for lateral movement or the deployment of persistent malware (e.g., NetSupport RAT) in future campaigns. The apparent theft of customer booking information also presents a latent risk to customers for follow on phishing attacks.

A question remains, why have Booking[.]com and affected Hotel chains been silent? The answer may be that Booking[.]com legally positions itself as an intermediary and may argue that the hotel is responsible for their own poor security.

What Victims Should Do

If you have received a suspicious message or believe you may have been compromised:

• Contact the Hotel Directly: Call the hotel using a number from Google Maps (not the one in the suspicious message) to verify if the request is legitimate.

• Check the URL: Genuine Booking[.]com payments occur only on Booking[.]com. Any other URL (e.g., booking-secure-verify.com or hotel-reservation-check.com) is a scam.
• Initiate a Chargeback: If you paid, immediately call your bank. Report the transaction as “fraud due to a compromised merchant account,” not just a billing dispute.
• Secure Your Accounts: Change your Booking[.]com password and enable Two-Factor Authentication (2FA). If you reused that password elsewhere, change it there too.
• Ignore “Recovery” Scams: Be wary of third-party services or random social media accounts claiming they can “recover” your lost funds; these are often secondary scams targeting already vulnerable victims.

Third-Party Platform Risks & Mitigation

This campaign highlights an architectural weakness in the hospitality sector: the operational dependency on third-party platforms (like Booking[.]com) that may not provide enterprise-grade security controls. Hotels are effectively granting “trusted insider” status to external vendors without the ability to enforce internal security policies on those platforms such as the following:

• Session Kill Switches: The inability for admins to monitor and force-terminate sessions.
• Granular Outbound Filtering: The lack of controls to block sessions from sending unapproved URLs to guests.
• Strict Access Control: The absence of IP-allowlisting to restrict login access solely to the hotel’s physical network.

Since hotels cannot force third parties like Booking[.]com to change its architecture or take on specific security liabilities or guarantees for the hotel’s use of their services, the best strategy may be to treat them as an untrusted environment. The most practical defense may be to abstract the user interface away from the staff through your Property Management System (PMS) where more granular controls may be implemented.

IOCs

A full list of IOCs can be found on our GitHub.

Domain Name Regexp Patterns

confirmation-id\d+\.(com|world|click)verif(y)?gu[ea]st\d+-booking\.comcard(verif(y)?|id)\d*-booking\.(cconfirmation-id\d+\.(com|world|click)
verif(y)?gu[ea]st\d+-booking\.com
card(verif(y)?|id)\d*-booking\.(com|world)
[a-z]+-[a-z]+-[a-z]+\.(icu|click)
.*-booking\.com$

confirmation-id081277[.]com
confirmation-id081273[.]com
confirmation-id081299[.]com
confirmation-id155632[.]com
confirmation-id755632[.]com
confirmation-id897923[.]com
confirmation-id196632[.]com
confirmation-id78443[.]com
confirm-reserve[.]com
confirmation-one[.]click
verifyguets3438-booking[.]com
verify-details574[.]world
bookedehotelle2025[.]com
verifyguets25148-booking[.]com
verifyguets24111-booking[.]com
verifyguets84511-booking[.]com
verifyguets71561-booking[.]com
confirmation-id871234[.]com
verifyguets74341-booking[.]com
confirmation-id72694[.]com
verifyguets67841-booking[.]com
verifyguets12410-booking[.]com
confirmation-id784417[.]com
….

‍