Historical OSINT – Massive Black Hat SEO Campaign Spotted in the Wild

Cybercriminals continue actively launching fraudulent and malicious blackhat SEO campaigns further acquiring legitimate traffic for the purpose of converting it into malware-infected hosts further spreading malicious software potentially compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious software.

We’ve recently intercepted a currently active malicious blackhat SEO campaign serving scareware to socially engineered users with the cybercriminals behind it earning fraudulent revenue largely relying on the utilization of an affiliate-network based revenue-sharing scheme.

In this post we’ll profile the campaign, provide actionable intelligence on the infrastructure behind it, and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Known malicious domains known to have participated in the campaign:
hxxp://doremisan7.net?uid=213&pid=3&ttl=319455a3f86 –

Known malicious redirector known to have participated in the campaign:
hxxp://marketcoms.cn/?pid=123&sid=8ec7ca&uid=213&isRedirected=1 – – Email: JeremyLRademacher@live.com

Related malicious domains known to have been parked within the same malicious IP (

Known malicious domains known to have participated in the campaign:
VilWWenGOIo6THodjXoGJdpqmikpVuaGVvZG1kbV%2FEkKE%3D –

hxxp://yourspywarescan15.com/scan1/?pid=123&engine=pXT3wjTuNjYzLjE3Ny4xNTMmdGltZT0xMjUxMYkNPAFO –

Sample detection rate for sample malware:
MD5: 3d448b584d52c6a6a45ff369d839eb06
MD5: 54f671bb9283bf4dfdf3c891fd9cd700

We’ll continue monitoring the campaign and post updates as soon as new developments take place.

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *