Discover and read the best of Twitter Threads about #TA569

Most recents (2)

1/ Part of the script used by #TA569 (Initial Access Broker) to inject the Keitaro TDS code into compromised sites 🚩

In this variant, if the IP is correct and the red_ok cookie is not declared, the injection is shown and the infection flow continues until #SocGholish or others.

2/ Two #KeitaroTDS domains in use by #TA569:
- jqueryns[.]com
- jqscr[.]com "new"

In the IP of the latter there is also the domain jqueryj[.]com with a panel that at first sight I cannot recognize 🧐 but is some kind of bot/stealer/clipper, very likely related. / @ViriBack

3/ To get an idea of the scope, if we search on publicwww for the domain "jqueryns[.]com" we get 2196 infected sites, for the domain "jqscr[.]com" we get another 196 compromised sites so far.

- publicwww.com/websites/%22jq…
- publicwww.com/websites/%22jq…

More results in Google too 🤦‍♂️

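A defender-side check for the thread above, added here as an example and not code from the thread's author: it parses a page's HTML and reports `<script>` elements loaded from the two Keitaro TDS domains the thread lists, including their subdomains. The function names and the sample page are assumptions constructed for illustration; the indicators stay defanged in the source and are refanged only in memory.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators exactly as defanged in the thread; refanged only in memory.
DEFANGED_TDS_DOMAINS = ["jqueryns[.]com", "jqscr[.]com"]


def refang(indicator):
    """Turn a defanged indicator (dots written as [.]) back into a hostname."""
    return indicator.replace("[.]", ".").lower()


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_tds_scripts(html, defanged=DEFANGED_TDS_DOMAINS):
    """Return script URLs whose host is a listed domain or a subdomain of one."""
    domains = [refang(d) for d in defanged]
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        # urlparse handles absolute and protocol-relative (//host/path) URLs;
        # site-relative paths have no hostname and are skipped.
        host = urlparse(src).hostname or ""
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append(src)
    return hits


def build_sample():
    """Constructed page (not a real site): two listed hosts, two look-alikes."""
    a, b = (refang(d) for d in DEFANGED_TDS_DOMAINS)
    return ('<script src="https://code.jquery.com/jquery.min.js"></script>'
            f'<script src="https://{a}/constructed.js"></script>'
            f'<SCRIPT SRC="//cdn.{b}/constructed.js"></SCRIPT>'
            f'<script src="https://not{b}/constructed.js"></script>'
            f'<script src="https://{a}.example.org/constructed.js"></script>'
            '<script src="/static/app.js"></script>')
```

A clean result from a single fetch is not conclusive: per the thread the injection is shown only when the IP check passes and the red_ok cookie is not set, and the Proofpoint thread on this page notes that TA569 removes and reinstates injects on a rotating basis.
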
Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via #Javascript to its partners. By modifying the codebase of this otherwise benign JS, it is now used to deploy #SocGholish.

We track this actor as #TA569. TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive.

Proofpoint observed TA569 injects within the assets of a media company used by multiple major news orgs. More than 250 regional/national newspaper sites have accessed the malicious Javascript. The actual number of impacted hosts is known only by the impacted media company.