
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,017 of 2,445   
   Mike Powell to All   
   Thousands of websites hav   
   29 Mar 25 08:36:00   
   
   TZUTC: -0500   
   MSGID: 742.consprcy@1:2320/105 2c4d32b4   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Thousands of websites have now been hijacked by this devious, and growing,   
   malicious scheme   
      
   Date:   
   Fri, 28 Mar 2025 14:02:00 +0000   
      
   Description:   
   Scheme grew from 35,000 websites to 150,000 websites in just a matter of   
   weeks.   
      
   FULL STORY   
      
   Security researchers c/side recently reported on a major website hijacking   
   campaign, in which unnamed threat actors took over 35,000 websites and used   
   them to redirect visitors to malicious pages and even serve them malware.    
      
   Now, a month later, the team has claimed the campaign has scaled even    
   further, and now compromises a staggering 150,000 websites.    
      
   C/side believes the campaign is related to the Megalayer exploit, since it's   
   known for distributing Chinese-language malware, contains the same domain   
   patterns, and the same obfuscation tactics.    
      
   Open redirects   
      
   While the method changed slightly, and now comes with a slightly revamped   
   interface, the gist is still the same, as the attackers use iframe injections   
   to display a full-screen overlay in the visitor's browser.    
      
   The overlays show either impersonated legitimate betting websites, or    
   outright fake gambling pages.    
      
   C/side did not detail who the attackers are, other than saying they could be   
   linked to the Megalayer exploit.    
      
   The attackers are most likely Chinese, since they're coming from regions where   
   Mandarin is common, and since the final landing pages present gambling    
   content under the Kaiyun brand.    
      
   They also did not discuss how the threat actors managed to compromise these   
   tens of thousands of websites, but once the attackers gained access, they    
   used it to inject a malicious script from a list of websites.    
      
   Once the script loads, it fully hijacks the user's browser window - often   
   redirecting them to pages promoting a Chinese-language gambling (or casino)   
   platform, the researchers explained in the previous report.    
      
   To mitigate the risk of website takeover, c/side says web admins should audit   
   their source code, block malicious domains, or use firewall rules for   
   zuizhongjs[.]com, p11vt3[.]vip, and associated subdomains.    
      
   It would also be wise to keep an eye on logs for unexpected outgoing requests   
   to these domains.   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/thousands-of-websites-have-now-been-hij   
   acked-by-this-malicious-scheme   
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
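Added example, not part of the echomail message above and not c/side's own tooling: a small Python audit script that implements the two checks the reposted article recommends. It scans page source for script and iframe loads from the two named domains (or any subdomain of them) and for an iframe styled as a full-viewport overlay, and it scans outbound request logs for the same domains. The sample HTML and log lines are constructed for the example; the overlay-style heuristic (fixed/absolute position, full width and height, a z-index) is this example's assumption about what an injected full-screen iframe looks like, not something the article specifies.

```python
"""Offline audit helpers for the iframe-injection campaign described above.

  scan_html(source) -> findings for <script>/<iframe> tags that load from the
                       indicator domains, plus iframes styled as a full-viewport overlay
  scan_log(lines)   -> (line number, host) for outbound log lines naming an indicator domain
"""
import re
from urllib.parse import urlparse

# Indicator domains quoted in the article's mitigation advice, with the defanging brackets removed.
IOC_DOMAINS = ("zuizhongjs.com", "p11vt3.vip")

# Opening <script ...> / <iframe ...> tags; closing tags start with "</" and do not match.
TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value attribute pairs inside a tag.
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Anything shaped like a hostname in a free-form log line.
HOST_TOKEN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def host_of(url):
    """Lowercase hostname of a src value; '' for same-origin relative paths."""
    if url.startswith("//"):          # protocol-relative load, common in injected tags
        url = "https:" + url
    elif "://" not in url:
        return ""
    return (urlparse(url).hostname or "").lower()


def is_ioc_host(host):
    """True for an indicator domain or any subdomain of it (not for look-alike suffixes)."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def parse_attrs(raw):
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def looks_like_fullscreen_overlay(style):
    """Heuristic (assumption of this example): pinned to the viewport, full size, stacked on top."""
    s = re.sub(r"\s+", "", style.lower())
    pinned = "position:fixed" in s or "position:absolute" in s
    full = re.search(r"width:100(?:%|vw)", s) and re.search(r"height:100(?:%|vh)", s)
    return bool(pinned and full and "z-index" in s)


def scan_html(source):
    """Return (tag, reason, host) findings for one HTML/PHP/template source string."""
    findings = []
    for m in TAG_RE.finditer(source):
        tag = m.group(1).lower()
        attrs = parse_attrs(m.group(2))
        host = host_of(attrs.get("src", ""))
        if host and is_ioc_host(host):
            findings.append((tag, "ioc-domain", host))
        if tag == "iframe" and looks_like_fullscreen_overlay(attrs.get("style", "")):
            findings.append((tag, "fullscreen-overlay", host or "(no src)"))
    return findings


def scan_log(lines):
    """Return (line number, host) for outbound/proxy log lines that reference an indicator domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_TOKEN_RE.finditer(line):
            host = m.group(1).lower()
            if is_ioc_host(host):
                hits.append((n, host))
                break
    return hits


# Constructed sample data: a page with one injected script and one overlay iframe,
# and three egress-proxy log lines of which one reaches an indicator domain.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="//cdn.zuizhongjs.com/x.js"></script>
</head><body>
<iframe src="https://abc.p11vt3.vip/play" style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999;border:0"></iframe>
</body></html>"""

SAMPLE_LOG = [
    "2025-03-28T14:02:11Z web01 GET https://fonts.example.org/css 200",
    "2025-03-28T14:02:12Z web01 CONNECT js.zuizhongjs.com:443 200",
    "2025-03-28T14:02:13Z web01 GET http://intranet.example.org/health 200",
]

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("source:", *finding)
    for lineno, host in scan_log(SAMPLE_LOG):
        print("log line %d: outbound request to %s" % (lineno, host))
```

To audit a real web root, call scan_html() on each file's contents (PHP and theme files included, since injections are usually written into server-side templates rather than static HTML) and scan_log() on egress or proxy logs; the suffix check in is_ioc_host() deliberately matches subdomains, which the article's advice covers, without matching unrelated domains that merely end in the same characters.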
      



(c) 1994,  bbs@darkrealms.ca