
On-Going Dynamic FakeAV Campaign


Looking back on traffic from this week, I noticed a large spike in the number of companies accessing free TLD / Dynamic DNS related sites. Digging deeper, it appears that a malware campaign tied to massive WordPress compromises was the culprit. This is a very widespread malware campaign that remains live / on-going and is currently redirecting to FakeAV websites. The campaign is making use of auto-domain generation and auto-updating of infected sites to change the embedded link with every visit. Some major infected sites that remain live include: and (careful if you visit these sites as they are currently infected). We are in the process of reaching out to victim sites and assisting with handling the incident. Here are the initial details:

There were over 100 of our customers attempting to access a large number of websites on a handful of IPs with domains matching the pattern:
[3-6 random letters][2 digits][3-6 random letters]
Given the very large number of domains used, the campaign must be relying on an automated domain generation and registration algorithm.

The pages accessed in the campaign include:

Tracing referrer strings in our logs, here is one live example: (infected PeopleSoft search site)

FakeAV page that dropped setup.exe:
MD5: 153ae4d1813c6d29a7809a62ff23f84c
VirusTotal reports that only 2/42 A/V vendors detect it (very poor detection).

I re-downloaded the malware sample a few seconds later and the MD5 was immediately different.
Also a few seconds later, I re-visited the above site and the embedded link had already changed:

I refreshed the page, and sure enough the embedded link changed again. Aside from the hosting IPs, this appears to be a dynamic FakeAV campaign. resolves to (HostNOC)
Based on other domains on this IP, this will be an IP that you'll want to add to your denylist - there are numerous other FakeAV sites hosted here (see list below).

It looks like the primary hosting IP of the "" redirect changes each day, for example: and used in an earlier Sucuri post on this.
March 27 it was:
March 30 (today) it is:

A number of pages on sites have been compromised to drive this campaign. For example:

Infected websites have had "eval(base64_decode(...));" statements injected into their wp-config.php and other WordPress .php files. The injected code calls back to a command-and-control server to retrieve the list of "" sites that are then included in the pages served to visitors.
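As an added example (not code from the original post), here is a small Python detector covering the two indicators described above: the [letters][2 digits][letters] domain shape in proxy logs, and the injected eval(base64_decode(...)) loader in WordPress PHP files. The log line format, the sample entries, and the TLDs used are constructed assumptions for this example.

```python
import re

# Domain shape described in the post: [3-6 letters][2 digits][3-6 letters]
# followed by a TLD. The TLD part is an assumption; the post does not list one.
DGA_HOST = re.compile(r"^[a-z]{3,6}[0-9]{2}[a-z]{3,6}\.[a-z.]{2,}$", re.IGNORECASE)

# Injected loader described in the post: eval(base64_decode(...)); allowing
# for the optional whitespace such injections commonly carry.
INJECTED_PHP = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def is_dga_like(host: str) -> bool:
    """True if the hostname matches the campaign's letter-digit-letter shape."""
    return DGA_HOST.match(host.strip()) is not None


def flag_proxy_log(lines):
    """Return (client, host, referrer) tuples for requests to DGA-like hosts.
    Assumed, constructed line format: '<client_ip> <host> <referrer>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        client, host, referrer = parts[0], parts[1], parts[2]
        if is_dga_like(host):
            hits.append((client, host, referrer))
    return hits


def scan_php_source(source: str):
    """Return 1-based line numbers containing an eval(base64_decode( loader."""
    return [n for n, text in enumerate(source.splitlines(), 1)
            if INJECTED_PHP.search(text)]


# Constructed sample data (not taken from the post).
SAMPLE_LOG = [
    "10.0.0.12 abcd12efgh.example referrer.example/search",
    "10.0.0.12 www.example.org -",
    "10.0.0.33 xyz99qwerty.example referrer.example/page",
    "10.0.0.33 update.example.com -",
]
SAMPLE_WPCONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wordpress');\n"
    "eval(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD'));\n"
    "require_once(ABSPATH . 'wp-settings.php');\n"
)

if __name__ == "__main__":
    for client, host, ref in flag_proxy_log(SAMPLE_LOG):
        print(f"DGA-like request: {client} -> {host} (referrer {ref})")
    print("injected loader on lines:", scan_php_source(SAMPLE_WPCONFIG))
```

Pointing scan_php_source at every .php file under a WordPress install, not just wp-config.php, matches the post's observation that other PHP files carried the same loader.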

--- hosting information:

inetnum: -
netname:         INET4YOU
descr:           PE Bogaturev Sergey Anatolievich
country:         RU

person:          Bogaturev Sergey
address:         RU, Gornuy Shit, Komsomolskiy str.
phone:           +7(495) 324-35-69

descr:           Subnet for servers and VPS
origin:          AS57621
mnt-by:          INET4YOURU-MNT

descr:           Client_TC_WIFI
origin:          AS57189
mnt-by:          COMCORNET-MNT

--- hosting information:

inetnum: -
netname:         zuzu-net
descr:           OOO "Aldevir Invest"
country:         RU

person:          Krutko Evgeni Yurevich
address:         192012, St.-Petersburg, Chernova ul., 25, office 12
phone:           +7812850202
e-mail:          [email protected]
descr:           Route for DC
origin:          AS5508
mnt-by:          zuzu-mnt

--- domain information:

Registrant Name:Leah  Carandini
Registrant Street1:54 Ridge Road
Registrant City:Cordalba
Registrant State/Province:QLD
Registrant Postal Code:4660
Registrant Country:AU
Registrant Phone:+61.733106403
Registrant Phone: [email protected]


Other related FakeAV sites that resolve / resolved to
