{
	"id": "37ef294f-f279-4109-b317-2a6afdb2353c",
	"created_at": "2026-04-06T00:06:36.481781Z",
	"updated_at": "2026-04-10T03:30:03.973042Z",
	"deleted_at": null,
	"sha1_hash": "0cd997cc2c1f679cd0d734a0c7b257ca9acdbe06",
	"title": "q-logger skimmer keeps Magecart attacks going",
	"llm_title": "",
	"authors": "Jérôme Segura",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48950,
	"plain_text": "q-logger skimmer keeps Magecart attacks going\r\nBy Threat Intelligence Team\r\nPublished: 2021-10-18 · Archived: 2026-04-05 18:04:03 UTC\r\nThis blog post was authored by Jérôme Segura\r\nAlthough global e-commerce is continuing to grow rapidly, it seems as though Magecart attacks via digital skimmers have not followed the same trend. This is certainly true if we only look at recent newsworthy attacks; when the victim is a large business or popular brand, we are simply more likely to remember it.\r\nFrom a research standpoint, we have observed certain shifts in the scope of attacks. For instance, the different threat actors are continuing to expand and diversify their methods and infrastructure. In a blog post about Magecart Group 8, we documented some of the various web properties used to serve skimmers and exfiltrate stolen data.\r\nBut at the end of the day, we only know about the attacks we can see, until we discover more. Case in point: one particular skimmer, identified as q-logger, has been active for several months, but it wasn’t until we started digging further that we realized how much bigger it was.\r\nQ-logger origins\r\nThis skimmer was originally flagged by Eric Brandel as q-logger. Depending on how much you enjoy parsing JavaScript, you may have a love/hate relationship with it. The code is dense and uses an obfuscator that is as generic as can be, which makes signature-based identification challenging.\r\nThis skimmer can be found loaded directly into compromised e-commerce sites. In the majority of cases, however, we found it loaded from an external domain.\r\nThe loader\r\nThe loader is also an encoded, somewhat obscure piece of JavaScript. It is injected inline into the DOM, either right before the text/x-magento-init script tag or separated from it by copious amounts of white space.\r\nOne way to understand what the code does is to use a debugger and set a breakpoint at a particular spot. It is best to do this either on an already compromised site or after bypassing the loader’s check on the address bar (it looks for onestepcheckout).\r\nWe can now see the purpose of this script: it is to load the proper skimmer.\r\nThe skimmer\r\nAs mentioned previously, the skimmer is quite opaque, which makes debugging difficult and lengthy.\r\nTo cut to the chase, the skimmer exfiltrates data via a POST request to the same domain name the JavaScript is loaded from.\r\nThreat actor and victims\r\nWe were able to collect a few indicators from the threat actor behind this campaign. One was the use of netmail.tk, also observed by Luke Leal, for registering skimmer domains.\r\nAlthough there are clusters of domains from the same registrant, we see that they are trying to compartmentalize their infrastructure and hide the hosting provider’s true IP address. They also register domains en masse, which allows them to defeat traditional blocklists.\r\nWe don’t have a good estimate of how prevalent this campaign is, but we certainly run into it regularly while monitoring e-commerce sites for malicious code. The victims are various small businesses with an online shop running Magento.\r\nConclusion\r\nThe large number of e-commerce sites running outdated versions of their CMS is low-hanging fruit for threat actors interested in stealing credit card data. In a sense, there is always a baseline of potential victims that can be harvested.\r\nAnd every now and again, some opportunities appear. They could be as simple as a zero-day in a plugin or CMS, or maybe an entry point into more valuable targets via a supply-chain attack.\r\nThreat actors are always ready to pounce on those and may well have established their infrastructure ahead of time, waiting for such opportunities.\r\nMalwarebytes customers are protected against this skimmer.\r\nIndicators of Compromise\r\nEmail addresses (registrant)\r\nwxugvvvu@netmail[.]tk\r\nisgskpys@netmail[.]tk\r\nzulhqmnr@netmail[.]tk\r\nyzzljjkmc@emlhub[.]com\r\nfoyiy11183@macosnine[.]com\r\nSkimmer domains\r\nSkimmer URLs\r\nYARA rules\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/"
	],
	"report_names": [
		"q-logger-skimmer-keeps-magecart-attacks-going"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775791803,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0cd997cc2c1f679cd0d734a0c7b257ca9acdbe06.pdf",
		"text": "https://archive.orkl.eu/0cd997cc2c1f679cd0d734a0c7b257ca9acdbe06.txt",
		"img": "https://archive.orkl.eu/0cd997cc2c1f679cd0d734a0c7b257ca9acdbe06.jpg"
	}
}