{
	"id": "f7cbb957-5f2d-45e3-8957-6d659dc59bf3",
	"created_at": "2026-04-10T03:21:56.6421Z",
	"updated_at": "2026-04-10T13:12:30.499124Z",
	"deleted_at": null,
	"sha1_hash": "123c1b45092a9518f06606871bd7aa2b17a6a940",
	"title": "GitHub - Zenexer/lnkr: Information about lnkr5, malware distributed via Chrome extensions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77706,
	"plain_text": "GitHub - Zenexer/lnkr: Information about lnkr5, malware distributed\r\nvia Chrome extensions\r\nBy Zenexer\r\nArchived: 2026-04-10 02:47:44 UTC\r\nlnkr is a malware campaign that injects scripts into web pages via malicious browser extensions.\r\nThe campaign has been identified as belonging to Brocode, a shell company registered in Hong Kong via startupr.com.hk.\r\nThe attackers are believed to be Eastern European, likely Ukrainian or Russian, but there's no indication that the effort is\r\nstate-sponsored.\r\nThe attackers clone legitimate and semi-legitimate Chrome extensions. Scripts are added to the clones that inject ads into\r\nevery web page visited by the victim, in addition to potentially sending sensitive data to C2 servers. The C2 communications\r\nare disguised as analytics opt-out requests. The malicious code will falsely explain to the victim that the ads support the\r\ndevelopment of the extension, but almost all of the affected extensions aren't developed by the attackers.\r\nThe extension that I analyzed, Flash Player + 1.2.0, ID fanagokoaogopceablgmpndejhedkjjb, was a modified, likely\r\nunauthorized clone of an extension of the same name, ID fnipglnbhfacfmefbgiiodalehbcgcbm. The malicious clone has been\r\nremoved from the Chrome Web Store; the original remains.\r\nThe attackers make the attack difficult to block. Generic S3 bucket names are used, C2 domain names are frequently rotated,\r\nand C2 IP addresses are numerous and spread across many hosting providers. C2 communications are disguised as opt-out\r\nrequests.\r\nAffected extensions appear widespread and affect a significant percentage of English-speaking Chrome users. The\r\nextensions are often removed from the Chrome store before they can be analyzed, which makes it difficult to assess the\r\nnumber of affected extensions. Concentrations appear to be in the United States and India.\r\nAt least one extension keeps a log of search keywords. 
It's not yet certain that this data is stored and transmitted by lnkr, but\r\npreliminary evidence points to that conclusion.\r\nThe name lnkr appears to be the name used by the attackers. The bootstrap scripts are prefixed with lnkr, and some of\r\nthe server-side C2 source code is in a folder named lnkrApi. lnkr.us and lnkr.fr both appear to be controlled by the\r\nattackers.\r\nAttack analysis\r\nSee an analysis of one of the extensions\r\nIOCs\r\nThis should not be treated as an exhaustive list.\r\nDomain names\r\nSee domains.txt\r\nhttps://github.com/Zenexer/lnkr\r\nPage 1 of 7\n\nIP addresses\r\nSee ips.txt\r\nURL prefixes\r\nScheme can be either http: or https:.\r\n//s3.amazonaws.com/jscache/\r\n//s3.amazonaws.com/jscript-cdn/\r\n//s3.amazonaws.com/cashe-js/\r\n//s3.amazonaws.com/jsbooster/\r\n//adrs.me/get?key=6ae9f4bd1dc812dc713d61cba871d8e8\u0026\r\nURL contents\r\n/api/js-get?sourceId=\r\n/optout/get?jsonp=__twb_cb_\r\n/lnkr5.min.js\r\n/optout/set/lat?jsonp=\r\n/optout/set/lt?jsonp=\r\n/script/d.php?uid=\r\n/www/delivery/avw.php?\r\n/www/delivery/afr.php?\r\n/www/delivery/ck.php?\r\nArbitrary strings\r\nlnkr5.min.js\r\nlnkr30_nt.min.js\r\n1100b35355a4776ae9\r\n143e7cdebf193d2764\r\n16a168f0af2da0c3c2\r\n17c9c17dd4d2a394de\r\n1bbe2f4535e7dfb295\r\n1f7cbb02d08cf61dbb\r\nc822bb0d82ad01a5ae\r\n__ckp_srchydx_fired\r\n__ckp_srchmlr_fired\r\nExample script URLs\r\nThis list is far from exhaustive.\r\nURLs may be requested over plain HTTP or HTTPS.\r\nhttps://netcheckcdn.xyz/addons/lnkr5.min.js\r\nhttps://netcheckcdn.xyz/addons/lnkr30_nt.min.js\r\nhttps://s3.amazonaws.com/jscript-cdn/1f404c54c2b0e13e0f.js\r\nhttps://s3.amazonaws.com/cashe-js/143e7cdebf193d2764.js\r\nhttps://s3.amazonaws.com/jscache/17c9c17dd4d2a394de.js\r\nhttps://s3.amazonaws.com/jscache/16a168f0af2da0c3c2.js\r\nAnalytics IDs\r\nThese IDs are seen interspersed with malicious code. 
They may or may not belong to the attackers or uniquely identify the\r\nattacks.\r\nMixpanel\r\n58410f8ab299e0eb2b736f6e233eda37\r\nGoogle Analytics\r\nUA-108823706-1\r\nAbuse report correspondence\r\nI sent an abuse report to Amazon Web Services regarding the S3 buckets. Amazon didn't remove the malicious code. When I\r\nquestioned why, they forwarded me this response from the attackers. (Some of the text is quoted from my original report;\r\nthey appear to be addressing the individual points I mentioned.)\r\nHello,\r\nthanks for reaching us out regarding this issue.\r\n1. Here is a Virustotal report for the object 'jscript-cdn/1f404c54c2b0e13e0f.js' :\r\nhttps://www.virustotal.com/#/url/5f4279d8097fd1fd1c234e992a0c028146e5d102b2a3636fe1a9db3b87240503/detection\r\nas you can see only ESET alerts on this, but from our latest case we figured out that it’s a false positive\r\nalert on the URL, not for a script content, but haven’t got a reply from ESET so far. The same situation is\r\nfor 'jscript-cdn/1f65199417190d400c.js’.\r\nAnyway these scripts are not in use at this time.\r\n2. 'jscript-cdn/ is used to host scripts that are part of a malware campaign. The attacker creates malicious\r\nduplicates of legitimate extensions in the Chrome web store and injects these scripts into them. The\r\n‘jscript-cdn’ is used to host scripts for:\r\n1. Monetization chrome extensions, firefox addons, websites and other web applications.\r\n2. Analytics scripts for browser extensions. If the script is used for monetization, it’s completely MS\r\nand Google Compliance. Nor Monetization of extensions nor Injecting ads in a proper way is not\r\nprohibited. There are Extension’s Quality Guidelines and Single Purpose Policy. And of course there\r\nis no malicious code inside, we check all scripts regularly and are eager to keep them clean. If you\r\nfind something suspicious in our scripts please let us know and we’ll take the action immediately.\r\n3. 
The link is to an old article about the extension that had been using monetization script with search\r\nenhanced results, but the integration has been made incorrect that’s why some important features, such as\r\nOpt Out from ads hadn't been work. But the extension has been dropped from the store not for\r\nmonetization particularly but for violating single purpose policy.\r\nUser installs the extension from official chrome store, if he doesn’t like that the extension is monetized with\r\nscripts he can easily remove the extension from his browser and install alternative from the store. Usually our\r\nclients aware users in the description of the extension that it contains the monetization scripts.\r\nBest wishes, Brocode Team\r\nUltimate response from AWS:\r\nHello,\r\nThank you for providing the additional information. We are unable to remove the content at this time as we have\r\nno evidence of the reported files are malicious. These files appear to be adware, not malware.\r\nIf you have conclusive evidence that the reported files cause harm, please forward the information.\r\nRegards,\r\nAWS Abuse Escalations\r\nWHOIS\r\nlnkr.us\r\nDomain Name: lnkr.us\r\nRegistry Domain ID: D43534441-US\r\nRegistrar WHOIS Server: whois.publicdomainregistry.com\r\nRegistrar URL: publicdomainregistry.com\r\nUpdated Date: 2018-12-22T16:06:01Z\r\nCreation Date: 2013-12-19T21:11:43Z\r\nRegistry Expiry Date: 2019-12-18T23:59:59Z\r\nRegistrar: PDR Ltd. 
d/b/a PublicDomainRegistry.com\r\nRegistrar IANA ID: 303\r\nRegistrar Abuse Contact Email: abuse-contact@publicdomainregistry.com\r\nRegistrar Abuse Contact Phone: +1.2013775952\r\nDomain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\r\nRegistry Registrant ID: C45976584-US\r\nRegistrant Name: Sergei Filov\r\nRegistrant Organization: N/A\r\nRegistrant Street: Svobody street 58\r\nRegistrant Street:\r\nRegistrant Street:\r\nRegistrant City: kiev\r\nRegistrant State/Province: Kiev\r\nRegistrant Postal Code: 01001\r\nRegistrant Country: UA\r\nRegistrant Phone: +003.80985512834\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: adverto@mail.com\r\nRegistrant Application Purpose: P1\r\nRegistrant Nexus Category: C31/UA\r\nRegistry Admin ID: C45976584-US\r\nAdmin Name: Sergei Filov\r\nAdmin Organization: N/A\r\nAdmin Street: Svobody street 58\r\nAdmin Street:\r\nAdmin Street:\r\nAdmin City: kiev\r\nAdmin State/Province: Kiev\r\nAdmin Postal Code: 01001\r\nAdmin Country: UA\r\nAdmin Phone: +003.80985512834\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: adverto@mail.com\r\nAdmin Application Purpose: P1\r\nAdmin Nexus Category: C31/UA\r\nRegistry Tech ID: C45976584-US\r\nTech Name: Sergei Filov\r\nTech Organization: N/A\r\nTech Street: Svobody street 58\r\nTech Street:\r\nTech Street:\r\nTech City: kiev\r\nTech State/Province: Kiev\r\nTech Postal Code: 01001\r\nTech Country: UA\r\nTech Phone: +003.80985512834\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nTech Email: adverto@mail.com\r\nTech Application Purpose: P1\r\nTech Nexus Category: C31/UA\r\nName Server: vipvdscom.earth.orderbox-dns.com\r\nName Server: vipvdscom.mars.orderbox-dns.com\r\nName Server: vipvdscom.mercury.orderbox-dns.com\r\nName Server: vipvdscom.venus.orderbox-dns.com\r\nthisadsfor.us\r\nDomain Name: thisadsfor.us\r\nRegistry Domain ID: 
D46227974-US\r\nRegistrar WHOIS Server:\r\nRegistrar URL: www.tldregistrarsolutions.com\r\nUpdated Date: 2018-05-16T11:14:01Z\r\nCreation Date: 2014-08-08T15:29:34Z\r\nRegistry Expiry Date: 2019-08-07T23:59:59Z\r\nRegistrar: TLD Registrar Solutions Ltd.\r\nRegistrar IANA ID: 1564\r\nRegistrar Abuse Contact Email:\r\nRegistrar Abuse Contact Phone:\r\nDomain Status: ok https://icann.org/epp#ok\r\nRegistry Registrant ID: C46227970-US\r\nRegistrant Name: frank medison\r\nRegistrant Organization:\r\nRegistrant Street: Govanny ave 123\r\nRegistrant Street:\r\nRegistrant Street:\r\nRegistrant City: Brazil\r\nRegistrant State/Province:\r\nRegistrant Postal Code: 41111\r\nRegistrant Country: BR\r\nRegistrant Phone: +55.4552132\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: frankomedison1020@gmail.com\r\nRegistrant Application Purpose: P3\r\nRegistrant Nexus Category: C11\r\nRegistry Admin ID: C46227972-US\r\nAdmin Name: frank medison\r\nAdmin Organization:\r\nAdmin Street: Govanny ave 123\r\nAdmin Street:\r\nAdmin Street:\r\nAdmin City: Brazil\r\nAdmin State/Province:\r\nAdmin Postal Code: 41111\r\nAdmin Country: BR\r\nAdmin Phone: +55.4552132\r\nAdmin Phone Ext:\r\nAdmin Fax:\r\nAdmin Fax Ext:\r\nAdmin Email: frankomedison1020@gmail.com\r\nRegistry Tech ID: C46227971-US\r\nTech Name: frank medison\r\nTech Organization:\r\nTech Street: Govanny ave 123\r\nTech Street:\r\nTech Street:\r\nTech City: Brazil\r\nTech State/Province:\r\nTech Postal Code: 41111\r\nTech Country: BR\r\nTech Phone: +55.4552132\r\nTech Phone Ext:\r\nTech Fax:\r\nTech Fax Ext:\r\nTech Email: frankomedison1020@gmail.com\r\nName Server: ns-usa.topdns.com\r\nName Server: ns-uk.topdns.com\r\nName Server: ns-canada.topdns.com\r\nRelated reports\r\nhttps://gist.github.com/shivanshu3/45817d2354e41ca858c915b556a7174a\r\nhttps://www.reddit.com/r/techsupport/comments/47ank9/lnkrus_redirection_malware/\r\nhttps://productforums.google.com/forum/#!msg/websearch/xKg-fQHrKrg/Z76RCtTeAgAJ\r\nhttps://stackoverflow.com/questions/35576910/links-in-google-searches-and-inbox-mails-get-rewritten-to-lnkr-us\r\nSource: https://github.com/Zenexer/lnkr",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/Zenexer/lnkr"
	],
	"report_names": [
		"lnkr"
	],
	"threat_actors": [],
	"ts_created_at": 1775791316,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/123c1b45092a9518f06606871bd7aa2b17a6a940.pdf",
		"text": "https://archive.orkl.eu/123c1b45092a9518f06606871bd7aa2b17a6a940.txt",
		"img": "https://archive.orkl.eu/123c1b45092a9518f06606871bd7aa2b17a6a940.jpg"
	}
}