{
	"id": "c1c2e552-5eb4-4e27-a852-3fad00b12e3e",
	"created_at": "2026-04-06T00:11:13.973917Z",
	"updated_at": "2026-04-10T03:21:59.190187Z",
	"deleted_at": null,
	"sha1_hash": "1899445fca29ed7132f5d14fe8b0acdb1ae03f69",
	"title": "Web Skimmer With a Domain Name Generator - Follow Up",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 652721,
	"plain_text": "Web Skimmer With a Domain Name Generator - Follow Up\r\nBy Denis Sinegubko\r\nPublished: 2020-04-23 · Archived: 2026-04-05 23:40:44 UTC\r\nThis note is a follow-up to our recent post about a web skimmer that uses a dynamic domain name generating algorithm. This week, analyst Ben Martin found another variation of the same malware. The script looks very similar.\r\nThe changes here are pretty minor: it uses a “ql” domain prefix instead of “qr” and the Math.sin() function instead of Math.cos(). This new variation also uses the name of the compromised site as the script path on the generated malicious domain.\r\n[location.host,'js'].join('.')\r\nOtherwise, the idea is identical — the generated domain names are based on the current month and year. As seen in the original post, the domains for March through December of 2020 are already registered.\r\nMarch ql202141[.]pw\r\nApril ql201243[.]pw\r\nMay ql201041[.]pw\r\nJune ql201721[.]pw\r\nhttps://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator-follow-up.html\r\nPage 1 of 2\r\nJuly ql202657[.]pw\r\nAugust ql202989[.]pw\r\nSeptember ql202412[.]pw\r\nOctober ql201456[.]pw\r\nNovember ql201000[.]pw\r\nDecember ql201463[.]pw\r\nAll of these domains were registered on March 13th, 2020 within one minute by a user with the email valentinakrudyanova@yandex.ru. Domains from the original post were registered on March 18th, 2020, indicating that this “ql” variation is a predecessor of the “qr” campaign.\r\nA URL scan indicates that this variant has been in use since mid-March on the ql202141[.]pw domain.\r\nThe obfuscated scripts served by the generated domains are web skimmers similar to what we described in the previous post. In this case, they send stolen data to hxxps://mykada[.]com/js/ar/ar7938.php, a domain previously mentioned in a February post by Marco Ramilli. Back then, the malware was also found to be using exfiltration URLs like hxxps://mykada[.]com/js/ar/ar2497.php.\r\nIf you believe your Magento website has been infected, you can refer to our hacked Magento guide for step-by-step instructions on how to remove malware and harden a compromised environment.\r\nDenis Sinegubko\r\nDenis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.\r\nRelated Tags\r\nBlack Hat Tactics,\r\nCredit Card Stealers,\r\nLabs Note,\r\nObfuscation,\r\nSkimmer\r\nSource: https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator-follow-up.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator-follow-up.html"
	],
	"report_names": [
		"web-skimmer-with-a-domain-name-generator-follow-up.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434273,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1899445fca29ed7132f5d14fe8b0acdb1ae03f69.pdf",
		"text": "https://archive.orkl.eu/1899445fca29ed7132f5d14fe8b0acdb1ae03f69.txt",
		"img": "https://archive.orkl.eu/1899445fca29ed7132f5d14fe8b0acdb1ae03f69.jpg"
	}
}