{
	"id": "8f52ede2-3960-4765-9e6f-8fc3996b44eb",
	"created_at": "2026-05-05T02:44:54.076181Z",
	"updated_at": "2026-05-05T02:46:36.6491Z",
	"deleted_at": null,
	"sha1_hash": "208133a49ed0ad22847545420690dbe371cf1c0d",
	"title": "Switching side jobs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4462734,
	"plain_text": "Switching side jobs\r\nArchived: 2026-05-05 02:35:33 UTC\r\nThe hacker group ATMZOW and its JavaScript-sniffer became known in 2020, thanks to the Malwarebytes\r\nresearchers, when the group installed a JS sniffer on a website that was collecting donations for victims of the\r\nAustralia bushfires.\r\nHowever, based on a specific obfuscation technique used by the group, we can track its activities back to 2015 as\r\n“Magento Guruincsite malware”. Moreover, one of the first domain names, used by the group, was created in\r\n2016.\r\nAccording to Group-IB Threat Intelligence data, ATMZOW has successfully infected at least 483 websites\r\nbelonging to the domain zones of Italy, Germany, France, UK, Australia, India, Brazil etc. since the\r\nbeginning of 2019.\r\nGroup-IB specialists collected information about ATMZOW’s recent activity and found ties with a phishing\r\ncampaign targeting clients of a US bank based on the same JS obfuscation technique and a connection between\r\nthe domain names used for the JS sniffer and the phishing domains on account of the same email address used.\r\nFurther analysis showed that the same phishing kit was used during the activity of Prometheus TDS, when an\r\nunknown adversary used phishing pages as a final redirect when distributing Hancitor malware. With moderate\r\nconfidence, we can conclude that both the ATMZOW JS sniffer campaign and related phishing attacks\r\ncould have been conducted by the Hancitor group.\r\nATMZOW: recent activity\r\nhttps://blog.group-ib.com/switching-side-jobs\r\nPage 1 of 10\n\nIn May 2022 Group-IB specialists discovered that ATMZOW started using Google Tag Manager (GTM) to\r\ndeliver malicious payloads. 
Google Tag Manager is a tag management system that allows website owners to\r\nquickly and easily update various code snippets known as tags on websites and mobile apps.\r\nThe hackers created a Google Tag Manager link with ID GTM-WNV8QFR and started using legitimate GTM\r\ncode to inject JS sniffers. Injection starts with a common GTM snippet.\r\nFigure 1: Google Tag Manager snippet with the attacker’s ID\r\nThis GTM script contains a specific tag (“vtp_html”) with the next stage injector.\r\nFigure 2: Google Tag Manager script with the attacker’s injector\r\nExecuting the script loaded by Google Tag Manager appends the injector to the DOM of the infected website.\r\nFigure 3: The attacker’s injector\r\nThe injector checks if the current user’s address in the address bar contains a “checkout” substring. If it does, the\r\ninjector loads the final payload from https://designestylelab[.]com/css/. The script loaded from\r\nhttps://designestylelab[.]com/css/ is a sample of the ATMZOW JS sniffer, but it contains an additional layer of\r\nobfuscation.\r\nFigure 4: ATMZOW sample with additional obfuscation\r\nIf we remove the junk symbols from the long string in this sample, we obtain a Base64-encoded string. 
After\r\ndecoding, we obtain an ATMZOW sample with its common obfuscation.\r\nFigure 5: ATMZOW sample\r\nAfter decrypting the strings used in this sample, we obtain a clean script of the ATMZOW JS sniffer.\r\nFigure 6: Use of a fake payment form in a sample of the ATMZOW JS sniffer\r\nFigure 7: Exfiltration address https://gvenlayer[.]com/track/ in a sample of the ATMZOW JS sniffer\r\nPhishing campaign\r\nIn January 2022 Group-IB specialists detected several phishing pages targeting clients of a US-based bank.\r\nThe pages used IDN domain names. A noteworthy fact about the pages is that they have a JavaScript script, which\r\nwas presumably obfuscated by the same tool as used by ATMZOW for the group’s samples of JS sniffers.\r\nFigure 8: Screenshot of a JS script from the page https://xn--keyvigatrs-key-7oc4531jsva[.]com/ktt/cmd/logon\r\nSince then we have detected only 7 unique domains used for phishing pages with a similar obfuscated JS:\r\nxn--kys-nvigatorky-zp8g5mna[.]com\r\nxn--kynavigatos-ky-pwc6541jna[.]com\r\nnavlgator-kcy[.]com\r\nxn--kyavigator-ky-jjc7914ima[.]com\r\nxn--ky-vigatorkey-kjc9383i4ka[.]com\r\nxn--key-vigatrs-key-wuc9688j1wa[.]com\r\nxn--keyvigatrs-key-7oc4531jsva[.]com\r\nConnection between the JS-sniffer and the phishing campaign\r\nWhen we detected the same obfuscation technique on a phishing website for the first time, we hypothesized that\r\nthe method was not unique to ATMZOW, but that other hackers could be using the same obfuscator. 
However,\r\nfurther analysis of the group’s recent activity showed additional evidence that attacks involving the JS sniffer\r\nand the phishing campaign were conducted by the same group.\r\nWhen ATMZOW started using Google Tag Manager as the initial stage of their infections, they used a website\r\nwith the domain name designestylelab[.]com as the storage location for their payloads. With a patented\r\ntechnology named Group-IB Graph, we discovered that this domain was created using the email address\r\nanne5lindt@winocs.com. The same email address was used to create two more IDN domains for phishing pages\r\ntargeting clients of the same bank as the pages with the ATMZOW-like obfuscation, which we first detected in\r\nJanuary 2022:\r\nkẹy-ņạvigatorkey.com (xn--ky-vigatorkey-kjc9383i4ka[.]com)\r\nkey-ņạvigatọrskey.com (xn--key-vigatrskey-8oc4531jsva[.]com)\r\nFigure 9: Graph shows a connection between JS sniffer storage and phishing domains\r\nIn addition, one of these domains created with the email address anne5lindt@winocs.com (xn--ky-vigatorkey-kjc9383i4ka[.]com) was tagged as a phishing page with ATMZOW-like obfuscated JS script. It was detected\r\non January 27, 2022.\r\nBased on the same JS obfuscation technique and the connection between the domain names used for the JS sniffer\r\nand the phishing domains (the same email address), we can conclude with a high degree of reliability that both\r\ncampaigns were conducted by the same threat group.\r\nConnection between the phishing campaign and Hancitor malware\r\nWhile analyzing Prometheus TDS, Group-IB Threat Intelligence specialists detected several cases when\r\nphishing pages targeting clients of the same bank were used as a final redirect after downloading the\r\nmalicious payload distributed by Prometheus TDS. 
In all cases, the malicious payload was a Microsoft Office\r\ndocument with a macro that dropped Hancitor malware.\r\nFor example, a common method of distribution via Prometheus TDS was the use of Google Docs with a link to\r\nthe compromised website with Prometheus.Backdoor installed. In this case, the Prometheus.Backdoor link was\r\nhXXp://www.swingsidebilbao[.]com/wp-content/plugins/contact-form-7/includes/block-editor/carl.php. If a user\r\nclicked on the link, they would receive a malicious Office document “0210_4367220121562.doc” (SHA1:\r\nbe3effcb9069ac6d66256c8246fde33e55980403) and then would be redirected to the phishing website hXXps://xn--keynvigatorkey-yp8g[.]com/ktt/cmd/logon0210_4367220121562.doc. If the user opened the malicious document\r\nand enabled macros, then the document would drop the Hancitor DLL (SHA1:\r\n17693bca881ec9bc9851fcb022a664704c048b9d).\r\nAs we can see, in this case the hackers used IDN domains again to spoof a real banking website. 
Moreover, if we\r\ncompare unique URLs generated while analyzing phishing pages from both campaigns, it is clear that both\r\nphishing pages were created using the same kit, with slight modifications.\r\nBased on the information we collected, we can therefore conclude with a high degree of reliability that both\r\nclusters of phishing pages are part of a long-running phishing campaign conducted by one cybercriminal\r\ngroup.\r\nIoCs\r\nPhishing websites with ATMZOW-like obfuscation\r\nxn--kys-nvigatorky-zp8g5mna.com\r\nxn--kynavigatos-ky-pwc6541jna.com\r\nnavlgator-kcy.com\r\nxn--kyavigator-ky-jjc7914ima.com\r\nxn--ky-vigatorkey-kjc9383i4ka.com\r\nxn--key-vigatrs-key-wuc9688j1wa.com\r\nxn--keyvigatrs-key-7oc4531jsva.com\r\nPhishing websites detected in the Hancitor campaign with Prometheus TDS\r\nxn--avigatorkey-56b.com\r\nxn--nvigators-key-if2g.com\r\nxn--keynvigatorkey-yp8g.com\r\nxn--xprss53-s8ad.com\r\nATMZOW GTM ID\r\nGTM-WNV8QFR\r\nATMZOW JS sniffer storage\r\ndesignestylelab.com\r\nATMZOW JS sniffer gates\r\ngvenlayer.com\r\nmetahtmlhead.com\r\nwinsiott.com\r\ncongolo.pro\r\nvamberlo.com\r\nnmdatast.com\r\nseclib.org\r\nSource: https://blog.group-ib.com/switching-side-jobs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/switching-side-jobs"
	],
	"report_names": [
		"switching-side-jobs"
	],
	"threat_actors": [],
	"ts_created_at": 1777949094,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/208133a49ed0ad22847545420690dbe371cf1c0d.pdf",
		"text": "https://archive.orkl.eu/208133a49ed0ad22847545420690dbe371cf1c0d.txt",
		"img": "https://archive.orkl.eu/208133a49ed0ad22847545420690dbe371cf1c0d.jpg"
	}
}