{
	"id": "2523cec7-b8fb-4d0a-ba36-c5430220587e",
	"created_at": "2026-04-06T00:08:37.42982Z",
	"updated_at": "2026-04-10T13:11:46.611669Z",
	"deleted_at": null,
	"sha1_hash": "21de5d50f42061c8db17d001c4a3029a4d0f9137",
	"title": "Skimmers in Images \u0026 GitHub Repos",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1996643,
	"plain_text": "Skimmers in Images \u0026 GitHub Repos\r\nBy Denis Sinegubko\r\nPublished: 2020-07-22 · Archived: 2026-04-05 20:03:23 UTC\r\nMalwarebytes recently shared some information about web skimmers that store malicious code inside real .ico files.\r\nDuring a routine investigation, we detected a similar issue. Instead of targeting .ico files, however, attackers chose to inject content into real .png files, both on compromised sites and in booby-trapped Magento repos on GitHub.\r\nGoogletagmanager.png\r\nOur security analyst Keith Petkus found this piece of malware injected on a compromised Magento 2.x site.\r\n\u003cscript\u003e...i();async function i() {let x92 = await fetch('/pub/media/wysiwyg/m2themes/googletagmanage\r\nThis code was found appended to real Google Tag Manager code, so seeing a reference to googletagmanager.png might not spark suspicion at first glance. Moreover, it’s a valid .png image from the same site.\r\nhttps://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html\r\nPage 1 of 8\n\ngoogletagmanager.png\r\nJavaScript Inside .png\r\nNonetheless, the code is not typical for Google Tag Manager. If you inspect it closely, you’ll notice that it loads the contents of the image file and then executes part of it (x.slice(-34905)) as a JavaScript function.\r\nIf we check the contents of googletagmanager.png, it appears to be a regular binary .png file, including the proper PNG file signature and chunk markers such as IHDR and IEND.\r\nRaw content of the googletagmanager.png file\r\nHowever, after the end of the last chunk (IEND), we can see JavaScript code. This code is ignored by image viewers, but you can access it if you work with the .png file as if it were a regular text file.
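The check a defender would run for exactly this, as an added example that is not part of the original post: a small Python script that walks the PNG chunk list, verifies each chunk's CRC, and reports whatever follows IEND. The two sample files it scans are constructed inline (a generated 1x1 PNG, with and without a stand-in JavaScript blob appended after IEND); the skimmer's real payload is not reproduced, and the function names are assumptions of this example.

```python
import struct
import zlib

# PNG layout per the spec: an 8-byte signature, then chunks made of a
# 4-byte big-endian length, a 4-byte type, the data, and a CRC32 over
# type + data. A well-formed file ends with the IEND chunk.
PNG_SIGNATURE = bytes.fromhex('89504e470d0a1a0a')


def png_chunks(data):
    '''Walk the chunk list up to IEND.

    Returns (chunks, end_offset) where chunks is a list of
    (type, length, crc_ok) tuples and end_offset is the first byte
    after IEND. Raises ValueError if the file is not a structurally
    valid PNG.
    '''
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError('missing PNG signature')
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        (length,) = struct.unpack('>I', data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError('truncated chunk %r at offset %d' % (ctype, pos))
        (stored_crc,) = struct.unpack('>I', crc_bytes)
        crc_ok = zlib.crc32(ctype + body) == stored_crc
        chunks.append((ctype.decode('latin-1'), length, crc_ok))
        pos += 12 + length
        if ctype == b'IEND':
            return chunks, pos
    raise ValueError('no IEND chunk found')


def trailing_payload(data):
    '''Bytes after IEND. Image viewers ignore them; a loader can fetch them.'''
    _, end = png_chunks(data)
    return data[end:]


def loader_slice(data, n):
    '''What the skimmer loader does: take the last n bytes of the file
    (the page shows x.slice(-34905) applied to the fetched image).'''
    return data[-n:]


def looks_like_javascript(blob):
    '''Cheap triage heuristic: UTF-8 text carrying common JS tokens.'''
    try:
        text = blob.decode('utf-8')
    except UnicodeDecodeError:
        return False
    markers = ('function', 'fetch(', 'eval(', 'document.', 'XMLHttpRequest', '=>')
    return any(m in text for m in markers)


def scan(data):
    '''Summarise one file: chunk types, CRC status, bytes after IEND.'''
    chunks, _ = png_chunks(data)
    tail = trailing_payload(data)
    return {
        'chunks': [c[0] for c in chunks],
        'crc_ok': all(c[2] for c in chunks),
        'trailing_bytes': len(tail),
        'js_like': looks_like_javascript(tail),
    }


def build_png(width=1, height=1):
    '''Generate a minimal valid 8-bit grayscale PNG (constructed input).'''
    def chunk(ctype, body):
        crc = struct.pack('>I', zlib.crc32(ctype + body))
        return struct.pack('>I', len(body)) + ctype + body + crc
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 0, 0, 0, 0)
    # Each scanline is a filter byte (0 = none) followed by width pixels.
    raw = bytes(height * (width + 1))
    return (PNG_SIGNATURE + chunk(b'IHDR', ihdr)
            + chunk(b'IDAT', zlib.compress(raw)) + chunk(b'IEND', b''))


# Constructed samples: a clean PNG, and the same PNG with a stand-in
# JavaScript blob appended after IEND, mimicking the layout of
# googletagmanager.png (not the real skimmer code).
CLEAN_PNG = build_png()
APPENDED_JS = b'async function i(){let r=await fetch(location.pathname);/* stub */}'
SKIMMER_PNG = CLEAN_PNG + APPENDED_JS

if __name__ == '__main__':
    for name, sample in (('clean', CLEAN_PNG), ('appended', SKIMMER_PNG)):
        print(name, scan(sample))
```

On a real site, run scan() over every file under the media or upload root and alert on any trailing_bytes greater than zero; a legitimate PNG has nothing after IEND. The CRC check is there for the other splicing option: a payload written into a chunk body instead of appended would show up as a CRC mismatch unless the attacker recomputed the CRC, so treat a mismatch as equally suspicious.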
In our case, the malware extracts the last 34,905 bytes of the file.\r\nSkimmer Code\r\nAfter deobfuscation, typical Magecart skimmer code is revealed, with modifications that prevent someone from seeing the exfiltration gate right away.\r\nTelltale skimmer parameters\r\nThe following code is responsible for computing the URL of the gate.\r\nDecoding the exfiltration gate URL\r\nWhat we see here is malware that attempts to load the mage.png file from a GitHub repository (hxxps://raw.githubusercontent[.]com/mag202/magento/master/pub/media/downloadable/mage.png) and then performs some operations on chunks of its contents.\r\nMag202/Magento GitHub Repository\r\nIndeed, at https://github.com/mag202/magento we find a repository of a beta version of Magento 2.4 created by the user mag202 on April 4, 2020.\r\nMag202/Magento repository on GitHub\r\nUnsurprisingly, we found the suspect magento/pub/media/downloadable/mage.png file within the repo.\r\nmagento/pub/media/downloadable/mage.png in the mag202/magento repository\r\nExfil URL hidden in mage.png\r\nA quick lookup in the official Magento repository reveals that this directory shouldn’t contain a mage.png file. In fact, it doesn’t contain any image files at all.\r\nWhen checking the raw contents of this file, we find this encrypted text at the very bottom, after the IEND signature.\r\nMalicious part of mage.png\r\nSince we have the actual JavaScript code that decrypts it, we retrieved this exfiltration gate URL: hxxps://fontsgoogle-apis[.]com/v14/\r\nCommit History\r\nOne useful feature of version control systems is that they keep track of all repository modifications. This mag202/magento repository on GitHub also has a public commit history.\r\nCommit history of mag202/magento\r\nThe commit history basically consists of a series of uploads and deletions of the malicious mage.png file. The hacker modifies the appended malicious code in these files and uploads new versions either to pub/media/downloadable/mage.png or to app/design/frontend/Magento/luma/media/mage.png.\r\nAll historical versions of these files are also available on GitHub. For example, the version from April 10 of magento/app/design/frontend/Magento/luma/media/mage.png contained the following code appended at the end.\r\nHistorical version of malware in mage.png\r\nAt this point, it was real JavaScript code rather than just encrypted text. The purpose of this code was the same, however: to hide the exfiltration details and allow the attacker to update them through GitHub at their convenience.\r\nAfter its execution, we get the exfiltration URL:\r\nhxxps://googletag-manager[.]com/gtag/GTM-P75S9/\r\nThis is the same URL found in images loaded by similar skimmer malware.\r\nNov 4, 2019: googletag-manager[.]com was registered.\r\nMay 2, 2020: fontsgoogle-apis[.]com (used by the latest version of the malware) was registered. It is hosted on the server with IP 8.209.99.41.\r\nThis same server also hosts the soon-to-be-expired domain gstatlcs[.]com, which was registered on July 23, 2019.\r\nConclusion\r\nWeb skimmer operators are always actively searching for new methods to prevent detection of their malware on compromised websites.\r\nThis time, we found them combining four popular tricks to conceal their malicious code:\r\n1. Including requests to usually benign static content (e.g. stylesheets or images) that is normally less scrutinized in traffic monitoring or static file analysis.\r\n2. Planting malicious code inside real images.\r\n3. Hosting malicious files on popular legitimate websites such as GitHub.\r\n4. Using misleading variable names, filenames, and domains to make people believe they belong to a reputable popular service (in this case, Google Tag Manager).\r\nWhile this approach may make it more difficult for third-party researchers to spot the malware, webmasters who implement integrity control checks or website monitoring services should be able to detect the addition of new files to the system or changes to existing files.\r\nDenis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.\r\nRelated Tags\r\nBest Practices,\r\nGoogle,\r\nHacked Websites,\r\nObfuscation\r\nSource: https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html"
	],
	"report_names": [
		"skimmers-in-images-github-repos.html"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21de5d50f42061c8db17d001c4a3029a4d0f9137.pdf",
		"text": "https://archive.orkl.eu/21de5d50f42061c8db17d001c4a3029a4d0f9137.txt",
		"img": "https://archive.orkl.eu/21de5d50f42061c8db17d001c4a3029a4d0f9137.jpg"
	}
}