{
	"id": "102e7a17-ea0a-4362-b9d5-c8f9d6fbcb52",
	"created_at": "2026-04-06T00:08:28.73148Z",
	"updated_at": "2026-04-10T13:12:24.396383Z",
	"deleted_at": null,
	"sha1_hash": "312953c25ce2734a05aaf87f4ef6f3586fd18c2f",
	"title": "Malicious web redirect service infects 16,500 sites to push malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1695688,
	"plain_text": "Malicious web redirect service infects 16,500 sites to push malware\r\nBy Bill Toulas\r\nPublished: 2022-04-07 · Archived: 2026-04-05 13:02:34 UTC\r\nA new traffic direction system (TDS) called Parrot is relying on servers that host 16,500 websites of universities, local\r\ngovernments, adult content platforms, and personal blogs.\r\nParrot's use is for malicious campaigns to redirect potential victims matching a specific profile (location, language, operating\r\nsystem, browser) to online resources such as phishing and malware-dropping sites.\r\nThreat actors running malicious campaigns buy TDS services to filter incoming traffic and send it to a final destination\r\nserving malicious content.\r\nhttps://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/\r\nPage 1 of 7\n\nTDS are also legitimately used by advertisers and marketers, and some of these services were exploited in the past to\r\nfacilitate malspam campaigns.\r\nUsed for RAT distribution\r\nParrot TDS was discovered by threat analysts at Avast, who report that it’s currently used for a campaign called FakeUpdate,\r\nwhich delivers remote access trojans (RATs) via fake browser update notices.\r\nSite displaying the fake browser update warning (Avast)\r\nThe campaign appears to have started in February 2022 but signs of Parrot activity have been traced as far back as October\r\n2021.\r\n“One of the main things that distinguishes Parrot TDS from other TDS is how widespread it is and how many potential\r\nvictims it has,” comments Avast in the report\r\n“The compromised websites we found appear to have nothing in common apart from servers hosting poorly secured CMS\r\nsites, like WordPress 
sites.”\r\nMalicious JavaScript code seen in compromised sites (Avast)\r\nThreat actors have planted a malicious web shell on compromised servers and copied it to various locations under similar\r\nnames that follow a “parroting” pattern.\r\nMoreover, the adversaries use a PHP backdoor script that extracts client information and forwards requests to the Parrot\r\nTDS command and control (C2) server.\r\nIn some cases, the operators use a shortcut without the PHP script, sending the request directly to the Parrot infrastructure.\r\nParrot's direct and proxied forwarding (Avast)\r\nAvast says that in March 2022 alone its services protected more than 600,000 of its clients from visiting these infected sites,\r\nindicating the massive scale of the Parrot redirection gateway.\r\nMost of the users targeted by these malicious redirections were in Brazil, India, the United States, Singapore, and Indonesia.\r\nParrot's redirection attempts heatmap (Avast)\r\nAs Avast details in the report, the particular campaign’s user profile and filtering are so fine-tuned that the malicious actors\r\ncan target a specific person from thousands of redirected users.\r\nThis is achieved by sending that target to unique payload-dropping URLs based on extensive hardware, software, and\r\nnetwork profiling.\r\nThe payload dropped on the targets' systems is the NetSupport Client RAT set to run in silent mode, which provides direct\r\naccess to the compromised machines.\r\nThe details of the dropped payload (Avast)\r\nPhishing Microsoft credentials\r\nWhile the RAT campaign is currently the main 
operation served by the Parrot TDS, Avast analysts have also noticed several\r\ninfected servers hosting phishing sites.\r\nThose landing pages resemble a legitimate-looking Microsoft login page asking visitors to enter their account credentials.\r\nOne of the phishing sites served by the Parrot TDS (Avast)\r\nFor users who browse the web, having an up-to-date internet security solution running at all times is the best way to deal\r\nwith malicious redirections.\r\nFor admins of potentially compromised web servers, Avast recommends the following actions:\r\nScan all files on the webserver with an antivirus.\r\nReplace all JavaScript and PHP files on the webserver with original ones.\r\nUse the latest CMS version and plugins versions.\r\nCheck for automatically running tasks on the web server like cron jobs.\r\nAlways use unique and strong credentials for every service and all accounts, and add 2FA where possible.\r\nUse some of the available security plugins for WordPress and Joomla\r\nSource: https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/"
	],
	"report_names": [
		"malicious-web-redirect-service-infects-16-500-sites-to-push-malware"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434108,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/312953c25ce2734a05aaf87f4ef6f3586fd18c2f.pdf",
		"text": "https://archive.orkl.eu/312953c25ce2734a05aaf87f4ef6f3586fd18c2f.txt",
		"img": "https://archive.orkl.eu/312953c25ce2734a05aaf87f4ef6f3586fd18c2f.jpg"
	}
}