{
	"id": "9fcc0e30-0309-40cc-be0e-424d0185f335",
	"created_at": "2026-04-06T00:07:56.191682Z",
	"updated_at": "2026-04-10T03:24:18.009516Z",
	"deleted_at": null,
	"sha1_hash": "3d13c1d1f38d76c032cf545a468bed2f31f63a32",
	"title": "Parrot TDS takes over web servers and threatens millions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2789334,
	"plain_text": "Parrot TDS takes over web servers and threatens millions\r\nBy Threat Research Team\r\nArchived: 2026-04-05 12:53:56 UTC\r\nA new Traffic Direction System we are calling Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. The TDS has infected various web servers hosting more than 16,500 websites, ranging from adult content sites to personal websites, university sites, and local government sites.\r\nParrot TDS acts as a gateway for further malicious campaigns to reach potential victims. In this particular case, the infected sites’ appearances are altered by a campaign called FakeUpdate (also known as SocGholish), which uses JavaScript to display fake notices for users to update their browser, offering an update file for download. The file observed being delivered to victims is a remote access tool.\r\nThe newly discovered TDS is, in some aspects, similar to the Prometheus TDS that appeared in the spring of 2021 [1]. However, what makes Parrot TDS unique is its robustness and its huge reach, giving it the potential to infect millions of users. We identified increased activity of the Parrot TDS in February 2022 by detecting suspicious JavaScript files on compromised web servers. We analysed its behaviour and identified several versions, as well as several types of campaigns using Parrot TDS. Based on the appearance of the first samples and the registration date of the Command and Control (C2) domains it uses, Parrot TDS has been active since October 2021.\r\nOne of the main things that distinguishes Parrot TDS from other TDSs is how widespread it is and how many potential victims it has. The compromised websites we found appear to have nothing in common apart from servers hosting poorly secured CMS sites, like WordPress sites. 
From March 1, 2022 to March 29, 2022, we protected more than 600,000 unique users from around the globe from visiting these infected sites. In this time frame, we protected the most users in Brazil (more than 73,000 unique users), India (nearly 55,000 unique users) and the US (more than 31,000 unique users).\r\nMap illustrating the countries Parrot TDS has targeted (in March)\r\nCompromised Websites\r\nhttps://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/\r\nPage 1 of 10\n\nIn February 2022, we identified a significant increase in the number of websites that contained malicious JavaScript code. This code was appended to the end of almost all JavaScript on the compromised web servers we discovered. Over time, we identified two versions (proxied and direct) of what we are calling Parrot TDS.\r\nIn both cases, web servers with different content management systems (CMS) were compromised. Most often, WordPress in various versions, including the latest one, or Joomla were affected. Since the compromised web servers have nothing in common, we assume the attackers took advantage of poorly secured servers, with weak login credentials, to gain admin access to the servers, but we do not have enough information to confirm this theory.\r\nProxied Version\r\nThe proxied version communicates with the TDS infrastructure via a malicious PHP script, usually located on the same web server, and executes the response content. A deobfuscated code snippet of the proxied version is shown below.\r\nMalicious JavaScript Code\r\nThis code performs basic user filtering based on the User-Agent string, cookies and referrer. In short, this code contacts the TDS only once for each user who visits the infected page. This type of filtering prevents multiple repeated requests and possible server overload.\r\nThe aforementioned PHP script serves two purposes. 
The first is to extract client information like the IP address, referrer and cookies, forward the request from the victim to the Parrot TDS C2 server and send the response in the other direction.\r\nThe second functionality allows an attacker to perform arbitrary code execution on the web server by sending a specifically crafted request, effectively creating a backdoor. The PHP script uses different names and is located in different locations, but usually, its name corresponds to the name of the folder it is in (hence the name of the TDS, since it parrots the names of folders).\r\nIn several cases, we also identified a traditional web shell on the infected web servers, which was located in various locations under different names but still following the same “parroting” pattern. This web shell likely allowed the attacker more comfortable access to the server, while the backdoor in the PHP script mentioned above was used as a backup option. An example of a web shell identified on one of the compromised web servers is shown below.\r\nTraditional web shell GUI\r\nSince we have seen several cases of reinfection, it is highly likely that the server automatically restores possibly deleted files using, for example, a cron job. However, we do not have enough information to confirm this theory.\r\nDirect Version\r\nThe direct version is almost identical to the previous one. This version utilises the same filtering technique. However, it sends the request directly to the TDS C2 server and, unlike the previous version, omits the malicious backdoor PHP script. It executes the content of the response the same way as the previous version. The whole communication sequence of both versions is depicted below. 
We experimentally verified that the TDS redirects from one IP address only once.\r\nInfection chain sequence diagram\r\nIdentified Campaigns\r\nThe Parrot TDS response is JavaScript code that is executed on the client. In general, this code can be arbitrary and exposes clients to further danger. However, in practice, we have seen only two types of responses. The first, shown below, simply sets the __utma cookie on the client. This happens when the client should not be redirected to the landing page. Due to the cookie-based user filtering mentioned above, this step effectively prevents repeated requests to Parrot TDS C2 servers in the future.\r\nBenign Parrot TDS C2 Response\r\nThe next code snippet shows the second type, which is a campaign redirection targeting Windows machines.\r\nMalicious Parrot TDS C2 Response\r\nFakeUpdate Campaign\r\nThe most prevalent “customer” of Parrot TDS we saw in the wild was the FakeUpdate campaign. The previous version of this campaign was described by MalwareBytes Lab in 2018 [2]. Although the version we identified slightly differs from the 2018 version, the core remains the same. The user receives JavaScript that changes the appearance of the page and tries to force the user to download malicious code. An example of what such a page looks like is shown below.\r\nFakeUpdate Campaign\r\nThis JavaScript also contains a Base64 encoded ZIP file with one malicious JavaScript file inside. 
Once the user downloads the ZIP file and executes the JavaScript it contains, the code starts fingerprinting the client in several stages and then delivers the final payload.\r\nUser Filtering\r\nThe entire infection chain is set up so that it is complicated to replicate and, therefore, to investigate. Parrot TDS provides the first layer of defence, which filters users based on IP address, User-Agent and referrer.\r\nThe FakeUpdate campaign provides the second layer of defence, using several mechanisms. The first is using unique URLs that deliver malicious content to only one specific user.\r\nThe last defence mechanism is scanning the user’s PC. This scan is performed by several JavaScript codes sent by the FakeUpdate C2 server to the user. This scan harvests the following information.\r\nName of the PC\r\nUser name\r\nDomain name\r\nManufacturer\r\nModel\r\nBIOS version\r\nAntivirus and antispyware products\r\nMAC address\r\nList of processes\r\nOS version\r\nAn overview of the process is shown in the picture below. The first part represents the Parrot TDS filtering based on the IP address, referrer and cookies, and after the user successfully passes these tests, the FakeUpdate page appears. The second part represents the FakeUpdate filtering based on a scan of the victim’s device.\r\nOverview of the filtering process\r\nFinal Payload\r\nThe final payload is then delivered in two phases. In the first phase, a PowerShell script is dropped and run by the malicious JavaScript code. This PowerShell script is downloaded to a temporary folder under a random eight-character name (e.g. %Temp%\\1c017f89.ps1). However, the name of this PowerShell script is hardcoded in the JavaScript code. The content of this script is usually a simple whoami /all command. The result is sent back to the C2 server.\r\nIn the second phase, the final payload is delivered. 
This payload is downloaded to the AppData\\Roaming folder. Here, a folder with a random name containing several files is dropped. The payloads we have observed so far are part of the NetSupport Client remote access tool and allow the attacker to gain easy access to the compromised machines [3].\r\nThe RAT is commonly named ctfmon.exe (mimicking the name of a legitimate program). It is also automatically started when the computer is switched on by setting an HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run registry key.\r\nNetSupport mimicking the name of a legitimate Microsoft service\r\nNetSupport Client installed on the compromised machine\r\nThe installed NetSupport Manager tool is configured so that the user has very little chance of noticing it and, at the same time, gives the attacker maximum opportunities. The tool basically gives the attacker full access to the victim’s machine. To run unnoticed, chat functions are disabled, and the silent option is set on the tool, for example. A gateway is also set up that allows the attacker to connect to the client from anywhere in the world. So far, we’ve seen Chinese domains in the tool’s configuration files used as gateways. The picture below shows the client settings.\r\nNetSupport Client Settings\r\nPhishing\r\nWe identified several infected servers hosting phishing sites. These phishing sites, imitating, for example, a Microsoft Office login page, were hosted on compromised servers in the form of PHP scripts. The figure below shows the aforementioned Microsoft phishing observed on an otherwise legitimate site. We don’t have enough information to assign this to Parrot TDS directly. 
However, a significant number of the compromised servers contained phishing as well.\r\nMicrosoft phishing hosted on the compromised web server\r\nConclusion and Recommendation\r\nWe have identified an extensive infrastructure of compromised web servers that served as a TDS and put a large number of users at risk. Given that the attacker had almost unlimited access to tens of thousands of web servers, the above list of campaigns is undoubtedly not exhaustive.\r\nThe Avast Threat Labs has several recommendations for developers to keep their servers from being compromised.\r\nScan all files on the web server with Avast Antivirus.\r\nReplace all JavaScript and PHP files on the web server with original ones.\r\nUse the latest CMS version.\r\nUse the latest versions of installed plugins.\r\nCheck for automatically running tasks on the web server (for example, cron jobs).\r\nCheck and set up secure credentials. Make sure to always use unique credentials for every service.\r\nCheck the administrator accounts on the server. Make sure each of them belongs to you and has a strong password.\r\nWhen applicable, set up 2FA for all the web server admin accounts.\r\nUse some of the available security plugins (WordPress, Joomla).\r\nIndicators of Compromise (IoC)\r\nRepository: https://github.com/avast/ioc/tree/master/ParrotTDS\r\nParrot TDS\r\n* In an attempt to prevent further attacks on the infected servers, we are providing this hash on demand. Please DM us on Twitter or reach out to us at ti@avast.com.\r\nFakeUpdate\r\n* Delivering the final payload\r\nNetSupport RAT\r\n**xxx stands for the random string name\r\nResources\r\n[1] Viktor Okorokov and Nikita Rostovcev. Prometheus TDS, Group IB, 5 Aug. 
2021, https://blog.group-ib.com/prometheus-tds.\r\n[2] Jérôme Segura. FakeUpdates Campaign Leverages Multiple Website Platforms, MalwareBytes Labs, 10 Apr. 2018, https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/.\r\n[3] NetSupport Software. https://www.netsupportsoftware.com/.\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/"
	],
	"report_names": [
		"parrot-tds-takes-over-web-servers-and-threatens-millions"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434076,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d13c1d1f38d76c032cf545a468bed2f31f63a32.pdf",
		"text": "https://archive.orkl.eu/3d13c1d1f38d76c032cf545a468bed2f31f63a32.txt",
		"img": "https://archive.orkl.eu/3d13c1d1f38d76c032cf545a468bed2f31f63a32.jpg"
	}
}