{
	"id": "ea8a3190-e914-4d45-9e0e-9b4e89fec6ec",
	"created_at": "2026-04-06T00:09:56.691703Z",
	"updated_at": "2026-04-10T13:13:08.6438Z",
	"deleted_at": null,
	"sha1_hash": "4130d6b2b09499c921e22da210f9be7df430e630",
	"title": "Strategic web compromises in the Middle East with a pinch of Candiru",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1457118,
	"plain_text": "Strategic web compromises in the Middle East with a pinch of Candiru\r\nBy Matthieu Faou\r\nArchived: 2026-04-02 10:36:32 UTC\r\nBack in 2018, ESET researchers developed a custom in-house system to uncover watering hole attacks (aka strategic web\r\ncompromises) on high-profile websites. On July 11\r\nth\r\n, 2020 it notified us that the website of the Iranian embassy in Abu\r\nDhabi had been modified and had started injecting JavaScript code from https://piwiks[.]com/reconnect.js, as shown in\r\nFigure 1.\r\nFigure 1. Script injection on the website of the Iranian Embassy in Abu Dhabi\r\nOur curiosity was aroused by the nature of the targeted website and in the following weeks we noticed that other websites\r\nwith connections to the Middle East started to be targeted. We traced the start of the campaign back to March 2020, when\r\nthe piwiks[.]com domain was re-registered. We believe that the strategic web compromises only started in April 2020 when\r\nthe website of the Middle East Eye (middleeasteye.net), a London-based digital news site covering the region, started to\r\ninject code from the piwiks[.]com domain.\r\nAt the end of July or the beginning of August 2020, all remaining compromised websites were cleaned; it is probable that\r\nthe attackers themselves removed the malicious scripts from the compromised websites. The threat group went quiet until\r\nJanuary 2021, when we observed a new wave of compromises. This second wave lasted until August 2021, when all\r\nwebsites were cleaned again. A few indicators from this second wave were shared on Twitter by a fellow researcher, which\r\nallows us to make a link with what Kaspersky tracks as Karkadann.\r\nWe detail the inner working of the compromises in the Technical analysis section, below, but it is worth noting that the final\r\ntargets are specific visitors of those websites, who are likely to receive a browser exploit. 
The compromised websites are only used as a hop to reach the final targets.\r\nhttps://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/\r\nPage 1 of 16\n\nWe also uncovered interesting links with Candiru, detailed in the section Links between the watering holes, spearphishing documents and Candiru. Candiru is a private Israeli spyware firm that was recently added to the Entity List (entities subject to licensing restrictions) of the US Department of Commerce. This may prevent any US-based organization from doing business with Candiru without first obtaining a license from the Department of Commerce.\r\nAt the time of writing, it seems that the operators are taking a pause, probably in order to retool and make their campaign stealthier. We expect to see them back in the ensuing months.\r\nTargeting\r\nOur tracking shows that the operators are mostly interested in the Middle East, with a particular emphasis on Yemen. Table 1 shows the known targets in 2020 and 2021.\r\nTable 1. 
Domains compromised during the first wave\r\nCompromised website | C\u0026C | From | To | Detail\r\nmiddleeasteye.net | piwiks[.]com | 2020-04-04 | 2020-04-06 | A UK-based online newspaper covering the Middle East.\r\npiaggioaerospace.it | piwiks[.]com | 2020-07-08 | 2020-11-05 | An Italian aerospace company.\r\nmedica-tradefair[.]co | rebrandly[.]site | 2020-07-09 | 2020-10-13 | Fake website impersonating a German medical trade fair in Düsseldorf.\r\nmfa.gov.ir | piwiks[.]com | 2020-07-11 | 2020-07-13 | Ministry of Foreign Affairs of Iran.\r\nalmanar.com.lb | rebrandly[.]site | 2020-07-24 | 2020-07-30 | Television channel linked to Hezbollah.\r\nsmc.gov.ye | visitortrack[.]net | 2021-01-18 | 2021-04-14 | Ministry of Interior of Yemen.\r\nsmc.gov.ye | hotjar[.]net | 2021-04-21 | 2021-07-30 | Ministry of Interior of Yemen.\r\nalmasirahnews.com | visitortrack[.]net | 2021-01-25 | 2021-03-25 | Yemeni Television channel linked to the Ansar Allah movement (Houthis).\r\nalmasirahnews.com | hotjar[.]net | 2021-04-21 | 2021-07-17 | Yemeni Television channel linked to the Ansar Allah movement (Houthis).\r\ncasi.gov.sy | hotjar[.]net | 2021-02-01 | Unknown | Central Authority for the Supervision and Inspection of Syria.\r\nmoe.gov.sy | hotjar[.]net | 2021-02-01 | Unknown | Syrian Ministry of Electricity.\r\nalmanar.com.lb | webfx[.]bz | 2021-02-03 | 2021-02-23 | Television channel linked to Hezbollah.\r\nalmanar.com.lb | webffx[.]bz | 2021-03-12 | 2021-03-24 | Television channel linked to Hezbollah.\r\nalmanar.com.lb | webffx[.]bz | 2021-03-24 | 2021-03-25 | Television channel linked to Hezbollah.\r\nmanartv.com.lb | webfx[.]bz | 2021-02-03 | 2021-03-22 | Television channel linked to Hezbollah.\r\nmof.gov.ye | hotjar[.]net | 2021-02-11 | 2021-07-14 | Ministry of Finance of Yemen.\r\nscs-net.org | hotjar[.]net | 2021-03-07 | Unknown | Internet Service Provider in Syria.\r\ncustoms.gov.ye | livesesion[.]bid | 2021-03-24 | 2021-06-16 | Customs agency of Yemen.\r\ndenel.co.za | site-improve[.]net | 2021-03-31 | 2021-07-22 | A South African state-owned aerospace and military technology conglomerate.\r\npmp.co.za | site-improve[.]net | 2021-03-31 | Unknown | A South African state-owned aerospace and military technology conglomerate.\r\ndeneldynamics.co.za | site-improve[.]net | 2021-04-03 | 2021-07-27 | A South African state-owned aerospace and military technology conglomerate.\r\ndenellandsystems.co.za | site-improve[.]net | 2021-04-04 | 2021-07-23 | A South African state-owned aerospace and military technology conglomerate.\r\ndenelaviation.co.za | site-improve[.]net | 2021-04-07 | 2021-07-19 | A South African state-owned aerospace and military technology conglomerate.\r\nyemen.net.ye | hotjar[.]net | 2021-04-15 | 2021-08-04 | Internet service provider in Yemen.\r\nyemenparliament.gov.ye | hotjar[.]net | 2021-04-20 | 2021-07-05 | Parliament of Yemen.\r\nyemenvision.gov.ye | hotjar[.]net | 2021-04-21 | 2021-06-13 | Yemeni government website.\r\nmmy.ye | hotjar[.]net | 2021-05-04 | 2021-08-19 | Yemeni media linked to the Houthis.\r\nthesaudireality.com | bootstrapcdn[.]net | 2021-06-16 | 2021-07-23 | Likely dissident media outlet in Saudi Arabia.\r\nsaba.ye | addthis[.]events | 2021-06-18 | Unknown | Yemeni news agency linked to Houthis. However, it seems it was taken over by the Southern Transitional Council in early June 2021, just before this website was compromised.\r\nmedica-tradefair[.]co is the outlier in this list, as it was not compromised but was operated by the attackers themselves. It was hosted at ServerAstra, as were all the other C\u0026C servers used in 2020.\r\nIt mimics the legitimate website medica-tradefair.com, which is the website of the World Forum for Medicine’s MEDICA Trade Fair held in Düsseldorf (Germany) each year. The operators simply cloned the original website and added a small piece of JavaScript code.\r\nAs seen in Figure 2, the content doesn’t seem to have been modified. It is likely that attackers were not able to compromise the legitimate website and had to set up a fake one in order to inject their malicious code.\r\nFigure 2. 
Cloned version of the Medica Trade Fair website\r\nIt is interesting to note that the malicious domains mimic genuine web analytics, URL shortener or content delivery network domains and URLs. This is a characteristic of this threat actor.\r\nTechnical analysis – Strategic web compromises\r\nFirst wave – 2020\r\nFirst stage – Injected script\r\nAll compromised websites were injecting JavaScript code from the attacker-controlled domains piwiks[.]com and rebrandly[.]site. In the first known case, the injection is as shown in Figure 3.\r\nFigure 3. Script injection on the website of the Iranian Embassy in Abu Dhabi\r\nThis injection loads a remote JavaScript named reconnects.js and a legitimate third-party library, GeoJS, for IP geolocation lookup.\r\nIn the cases of rebrandly[.]site injections, the additional scripts are loaded using HTML script tags, as seen in Figure 4.\r\nFigure 4. Script injected into the medica-tradefair[.]co website\r\nSecond stage – Fingerprinting script\r\nreconnects.js and recon-api.js are almost identical; only the order of some lines or functions is changed. As shown in Figure 5, the malware authors tried to avoid raising suspicions by prepending their script with a copy of the jQuery Browser Plugin header. They were probably hoping that malware analysts would not scroll further.\r\nFigure 5. Beginning of the fingerprinting script used in the first wave\r\nThe script first implements a function named geoip. It is automatically called by the GeoJS library, previously loaded, as mentioned on the official GeoJS website. The variable json contains the IP geolocation information. 
The script sends this JSON via an HTTP POST request to the C\u0026C server at the URL https://rebrandly[.]site/reconnect-api.php. If the server returns an HTTP 200 status code, then the script proceeds to a function named main.\r\nFirst, main gathers information such as the operating system version and the browser version using custom functions shown in Figure 6. They simply parse the browser User-Agent to extract information.\r\nFigure 6. OS and browser fingerprinting functions\r\nAs shown in Figure 7, the function then checks whether the operating system is either Windows or macOS and only continues if so. This is interesting because it suggests that this operation is intended to compromise computers and not mobile devices such as smartphones. It also checks for a list of common web browsers: Chrome, Firefox, Opera, IE, Safari and Edge.\r\nFigure 7. The main function of the fingerprinting script used in the first wave\r\nThe script also encrypts a hardcoded value, 1122, although we don’t know for what purpose. Despite the function being named decrypt, it actually encrypts using RSA and the library JSEncrypt. The 1024-bit RSA key is hardcoded and set to:\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhIxVX6QGlxe1mrkPCgBtz8bWH\r\nnzmek4He5caAE2sH2TFnXN1VdqpxMaJSi+dj9sbqHu0tSYd+5tU20514jlEOX6/D\r\nyFFPCoOvx5TzAm+AkSmevUuMsfZTifK+wQRxRhiuMk2UbnVCVQS0CJDoPTl8Blsp\r\n1oCEF2Kz7uIb0pea3QIDAQAB\r\n-----END PUBLIC KEY-----\r\nThen, the script sends an HTTPS GET request to the C\u0026C server rebrandly[.]site. 
The id parameter contains the fingerprint data and the last parameter value contains the country provided by the GeoJS library.\r\nIf the server returns a reply, it is decrypted using AES from the CryptoJS library, and a hardcoded key flcwsfjWCWEcoweijwf@#$@#$@#499299234@#$!@2. This key stayed the same, even after we tried a few requests.\r\nThe decrypted value is supposedly a URL and a new iframe pointing to this URL is created. We were unable to get any valid answer but we believe it leads to a browser remote code execution exploit that allows an attacker to take control of a machine.\r\nSecond wave – 2021\r\nIn January 2021, a new wave of attacks started. The attackers created an entirely new network infrastructure and changed all their JavaScript code.\r\nFirst stage – Injected script\r\nIn order to be a bit stealthier still, in this second wave, they started to modify scripts that were already on the compromised website. So instead of adding code to the main HTML page, they modified libraries such as wp-embed.min.js, as seen in Figure 8. They simply added a few lines at the end of https://www.smc.gov.ye/wp-includes/js/wp-embed.min.js to load a script from a server they control: https://visitortrack[.]net/sliders.js.\r\nFigure 8. Injected script used in the second wave\r\nAnother strategy used to limit their exposure is to create a cookie the first time the visitor executes the malicious script, as shown in Figure 9. As the script is conditionally injected depending on whether the cookie already exists, this will prevent further injections. This specific code was found on the website of the Syrian Central Authority for the [sic] Supervision and Inspection (casi.gov.sy).\r\nFigure 9. 
Cookie creation to avoid further requests\r\nSecond stage\r\nFrom January to March 2021, for the second-stage script, the operators used a script based on the minAjax library. This is not a fingerprinting script per se as it doesn’t send any information about the browser or the operating system to the C\u0026C server – an example is shown in Figure 10. It should be noted that very similar scripts are used by the LNKR adware, so a detection on this might lead to a high volume of false positives.\r\nFigure 10. Second-stage script of the second wave\r\nThis script contains the current timestamp, t0, an expiration timestamp, ex, and two hashes juh and cs, whose significance we don’t know at present. These values are sent to the C\u0026C server https://webfex[.]bz/f/gstats. If the reply is a JSON object and contains the fw key, the script issues a redirection to the URL contained in fw using parent.top.window.location.href. As with the first wave, we were not able to get any valid redirect.\r\nIn April 2021, this script was changed to FingerprintJS Pro. This is a commercial product whose developers have an official website shown in Figure 11.\r\nFigure 11. Home page of FingerprintJS\r\nIn comparison to the fingerprinting script used in 2020, this is far more complex because it retrieves the default language, the list of fonts supported by the browser, the time zone, the list of browser plugins, the local IP addresses using RTCPeerConnection, and so on. Network communications with the C\u0026C server are encrypted with an AES session key. As shown in Figure 12, the server can return JavaScript code that will be executed in the context of the current web page.\r\nFigure 12. FingerprintJS Pro adds JavaScript code to the current page\r\nAs with the previous cases, we never got a valid redirect. 
We still believe it leads to a browser exploit and it shows that this campaign is highly targeted.\r\nSpearphishing documents and links with Candiru\r\nReminder of the Citizen Lab publication\r\nIn the Citizen Lab Candiru blogpost, there is a section called A Saudi-Linked Cluster?. It mentions a spearphishing document that was uploaded to VirusTotal.\r\nThe C\u0026C server used by this document is https://cuturl[.]space/lty7uw and VirusTotal captured a redirection from this URL to https://useproof[.]cc/1tUAE7A2Jn8WMmq/api. The domain useproof[.]cc was resolving to 109.70.236[.]107 and, according to the Citizen Lab, this server matched their so-called CF3 fingerprint for Candiru C\u0026C servers. This domain was registered via Porkbun, as are most Candiru-owned domains.\r\nTwo domains resolving to the same IP address caught our attention:\r\nwebfx[.]cc\r\nengagebay[.]cc\r\nThe same second-level domains, with a different TLD, were used in the second wave of strategic web compromises. These two domains in the .cc TLD are most likely operated by Candiru too.\r\nThe Citizen Lab report mentions a few domains similar to cuturl[.]space, which we detail in Table 2.\r\nTable 2. Domains similar to cuturl[.]space\r\nDomain | Registrar | IP | Hosting Provider\r\nllink[.]link | Njalla | 83.171.237[.]48 | Droptop\r\ninstagrarn[.]co | TLD Registrar Solutions | 83.97.20[.]89 | M247\r\ncuturl[.]app | TLD Registrar Solutions | 83.97.20[.]89 | M247\r\nurl-tiny[.]co | TLD Registrar Solutions | 83.97.20[.]89 | M247\r\nbitly[.]tel | Njalla | 188.93.233[.]149 | Dotsi\r\nThese domain names mimic URL shorteners and the Instagram social media website and were registered through Njalla and TLD Registrar Solutions Ltd. 
This reminds us of the domains used for the strategic web compromises that are all variations of genuine web analytics websites and were also registered via Njalla.\r\nWe also independently confirmed that the servers to which these domains were resolving were configured in a similar fashion.\r\nThus, we believe that this set of websites is controlled by the same threat group that created the documents. Conversely, the domain useproof[.]cc is most likely operated in-house by Candiru and is used to deliver exploits.\r\nLinks between the watering holes, spearphishing documents and Candiru\r\nTable 3 summarizes the characteristics of the watering holes, the documents found by Citizen Lab, and Candiru.\r\nTable 3. Summary of links between the three clusters (watering holes, documents found by Citizen Lab and Candiru)\r\nWatering holes | Cluster of documents | Candiru\r\nRegistrars: Mainly Njalla | Njalla and TLD Registrar Solutions | Porkbun\r\nHosting providers: ServerAstra, Droptop, Neterra, Net Solutions, The Infrastructure Group, Sia Nano and FlokiNET | Droptop, M247 and Dotsi | M247, QuadraNet, etc.\r\nDomain themes: Analytics and URL shortener services | URL shortener services | Analytics, URL shortener services, media outlets, tech companies, government contractors, etc.\r\nVictimology: Middle East | Middle East | Middle East, Armenia, Albania, Russia, Uzbekistan, etc.\r\nTargeted platforms: Windows and macOS | Windows | Windows and macOS\r\nTTPs: Strategic web compromises | Malicious documents with Document_Open macros | Malicious documents and fake shortened URLs redirecting to exploits and the DevilsTongue implant.\r\nWhat is interesting to note is that the watering holes are limited to a quite narrow victimology. 
We also noted that domains known to be operated by Candiru (webfx[.]cc for example) are very similar to domains used for the watering holes (webfx[.]bz). However, they were not registered in the same fashion and their servers are configured very differently.\r\nIn July 2021, Google published a blogpost providing details on exploits used by Candiru. It includes CVE-2021-21166 and CVE-2021-30551 for Chrome and CVE-2021-33742 for Internet Explorer. They are full remote code execution exploits that allow an attacker to take control of a machine by making the victim visit a specific URL that then delivers the exploit. This shows Candiru has the capabilities to exploit browsers in a watering hole attack.\r\nHence, we believe that the watering holes behave similarly to the documents. The first C\u0026C server, injected in the compromised websites, would redirect to another C\u0026C server, owned by a spyware firm such as Candiru and delivering a browser exploit.\r\nBased on this information, we assess:\r\nwith low confidence that the creators of the documents and the operators of the watering holes are the same.\r\nwith medium confidence that the operators of the watering holes are customers of Candiru.\r\nConclusion\r\nThis report describes two strategic web compromise campaigns targeting high-profile organizations in the Middle East, with a strong focus on Yemen. We also revealed links to Candiru, a spyware firm that sells state-of-the-art offensive software tools and related services to government agencies.\r\nWe were unable to get an exploit and the final payload. 
This shows that the operators choose to narrow the focus of their operations and that they don’t want to burn their zero-day exploits.\r\nWe stopped seeing activity from this operation at the end of July 2021, shortly after the release of blogposts by the Citizen Lab, Google and Microsoft detailing the activities of Candiru.\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nIndicators of Compromise\r\nFiles\r\nSHA-1 | Filename | C\u0026C URL | Comment\r\n4F824294BBECA4F4ABEEDE8648695EE1D815AD53 | N/A | https://cuturl[.]app/sot2qq | Document with VBA macro.\r\n96AC97AB3DFE0458B2B8E58136F1AAADA9CCE30B | copy_02162021q.doc | https://cuturl[.]space/lty7uw | Document with malicious VBA macro.\r\nDA0A10084E6FE57405CA6E326B42CFD7D0255C79 | seeIP.doc | https://cuturl[.]space/1hm39t | Document with VBA macro.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 10 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | The operators bought domain names from multiple registrars, including Njalla.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | The operators rented servers from multiple hosting companies. In 2020, they rented servers mainly from ServerAstra.\r\nResource Development | T1584.004 | Compromise Infrastructure: Server | The operators compromised several high-profile websites.\r\nResource Development | T1588.001 | Obtain Capabilities: Malware | The operators probably bought access to Candiru implants.\r\nResource Development | T1588.005 | Obtain Capabilities: Exploits | The operators probably bought access to Candiru exploits.\r\nResource Development | T1608.004 | Stage Capabilities: Drive-by Target | The operators modify more than twenty high-profile websites to add a piece of JavaScript code that loads additional code from their C\u0026C servers.\r\nInitial Access | T1189 | Drive-by Compromise | Visitors to compromised websites may have received an exploit after their browser was fingerprinted.\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | The operators sent spearphishing emails with malicious Word documents.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | The Word documents contain a VBA macro running code using the Document_Open function.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | The watering hole scripts communicate via HTTPS with the C\u0026C servers.\r\nSource: https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/"
	],
	"report_names": [
		"strategic-web-compromises-middle-east-pinch-candiru"
	],
	"threat_actors": [
		{
			"id": "5e034014-1f6e-424d-adfa-49557e655e08",
			"created_at": "2024-02-06T02:00:04.118601Z",
			"updated_at": "2026-04-10T02:00:03.572699Z",
			"deleted_at": null,
			"main_name": "Karkadann",
			"aliases": [
				"Piwiks"
			],
			"source_name": "MISPGALAXY:Karkadann",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8f6bd9b8-e46e-4c3b-9a08-41fee319f273",
			"created_at": "2022-10-25T16:07:23.747959Z",
			"updated_at": "2026-04-10T02:00:04.735963Z",
			"deleted_at": null,
			"main_name": "Karkadann",
			"aliases": [],
			"source_name": "ETDA:Karkadann",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775826788,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4130d6b2b09499c921e22da210f9be7df430e630.pdf",
		"text": "https://archive.orkl.eu/4130d6b2b09499c921e22da210f9be7df430e630.txt",
		"img": "https://archive.orkl.eu/4130d6b2b09499c921e22da210f9be7df430e630.jpg"
	}
}