{
	"id": "f87506f7-5413-4d92-9c2a-fc7a3efed280",
	"created_at": "2026-04-06T00:14:09.318518Z",
	"updated_at": "2026-04-10T13:12:49.831473Z",
	"deleted_at": null,
	"sha1_hash": "45c0dc8210af31486cd31ac35b15c603e2358c6a",
	"title": "Malvertising campaigns come back in full swing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1362395,
	"plain_text": "Malvertising campaigns come back in full swing\r\nBy Threat Intelligence Team\r\nPublished: 2020-09-08 · Archived: 2026-04-05 22:40:28 UTC\r\nhttps://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/\r\nMalvertising campaigns leading to exploit kits are nowhere near as common these days. Indeed, a number of threat actors have moved on to other delivery methods instead of relying on drive-by downloads.\r\nHowever, occasionally we see spikes in activity that are noticeable enough that they highlight a successful run. In late August, we started seeing a Fallout exploit kit campaign distributing the Raccoon Stealer via high-traffic adult sites. Shortly after we reported it to the ad network, the same threat actor came back again using the RIG exploit kit instead.\r\nThen we saw possibly the largest campaign to date on top site xhamster[.]com from a malvertiser we have tracked for well over a year. This threat actor has managed to abuse practically all adult ad networks but this may be the first time they hit a top publisher.\r\nMalvertising on popular ad network\r\nThe first malicious advertiser we observed was able to bid for ads on a number of adult sites by targeting users running Internet Explorer without any particular geolocation restriction, although the majority of victims were in the US.\r\nIn this campaign, the crooks abused the popular ad network ExoClick by using different redirection pages. However, each time we were able to notify the ad network and get them shut down quickly.\r\nThe first domain they used was inteca-deco[.]com, which was set up as a web design agency but visibly a decoy page to the trained eye.\r\nSimple server-side cloaking performs the redirect to a Fallout exploit kit landing page which attempts to exploit CVE-2019-0752 (Internet Explorer) and CVE-2018-15982 (Flash Player) before dropping the Raccoon Stealer.\r\nAbout 10 days later, another domain, websolvent[.]me, became active but used a different redirection technique, a 302 redirect, also known as 302 cushioning. This time we see the RIG exploit kit which also delivers Raccoon Stealer.\r\nBeyond a common payload, those two domains are also related. A RiskIQ crawl confirms a relationship between these 2 domains where the parent host was caught doing a meta refresh redirect to the child:\r\nMalvertising on top adult site gets maximum reach\r\nThe second malvertiser (‘malsmoke’) is one that we have tracked diligently over the past several months and whose end payload is often the Smoke Loader malware. 
It is by far the most daring and successful one in that it\r\ngoes after larger publishers and a variety of ad networks. However, up until now we had only seen them on\r\npublishers from the adult industry that are still relatively small in scale.\r\nIn this instance, the threat actor was able to abuse the Traffic Stars ad network and place their malicious ad on\r\nxhamster[.]com, a site with just over 1.06 billion monthly visits according to SimilarWeb.com.\r\nThe gates used by this group also use a decoy site and over time they have registered domains mocking ad\r\nnetworks and cloud providers.\r\nhttps://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/\r\nPage 32 of 36\n\nThe redirection mechanism is more sophisticated than those used in other malvertising campaigns. There is some\r\nclient-side fingerprinting and connectivity checks to avoid VPNs and proxies, only targeting legitimate IP\r\naddresses.\r\nInterestingly, this Smoke Loader instance also downloads Raccoon Stealer and ZLoader.\r\nMalsmoke is probably the most persistent malvertising campaigns we have seen this year. Unlike other threat\r\nactors, this group has shown that it can rapidly switch ad networks to keep their business uninterrupted.\r\nhttps://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/\r\nPage 33 of 36\n\nStill using Internet Explorer?\r\nThreat actors still leveraging exploit kits to deliver malware is one thing, but end users browsing with Internet\r\nExplorer is another. 
Despite recommendations from Microsoft and security professionals, we can only witness that\r\nthere are still a number of users (consumer and enterprise) worldwide that have yet to migrate to a modern and\r\nfully supported browser.\r\nAs a result, exploit kit authors are squeezing the last bit of juice from vulnerabilities in Internet Explorer and Flash\r\nPlayer (due to retire for good next year).\r\nMalwarebytes customers have long been protected from malvertising and exploit kits. We continue to track and\r\nreport the campaigns we run into to help do our part in keeping the Internet safer.\r\nIndicators of compromise\r\nGates used in malvertising campaign pushing Raccoon Stealer\r\nintica-deco[.]com\r\nwebsolvent[.]me\r\nRaccoon Stealer\r\nb289155154642ba8e9b032490a20c4a2c09b925e5b85dda11fc85d377baa6a6c\r\nf319264b36cdf0daeb6174a43aaf4a6684775e6f0fb69aaf2d7dc051a593de93\r\nRaccoon Stealer C2s\r\n34.105.147[.]92/gate/log.php\r\nchinadevmonster[.]top/gate/log.php\r\nhttps://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/\r\nPage 34 of 36\n\nSmoke Loader\r\n23bef893e3af7cb49dc5ae0a14452ed781f841db7397dc3ebb689291fd701b6b\r\nSmoke Loader C2s\r\ndkajsdjiqwdwnfj[.]info\r\n2831ujedkdajsdj[.]info\r\n928eijdksasnfss[.]info\r\ndkajsdjiqwdwnfj[.]info\r\n2831ujedkdajsdj[.]info\r\n928eijdksasnfss[.]info\r\nGates used in the malsmoke 
campaign\r\neinlegesohle[.]com/indexx.php\r\nadexhangetomatto[.]space\r\nencelava[.]com/coexo.php\r\nencelava[.]com/caac\r\nuneaskie[.]com/ukexo.php\r\nbumblizz[.]com/auexo.php\r\nbumblizz[.]com/auflexexo.php\r\nbumblizz[.]com/caexo.php\r\nbumblizz[.]com/caflexexo.php\r\nbumblizz[.]com/usexo.php\r\nbumblizz[.]com/usflexexo.php\r\ncanadaversaliska[.]info/coflexexo.php\r\ncanadaversaliska[.]info/coflexo.php\r\ncanadaversaliska[.]info/ukflexexo.php\r\ncanadaversaliska[.]info/ukflexo.php\r\ncanadaversaliska[.]info/usflexexo.php\r\ncanadaversaliska[.]info/usflexo.php\r\nkrostaur[.]com/jpexo.php\r\nkrostaur[.]com/jpflexexo.php\r\nkrostaur[.]com/jpflexo.php\r\nleiomity[.]com/ukexo.php\r\nleiomity[.]com/ukflexexo.php\r\nleiomity[.]com/usexo.php\r\nleiomity[.]com/usflexexo.php\r\nsurdised[.]com/coexo.php\r\nsurdised[.]com/usexo.php\r\nTweets referencing the malsmoke campaign\r\nhttps://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/\r\nPage 35 of 36\n\nhttps://twitter[.]com/MBThreatIntel/status/1245791188281462784\r\nhttps://twitter[.]com/FaLconIntel/status/1232475345023987713\r\nhttps://twitter[.]com/nao_sec/status/1231149711517634560\r\nhttps://twitter[.]com/tkanalyst/status/1229794466816389120\r\nhttps://twitter[.]com/nao_sec/status/1209090544711815169\r\nSource: https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/\r\nhttps://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/\r\nPage 36 of 36",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/"
	],
	"report_names": [
		"malvertising-campaigns-come-back-in-full-swing"
	],
	"threat_actors": [
		{
			"id": "8143b0d6-bfa0-43cc-b45f-dbcf4728741c",
			"created_at": "2025-05-29T02:00:03.230052Z",
			"updated_at": "2026-04-10T02:00:03.880481Z",
			"deleted_at": null,
			"main_name": "Malsmoke",
			"aliases": [],
			"source_name": "MISPGALAXY:Malsmoke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45c0dc8210af31486cd31ac35b15c603e2358c6a.pdf",
		"text": "https://archive.orkl.eu/45c0dc8210af31486cd31ac35b15c603e2358c6a.txt",
		"img": "https://archive.orkl.eu/45c0dc8210af31486cd31ac35b15c603e2358c6a.jpg"
	}
}