{
	"id": "eb14e671-2814-4dcd-a604-22367d567943",
	"created_at": "2026-04-06T00:15:48.796376Z",
	"updated_at": "2026-04-10T03:21:21.288764Z",
	"deleted_at": null,
	"sha1_hash": "46ac2a178ac6accdfc2b95b6541d0e8a86d145a6",
	"title": "Parrot TDS: A Persistent and Evolving Malware Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4510310,
	"plain_text": "Parrot TDS: A Persistent and Evolving Malware Campaign\r\nBy Zhanglin He, Ben Zhang, Billy Melicher, Qi Deng, Bo Qu, Brad Duncan\r\nPublished: 2024-01-19 · Archived: 2026-04-05 14:16:21 UTC\r\nExecutive Summary\r\nA traffic direction system (TDS) nicknamed Parrot TDS has been publicly reported as active since October 2021.\r\nWebsites with Parrot TDS have malicious scripts injected into existing JavaScript code hosted on the server. This\r\nTDS is easily identifiable by keywords found in the injected JavaScript that we will explore to show the evolution\r\nof this threat.\r\nThis injected script consists of two components: an initial landing script that profiles the victim, and a payload\r\nscript that can direct the victim’s browser to a malicious location or piece of content. To help the reader better\r\nunderstand Parrot TDS, this article provides in-depth analysis of the landing scripts and payload scripts we have\r\ncollected from this campaign.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through our Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire, DNS Security,\r\nAdvanced Threat Prevention and Advanced URL Filtering. If you think you might have been compromised or\r\nhave an urgent matter, contact the Unit 42 Incident Response team.\r\nBackground\r\nIn early September 2023, we investigated a notification concerning a compromised website based in Brazil. Our\r\ninvestigation revealed that this website served pages with injected JavaScript identified as Parrot TDS. Further\r\nresearch uncovered many variations of Parrot TDS script from various servers worldwide.\r\nOur research reveals several versions of injected JavaScript associated with this campaign. Before reviewing all\r\nvariations of this script, we should better understand the basic nature of Parrot TDS.\r\nParrot TDS Overview\r\nWhile campaigns involving malicious or injected JavaScript code are fairly common, Parrot TDS is notable due to\r\nits wide scope and ability to threaten millions of potential victims. This TDS is easily identifiable by keywords\r\nfrom the injected JavaScript, such as:\r\nNdsj\r\nNdsw\r\nNdsx\r\nThe threat operators have consistently used these keywords for Parrot TDS. The presence of these keywords\r\nmakes it easier for researchers to group samples from this campaign together, making it one of the most\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 1 of 21\n\ninvestigated campaigns in recent years.\r\nAlthough its origin remains unclear and public reports indicate Parrot TDS started in 2021, our data indicates it\r\nfirst appeared as early as 2019, with full samples available by August of that year. This relatively high-profile\r\ncampaign would in that case have been active for more than four years.\r\nOur investigation into Parrot TDS has revealed different versions of injected JavaScript that illustrate its\r\nevolution. Throughout its evolution, the chain of events used by Parrot TDS has remained consistent.\r\nChain of Events for Parrot TDS Payload Distribution\r\nAlthough we have observed different versions of Parrot TDS, the attack chain follows the same basic pattern as\r\nshown below in Figure 1.\r\nFigure 1. Chain of events for payload distribution through Parrot TDS.\r\nIn most cases, a web server compromised by Parrot TDS injects a landing JavaScript code snippet into existing\r\nJavaScript files. This code usually contains keywords such as ndsj or ndsw.\r\nWe call this the Parrot TDS “landing script” as shown above in Steps 3 and 4 from Figure 1. The landing script\r\nconducts environment checks as a way to avoid detection.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 2 of 21\n\nIf conditions set by the landing script are successfully met, the victim’s web browser queries a payload server.\r\nThis payload server then returns a JavaScript payload containing keywords such as ndsx.\r\nWe call this second script the “payload script” as shown in Steps 5 and 6 from Figure 1 above. The Parrot TDS\r\npayload script can direct the victim’s browser to a malicious webpage or other potentially harmful content.\r\nUltimately, the two components we have identified from Parrot TDS traffic are:\r\nLanding scripts (usually containing keywords ndsj or ndsw)\r\nPayload scripts (containing keywords such as ndsx)\r\nTo better understand these two components, we must first examine the landing script.\r\nParrot TDS Landing Script\r\nWe analyzed more than 10,000 Parrot TDS landing scripts from internal and external data sources. The range of\r\nthis dataset is from August 2019 through October 2023.\r\nThese samples reveal four versions of Parrot TDS landing script that represent approximately 95.8% of the\r\ncollected data as indicated in Figure 2 below. The remaining 4.2% could be the future of this campaign, since the\r\ncharacteristics of these samples do not match the four versions of landing script we have identified so far.\r\nFigure 2. Pie chart showing Parrot TDS landing script distribution.\r\nThe four versions of Parrot TDS landing script from 95.8% of our samples use either the keyword ndsw or ndsj,\r\nwhile the other 4.2% use the keyword ndsj. Scripts with the keyword ndsj use more obfuscation techniques such\r\nas Canvas, decodeURI or WebAssembly.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 3 of 21\n\nMost Parrot TDS landing scripts from earlier in the campaign were injected as a single line of code, often\r\nappended at the end of JavaScript files served from the compromised website. We identify this as Version 1 (V1),\r\nand Figure 3 shows one such example. Note: We will acronymize each version as V paired with its sequential\r\nversion number for the remainder of the article.\r\nFigure 3. Example of landing script V1. Source of sample: VirusTotal.\r\nThe example in Figure 3 indicates a single line of injected code, with the JavaScript normalized and beautified\r\nabove it.\r\nThe different landing script versions have no significant differences in the core function of the injected script.\r\nLater versions include more obfuscation. The V1 sample from Figure 3 above shows the core function quite\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 4 of 21\n\nclearly. The sixth line of beautified JavaScript code shows an XMLHTTPRequest that interacts with the payload\r\nserver and executes the response as a payload.\r\nThe major function and workflow of the landing script of V2 are almost the same as those of V1. The only\r\ndifference is that V2 appends a token every time it interacts with the payload server. This token contains two\r\nrandom strings as noted below in Figure 4, and the token is usually 21-22 bytes long.\r\nFigure 4. Example of Parrot TDS landing script V2. Source of sample: VirusTotal.\r\nCompared to V1 and V2, the landing script for V3 looks very different. V3 includes a new function that primarily\r\nserves as storage for strings, noted as “serving strings” in Figure 5 below.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 5 of 21\n\nFigure 5. Example of Parrot TDS landing script V3, part 1 of 3. Source of sample: VirusTotal.\r\nParrot TDS landing script V3 hosts a long array of strings. Each string in the array could be a word or part of a\r\nword used by other functions to dynamically construct a keyword or string at runtime.\r\nAlso shown in Figure 5, another function modifies the string array from the previously-noted function. This makes\r\nstatic deobfuscation for analysis more difficult. Other than that, the core function of V3 is not much different from\r\nprevious versions.\r\nThe remaining portions of our V3 landing script example are shown below in Figures 6 and 7.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 6 of 21\n\nFigure 6. Example of Parrot TDS landing script V3, part 2 of 3.\r\nFigure 7. Example of Parrot TDS landing script V3, part 3 of 3.\r\nCompared to V3, V4 landing scripts contain additional obfuscation and use somewhat different array indexes. V4\r\nalso implements additional changes affecting how its JavaScript handles numbers and strings. Despite these\r\nchanges, V4 has the same overall functionality as V3 landing scripts.\r\nFigures 8 through 11 below show an example of a V4 landing script.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 7 of 21\n\nFigure 8. Example of Parrot TDS landing script V4, part 1 of 4. Source of sample: VirusTotal.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 8 of 21\n\nFigure 9. Example of Parrot TDS landing script V4, part 2 of 4.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 9 of 21\n\nFigure 10. Example of Parrot TDS landing script V4, part 3 of 4.\r\nFigure 11. Example of Parrot TDS landing script V4, part 4 of 4.\r\nParrot TDS landing script samples using an ndsj keyword are much rarer than ndsw in our collected data. We treat\r\nthe majority of ndsj landing script samples as minor versions among V3 and V4.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 10 of 21\n\nIn reviewing our collected landing script samples, we found other versions that do not fully fit V1 through V4 or\r\nthe ndsj landing scripts. These samples include:\r\nA special version that loads its payload with a Canvas object\r\nAdvanced versions that involve more obfuscation and WebAssembly code such as decodeURIComponent\r\nand String.fromCharCode\r\nSamples that also contain injected JavaScript code from different campaigns (if a web server remains\r\nvulnerable for an extended period of time, its JavaScript files could be injected with many different\r\nsnippets of malicious code)\r\nSeveral minor versions that apply interchangeable obfuscation, such as using a number value or string\r\nvalue, or using [] or a period to access the property of an object – the numeric or string values can also be\r\nrepresented as decimal or hexadecimal numbers\r\nWhile earlier samples of the injected landing script consist of a single line of JavaScript code, we observed an\r\nincreasing number of Parrot TDS samples with multiple lines of injected JavaScript code since August 2022. This\r\nis likely an evasion technique, since a single long line of malicious code is easier to spot in a script file than\r\nmultiple lines of shorter malicious code.\r\nParrot TDS landing scripts profile the victim’s web browser, and if all conditions are successfully met, they direct\r\nthe victim’s browser to retrieve a payload script.\r\nParrot TDS Payload Script\r\nParrot TDS payload scripts use an ndsx keyword, making them relatively easy to identify.\r\nCompared to the landing scripts, we found fewer unique samples of Parrot TDS payload scripts. We have\r\nclassified these into nine versions, compared to the four major versions of Parrot TDS landing scripts.\r\nThese payload scripts are mostly malicious, but V1 only sets a cookie value for the victim and is basically benign.\r\nThe other eight major versions of the Parrot TDS payload script are malicious.\r\nV2 is the most common payload script, representing more than 70% of our sample set. Figure 12 shows a column\r\nchart revealing the Parrot TDS payload script distribution.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 11 of 21\n\nFigure 12. Column chart showing Parrot TDS payload script distribution.\r\nV1 is the simplest version of the Parrot TDS payload script, and it merely sets a cookie that expires after one year\r\nas shown below in Figure 13. This payload script is effectively benign.\r\nA Parrot TDS landing script will only query the payload server if the victim’s browser has no cookie set by a\r\nprevious payload script. This V1 payload script basically removes the current browser from any follow-up actions\r\nfor one year.\r\nFigure 13. Example of Parrot TDS payload script V1. Source of sample: VirusTotal.\r\nThe V2 payload script is straightforward. Without any obfuscation, it creates a new script tag to load JavaScript\r\nfrom a malicious URL as shown in Figure 14.\r\nThis payload script is the most common version we see for Parrot TDS. Around 70% of our collected payload\r\nsamples are V2.\r\nFigure 14. Example of Parrot TDS payload script V2. Source of sample: VirusTotal.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 12 of 21\n\nParrot TDS payload script V3 contains obfuscation and only targets victims running Microsoft Windows. Figure\r\n15 shows an example of a V3 payload script.\r\nIn the bottom third of the script, ls represents a decode function that decodes several strings in the script. Our\r\ninvestigation revealed that V3 payload scripts will check for the following conditions:\r\nA referrer\r\nAcceptable URL format\r\nA platform identifier of “windows”\r\nThat Parrot TDS had not previously set a cookie\r\nAfter passing all checks, the V3 payload script functions the same as V2, loading an additional script from a\r\nmalicious URL.\r\nFigure 15. Example of Parrot TDS payload script V2. Source of sample: VirusTotal.\r\nV4 and V5 payload scripts are similar. V4 is effectively a V1 payload script plus additional code as shown in\r\nFigure 16.\r\nV5 is effectively a V2 payload script plus additional code (see Figure 17). In both cases, the additional code\r\nappears before the original V1 or V2 functions.\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 13 of 21\n\nFigure 16. Example of Parrot TDS payload script V4. Source of sample: VirusTotal.\r\nFigure 17. Example of Parrot TDS payload script V5. Source of sample: VirusTotal.\r\nWith V4 and V5, Parrot TDS payload scripts involve more obfuscation, which is similar to the obfuscation seen in\r\nV3 landing scripts. The core function of this extra payload script code is to hook all clickable links in the landing\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 14 of 21\n\npage. Whenever a visitor to the webpage clicks a link, the script will create a new image object and load from a\r\nspecific URL.\r\nV6 through V9 of the payload script include more obfuscation. These are very rare in our dataset.\r\nTargets of Parrot TDS\r\nParrot TDS is part of an ongoing campaign targeting victims across the globe. We see landing script or payload\r\nscript samples daily from a variety of websites compromised through this campaign. While our study began with a\r\ntip about a compromised Brazilian website, the variety of compromised websites we found serving Parrot TDS\r\nindicates victims are not limited to a single industry, nationality or geographic area.\r\nThe attackers likely use automatic tools to exploit known vulnerabilities. The majority of the compromised servers\r\nuse WordPress, Joomla or other content management systems (CMS) to host a website. Even websites without\r\nCMS could be compromised through this campaign, since server-side vulnerabilities are not limited to CMS.\r\nConclusion\r\nParrot TDS is a notable part of our threat landscape. This campaign has lasted more than four years, and it keeps\r\nevolving with new techniques and obfuscations. Most websites compromised through this campaign use some sort\r\nof CMS like WordPress or Joomla.\r\nWebsite administrators can detect if Parrot TDS has compromised their sites by searching files hosted on the\r\nassociated web server. For example, they can search server content for the keywords associated with Parrot TDS,\r\nlike ndsj, ndsw and ndsx. Administrators can also conduct an audit to discover any extra .php files on a web\r\nserver.\r\nProtections and Mitigations\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nNext-Generation Firewalls (NGFW):\r\nThe Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the\r\nWebshell file traffic with best practices via the following Threat Prevention signatures: 94702\r\nAdvanced WildFire: The Advanced WildFire machine-learning models and analysis techniques have been\r\nreviewed and updated in light of the IoCs shared in this research.\r\nAdvanced URL Filtering identifies all known IoCs related to this campaign as malicious.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 15 of 21\n\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nLanding Script Examples\r\nThe following are SHA256 hashes for 100 examples of JavaScript files with injected landing script code for Parrot\r\nTDS. These files have been submitted to VirusTotal.\r\n0006060d1efe85b23f68f1b6fc086ab2fd5f2d80ca2e363cd0c000fd5a175ce2\r\n000954817a815dd64b6f061fbc28a8c7919616bb1708abb58754d680772a935c\r\n00163ddc2d61a97f58b06ba35cd8b6062a81b6e2b15a9f3917358efedd40a3c5\r\n001ab3bfd48219fa355adf76006118bfc50e9ea3abaf3ff331159c21bf0c3028\r\n00278f1d3b38242b0c461b98f4ad77ee7d10c85204291c02c6c23a472613c4da\r\n00399f6e2d64aa631f5e9fe60e2da4c189535ff79e5e557b9244662866285872\r\n003bef5d2f093a8dad8cae8635d9986d023f515b799373dec008ba75490a9308\r\n003d2f4ade543f7b35999c51d06f6b3cdb0c25dc18816358f76b59698a77aa5d\r\n0044d4afd6e12e6ede2f5fe59943de23b8a986df1e8e4b2f3445dcc5c3ab8208\r\n0048c341751674cca947df44aa1319e58036ca9192415ed63ab8b5a2413e031c\r\n004be99a81506cc2ed4e94a667bb6771140c84a51f61902a24a55b2fd265af29\r\n004d8253f02277ac50955aa0ef6c1a460ce798d94201959079ecdf35dc2f4c63\r\n004dc3e4f73cef86a5476aeaa41de85a8bebea06a2e7f7f654b33640078ffb0a\r\n0050e225e781ee415fae74108108de3200eb3010e2c77e8d265882d3e9c7399c\r\n0054bc9d7a5fc4d630c79d3641ac32f65ab3e61c9c82ad2edca6dcab5a050c65\r\n0059da8643270d09d5b60ea2bbd0d459d6ce54cd54e27facbd8a9b748643fa4b\r\n006154fbc565b387c800206323d80b61fd4a16525fbfc682ae1d7c458aceab58\r\n006a7ae01c1b1939ada3639e59ce8513aa489cd9f59f80a20205e4474ecf0082\r\n0073932eece5b9817b80d1fe1c219a72f0b8d3764039e3313672d938b14f2d8e\r\n00789e764859a749d79a1927e070e2959473f0cf6e0ca2be5b0f666a4e8926c1\r\n007a56bddc9c2171771bcbb654b85b8039c3342ac83fdb060bc2f24d1c5d8814\r\n0087f64098d10cce64219f8456702611e462ab755c4e5cc2e4d719add810e98c\r\n00a23761ffe9a3cefb79be72155354305116d0f60f41b01b0d2f37cbce61d9a5\r\n00be4cae7ccf629d22c6c9c1842341309eac1eb9e7e83ed1ab28997f3c3d4e96\r\n00bf309f513ee8c46435433bf8f1ec19527d16b4f976da1403f8fb753506571a\r\n00bffe2fabe6a57a21d912f4111bd9451e388adcebb1d023fa2c3fe079aad24d\r\n00c11daf1c18160eba63de3b2d712cc8c0abe457f993cc2f81f8c746fc970c12\r\n00c28bfec1fe8ecd139c06791293298430353e449115ef712fdcaae57e35f46f\r\n00dabc4c7753c6b608a8889f9d1367edca1bc2c3b6e92744e0b50abca33b8a87\r\n00ddbc6dc6b571681fae2c4a2d72cd9a7129ee800f326e33279cb337fafc93ce\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 16 of 21\n\n00df68a21172ddb20bde5bce4606b814022e4bba5fdc5cac457b7f1643f625ff\r\n00ec04f09b4c045e2b95f0ac4723a58457522e3c39fb6157e8d4213c12be0540\r\n00ee956dd06c3a14962c1ea8c447cc2d3e63a28c486dc0bd50e535674ae63c56\r\n00fb7abeb8464e01fe3043b2544bd71a82a9466c5c3ac6b954e62e87314d585a\r\n010622ece3ec9199668bfd2d1637149ede9c242e9672a7531cdaab86da849f77\r\n010fde6958e0107c2d543b2d6afbe492efbfa5fd44cd0a75185c779f31e16df9\r\n01124a700f6984062f26e34dff117b87b7d269557817a7241fa1d00ad5d780a0\r\n011478985c03b81ed04d6d4ce598baf3f7d48aa6e3a58f24de0e74bfe0cadd3b\r\n01235cf8181552124cbd76232607f1a60e8f82c48e0f013765ad6bda59b34e01\r\n0124566011742f850ed029a1aaa11a08ca00bd7f9775df45b0a9bc8740e89c04\r\n0126c6520a793efe328e9820dcbc9d42732f4cfb4b6fd25919d07e7b6c23c781\r\n012830c380ec979ab925b9bed84e6052e2ff5259409fc0bbc49b544e8030b19c\r\n0128a7881e686a5e291fcbd93644d8e670f98802412a5338701222dc5f9a28ca\r\n012b2cfe603de4ade7370ae7ba585e36c818c4193341b488872a4dbdd07bcc2d\r\n01366391de90229ac2b8a7269a4a42df9bd1709f51aece7164ffa4531f518811\r\n0137d093587fb1f42985ca271c8d2d1d601da410168491b66b154d4d003d332c\r\n013f3f2248ad31ebd52e1cf5c139d13bab6690734248bc2a6c83f06fbe43260c\r\n0141c2fe63d36c43558b67f0b884389366b13da3e9f68897b147a445f3328442\r\n01425b3c993e51d80f4e3b5a8f949b25e4fb30e9e9377507ac8b4fd3b7a69ff9\r\n0143d1989d04d70fc035e7eba21ef46b27f2673fd3a7e9df78a802179c33105d\r\n01585ae455c2bbe6471d718bcf845eca55f80e24963d562d847f81eafc672ec1\r\n0159a56803cebaf1544a44e3cee01df30505afb390b83371fa8cbb1d46353800\r\n01660ed180b9d0e4e19d7da313cd8ca818211ce36948eb31742e3da85a51580f\r\n01663c903d345f4aa71e7141e4bffcc25f244c898bf4eda96d9514322ca6e13c\r\n017ff4946dd00acc0da7ddc48e23c9736f735e2dcf0a83cb5613b433fca1960c\r\n018087b1bac5e86f4b6dce4d8c5fdc77c53b96280fe37342a74585e89b9b9665\r\n018f392c9cbf6640dae7d457b33be7d81a08612c911add177c7c5bb39876efc7\r\n01a482c79849908879a39eeacf77078b531f29e5d86c9e9f578a97b2313c98fe\r\n01af830f79aad912bd8a3438bc9e914e159a112df657a1610f50527304657139\r\n01b8b7cf7a93077119aa5062554bb662be230b2e2655a8e53b44b482f4c73a3a\r\n01be768e7bc9ef499ec5b37e4dffecfaab9346489d27b1d6de3b9a67db584e2d\r\n01dc27a4be3f69ebba64a71afde7a4158436b2a423174c6a2196efe9342a870c\r\n01dd3fed62220c53eb9208ab00d0fcce62cf76841e532a9474da5ed47563b978\r\n01de1c2f03c920ac64e73dfdbca363c1f8888534981c6215365b2514b9192f93\r\n01eb0535321d4d1ef0d5f5b3dbb91c341b75e8dbd129c40801c26abcf650331f\r\n01ec9cf7d9cba1294a8dd4803766c37bf20c4cd57d5ae26d990083076d170ea1\r\n01eed0382a2938c7733fc823ee43b2414116237e5793789dafa274e451d1dd75\r\n0203c29fe1c34417e158624fe4f352513f076302b1179a854a5351613b75b9bf\r\n020e6aa377b6ef4ef45efe0906b3b5dfdfe7381099a8fa080a58a457eaef934e\r\n0214510764fee618b8fe18aeb72f643218dde5252d1d568f0fad735ea861f1a8\r\n021519c6b0c63ccadd416fddbabc28001f1b6e8c09cac93a076a013cb98d3afb\r\n021a5e6f490622bbc79d0d42b444ccc856b4e8cfcb77df3d01bad9c8f1177a3b\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 17 of 21\n\n021a60787a1d4acdfa44fd27510e6aaa6305807c48e8209c892458e43d360323\r\n021cd5b198f6bbf78aacb3f716a7f3355cdac98d835d493b6cb85ee4b9adc8a0\r\n02216dfca8323263933ff53130796d3a445e44251f02c241d95c6bc0f81721cc\r\n022668b33b118e73d391aaf790bd06bb3bb03dc13b58a28a70dde3dc485ecf5b\r\n022feae2851e7993780e08ea328e36521e91c695f3a5304e0dd1df678d7f6c3b\r\n0237268899c037aaee7bde29e28a08f89230e92bbef33dbf0f17ad58ee53af55\r\n023dcc38a7a55f941818aa307203216c6eaf50f8fed529a4c636a89f70119717\r\n0250e4baf4fbd9aba84b25968a7debd4ce83360e0ebef03d5ccbb24f9e17ecf8\r\n0252b75589fe832eb103d64ed7f5e1dcb6417babd6e290c34c79093ff312092f\r\n0255da103745a213d50a2d86770d5381add6bd84bea41edd93ac746c019565ca\r\n025cf7e1e1f39c001c627cf42be1be14ef52a42f760e03db922246a7b114aec1\r\n026cb95e6b415355767655b9f706e1c1f9bf20b242e65aa47b8e1279068f718f\r\n027079961030e5af9bb7382acb2c6b19221b41255f801be540c07b484cded4d7\r\n0270d194a2d4499468b8461796e1cb3d1af301df6b12c2b7193a8baef8c13ce3\r\n0279bd4320fb5025a9d740bbdd0cf2aafb477d684af4ea1ca0e83bab424527fa\r\n02868c886de5090362c6d503e6549e65fbe975f1fa03ddfb18fb0432f5f6bfb4\r\n028d5b2992d88d52ea9e80625e25c324b665fb784bfa9daec3ebba16d01a8348\r\n029415b96774d15e7e2acd2ed45907f67617217345a6aea1fdf65fdb4353e52b\r\n029c44784556ca319015548c3dbeb92b025ed72f918d1d8245b6a6a321a64b7c\r\n02b2312ce68bc4ac2c59ee905b23f8f9d2dfb3fd0f38b5ef896f59e6d74834f8\r\n02b467d42c7d26cdc480ead7c678c2930dc315882caf5531a3e3d503b118d5ad\r\n02c5ebe4418bad22a508f0d430ca1ec6b3d419011f94041b70ad636c89e98980\r\n02d7c155eef3da89d00ecf3718084c361675f3ccd84162cc00f2d4124b9a2346\r\n02e141ad62fc2f8514cdd8221be61f68a9d13de939fa850c4185154538d7c9fb\r\n02f5e9ff5293fd5855d35337e8bb3e3a03b47afa7e71a06de2f8cfd557f4f0d6\r\n02f7b2f58da74dde5a1f09b2492c8f6fa56bb009900378feaf057e6577de8a2f\r\n02fbcc9f2971840c5381b1e0f5052b1067c82ea353e7d2ec6810d001ce25dfff\r\n02fcddc3c5383b505fa9babc3fce93118abedcb7203b8921933f815eb7c7a879\r\nPayload Script Examples\r\nThe following are SHA256 hashes for 100 examples of JavaScript files with injected payload script code for\r\nParrot TDS. These files have been submitted to VirusTotal.\r\n0009fe8aa339fb489abcfd711d5c7b2a70b7d57ae55aae3922669f72cbf5964f\r\n0234918db61115aaa0c3be708084dae30feee8d97a41a011e3fbb06d745c496c\r\n05bcb1f5aa6284333985186f3329f9226d80225fcd25436575aff7735cd4f6e1\r\n0641128e6dba0c69644810e8af88af80ad734af52fe734c655ce26f5a3641097\r\n07f56d3fca2f26e41e9b5a9e3cc6d3bdc6edce18fa12276bc19bab5c3fb19b26\r\n09c4ea62962848f48cfc68d905675bc466574a8011acb79b721b688ec7bfec12\r\n09e06b3fa2194b76a1e73483614ec3f3ab076c55134c3d45e7ac9ea452e51176\r\n0a10157a920b190fb2fba6b6df34e12fd4532e52bc71700b9cefa73f95e60fe6\r\n0cf4f33985dff5e1e7d37d8d5485b3561ffa42d0a31acec10321cdc28c31abdf\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 18 of 21\n\n0f20659f7cea84ef3b1def6c54555454b1820fd8adf9866b2ea3ed18e341babb\r\n0f334075e5379be32d176048287ea8b787d524e34630509a74ec4cd90fc1b0dd\r\n137bb7784088669d1432243831896cfe5b5fc02d7f207de26d16220b38335c90\r\n174fb6597444ff6d7d59d2981f6aad54c99e763a6123d52319bb2d0ba84bfd29\r\n175a0bb57ec0e0a5728b7f8455a968861dc50c42a1ce8eb437d8b98fd394ea47\r\n1ab04ee02b5359662c26c4c1f10f711d707ac23293193cbcba3cc84d0d070000\r\n1c8bbb02dd1fd46e442caad6fba174b966ea5bd9d27d6315991b904792693d54\r\n1ca06df44cce9aa64294a8e55c41e654ab6b766ab76faa39a34363cce4e83e08\r\n1e01bf738bc665f149b0793af461a43f4330ecf99dd068e2b7abd038c46ef417\r\n1e5ca993bc0afee9eb23436ea2e0bfbede934ce2be850d3122cc429fd73d01c1\r\n1e6d8d031bbb4a4e15f8c15941dc27944e62727116338957306db9610351911a\r\n20f9cd4ef8616afb8a62eabf6ca1c252c54021dc03ba621bab2e00db8fb6bbc1\r\n21114a66a1934b806a8b1b76f924fdb9876047316ba8d26c2ac94c1b0e908cb5\r\n244221e80cbc510ea4e62f49fc1a377dcc5365899c2f92f7807b91cdeb20476d\r\n25786bcc47e97d9e55588b4e2962aeb9760cd546629bb5fd08799ba8c9e8d027\r\n25af4cd7c60671f1af9bbf17441b8951b8751ee1299dd7fa97ba4afd6021642c\r\n25e4bc712d895d8bfce72fab30eef25da18591979c672d1fbd976bac2e0cf1ca\r\n2707ac252eb0abce8dcb9b1eb35b4d306e111e59e09f6acb03180425ee81fd4f\r\n2726854efc42c00d7064abf99ef451d05975e7461c42e7897ba1b0c6336f153e\r\n2c961d64aeefe73c43a96739c52047fd1f39af5af86e388689531cdd83b00045\r\n2c9eafa9914032112c170e3dc12d40c03ee1e873bade8bfed36b6a7759ff1dd5\r\n2dd1db4ff9da32d73ac876e513f20c1da6d83031969f645e3e014e96134a8aac\r\n2f9e5ea05aa8cd81c1c1f0914220557c5dc4a8bc42ee822bd327e3cfc3328f45\r\n2ff953a5d7e760ad4d4a06d2ad68d43c42f388a9c6fb6e9d0c6341dd05c33374\r\n3032a2affd7d9a3dd9418b3fab3c88af2bc0f71e3baaad8e478ec85af569c912\r\n31562bdf22a927837f6fdb333e72bc3cf8da067143cb3d99663ce7224d0f8901\r\n31a15a342e6d65ecf2987d83458f1ff5587662ea794a42b7f54393bd8531025d\r\n34fdb99c3e895a66c814aedf6e29c075ee5fac7aa1190903759ec08766bee28c\r\n36b4a9947b26ee3e86f495fce1a767a773b911b37bad2008215a5488314cf48d\r\n3ce09915fa674481076bac26a985c39a0252cc7452e0ff2ea4c9d62d38b49958\r\n3d1aaafea2a4757f1ccdd4759ec42ca566220fab7717efa2face1998ccc6a8c7\r\n3d99d924a59ef070c2f2df7de660b10704171fa74d68442bf80a076d1d4ae9de\r\n3f8e3f9fb2f2d2c6f5257d7ffd597be6758ca48867bef3aa83a244fcfcc9647b\r\n411f94f34ce1b603867f64689d91dfe7ffd92dd69a2ad5ef518fe3564401f69b\r\n41c4914a2cda7a9c3deb0a85a17c9f964c95dc1e0dbdfd8727d7d7ebaed3c66f\r\n44ba1192916ccc51c0bda43aa9a40d3ebb7f8480ce2554092ec2198e99e2f9ea\r\n474a0fa3ecddd9a7eef503c10a6e09f34384c7a301e6ba92474c8b809aff841a\r\n4f0d9b754402ac02b36b470e93cb712724a2c505c798d3cb8d23662c1303e4f2\r\n539ecf094f122790b157415933bb0122417015fff914a848ff5b83d1c3ce69eb\r\n53ca5aaf4786aa235795c9b4a2648bed523f38d115a5791bd26b3e22e9e6f109\r\n53e703d262af2c91d8be81ca0e32c7f9b3dbc8b6d571ad3a480bff020a8cae04\r\n54774aef9a494e29a072bc729f8482fba6dc530a045d40e4453d61beac8d8355\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 19 of 21\n\n56514cfce2dd75f2dafeebf385bc827bd1b7392f65bac98ec9791526f724fd66\r\n5666d18866973f608cccf95c7dbf56d56bb3027121af701bd779f9ab794c53b1\r\n56a1123d2c25a9ee7c674aa10ea8be720a23cabe74b68dca017c93944cee15e4\r\n5b0ecde609dc384857508b71851062b6dc158d37d26ad3e6baf4407877ada9de\r\n5b481fc971f724141c54e4fb6eb992056256098cd2284b717912a75714864179\r\n5ca0afa8d1665d8ad314543c5924fc4c8679ffa5360a3ec4bb2e3a79a865b730\r\n5f87cdf1ccd448d8f90b79d80153fbae143ec9dfa1c79a5ba9193609975d0d35\r\n5f9fa969df10a03d38c26050655645c0b8cd00c4ae35b62d9e355815ef722b21\r\n5fd89dab9bcdcd783ae96c0b42f5761d2d24a6192d730040a50ffb4b5c95850a\r\n6168dc254c4c6dd6a5461c56fd1fdb65821f04d9ac23e4d70b62d447ce77971d\r\n61c76044609b8f522546991b2683239bba734ca290981e5ed25099f46312fd04\r\n6323837b455a41f34cfd526c2c2ffb6fb3a826c4f482ccdf66801ece0ca6f1e7\r\n6385e6004a9d11485d076f2b9b79b2ddf468b629aef0f66c22c7bffa3d7ebc3a\r\n638fd2159534b7b180ef2ca0633f6ee5d09af8cddbac758e1cde1ca6aec1ca8c\r\n63f48e94e38c7b5e441c3aeb0c74141bd6d7fc7ab03a345d09d67c8e8b871ca9\r\n6fed7c758e0484b53fd3efaa622b609052dcf5ad34768181d3ff8e22cb6e6e2f\r\n732457475da8c47cf211f5eb3a6529c9aa8976ce26d50f2e90422278c2160d5e\r\n738f775e1031402f228c1246d10d9c13af1d461596319bea87f8b20d085349cd\r\n73e5dc70d286c24265f71de61016404934991d0b41c4962420c1490469111b4e\r\n778f4a8f061efea0efca1669c4eb0f26c7d1cc02e003fc01f43ddba328ebfc92\r\n7ab4fce62ebf632bca176894152a88e38965708bffdae4357a8b6c6defa1724d\r\n7accd14f469d79c4539c5887faf79407e6a06111612d2b63eb9f34c5afe7c74f\r\n7e9feda6e593b6d7e3c15032edb0cd3e2d1ec585d8f5691e951ac70059ce4240\r\n801626f005b40b0ef889f93c64f991e53318393fb0efdd30bb30185a12cb7480\r\n817af2e8193d3a226dad46bef33e55a56b3a56ff035cc0e68067e2eb61975dc5\r\n81d99d01f6909a2ae027e3a0d792b7c517b312fcf2cc03228c2a5348ad796582\r\n865cc44cf024bc083f5bfd3d5d3c9c1334e1c629de1698fcda26feeb26f73dc3\r\n86b84a35d28207783bd79e34f6f2e687e6e38fd9fb78df90b1cc7e6f302e0084\r\n87549ec7913d919dff9678b38b040ea9b77c84f29aa3dea487dc7a80e4a0950d\r\n87768a7c92ebc8419e08209e55eb1f713d5ed7be411ed3b52555f8a29fe4a3f9\r\n87fb8a757f5de0f4cb4f8b4f568068e8c12f376562b1f5d1df118b4dc3076564\r\n8f896f3f0b5f33413217e9350dba6d4958cc9bdf568902a08d739b43db6f993b\r\n92322cc99cc5bd84bd1f06de8412b7f907e03a66489d147a1d3a77b2d3b0aacb\r\n9707f57ca55e1f0cc975488ab10188f885589db427beef7df9adc3bd4e95bd62\r\n98a230f8bed756447d8f8dcfb1485e395068eae511ca7b3a10049848427682af\r\n9bbafb672ee8f9c8eec8ee111962db7aa49e6e91f2fc3a23b0d5f32152f5101b\r\n9be661e3218290ebd4de59037d1360f4bec7e2f521d09a063da994d838160fce\r\na0b928edf0cf8efba7d2b2edcc43419ec7568d70717ba44ffc6c24fb9ebb9464\r\na1dab97450e66028c0f1e62620354cd9d71b99d1517f7cceef59c4c0a5de44f6\r\na226f8878b2c440932c5d9e215384733226d3942efecbb05f84cb34555c99e9f\r\na296db98c85c21b8f4c60a651a56aa745385d769f76c4f35e7f8cef6ee16c841\r\na6b8f4094bf162b6007006b51aad4f1fe4930e1bf458d6d47ebe7047f8895039\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 20 of 21\n\naf84372409235ad5f716b758b24e384f3506d771bad4460676de9ea3c375e9d7\r\nb07c3cbacb4d238e209aabc19754852c536ba708ee4b19fd8fbc32580a7e119a\r\nb14ba04ffc4b680225cc76912317570c09f06e8c6cec1a4b2092cbbff0668bd4\r\nb727b3fe958407787c9929fef59b6735861be12ebcf8c72aa6ed7b9cfa6829c6\r\nbc1d29c3ac08b1a4f30b3f4930dc5e07bdeb0ba55cfe7ad684021a63bf72db71\r\nbc88f6e79d49242e16cb30b64d1b8948c7d9333785476b4e8d24f82403290454\r\nbe8bf730a23766f917c1f90e79bbd23c76b7a12572eeda4bc38ff46ce17f9c9a\r\nSource: https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nhttps://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/\r\nPage 21 of 21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysis/"
	],
	"report_names": [
		"parrot-tds-javascript-evolution-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434548,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46ac2a178ac6accdfc2b95b6541d0e8a86d145a6.pdf",
		"text": "https://archive.orkl.eu/46ac2a178ac6accdfc2b95b6541d0e8a86d145a6.txt",
		"img": "https://archive.orkl.eu/46ac2a178ac6accdfc2b95b6541d0e8a86d145a6.jpg"
	}
}