{
	"id": "18471acc-11e7-4f2b-b083-52a5530b2638",
	"created_at": "2026-04-06T00:07:33.645175Z",
	"updated_at": "2026-04-10T13:11:51.452061Z",
	"deleted_at": null,
	"sha1_hash": "49f41b9bb7d13908d907fe1b35d6e09227bffc50",
	"title": "Lil' skimmer, the Magecart impersonator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47075,
	"plain_text": "Lil' skimmer, the Magecart impersonator\r\nBy Threat Intelligence Team\r\nPublished: 2021-06-27 · Archived: 2026-04-02 12:41:06 UTC\r\nThis blog post was authored by Jérôme Segura\r\nA very common practice among criminals consists of mimicking legitimate infrastructure when registering new\r\ndomain names. This is very true for Magecart threat actors, who love to impersonate Google, jQuery and many\r\nother popular brands.\r\nIn this post we look at a skimmer recently disclosed by security researchers that has been around for over a year\r\nbut managed to keep a low profile. In addition to naming several of their domains after Google, the threat actor is\r\nalso naming their domains after the websites they have compromised.\r\nOften, identifying additional infrastructure on the same network is a relatively simple exercise. But in this case it\r\nis more complex because the hosting servers are comprised of a large number of domain names, many of which\r\nare also malicious but not skimming related. Hiding in the noise is another common trait of threat actors.\r\nKeeping it simple\r\nThis skimmer was publicly mentioned by Eric Brandel in early June 2021 and, unlike Magecart JavaScript code,\r\nthis one is very straightforward. Jordan Herman had also previously spotted this skimmer and referred to it as Lil’\r\nSkim. Based on an urlscan.io crawl, it appears the earliest instance is from at least March 2020, via googie[.]host.\r\nA dense network hiding more skimmer domains\r\nA quick review of the Autonomous System (AS198610 Beget) where those skimmer domains are found shows a\r\nsignificant number of malicious hosts tied to phishing kits, Windows payloads, and Android malware, just to name\r\na few. 
Two IP addresses in particular, 87.236.16[.]107 and 87.236.16[.]10, host additional skimmer domains\r\nbelonging to Lil’ Skim.\r\nFor example, tidio[.]fun is a play on tidio.com, a chat application for website owners wishing to interact with\r\ncustomers. We recognize the same Lil’ Skim code here as well:\r\nCustom domains by compromised store\r\nAnd then we discovered a number of skimmer domains that were named after compromised stores. This in itself is\r\nnot a new practice and is often seen with phishing sites. The threat actor simply replaced the top-level domain\r\nname with .site, .website or .pw to create hosts that load the skimmer code and receive stolen credit card data.\r\nAll the domains we found (cf. IOCs) were hosted on 87.236.16[.]107.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/\r\nPage 1 of 2\n\nConclusion\r\nLil’ Skim is a simple web skimmer that is fairly easy to identify and differs from other Magecart scripts. The\r\nthreat actor is keen on impersonating internet companies but also the victim sites it goes after.\r\nWe were able to track this actor across the same ASN, where they registered a number of different domains over a\r\nperiod of at least a year. There are likely more pieces of infrastructure to uncover here, but that might be a\r\ntime-consuming process.\r\nWe have notified the stores that have been impacted by this campaign. 
Additionally, Malwarebytes customers are\r\nalready protected via our web protection module across our different products, including Malwarebytes Browser\r\nGuard.\r\nIndicators of Compromise\r\nThe following IOCs are linked to urlscan.io crawls whenever possible.\r\nStandard skimmer domains\r\nSkimmer domains impersonating compromised sites\r\nSkimmer IPs\r\nKnown victim sites\r\nSource: https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/"
	],
	"report_names": [
		"lil-skimmer-the-magecart-impersonator"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434053,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49f41b9bb7d13908d907fe1b35d6e09227bffc50.pdf",
		"text": "https://archive.orkl.eu/49f41b9bb7d13908d907fe1b35d6e09227bffc50.txt",
		"img": "https://archive.orkl.eu/49f41b9bb7d13908d907fe1b35d6e09227bffc50.jpg"
	}
}