{
	"id": "3499d601-b957-4fde-b4e5-f6167fb521db",
	"created_at": "2026-04-06T00:14:17.134869Z",
	"updated_at": "2026-04-10T03:37:22.718032Z",
	"deleted_at": null,
	"sha1_hash": "4d8bcd71dc5a9aca9877ba550f9034e99c3663d1",
	"title": "Confiant | Substack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8365502,
	"plain_text": "Page not found\r\nFEBRUARY 2026\r\nTracking Software Weaponized by Criminals\r\nInside four months of joint research with Infoblox Threat Intel on\r\nthe abuse of Keitaro Software.\r\nMAR 24\r\n•\r\nCONFIANT\r\nAnalyzing a Live AiTM Attack Targeting Google\r\nAccounts via Malvertising\r\nWe captured a malvertising campaign delivering an Adversary-in-the-Middle (AiTM) kit. Here, we unpack a paradox— an…\r\nPUBLISHED ON ROSHAN\r\n•\r\nMAR 24\r\nMalvertiser “D-Shortiez” abuses WebKit back\r\nbutton hijack in forced-redirect campaign\r\nOver the last few years, as AdTech and browser security has\r\ncontinued to mature, many malvertisers have moved on from…\r\nMAR 2\r\n•\r\nCONFIANTANDELIYA STEIN\r\nDisrupting 59M Malicious Impressions: Inside D-Shortiez Testing Infrastructure and Campaign\r\nManagement\r\nTwo clusters, one password, and the automated harvesting that\r\nblocked campaigns before deployment\r\nFEB 24\r\n•\r\nCONFIANTANDMICHAEL STEELE\r\nLatest Top\r\nCookie Policy\r\nWe use cookies to improve your experience, for analytics, and for marketing. You can accept, reject, or manage your preferences. See\r\nour privacy policy.\r\nManage Reject Accept\r\nhttps://blog.confiant.com/exploring-scamclub-payloads-via-deobfuscation-using-abstract-syntax-trees-65ef7f412537\r\nPage 1 of 5\n\nThe Curious Case Of MutantBedrog's Trusted-Types CSP Bypass\r\nMutantBedrog is a malvertiser that caught our attention early\r\nsummer ’24 for their highly disruptive forced redirect campaig…\r\nFEB 3\r\n•\r\nCONFIANTANDELIYA STEIN\r\nHow One \"Crypto Drainer\" Template Facilitates\r\nTens Of Millions Of Dollars In Theft\r\nCrypto Drainers are phishing pages that lure victims into signing\r\nmalicious transactions that allow the attacker to siphon their…\r\nFEB 3\r\n•\r\nCONFIANTANDELIYA STEIN\r\nA Whirlwind Tour Of Crypto Phishing\r\nThe post-pandemic world has seen cryptocurrencies and\r\nblockchain products in general catapult in valuation and…\r\nFEB 3\r\n•\r\nCONFIANTANDELIYA STEIN\r\nHow File Hashes Fail As A Malware Detection\r\nHeuristic\r\nIn this blog post we take a trip downstream from malvertising\r\ndelivery mechanisms and take a close up look at a fake Flash…\r\nFEB 3\r\n•\r\nCONFIANTANDELIYA STEIN\r\nProfiling hackers using the Malvertising Attack\r\nMatrix by Confiant\r\nA relatively new threat vector, Malvertising is a cyber-attack\r\nrelying on ad networks and digital ads exposing virtually any…\r\nFEB 3\r\n•\r\nCONFIANT\r\nLooking At Chrome Extensions That Hijack Search\r\n- Spread Via Malvertising\r\nIn this blog post we discuss an ongoing malvertising campaign\r\nthat pushes search hijacking browser extensions.\r\nFEB 3\r\n•\r\nCONFIANTANDELIYA STEIN\n\nThe Trend Of Client-Side Fingerprinting In Cloaked\r\nLanding Pages\r\nThis blog post will examine the client-side aspect of cloaking in\r\nnon auto-redirect based malvertising chains.\r\nFEB 3\r\n•\r\nCONFIANTANDELIYA STEIN\r\nMalvertising, Site Compromise, And A Status\r\nReport On Drive-by Downloads\r\nThis blog post will explore the details behind a recent spree of\r\nwebsite hacks and the malicious payloads that were embedde…\r\nFEB 3\r\n•\r\nCONFIANTANDELIYA STEIN\r\nExploring The Impact Of Malvertising On\r\nGovernment, ISPs \u0026 The Fortune 100\r\nIn this blog post we will explore the threat of malvertising from\r\nthe other end of the tunnel and look at what organizations are…\r\nFEB 3\r\n•\r\nCONFIANTANDELIYA STEIN\r\nNew macOS Bundlore Loader Analysis\r\nLooking at a recent Malvertising campaign detected by\r\nConfiant’s realtime Malvertising detection engine, we stumble…\r\nFEB 3\r\n•\r\nCONFIANT\r\nMalvertiser 'eGobbler' Exploits Chrome \u0026 WebKit\r\nBugs, Infects Over 1 Billion Ads\r\nOver the past 6 months, the threat group has leveraged obscure\r\nbrowser bugs in order to engineer bypasses for built-in browse…\r\nFEB 3\r\n•\r\nCONFIANTANDELIYA STEIN\r\nRevealing How \"The Dandelion Group\" Leverages\r\nMultiple Layers Of Cloaking To Run Ad Fraud\r\nCampaigns\r\nThis blog post will unveil the inner workings behind a persistent\r\nad fraud operation that relies heavily on cloaking in order to…\r\nFEB 3\r\n•\r\nCONFIANTANDELIYA STEIN\n\nJANUARY 2026\r\nNOVEMBER 2025\r\nHow Malvertisers Weaponize Device Fingerprinting\r\nHTTP cookies are utilized to keep a local record of visitors’\r\nbrowsing activity in order to personalize the web surfing…\r\nFEB 2\r\n•\r\nCONFIANTANDELIYA STEIN\r\nThe Malvertising Campaign Lifecycle\r\nThis blog post is an investigation into the typical lifecycle of\r\nresources that serve malicious display ads, or as we like to c…\r\nFEB 2\r\n•\r\nCONFIANTANDELIYA STEIN\r\nUncovering 2017's Largest Malvertising Operation\r\nThe Zirconium group successfully created and operated 28 fake\r\nad agencies to distribute malvertising campaigns through 201…\r\nJAN 30\r\n•\r\nCONFIANT\r\nHands On With Malvertisers' Sneaky Tricks\r\nThese days when we talk about digital ad fraud, most of us in\r\nAd Tech think immediately about non-human traffic or nefariou…\r\nJAN 29\r\n•\r\nCONFIANTANDELIYA STEIN\r\nHow Bad Ads Hijack Your Browser With One\r\nSimple Trick\r\nForced mobile redirects are perhaps the most pervasive ad\r\nsecurity concern today for both publishers and consumers of…\r\nJAN 29\r\n•\r\nCONFIANTANDELIYA STEIN\n\nSEPTEMBER 2023\r\nJUNE 2022\r\nPhantom Stores: Retail Impersonation Spreads\r\nAhead of Black Friday Powered by Video Ads and\r\nModular 'Holiday Skins' Kit\r\nIn the frenzied weeks leading up to Black Friday and Cyber\r\nMonday, Ad Tech’s busiest season, a new cluster of phantom…\r\nNOV 24, 2025\r\n•\r\nCONFIANTANDROSHAN\r\nExploring ScamClub Payloads via Deobfuscation\r\nUsing Abstract Syntax Trees\r\nScamClub is a prolific threat actor in the programmatic ad space\r\nknown to carry out large-scale attacks with the purpose of…\r\nSEP 27, 2023\r\n•\r\nCONFIANT\r\nHow SeaFlower 藏海花 installs backdoors in\r\niOS/Android web3 wallets to steal your seed\r\nphrase\r\nDuring the course of our work at Confiant, we see malicious\r\nactivity on a daily basis.\r\nJUN 12, 2022\r\n•\r\nCONFIANT\r\n© 2026 Confiant Threat Intelligence · Privacy ∙ Terms ∙ Collection notice Substack is the home for great culture",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.confiant.com/exploring-scamclub-payloads-via-deobfuscation-using-abstract-syntax-trees-65ef7f412537"
	],
	"report_names": [
		"exploring-scamclub-payloads-via-deobfuscation-using-abstract-syntax-trees-65ef7f412537"
	],
	"threat_actors": [
		{
			"id": "38d454f7-6689-443b-939e-062054a229b1",
			"created_at": "2023-12-03T02:00:05.152067Z",
			"updated_at": "2026-04-10T02:00:03.487236Z",
			"deleted_at": null,
			"main_name": "ScamClub",
			"aliases": [],
			"source_name": "MISPGALAXY:ScamClub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434457,
	"ts_updated_at": 1775792242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d8bcd71dc5a9aca9877ba550f9034e99c3663d1.pdf",
		"text": "https://archive.orkl.eu/4d8bcd71dc5a9aca9877ba550f9034e99c3663d1.txt",
		"img": "https://archive.orkl.eu/4d8bcd71dc5a9aca9877ba550f9034e99c3663d1.jpg"
	}
}