{
	"id": "fe5dcc57-b0e9-4e2b-8fbf-dfb374b1ec1b",
	"created_at": "2026-04-06T00:19:34.29655Z",
	"updated_at": "2026-04-10T03:24:11.928889Z",
	"deleted_at": null,
	"sha1_hash": "51394ccb24a526bd9c46b7ef7f4d4f2a9ce41940",
	"title": "“Keeper” Magecart Group Infects 570 Sites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74141,
	"plain_text": "“Keeper” Magecart Group Infects 570 Sites\r\nPublished: 2020-07-07 · Archived: 2026-04-05 17:18:35 UTC\r\nKey Findings\r\nGemini discovered that the “Keeper” Magecart group, which consists of an interconnected network of 64\r\nattacker domains and 73 exfiltration domains, has targeted over 570 victim e-commerce sites in 55\r\ndifferent countries from April 1, 2017 until the present. The Keeper exfiltration and attacker domains use\r\nidentical login panels and are linked to the same dedicated server; this server hosts both the malicious\r\npayload and the exfiltrated data stolen from victim sites.\r\nOver 85% of the victim sites operated on the Magento CMS, which is known to be the top target for\r\nMagecart attacks and boasts over 250,000 users worldwide. The country hosting the largest selection of\r\nthese victim e-commerce sites was the United States, followed by the United Kingdom and the\r\nNetherlands. \r\nGemini uncovered an unsecured access log on the Keeper control panel with 184,000 compromised cards\r\nwith time stamps ranging from July 2018 to April 2019. Extrapolating the number of cards per nine months\r\nto Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not\r\nPresent (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised\r\npayment cards. \r\nThe Keeper Magecart group has been active for three years, over which time it has continually improved\r\nits technical sophistication and the scale of its operations. Based on this pattern of successful Magecart\r\nattacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly\r\nsophisticated attacks against online merchants across the world.\r\nBackground\r\nIn mid-2020, Magecart attacks have become a daily occurrence for small to medium-sized e-commerce businesses\r\nin the United States as well as the rest of the world. 
Operating on an outdated content management system (CMS),\r\nutilizing unpatched add-ons, or having administrators’ credentials compromised through SQL injection leaves\r\ne-commerce merchants vulnerable to a variety of different attack vectors. Over the past six months, the Gemini\r\nteam has uncovered thousands of Magecart attacks ranging from simple dynamic injection of malicious code\r\nusing a criminally hosted domain, to leveraging Google Cloud or GitHub storage services and using\r\nsteganography to embed malicious payment card-stealing code into an active domain’s logos and images. The\r\ncriminals behind this threat constantly evolve and improve their techniques to prey on unsuspecting victims who\r\ndo not emphasize domain security.\r\nAs has been previously reported, there are numerous stand-alone Magecart groups that actively use unique\r\nmethods to target hundreds and thousands of e-commerce sites yearly. One such group was responsible for\r\ncompromising a Volusion CMS, in turn infecting over 6,000 e-commerce sites with payment card-stealing scripts\r\nfor nearly a month in the third quarter of 2019.\r\nhttps://geminiadvisory.io/keeper-magecart-group-infects-570-sites/\r\nPage 1 of 5\n\nWhile analyzing numerous Magecart attacks, Gemini successfully established a full link between an active\r\nMagecart group, its techniques, indicators of compromise (IOCs), evolving tactics, victims, and an estimated\r\nnumber of cards offered for sale. The Gemini team has named this group “Keeper” based on its repeated usage of\r\na single domain called fileskeeper[.]org to inject malicious payment card-stealing JavaScript (JS) into the\r\nwebsite’s HTML code, as well as receive compromised card data. 
Analysis revealed that the Keeper group\r\nincludes an interconnected network of 64 attacker domains used to deliver malicious JS payloads (see Appendix\r\nA) and 73 exfiltration domains used to receive stolen payment card data from victim domains (see Appendix B).\r\nThis network targeted over 570 victim e-commerce sites in 55 different countries from April 1, 2017 until the\r\npresent.\r\nImage 1: Keeper’s attacker domains, targets, and exfiltration domains affected 55 countries\r\nworldwide.\r\nIn-Depth Analysis\r\nKeeper\r\nThe Keeper group, much like many other Magecart groups, attempted to disguise its malicious attacker domains\r\nas legitimate services, or, in this case, even legitimate sites. Several of the attacker domains attempted to closely\r\nimitate legitimate site names by changing the top-level domain or several characters within the domain name. For\r\nexample, the attacker domain closetlondon[.]org attempted to imitate closetlondon.com. In addition to imitating\r\nlegitimate site names, this group also attempted to imitate popular website plugins and payment gateways.\r\nGemini determined that Keeper’s exfiltration and attacker domains use identical login panels and are linked to the\r\nsame dedicated server; this server hosts both the malicious payload and the exfiltrated data stolen from victim\r\nsites. 
Below is an example of how a dedicated server is used to host Magecart infrastructure responsible for\r\ncollecting compromised card data from numerous e-commerce domains.\r\nImage 2: Dedicated server hosting Magecart infrastructure designed to collect payment card data\r\nfrom target domains.\r\nImage 3: Keeper utilized an identical login panel for all of its exfiltration URLs, which were\r\nconnected to a single dedicated server.\r\nOver 85% of the victim sites operated on the Magento CMS, which is known to be the top target for Magecart\r\nattacks and boasts over 250,000 users worldwide. The country hosting the largest selection of these victim e-commerce sites was the United States, at 28%, followed by the United Kingdom and the Netherlands.\r\nImage 4: List of compromised domains by country or territory.\r\nImage 5: CMS distribution by victim sites.\r\nThrough the analysis of the dedicated server and numerous hosted exfiltration and attacker domains, Gemini was\r\nable to identify over 570 individual attacks on numerous e-commerce sites across the world that occurred\r\nbetween April 2017 and the present (see Appendix C). By analyzing victim domains and the payload scripts that\r\nwere used to infect them, analysts discovered the evolution of obfuscation and data collection methods.\r\nApril 1, 2017: One of the initial attacks was carried out against dressedinwhite.com through the attacker\r\ndomain js-storage[.]click. The Keeper group utilized public obfuscation methods, which made it simple to\r\ndecode. 
The JS payload was created to focus primarily on two specific payment card data fields (card\r\nnumber and expiration date), but also to gather all other available fields on the checkout page.\r\nAugust 9, 2018: The online bicycle merchant milkywayshop.it was infected by the attacker domain\r\ndobell[.]su. The malicious JS payload was hiding in plain sight: it used no private or public\r\nobfuscation and was served in cleartext. The payload collected all of the data from the fields\r\ncommonly seen on the checkout page, such as card data, billing information, and additional personally\r\nidentifiable information (PII).\r\nImage 6: Collected data field on the MilkyWayShop website.\r\nNovember 26, 2018: From November 2018 to the present, the threat actors have used custom obfuscation\r\nmethods. This was first identified in the infection of casterdepot.com. The JS payload was injected by the\r\nattacker domain swappastore[.]com and collected information from all commonly seen fields on the\r\ncheckout page, such as card data, billing information, and additional PII.\r\nImage 7: The custom obfuscation used in the malicious script targeting casterdepot.com. The\r\ndecrypted string is on the right-hand side of the image.\r\nJanuary 6, 2019: The attacker script was modified and it appeared to be much cleaner and more concise\r\nwith no displayed line breaks. This was seen in the infection of nomin.net by the attacker domain\r\nscriptvault[.]org. 
The Keeper group currently uses this format for its payloads and denotes specific\r\npayment card, billing address, and additional information fields that it collects.\r\nImage 8: The most recent format of the Keeper group’s malicious payload.\r\nDuring the analysis of an ongoing infection in one of the victim URLs, fiushafashion.com, Gemini conducted a\r\ntest transaction with fictitious data and decrypted, then decoded the malicious payment request. Gemini analysts\r\nnoted that the payment card data, billing information, additional PII, and source URL were exfiltrated to the\r\nKeeper exfiltration domain assetstorage[.]net.\r\nImages 9-11: Encrypted test payment request (top), decrypted and encoded test payment request\r\n(middle), and decrypted and decoded test payment request (bottom).\r\nTotal Revenue\r\nDuring the historical analysis of the Keeper group, Gemini uncovered an unsecured access.log on the Keeper\r\ncontrol panel on April 24, 2019. This access log stored 184,000 compromised cards with time stamps ranging\r\nfrom July 2018 to April 2019. This likely indicated the total number of cards collected from numerous Keeper\r\ninfections during this time period. Based on the provided number of collected cards during a nine-month window,\r\nand accounting for the group’s operations since April 2017, Gemini estimates that it has likely collected close to\r\n700,000 compromised cards. Given the current dark web median price of $10 per compromised Card Not Present\r\n(CNP) card, this group has likely generated upwards of $7 million USD from stealing and selling compromised\r\npayment cards in its full lifespan. 
\r\nTargets\r\nThe 570 victim e-commerce sites were made up of small to medium-sized merchants and were scattered across 55\r\ndifferent countries. Gemini analyzed the size of the victims’ sites using Amazon’s Alexa Rank, which generates a\r\nbasic score based on daily unique visitors and the number of pageviews. Victims with the top Alexa Global\r\nRanking received anywhere from 500,000 to over one million visitors each month and were responsible for selling\r\nelectronics, clothing, jewelry, custom promotional products, and liquor. The table below provides several\r\nexamples of the most affected merchants with top Alexa Global Ranking (meaning more traffic per website).\r\nDomain | Infection Date | Description\r\nalkaramstudio.com | February 2018 | Pakistan-based clothing store\r\narb.co.za | December 2019 | South Africa-based electrical wholesaler\r\ncwspirits.com | April 2020 | US-based premier wine and spirits seller\r\nejohri.com | February 2020 | India-based online jewelry store\r\nhirschs.co.za | April 2018 | South Africa-based appliance and electronics store\r\nibox.co.id | December 2019 | Indonesia-based Apple product reseller\r\ndiscountmugs.com | September 2018 | US-based custom promotional product store\r\nConclusion\r\nThe Keeper Magecart group has been active for three years, over which time it has continually improved its\r\ntechnical sophistication and the scale of its operations. It has verifiably compromised hundreds of domains and\r\nlikely extracted payment card information from many more that have yet to be uncovered. With revenue likely\r\nexceeding $7 million and increased cybercriminal interest in CNP data during the COVID-19 quarantine measures\r\nacross the world, this group’s market niche appears to be secure and profitable. 
Based on this pattern of successful\r\nMagecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly\r\nsophisticated attacks against online merchants across the world.\r\nAppendix A: List of 64 unique Keeper attacker domains.\r\nAppendix B: List of 73 exfiltration domains that Keeper used to extract stolen payment card data.\r\nAppendix C: List of 570 compromised victim domains infected by Keeper.\r\nGemini Advisory Mission Statement\r\nGemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to\r\nmitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help\r\nidentify and isolate assets targeted by fraudsters and online criminals in real-time.\r\nSource: https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/"
	],
	"report_names": [
		"keeper-magecart-group-infects-570-sites"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434774,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51394ccb24a526bd9c46b7ef7f4d4f2a9ce41940.pdf",
		"text": "https://archive.orkl.eu/51394ccb24a526bd9c46b7ef7f4d4f2a9ce41940.txt",
		"img": "https://archive.orkl.eu/51394ccb24a526bd9c46b7ef7f4d4f2a9ce41940.jpg"
	}
}