{
	"id": "8120980e-6178-4db5-9c47-1f21495352a2",
	"created_at": "2026-04-06T00:15:00.394264Z",
	"updated_at": "2026-04-10T13:12:42.461963Z",
	"deleted_at": null,
	"sha1_hash": "53626c1051da5e12ff8b7cade2ef7872314c17b2",
	"title": "40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3232193,
	"plain_text": "40 New Domains of Magecart Veteran ATMZOW Found in Google\r\nTag Manager\r\nBy Denis Sinegubko\r\nPublished: 2023-12-07 · Archived: 2026-04-05 23:18:37 UTC\r\nHackers like Google Tag Manager: millions of sites use it, and they can inject custom scripts and HTML code via\r\na script from the highly trusted domain googletagmanager.com. In order to create a new container and abuse\r\nGoogle Tag Manager, all they need is a Google account (and we all know how easy it is to get one).\r\nGiven the widespread use of GTM and the inherent trust websites put in scripts from Google, this tactic presents a\r\nsignificant security risk. By injecting custom scripts and HTML code onto a website, hackers can harvest valuable\r\ndata, including user credit card details.\r\nIn today’s post, we’ll take a look at some recent Google Tag Manager containers used in ecommerce malware,\r\nexamine some newer forms of obfuscation techniques used in the malicious code, and track the evolution of the\r\nATMZOW skimmer linked to widespread Magento website infections since 2015.\r\nSpotting common GTM credit card skimmers\r\nWe regularly find credit card skimmers planted inside Google Tag Manager scripts. For example, last week we\r\nreported on some malware using a chain of four GTM scripts to plant a skimmer. 
In the past 11 months of 2023\r\nour SiteCheck remote website scanner has detected known malicious GTM containers on 327 sites; the most\r\ncommon container ID, GTM-WJ6S9J6, was detected 178 times this year.\r\nThe tag GTM-WJ6S9J6 has already been deleted by Google after reports of malicious activity, but back in\r\nOctober the vtp_html variable contained code that injected a malicious script from gtm-statistlc[.]com\r\n(originally created on July 11, 2023):\r\nThis campaign also used many other tags and domains that mimic various analytics/statistics services, including\r\ngooqle-analytics[.]com and webstatlstics[.]com.\r\nhttps://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-found-in-google-tag-manager.html\r\nPage 1 of 8\n\nNew ATMZOW skimmer in GTM-TVKQ79ZS\r\nThis November we found a GTM-TVKQ79ZS container with a new variation of the skimmer in the vtp_html\r\nvariable.\r\nAfter removing the first layer of obfuscation, we got the familiar ATMZOW style of code:\r\nThe ATMZOW skimmers have long been known to use Google Tag Manager. Moreover, Group IB has linked this\r\nskimmer to the 2015 Guruincsite infection that affected thousands of Magento sites at the very beginning of the\r\nMagecart era.\r\nNow, 8 years later, the hacker group that uses this style of obfuscation is still active, and the malware keeps\r\nevolving.\r\nExtra complexity in obfuscation\r\nSimple skimmer scripts (like the one in the GTM-WJ6S9J6 example above) are pretty easy to deobfuscate,\r\nwhich quickly reveals the malicious domain. 
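How easy, in practice: the following is an added Node.js example, not code from the Sucuri post. It finds every atob('...') call whose argument is a base64 literal, decodes it, substitutes the plain string, and then pulls out anything hostname-shaped so the domain can go straight into a blocklist. The constructed sample reuses the post's two keyword literals; the hostname cdn.example.test is a made-up stand-in for the injected script's domain.

```javascript
// Added example (not from the Sucuri post): statically unwrap atob('...') calls
// with a literal base64 argument so a simple skimmer's activation conditions and
// hostnames can be read without executing it. Node.js.

// atob( <quote> <base64> <quote> ) -- the quote character is captured on both
// sides and compared, so unquoted or mismatched arguments are left alone.
const ATOB_LITERAL = new RegExp('atob[(](.)([A-Za-z0-9+/=]+)(.)[)]', 'g');

function decodeB64(b64) {
  // Node decodes leniently; refuse anything that is not a well-formed literal.
  if (b64.length % 4 !== 0) return null;
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Returns { code, strings }: the rewritten source and every decoded literal,
// in order of appearance.
function unwrapAtob(src) {
  const strings = [];
  const code = src.replace(ATOB_LITERAL, (match, open, b64, close) => {
    if (open !== close) return match;
    const plain = decodeB64(b64);
    if (plain === null) return match;
    strings.push(plain);
    return JSON.stringify(plain);   // a proper JS string literal replaces the call
  });
  return { code, strings };
}

// Decoded strings that look like hostnames are the indicators a responder wants first.
const HOST_LIKE = new RegExp('^([a-z0-9-]+[.])+[a-z]{2,}$', 'i');
function hostIndicators(strings) {
  return strings.filter((s) => HOST_LIKE.test(s));
}

// Constructed sample in the style of the GTM-WJ6S9J6 check. The two keyword
// literals are the post's own; cdn.example.test is made up for this example.
const SAMPLE = `
if(0<=location.href.indexOf(atob('Y2hlY2tvdXQ='))||0<=location.href.indexOf(atob('b25lcGFnZQ=='))){
  var s=document.createElement('script');
  s.src='https://'+atob('Y2RuLmV4YW1wbGUudGVzdA==')+'/stat.js';
  document.head.appendChild(s);
}
`;

const demo = unwrapAtob(SAMPLE);
console.log(demo.code);
console.log('decoded literals:', demo.strings);
console.log('host indicators:', hostIndicators(demo.strings));
```

The rewritten source prints with the activation conditions in clear. Note where this stops working: the GTM-TVKQ79ZS variant described below keys its decoder to the exact length of the script rather than to base64 literals, so a textual pass like this one yields nothing there and the decoder itself has to be understood first.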
They used base64 encoding to hide the domain name and the page URL keywords the attackers\r\nare interested in.\r\nif(0\u003c=location.href.indexOf(atob(\"Y2hlY2tvdXQ=\"))||0\u003c=location.href.indexOf(atob(\"b25lcGFnZQ==\")))\r\n//Decoded\r\nif(0\u003c=location.href.indexOf('checkout')||0\u003c=location.href.indexOf('onepage'))\r\nUnlike previous variants, however, the obfuscation used in this recently discovered GTM-TVKQ79ZS container\r\nuses extra complexity to hide all the domains and activation conditions. The ATMZOW layer is pretty difficult to\r\ndeobfuscate, as the decoder depends on the exact length of the script — and the moment you change anything in\r\nit, it stops working. However, once you know how the decoder works, there are multiple ways to work around it.\r\n40 new “artistic” domains\r\nThe fully deobfuscated code of November’s new variant reveals a list of 40 newly registered domains used to\r\ninject another layer of the skimmer.\r\nAll of these domains were registered via Hostinger in three batches, on November 8, 10 and 12 of 2023 (the same\r\nregistrar was used for the previously mentioned malicious domains gooqle-analytics[.]com and\r\nwebstatlstics[.]com as well).\r\nNaming patterns\r\nUnlike the previous naming pattern, which used keywords related to popular statistics or analytics services, this\r\ntime the attackers used a combination of three English words with the following pattern:\r\nThe first word is always related to art – e.g. sketch, color, visual, picture, canvas, draw, image, etc.\r\nThe third word makes the domain name look related to some internet service – e.g. 
metrics, stats, profiler,\r\ninsights, analytics, tracker, monitor, tool, etc.\r\nThe second word is picked from a mix of the two previous keyword types.\r\ncdn.sketchinsightswatch[.]com\r\ncdn.colorpalettemetrics[.]com\r\ncdn.artisticpatterndata[.]com\r\ncdn.visualartexplorer[.]com\r\ncdn.picturedataminer[.]com\r\ncdn.paintedworldstats[.]com\r\ncdn.drawinginfopro[.]com\r\ncdn.artistictrendsmap[.]com\r\ncdn.sketchanalyticsvault[.]com\r\ncdn.colorschemeobserver[.]com\r\ncdn.artdataharvest[.]com\r\ncdn.gallerytrendstracker[.]com\r\ncdn.picturetrendsmonitor[.]com\r\ncdn.brushstrokemetrics[.]com\r\ncdn.imagepatternprofiler[.]com\r\ncdn.artisticexpressiondb[.]com\r\ncdn.sketchdataanalytics[.]com\r\ncdn.canvastrendstracker[.]com\r\ncdn.visualartinsights[.]com\r\ncdn.strokepatternanalysis[.]com\r\ncdn.artstattracker[.]com\r\ncdn.drawdatahub[.]com\r\ncdn.sketchmetrics[.]com\r\ncdn.paintinfoanalyzer[.]com\r\ncdn.imageinsightvault[.]com\r\ncdn.visualdatacollector[.]com\r\ncdn.artworkanalytics[.]com\r\ncdn.sketchtrendsmonitor[.]com\r\ncdn.picinfometrics[.]com\r\ncdn.drawnstatsgather[.]com\r\ncdn.artistictrendsprobe[.]com\r\ncdn.gallerydatainsight[.]com\r\ncdn.strokeanalysislab[.]com\r\ncdn.imagestatistician[.]com\r\ncdn.artprofilingtool[.]com\r\ncdn.sketchdataharbor[.]com\r\ncdn.picturetrendsdb[.]com\r\ncdn.drawninfoinspector[.]com\r\ncdn.arttrendtrackers[.]com\r\ncdn.PaintedVisionsStats[.]com\r\nThese naming patterns are likely meant to blend more organically into normal web traffic, while the art-related\r\nkeywords make them look even more benign, as many security solutions are now trained to identify phishy\r\nversions of popular analytics services.\r\nTricks to evade domain discovery\r\nTo further evade detection, the malicious code randomly selects two of those “cdn.*” domains from the list above\r\nand then injects two 
external scripts from the selected domains. This approach helps conceal the entire list of\r\ndomain names used in the attack from researchers who only perform traffic analysis, as they will be\r\nable to capture just two domains at a time. Moreover, these two domain names are saved in local storage, so on\r\nsubsequent loads in the same browser you will get the same pair of domains. This method is intended to prevent\r\nquick discovery and blocking of all domains used in the attack, thereby prolonging the lifespan of the\r\ncampaign.\r\nIn an effort to prevent detection of the domains and their suspicious traffic through their IP addresses, the attackers\r\nhid these domains behind a Cloudflare firewall. After Cloudflare blocked them, we were able to\r\nuncover their real locations. At the time of writing, these domains resolve to 31.220.21[.]211, 31.220.21[.]240,\r\n62.72.7[.]89 and 62.72.7[.]90, all of which belong to the Hostinger network. The same IPs were also used for gooqle-analytics[.]com and gtm-statlstic[.]com.\r\nReinfections and new containers\r\nAfter Google received reports of malicious behavior and removed the GTM-TVKQ79ZS container, the bad\r\nactors created new containers GTM-NTV2JTB4 and GTM-MX7L8F2M with the same malicious script and\r\nstarted reinfecting compromised websites.\r\nInterestingly enough, on one site we found this Google Tag Manager skimmer right next to the WebSocket\r\nlgstd[.]io skimmer that my colleague Ben Martin wrote about last week.\r\nUnderstanding threats and taking action\r\nThese specific Google Tag Manager malware samples indicate that the same gangs that pioneered credit\r\ncard skimming 8 years ago are still active and are constantly evolving and adapting their approaches. 
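One check follows directly from the samples above: the containers a page loads should be exactly the ones its administrator created, and the same goes for the hosts it pulls scripts from. The following is an added Node.js example, not code from the Sucuri post, that inventories both from page HTML and flags anything outside an allowlist; the four container IDs it treats as known-bad are the ones named in this post, while GTM-ABCD123, the allowlists and the sample page are constructed.

```javascript
// Added example (not from the Sucuri post): inventory the Google Tag Manager
// containers and third-party script hosts a page references and flag the ones
// the site owner never provisioned. Node.js.

// Container IDs in this post are GTM- followed by 7 or 8 alphanumerics; the
// 5..8 range is an assumption to tolerate other lengths. Lookarounds stop the
// pattern from matching inside longer tokens.
const GTM_ID = new RegExp('(?<![A-Z0-9])GTM-[A-Z0-9]{5,8}(?![A-Z0-9])', 'g');

// Containers the post reports as carrying skimmers (all since removed by Google).
const REPORTED_MALICIOUS = new Set([
  'GTM-WJ6S9J6', 'GTM-TVKQ79ZS', 'GTM-NTV2JTB4', 'GTM-MX7L8F2M',
]);

// Scheme and host of every src= in markup or inline JS (attribute or assignment).
const SRC_ORIGIN = new RegExp('src=.(https?://[a-z0-9.-]+)', 'gi');

function findContainers(html) {
  return [...new Set(html.match(GTM_ID) || [])].sort();
}

function externalScriptHosts(html) {
  const hosts = new Set();
  for (const m of html.matchAll(SRC_ORIGIN)) hosts.add(new URL(m[1]).hostname);
  return [...hosts].sort();
}

// allowedContainers: IDs the administrator created in their own GTM account.
// allowedHosts: origins the site is supposed to load scripts from.
function auditPage(html, allowedContainers, allowedHosts) {
  const okIds = new Set(allowedContainers);
  const okHosts = new Set(allowedHosts);
  const containers = findContainers(html);
  return {
    containers,
    knownMalicious: containers.filter((id) => REPORTED_MALICIOUS.has(id)),
    unexpectedContainers: containers.filter((id) => !okIds.has(id)),
    unexpectedHosts: externalScriptHosts(html).filter((h) => !okHosts.has(h)),
  };
}

// Constructed page: one legitimate container (GTM-ABCD123 is made up) next to an
// injected loader for the post's GTM-TVKQ79ZS and a script tag pointing at one of
// the 40 domains listed above.
const SAMPLE_HTML = `
<head>
<script src='https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123'></script>
<script>(function(w,d,s,l,i){var j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);
})(window,document,'script','dataLayer','GTM-TVKQ79ZS');</script>
<script src='https://cdn.sketchmetrics.com/loader.js'></script>
</head>
<body><noscript><iframe src='https://www.googletagmanager.com/ns.html?id=GTM-ABCD123'></iframe></noscript></body>
`;

// The allowlists are what the administrator of this constructed site would supply.
const report = auditPage(SAMPLE_HTML, ['GTM-ABCD123'], ['www.googletagmanager.com']);
console.log(report);
```

Static HTML catches the injected loader snippet and any script tag hard-coded into a template, but not what a container injects at run time: the gtm.js payload carrying the vtp_html value is fetched from googletagmanager.com, so an ID that passes the allowlist still needs its tags reviewed in the GTM console or in the fetched gtm.js. For the cdn.* domains, compare the rendered DOM or a network capture against the same host allowlist; seeing two unexpected hosts per browser profile is exactly what the local-storage pairing trick above produces, so clear site storage between loads before concluding you have found them all.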
As of 2023,\r\ntheir main tricks are the use of Google Tag Manager, complex multi-layer (and rather unconventional)\r\nobfuscation, and a long list of malicious domains hidden behind a firewall.\r\nUnlike other modern skimmers that have moved most of their operations to WordPress’ WooCommerce, our\r\nanalysis indicates that the ATMZOW skimmer continues to specifically target Magento sites.\r\nA Google Tag Manager script may look benign at first glance due to its association with a highly trusted source.\r\nHowever, any script that was not initially placed on a page by a website administrator should raise suspicions and\r\nbe considered a sign of potential compromise. As a rule of thumb, always take time to investigate strange or\r\nunfamiliar scripts in your website environments.\r\nIf you suspect that your site is infected with this malware, check our Magento cleanup guide. Make sure to\r\nscrutinize all the templates that are usually stored in core_config_data — it is the most common location for placing\r\nclient-side skimmer scripts.\r\nAnd as always, if you believe your site has malware, our highly skilled analysts are available 24/7 to clean up a\r\nhacked site.\r\nSource: https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-found-in-google-tag-manager.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-found-in-google-tag-manager.html"
	],
	"report_names": [
		"40-new-domains-of-magecart-veteran-atmzow-found-in-google-tag-manager.html"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434500,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53626c1051da5e12ff8b7cade2ef7872314c17b2.pdf",
		"text": "https://archive.orkl.eu/53626c1051da5e12ff8b7cade2ef7872314c17b2.txt",
		"img": "https://archive.orkl.eu/53626c1051da5e12ff8b7cade2ef7872314c17b2.jpg"
	}
}