{
	"id": "d19e6260-fbde-4536-9c9a-eb8d4c9c0ddd",
	"created_at": "2026-04-06T00:09:14.535496Z",
	"updated_at": "2026-04-10T03:24:29.565127Z",
	"deleted_at": null,
	"sha1_hash": "5a98dbfed437ec329446bf18c5b6816ae23015d9",
	"title": "Privacy Tools (Not) for You",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 638556,
	"plain_text": "Privacy Tools (Not) for You\r\nBy Silent Push Threat Team\r\nPublished: 2021-12-03 · Archived: 2026-04-05 19:17:44 UTC\r\nWhile looking through one of the malicious domain feeds managed for Silent Push customers, three interesting domains were noticed:\r\nprivacytoolzforyou-7000[.]com\r\nprivacytoolzfor-you7000[.]com\r\nprivacy-tools-for-you-777[.]com\r\nCurious to learn what was on these domains, the last one was opened in a safe environment. It was registered only yesterday (the other two domains were registered on 19 November), is currently live and was not detected by Safe Browsing, to which it has since been reported.\r\nThe site suggests it offers privacy tools as a “secure \u0026 easy way to file protect”:\r\nThe design of the website looks pretty slick and, while clearly not written by a native speaker of English, it includes cute bits such as:\r\nThe options to sign in to the website or to purchase the full version of the product don’t appear to work (nor should one expect them to: the site is served over unencrypted HTTP), but thankfully there is a trial version that can be used.\r\nhttps://www.silentpush.com/blog/privacy-tools-not-for-you\r\nPage 1 of 5\n\nThe links to macOS and Linux versions of the product don’t work, but the download for Windows works. It serves a Windows executable from:\r\nhttp://privacy-tools-for-you-777[.]com/downloads/installer.exe\r\nUnsurprisingly, the downloaded file isn’t a privacy tool at all, but a piece of malware. It has SHA256 hash 47906fc0ac7d3be54c62933e5f66a285cd34f161ce1d8a1bbdf80dc2e1df1441, though URLhaus reports that many other files have been served from the same URL.\r\nAll of these files have been detected as SmokeLoader, an old but still active malware downloader that has been used to serve other kinds of malware, such as the RedLine and Raccoon infostealers.\r\nA search for similar domains in Silent Push’s database gave 26 domains in total, such as privacy-toolz-for-you-3000[.]top and privacytoolsforyoufree[.]xyz, some going back as early as June of this year (see the full list at the bottom of this post).\r\nMost of these were active for a few weeks or even less. There is strong evidence to suggest they were run by the same actor and also served SmokeLoader; see for example this entry in URLhaus. This Proofpoint blog post, which shows the same Privacy Tools website, suggests the campaign may go back even further.\r\nThe campaign switched to its current bulletproof hosting provider, which is currently being tracked, some time in September.\r\nRogue file hosters\r\nInterestingly, the malicious file downloaded has also been served from host-data-coin-11[.]com. This is likely more than a coincidence: the file is on the same Silent Push feed and uses the same bulletproof infrastructure. A search for domains with a similar pattern returned eighteen more domains, all of which use the same infrastructure.\r\nAt least one of these domains is still active and, after clicking through the Safe Browsing warning, we ended up on a ‘Superstar file hosting’ website.\r\nA file could be selected from a computer (only .exe files appear to be allowed) and uploaded, after which a URL was provided that did indeed serve the very same file that had been uploaded. The same URL pattern has been seen in malware served from those domains, and it seems likely that this front-end has also been used by the actors themselves.\r\nInterestingly, some of these domains also appear to have served as C2 domains for SmokeLoader, as can be seen in this sandbox report.\r\nConclusion\r\nIt is unclear what the exact link is between the two kinds of domains, but it is very likely they are operated by the same actor.\r\nIt is also unclear in what context the URLs were served, but it’s possible that they have been distributed in specific places, such as forums for cryptocurrency enthusiasts, which are a popular target for infostealers.\r\nSilent Push maintains many feeds for its customers, which often include domains like the ones mentioned in this blog post, even before they become active. The Silent Push API, which supports regular expressions, allowed me to search for similar domains.\r\nIndicators of compromise\r\nFake privacy tools:\r\nFile hosters and/or SmokeLoader C2:\r\nWould you like to use our feeds or platform to protect your organization? Please contact Silent Push so we can help you.\r\nSource: https://www.silentpush.com/blog/privacy-tools-not-for-you",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.silentpush.com/blog/privacy-tools-not-for-you"
	],
	"report_names": [
		"privacy-tools-not-for-you"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434154,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a98dbfed437ec329446bf18c5b6816ae23015d9.pdf",
		"text": "https://archive.orkl.eu/5a98dbfed437ec329446bf18c5b6816ae23015d9.txt",
		"img": "https://archive.orkl.eu/5a98dbfed437ec329446bf18c5b6816ae23015d9.jpg"
	}
}