{
	"id": "32515255-ad5e-4661-b602-24fbd0a5217c",
	"created_at": "2026-04-06T00:21:28.168624Z",
	"updated_at": "2026-04-10T13:13:01.58626Z",
	"deleted_at": null,
	"sha1_hash": "5d56f1f7025825a27e96833a82f3310d41498ddb",
	"title": "Stantinko: A massive adware campaign operating covertly since 2012",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2225902,
	"plain_text": "Stantinko: A massive adware campaign operating covertly since\r\n2012\r\nBy Frédéric Vachon and Matthieu Faou\r\nArchived: 2026-04-05 15:41:55 UTC\r\nESET Research\r\nSince the beginning of 2017, ESET has been conducting an investigation into a complex threat mainly targeting\r\nRussia and Ukraine. Stantinko has stood out.\r\n20 Jul 2017  •  6 min. read\r\nOverview\r\nSince the beginning of 2017, ESET researchers have been conducting an investigation into a complex threat\r\nmainly targeting Russia and Ukraine. Standing out because of its prevalence and its sophistication, Stantinko\r\nturned out to be quite a puzzle to solve. As we slowly put the pieces together, the global picture began to take shape,\r\nexposing a massive adware campaign affecting approximately half a million users.\r\nMaking heavy use of code encryption and rapidly adapting so as to avoid detection by anti-malware, Stantinko’s\r\noperators managed to stay under the radar for at least the last five years, attracting very little attention to their\r\noperations.\r\nTo infect a system, they trick users looking for pirated software into downloading executable files sometimes\r\ndisguised as torrents. FileTour, Stantinko’s initial installation vector, then loudly installs a lot of software to\r\ndistract the user while it covertly installs Stantinko’s first service in the background. Video 1 shows a fictitious user\r\nrunning the malicious executable.\r\nVideo 1. Video of a user downloading and running the malicious file\r\nhttps://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/\r\nPage 1 of 8\n\nStantinko’s operators control a huge botnet that they monetize mainly by installing malicious browser extensions\r\nthat perform ad injection and click fraud. However, they don’t stop there. The malicious Windows services they\r\ninstall enable them to execute anything on the infected host. 
We’ve seen them being used to send a fully featured\r\nbackdoor, a bot performing massive searches on Google, and a tool performing brute-force attacks on Joomla and\r\nWordPress administrator panels in an attempt to compromise and potentially resell them.\r\nFigure 1 shows the full Stantinko threat from the infection vector to the final persistent services and related\r\nplugins.\r\nFigure 1 – Full diagram of the Stantinko threat\r\nKey features\r\nStantinko stands out in the way it circumvents antivirus detection and thwarts reverse engineering efforts to\r\ndetermine if it exhibits malicious behavior. To do so, its authors make sure multiple parts are needed to conduct a\r\ncomplete analysis. There are always two components involved: a loader and an encrypted component. The\r\nmalicious code is concealed in the encrypted component that resides either on the disk or in the Windows\r\nRegistry. This code is loaded and decrypted by a benign-looking executable. The key to decrypt this code is\r\ngenerated on a per-infection basis. Some components use the bot identifier and others use the volume serial\r\nnumber from the victim PC’s hard drive. Making reliable detections based on the non-encrypted components is a\r\nvery difficult task, since artifacts residing on the disk do not expose malicious behavior until they’re executed.\r\nMoreover, Stantinko has a powerful resilience mechanism. After a successful compromise, the victim’s machine\r\nhas two malicious Windows services installed, which are launched at system startup. Each service has the ability\r\nto reinstall the other in case one of them is deleted from the system. Thus, to successfully uninstall this threat, both\r\nservices must be deleted at the same time. 
Otherwise, the C\u0026C server can send a new version of the deleted\r\nservice that isn’t detected yet or that contains a new configuration.\r\nStantinko’s main functionality is to install malicious browser extensions named The Safe Surfing and Teddy\r\nProtection. Both extensions were available on the Chrome Web Store during our analysis. At first sight, they look\r\nlike legitimate browser extensions that block unwanted URLs. However, when installed by Stantinko, the\r\nextensions receive a different configuration containing rules to perform click fraud and ad injection. In Video 2,\r\nthe The Safe Surfing extension is installed. The user is redirected when clicking a link on the Rambler search\r\nengine.\r\nFigure 2 – Teddy Protection on the Chrome Web Store\r\nVideo 2. Search traffic redirection on Rambler website\r\nStantinko is a modular backdoor. Its components embed a loader allowing them to execute any Windows\r\nexecutable sent by the C\u0026C server directly in memory. This feature is used as a very flexible plugin system\r\nallowing the operators to execute anything on an infected system. Table 1 is a description of known Stantinko\r\nplugins.\r\nTable 1. Known Stantinko Plugins\r\nModule Name | Analysis\r\nBrute-force | Distributed dictionary-based attack on Joomla and WordPress administrative panels.\r\nSearch Parser | Performs massive distributed and anonymous searches on Google to find Joomla and WordPress websites. 
It uses compromised Joomla websites as C\u0026C servers.\r\nRemote Administrator | Backdoor that implements a full range of actions from reconnaissance to data exfiltration.\r\nFacebook Bot | Bot performing fraud on Facebook. Its capabilities include creating accounts, liking pictures or pages, and adding friends.\r\nMonetization\r\nAlthough the developers of Stantinko use methods that are most often seen in APT campaigns, their final aim is to\r\nmake money. Thus, they are present in one of the most profitable cybercrime markets.\r\nFirst, these days click fraud is a major source of revenue in the cybercrime ecosystem. Research conducted by the\r\nfirm White Ops and the Association of National Advertisers (US) has estimated the global cost of click fraud in\r\n2017 will be $6.5 billion.\r\nAs explained above, Stantinko installs two browser extensions, The Safe Surfing and Teddy Protection, which\r\ninject advertisements or redirect the user. This allows the Stantinko operators to be paid for the traffic they provide to\r\nadvertisers. Figure 4 is a summary of the redirection process.\r\nFigure 4 – Click fraud redirection process\r\nOur study also shows that they are really close to the advertisers. In some cases, including the example in Figure\r\n4, the user will reach the advertiser’s website directly after the Stantinko-owned ad network. On the other hand,\r\ntraditional click-fraud malware relies on a series of redirections between several ad networks to launder its\r\nmalicious traffic. This shows that not only are the Stantinko operators able to develop highly stealthy malware, but\r\nthey are also able to abuse the traditional ad-serving economy without getting caught.\r\nSecond, they are also trying to gain fraudulent access to the administrative accounts of Joomla and WordPress\r\nwebsites. 
Their attack relies on brute force using a list of credentials. The aim is to guess the password by\r\ntrying tens of thousands of different credentials. Once compromised, these accounts can be resold on the\r\nunderground market. Then, they could be used to redirect site visitors to exploit kits elsewhere or to host\r\nmalicious content.\r\nThird, our study also shows how Stantinko perpetrates social network fraud. This type of fraud has already been\r\ndescribed by ESET researchers in the Dissecting Linux/Moose white paper. It is really profitable as, for instance,\r\nprices are around $15 per 1000 Facebook likes even though they are actually generated by fake accounts\r\ncontrolled by a botnet.\r\nThe Stantinko operators developed a plugin that can interact with Facebook. It is able, among other things, to\r\ncreate accounts, 'like' a page or add a friend. To bypass Facebook’s CAPTCHA, it relies on an online anti-CAPTCHA service pictured in Figure 5. The size of the Stantinko botnet is an advantage as it allows its operators\r\nto distribute the queries among all the bots. Thus, it is more difficult for Facebook to detect this type of fraud.\r\nFigure 5 – Anti-CAPTCHA service used by Stantinko\r\nConclusion\r\nStantinko is a botnet mostly dedicated to ad-related fraud. Using advanced techniques such as code encryption and\r\nstoring code in the Windows Registry, its operators were able to stay under the radar for the past five years. This\r\nled to a botnet of approximately 500,000 infected machines.\r\nThey were also able to publish their two ad injection browser extensions on the Chrome Web Store. 
One of them\r\nwas first released on the Chrome Web Store in November 2015.\r\nEven though it isn't noticeable to the user, due to the absence of CPU-intensive tasks, Stantinko is a major threat,\r\nas it provides a large source of fraudulent revenue to cybercriminals. Moreover, the presence of a fully featured\r\nbackdoor allows the operators to spy on all the victimized machines.\r\nFor a comprehensive technical analysis of Stantinko, refer to our white paper. The Indicators of Compromise are\r\nprovided on our GitHub account. For any inquiries, or to make sample submissions related to the subject, contact\r\nus at: threatintel@eset.com.\r\nSource: https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/"
	],
	"report_names": [
		"stantinko-massive-adware-campaign-operating-covertly-since-2012"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434888,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d56f1f7025825a27e96833a82f3310d41498ddb.pdf",
		"text": "https://archive.orkl.eu/5d56f1f7025825a27e96833a82f3310d41498ddb.txt",
		"img": "https://archive.orkl.eu/5d56f1f7025825a27e96833a82f3310d41498ddb.jpg"
	}
}