{
	"id": "204a0867-8192-45e5-a39b-5b697fc3c175",
	"created_at": "2026-04-06T00:17:25.854204Z",
	"updated_at": "2026-04-10T03:24:29.465289Z",
	"deleted_at": null,
	"sha1_hash": "60c4c53e5d553e2f6dc68a934f71981ab26bbddc",
	"title": "A look into Drupalgeddon's client-side attacks | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3341636,
	"plain_text": "A look into Drupalgeddon's client-side attacks | Malwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2018-05-17 · Archived: 2026-04-05 17:32:15 UTC\r\nDrupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability (CVE-2018-7600) followed by yet another (CVE-2018-7602) almost a month later, both aptly nicknamed Drupalgeddon 2 and Drupalgeddon 3.\r\nThese back-to-back vulnerabilities were accompanied by proofs of concept that translated into almost immediate real-world attacks. For many website owners, this situation was frustrating because the window of time to patch is getting considerably smaller. Additionally, updating or upgrading Drupal (or any other CMS for that matter) may have side effects, such as broken templates or functionality, which is why you need to make a full backup and test the changes in a staging environment before moving to production.\r\nRolling out a CMS is usually the easy part. Maintaining it is where most problems occur, due to lack of knowledge, fear of breaking something, and, of course, costs. While it is each site owner's responsibility to do due diligence with their web properties, the outcome is typically websites being severely out of date and exploited, often more than once.\r\nSample set and web crawl\r\nWe decided to choose a number of web properties that had not yet been validated (including all versions of Drupal, vulnerable or not). Our main source of URLs came from Shodan and was complemented by PublicWWW, for a total of roughly 80,000 URLs to crawl. 
We were surprised to start hitting compromised sites early in the process and were able to confirm around 900 injected web properties.\r\nMany of the results were servers hosted on Amazon or other cloud providers that were most likely set up for testing purposes (staging) and never removed or upgraded. Thankfully, they received little to no traffic. The other domains we encountered spanned a variety of verticals and languages, with one common denominator: an outdated version (usually severely outdated) of the Drupal CMS.\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/\r\nPage 1 of 13\n\nFigure 1: Crawling and flagging compromised Drupal sites using Fiddler\r\nDrupal versions\r\nAt the time of this writing, there are two recommended releases for Drupal. Version 8.x.x is the latest and greatest with some new features, while 7.x.x is considered the most stable and compatible version, especially when it comes to themes.\r\nFigure 2: Drupal’s two main supported branches\r\nAlmost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in August 2015. Many security flaws have been discovered (and exploited) since then.\r\nFigure 3: Percentage of compromised sites belonging to a particular Drupal version\r\nPayloads\r\nA large number of Drupal sites that have been hacked via these two recent exploits were also infected with server-side malware, in particular with XMRig cryptocurrency miners. However, in this post we will focus on the client-side effects of those compromises. 
Neither is exclusive, though, and one should expect that a hacked site could be performing malicious actions on both the server and the client side.\r\nUnsurprisingly, web miners were by far the most common type of injection we noticed. But we also came across a few different social engineering campaigns.\r\nFigure 4: Breakdown of the most common payloads\r\nWeb miners\r\nDrive-by mining attacks went through the roof in the fall of 2017 but slowed down somewhat at the beginning of the year. It’s safe to say that the recent Drupal vulnerabilities have added fuel to the fire and resulted in increased activity. Coinhive injections remain by far the most popular choice, although public or private Monero pools are gaining traction as well.\r\nWe are seeing the same campaign that was already documented by other researchers in early March, and it is ensnaring more victims by the day.\r\nFigure 5: A subdomain of Harvard University’s main site mining Monero\r\nFake updates\r\nThe campaign of fake browser updates we documented earlier is still going strong. It distributes a password stealer or a Remote Administration Tool (RAT).\r\nFigure 6: A compromised Drupal site pushing a fake Chrome update\r\nTech support scams (browlocks)\r\nRedirections to browser locker pages are a typical way of delivering tech support scams. 
The most common redirection we were able to document involved an intermediary site redirecting to browser locker pages using the .TK Top Level Domain (TLD).\r\nmysimplename[.]com/si.php window.location.replace(\"http://hispaintinghad[.]tk/index/?1641501770611\")\r\nFigure 7: A compromised Drupal host redirecting to a browser locker page\r\nWeb miners and injected code\r\nWe collected different types of code injection, from simple clear-text snippets to long obfuscated blurbs. It’s worth noting that in many cases the code is dynamic, most likely a technique to evade detection.\r\nFigure 8: Collage of some of the most common miner injections\r\nSnapshots\r\nThe following are some examples of compromised sites sorted by category. We have contacted all affected parties to let them know their resources are being used by criminals to generate profit from malicious cryptomining or malware infections.\r\nFigure 9: Education (University of Southern California)\r\nFigure 10: Government (Arkansas Courts \u0026 Community Initiative)\r\nFigure 11: Political party (Green Party of California)\r\nFigure 12: Ad server (Indian TV Revive Ad server)\r\nFigure 13: Religion (New Holly Light)\r\nFigure 14: Health (NetApp Benefits)\r\nFigure 15: Conferences (Red Hat partner conference)\r\nFigure 16: Tech 
(ComputerWorld’s Brazilian portal)\r\nMalicious cryptomining remains hot\r\nIt is clear that right now, cryptomining is the preferred kind of malicious injection. There are many public and private APIs that make the whole process easy, and unfortunately they are being abused by bad actors.\r\nCompromised sites big and small remain a hot commodity that attackers will try to amass over time. And because patching remains an issue, the number of potential new victims never stops growing. In light of this, website owners should look into other kinds of mitigation when patching is not an immediate option, such as what some people call virtual patching. In particular, Web Application Firewalls (WAFs) have helped many stay protected even against new types of attacks, and even when their CMS was vulnerable.\r\nMalwarebytes continues to detect and block malicious cryptomining and other unwanted redirections.\r\nIndicators of compromise\r\n
Source: https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/"
	],
	"report_names": [
		"look-drupalgeddon-client-side-attacks"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60c4c53e5d553e2f6dc68a934f71981ab26bbddc.pdf",
		"text": "https://archive.orkl.eu/60c4c53e5d553e2f6dc68a934f71981ab26bbddc.txt",
		"img": "https://archive.orkl.eu/60c4c53e5d553e2f6dc68a934f71981ab26bbddc.jpg"
	}
}