{
	"id": "706dbf9c-8ec6-4244-b160-fed6da9e37a0",
	"created_at": "2026-04-06T00:18:48.054353Z",
	"updated_at": "2026-04-10T13:11:53.006437Z",
	"deleted_at": null,
	"sha1_hash": "61da2c6f029649eafb2cc35c4c1be7b795a7d638",
	"title": "MakeMoney malvertising campaign adds fake update template",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 283286,
	"plain_text": "MakeMoney malvertising campaign adds fake update template\r\nBy Threat Intelligence Team\r\nPublished: 2022-06-07 · Archived: 2026-04-05 14:00:41 UTC\r\nMalware authors and distributors follow the ebb and flow of the threat landscape. One campaign we have tracked for a number of years recently introduced a new scheme that may move it entirely away from drive-by downloads via exploit kit.\r\nIn this quick blog post, we look at this new attack chain and link it with previous activity from what we believe are the same threat actors.\r\nFakeUpdates (SocGholish) lookalike\r\nOur researcher Fillip Mouliatis identified a malvertising campaign leading to a fake Firefox update. The template is strongly inspired by similar schemes, in particular the one distributed by the FakeUpdates (SocGholish) threat actors.\r\nHowever, distribution and implementation are very different. Unlike FakeUpdates, which pushes its template through compromised websites, this one is driven via malvertising. Please note the IP addresses involved in the redirection infrastructure, as we will come back to them in a moment.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/\r\nPage 1 of 7\n\nThe template itself is much simpler and appears to be in development: a fake Firefox update page carries a couple of scripts that pull down an encrypted payload. The initial executable is a loader that retrieves a piece of adware detected as BrowserAssistant. This payload had been seen before, and interestingly through a similar malvertising campaign involving the RIG exploit kit.\r\nMakeMoney connection\r\nThe malvertising infrastructure is essentially the same one used in numerous drive-by campaigns with exploit kits since late 2019. 
For some reason the threat actors keep reusing the same servers in Russia and naming their malvertising gates after different ad networks.\r\nSecurity researcher @nao_sec saw the “MakeMoney gate”, named after the domain makemoneywithus[.]work (188.225.75.54), redirect to the Fallout exploit kit in October 2020, although it mostly used RIG EK for several years. Probably the earliest instance of this threat group was seen in December 2019 via the gate gettime[.]xyz (185.220.35.26).\r\nhttps://twitter.com/nao_sec/status/1332097156434391040?s=20\u0026t=GPCjh2Ik3L84ZFICcs31yg\r\nLooking at this infrastructure shows that the group reused a few servers quite predictably over these years, split between AS59504 vpsville and AS9123 TimeWeb. For example, gettime[.]xyz was hosted on the same server (185.220.35.26) as makemoneyeazzywith[.]me. Staying with the MakeMoney theme, we see makemoneywith[.]us on 188.225.75.54. That server was likely hosting a Keitaro TDS (traffic distribution system), given hostnames such as keitarotrafficdelivery[.]xyz.\r\nThere is also activity on 185.220.33.3, 185.230.140.210 and 188.225.75.54 hosting a number of impersonation hostnames such as magicpropeller[.]xyz (PropellerAds) and magicpopcash[.]xyz (PopCash).\r\nhttps://twitter.com/MBThreatIntel/status/1483235125827571715?s=20\u0026t=VdtEqqjtpe_XT1TG6rAWVQ\r\nWe find it interesting that the same threat actors remained faithful to RIG EK for so long during a period when exploit kits were going out of business. They also seemed to poke fun at the same ad networks they were abusing, unless the choice of names for their gates was motivated by sorting out their upstream traffic.\r\nWe don’t believe we have seen the last of this threat group. 
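The server-sharing pivot described above is worth automating. The following Python is an added example and is not code from the original post or from Malwarebytes: it encodes the domain-to-server pairs the post states (gettime[.]xyz and makemoneyeazzywith[.]me on 185.220.35.26; makemoneywith[.]us, makemoneywithus[.]work and keitarotrafficdelivery[.]xyz on 188.225.75.54), clusters hostnames by shared server, tags gate names that mimic ad networks, and matches a handful of constructed DNS log lines against a refanged subset of the indicators listed in the IOC section. The log lines, the function names and the ad-network keyword list are assumptions made for illustration.

```python
from collections import defaultdict

# Subset of the defanged indicators from the IOC section of the post
# (not the full list; extend it the same way).
GATE_DOMAINS = [
    'gettime[.]xyz', 'makemoneyeazzywith[.]me', 'makemoneywith[.]us',
    'makemoneywithus[.]work', 'keitarotrafficdelivery[.]xyz',
    'magicpropeller[.]xyz', 'magicpopcash[.]xyz', 'myjobsy[.]com',
    'usemoney[.]xyz', 'zeroparktraffic[.]xyz',
]
GATE_IPS = ['185.220.35.26', '188.225.75.54', '185.220.33.3', '185.230.140.210']
TEMPLATE_IPS = ['188.227.107.121', '188.227.107.92']

# Domain-to-server pairs as stated in the post; a passive-DNS export would
# supply these in practice.
HOSTING_OBSERVATIONS = [
    ('gettime[.]xyz', '185.220.35.26'),
    ('makemoneyeazzywith[.]me', '185.220.35.26'),
    ('makemoneywith[.]us', '188.225.75.54'),
    ('makemoneywithus[.]work', '188.225.75.54'),
    ('keitarotrafficdelivery[.]xyz', '188.225.75.54'),
]

# Assumed keyword list: ad networks and the TDS product the gate names mimic.
AD_NETWORK_HINTS = ['propeller', 'popcash', 'adcash', 'adsterra',
                    'clickadu', 'zeropark', 'keitaro']


def refang(indicator):
    # Turn a defanged indicator such as makemoneywith[.]us back into a hostname.
    return indicator.strip().lower().replace('[.]', '.')


def cluster_by_server(observations):
    # Group hostnames by the server they resolved to; servers carrying more
    # than one gate are the pivot the post relies on.
    by_ip = defaultdict(set)
    for domain, ip in observations:
        by_ip[ip].add(refang(domain))
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def impersonated_network(domain):
    # Name of the ad network (or TDS) a gate hostname mimics, or None.
    host = refang(domain)
    for hint in AD_NETWORK_HINTS:
        if hint in host:
            return hint
    return None


def match_host(host, blocklist):
    # Exact match or subdomain of a listed domain; the leading dot prevents
    # notmakemoneywith.us from matching makemoneywith.us.
    host = host.lower().rstrip('.')
    for bad in blocklist:
        if host == bad or host.endswith('.' + bad):
            return bad
    return None


def scan_dns_log(lines, indicators=GATE_DOMAINS):
    # Each constructed log line is: client_ip qname rcode
    blocklist = [refang(d) for d in indicators]
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, qname = fields[0], fields[1]
        matched = match_host(qname, blocklist)
        if matched:
            hits.append((client, qname, matched))
    return hits


# Constructed sample log lines (not from the post).
SAMPLE_DNS_LOG = [
    '10.0.0.12 makemoneywithus.work NOERROR',
    '10.0.0.12 tracker.usemoney.xyz NOERROR',
    '10.0.0.31 addons.mozilla.org NOERROR',
    '10.0.0.31 notmakemoneywith.us NXDOMAIN',
    '10.0.0.44 offers.myjobsy.com NOERROR',
]

if __name__ == '__main__':
    for ip, names in cluster_by_server(HOSTING_OBSERVATIONS).items():
        print(ip, 'hosted', ', '.join(names))
    for d in GATE_DOMAINS:
        net = impersonated_network(d)
        if net:
            print(d, 'mimics', net)
    for client, qname, matched in scan_dns_log(SAMPLE_DNS_LOG):
        print(client, 'queried', qname, '-> IOC', matched)
```

Subdomain-aware matching matters here because the post lists both parent domains and hosts under them (myjobsy[.]com and offers[.]myjobsy[.]com, usemoney[.]xyz and tracker[.]usemoney[.]xyz); the leading-dot check keeps look-alike registrations that merely end in the same string from producing false positives. The gate and template servers are listed by address, so those go against proxy or firewall logs rather than DNS query names.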
Their latest social engineering scheme could still use some improvements: the template contains some blatant typos, and the server-side infrastructure could be tidied up.\r\nIndicators of Compromise\r\nIP addresses (malvertising domains, gates)\r\n185.220.35.26\r\n188.225.75.54\r\n185.220.33.3\r\n185.230.140.210\r\nIP addresses (fake template)\r\n188.227.107.121\r\n188.227.107.92\r\nDomains (malvertising domains, gates)\r\nadcashtds2[.]xyz\r\nadcashtdssystem[.]site\r\nadsinside[.]xyz\r\nadsterramagic[.]me\r\nadstexx[.]xyz\r\nallmagnew[.]xyz\r\nalltomag[.]xyz\r\nan-era[.]shop\r\nankgomag[.]xyz\r\nanklexit[.]online\r\nankltrafficexit[.]xyz\r\nankmagicgo[.]xyz\r\nblackexit[.]xyz\r\nccgmaining[.]life\r\nccgmaining[.]live\r\nccgmaining[.]work\r\nclickadusweep[.]vip\r\nclickadusweeps[.]vip\r\nclickadutds[.]xyz\r\nclicksdeliveryserver[.]space\r\nclicktds2[.]xyz\r\ncryptomoneyinside[.]xyz\r\ncryptomoneyinsider[.]biz\r\ncryptomoneyinsider[.]link\r\ncryptomoneyinsider[.]site\r\ncryptomoneyinsider[.]work\r\ncryptomoneyinsiders[.]com\r\ncryptomoneyinsiders[.]site\r\ncryptomoneyinsiders[.]work\r\ncryptomoneytds[.]xyz\r\ncryptopaycard[.]shop\r\ncryptosuite[.]pro\r\ncryptosuitetds[.]com\r\ncryptotraffic[.]vip\r\ncryptotraffictds[.]online\r\ncryptotraffictdss[.]xyz\r\ncryptozerotds[.]xyz\r\ndaiichisankyo-hc[.]live\r\nearncryptomoney[.]info\r\nexitmagall[.]xyz\r\nextradeliverytraffic[.]com\r\nextramoneymaker[.]vip\r\nfamilylabs[.]xyz\r\nfujimi[.]fun\r\ngettime[.]xyz\r\nhilldeliveryexit[.]xyz\r\nhillex[.]xyz\r\nhilllandings[.]xyz\r\nhillmag[.]xyz\r\nhillmagnew[.]xyz\r\nhilltopmagic[.]xyz\r\nhilltoptds[.]xyz\r\nhilltoptdsserver[.]xyz\r\nhilltoptdsservers[.]fun\r\nhilltoptrafficdelivery[.]com\r\nhilltoptrafficdelivery[.]xyz\r\njillstuart-floranotisjillstu[.]art\r\nk-to-kd[.]me\r\nkeitarotrafficdelivery[.]com\r\nkeitarotrafficdelivery[.]xyz\r\nlahsahal[.]site\r\nmagcheckall[.]me\r\nmagicadss[.]xyz\r\nmagicadsterra[.]xyz\r\nmagicclickadu[.]xyz\r\nmagickhill[.]xyz\r\nmagickpeoplenew[.]xyz\r\nmagicpopcash[.]xyz\r\nmagicpropeller[.]xyz\r\nmagicself[.]xyz\r\nmagiczero[.]xyz\r\nmakemoneyeazzywith[.]me\r\nmakemoneynowwith[.]me\r\nmakemoneywith[.]us\r\nmakemoneywithus[.]work\r\nmizuno[.]casa\r\nmoney365[.]xyz\r\nmyallexit[.]xyz\r\nmyjobsy[.]com\r\nnawa-store[.]com\r\nnewallfrommag[.]xyz\r\nnewzamenaadc[.]xyz\r\nnewzamenaclick[.]xyz\r\nnewzamenaself[.]xyz\r\nnewzamenazero[.]xyz\r\nnippon-mask[.]site\r\nnorthfarmstock[.]xyz\r\noffers[.]myjobsy[.]com\r\noffersstudioex[.]live\r\nopenphoto[.]xyz\r\npartners[.]usemoney[.]xyz\r\nprelandingpages[.]xyz\r\npromodigital[.]me\r\npropellermagic[.]xyz\r\nsberbank[.]hourscareer[.]com\r\nsberjob[.]hourscareer[.]com\r\nselfadtracker1[.]online\r\nselfadtrackerexit[.]xyz\r\nselftraffictds[.]xyz\r\nselfyourads[.]xyz\r\nshop[.]mizuno[.]casa\r\nsupersports[.]fun\r\nsurprise[.]yousweeps[.]vip\r\ntracker[.]usemoney[.]xyz\r\ntraffic[.]selfadtracker1[.]online\r\ntraffic[.]usemoney[.]xyz\r\ntrafficdeliveryclick[.]xyz\r\ntrafficdeliveryoffers[.]com\r\ntrafficdeliverysystem[.]world\r\ntraffictrackerself[.]xyz\r\ntryphoto[.]xyz\r\ntrytime[.]xyz\r\nusehouse[.]xyz\r\nusemoney[.]life\r\nusemoney[.]xyz\r\nymalljp[.]com\r\nyousweeps[.]vip\r\nzamenaad[.]xyz\r\nzamenaclick[.]xyz\r\nzamenahil[.]xyz\r\nzamenazer[.]xyz\r\nzapasnoiadc[.]xyz\r\nzapasnoiclick[.]xyz\r\nzapasnoiself[.]xyz\r\nzapasnoizero[.]xyz\r\nzermag[.]xyz\r\nzernewmagcheck[.]xyz\r\nzerocryptocard[.]shop\r\nzeroexit[.]xyz\r\nzerok2exit[.]xyz\r\nzeroparktraffic[.]xyz\r\nzeroparktrakeroutside[.]shop\r\nzerotdspark[.]space\r\nzerotracker[.]shop\r\nReferences\r\nhttps://twitter.com/MBThreatIntel/status/1483235125827571715\r\nhttps://twitter.com/MBThreatIntel/status/1361824286499950601\r\nhttps://twitter.com/malware_traffic/status/1412128664721014785\r\nhttps://twitter.com/malware_traffic/status/1357513424566124548\r\nhttps://twitter.com/FaLconIntel/status/1351739449932083200\r\nhttps://twitter.com/tkanalyst/status/1226125887256416256\r\nhttps://twitter.com/david_jursa/status/1346562997305696262\r\nhttps://twitter.com/nao_sec/status/1334289601125445633\r\nhttps://twitter.com/FaLconIntel/status/1298661757943087105\r\nhttps://twitter.com/nao_sec/status/1294871134001799168\r\nhttps://twitter.com/david_jursa/status/1232996830520193024\r\nhttps://twitter.com/david_jursa/status/1229354505583628288\r\nhttps://twitter.com/nao_sec/status/1211975197219151876\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/"
	],
	"report_names": [
		"makemoney-malvertising-campaign-adds-fake-update-template"
	],
	"threat_actors": [],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61da2c6f029649eafb2cc35c4c1be7b795a7d638.pdf",
		"text": "https://archive.orkl.eu/61da2c6f029649eafb2cc35c4c1be7b795a7d638.txt",
		"img": "https://archive.orkl.eu/61da2c6f029649eafb2cc35c4c1be7b795a7d638.jpg"
	}
}