{
	"id": "d5c22080-b579-467b-a591-158d33adba73",
	"created_at": "2026-04-06T00:18:43.727883Z",
	"updated_at": "2026-04-10T03:22:05.407181Z",
	"deleted_at": null,
	"sha1_hash": "a47abaf4da7764511f0ee6dbe2a1d60f4790ac5a",
	"title": "CSS-JS Steganography in Fake Flash Player Update Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2933190,
	"plain_text": "CSS-JS Steganography in Fake Flash Player Update Malware\r\nBy Denis Sinegubko\r\nPublished: 2020-11-02 · Archived: 2026-04-06 00:02:46 UTC\r\nThis summer, MalwareBytes researcher Jérôme Segura wrote an article about how criminals use image files (.ico)\r\nto hide JavaScript credit card stealers on compromised e-commerce sites.\r\nIn a tweet, Affable Kraut also reported another similar obfuscation technique using .ico files to conceal JavaScript\r\nskimmers.\r\nFrom the sample in his tweet, the “www.google-analytics.com” URL is clearly visible within the malicious script.\r\nHowever, this script was only used as a dictionary of characters to build a URL for the real payload\r\n(priangan[.]com/wp-content/languages/blogid/favicon.ico and lebs[.]site/favicon.ico in other variations).\r\nSteganography in CSS\r\nBoth of these two cases conceal malware within real, benign files — a technique referred to as steganography.\r\nDuring a recent investigation this October, we came across another interesting variant leveraging the same\r\ntechnique. Instead of loading .ico files and extracting JavaScript from the EXIF data, however, the malware was\r\nfound nestled within a .css file.\r\nThe script, which was almost identical to the one found in Affable Kraut’s tweet, had been injected at the bottom\r\nof the .js files wp-includes/js/wp-emoji-release.min.js, wp-includes/js/jquery/jquery.js, and at the top of\r\nindex.php as seen below.\r\nInfected index.php\r\nThis time, the //static.xx.fbcdn.net[.]com/plrhg URL was easily seen in plain text.\r\nhttps://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html\r\nPage 1 of 11\n\nThe string visually resembles a real URL used by Facebook: //static.xx.fbcdn.net. However, in reality the\r\nstatic.xx.fbcdn.net[.]com (with extra .com) does not even exist. Its presence serves as a red herring: its real\r\npurpose is to provide a character dictionary to build the real malicious URL, which this script tries to load via\r\nXMLHttpRequest: “//polobear[.]shop/fonts.css”\r\nSince .css is just a text file, how can someone conceal malicious code in it? This part of the injected script\r\nexplains it:\r\nCSS to JavaScript algorithm\r\nThe algorithm takes the part after the last “}” in the requested .css, splits it into pieces separated by spaces, and\r\nthen uses those pieces to construct the binary representation of character codes, converting them to real characters\r\nusing the fromCharCode function.\r\nThis method essentially constructs the JavaScript function character by character, which is then executed once the\r\nwhole file is processed.\r\nDemonstration of How It Works\r\nTo further illustrate this example, let’s review the fonts.css file containing the malicious payload:\r\nContents of polobear[.]shop/fonts.css\r\nAt first glance, there really doesn’t appear to be anything suspicious here. Just some benign CSS rules.\r\nThere are, however, many empty lines at the bottom of the file. Very many. 56,964 empty lines! And the size of\r\nthis small fonts.css file is about 150 Kilobytes!\r\nEmpty lines are normally ignored by browsers and CSS parsers. While strange, this is still absolutely benign in\r\nnormal circumstances. However, we know that this malware uses the file not as CSS but as a source of\r\nJavaScript code — and its binary representation is concealed by sequences of tab and non-tab characters.\r\nRevealing the Code\r\nIf we select the empty lines after the last “}” character in a text editor, another story is revealed:\r\nSelecting invisible contents in text editor\r\nLooks like Morse code with sequences of dots and dashes, doesn’t it?\r\nWhen reviewed in hex, it appears like this:\r\nHex view of fonts.css\r\nHere you can explicitly see that the lines are not that empty. They consist of sequences of tabs (09), spaces (20)\r\nand line feeds (0A).\r\nIn these sequences, spaces work as delimiters between individual bytes (characters). Tabs and line feeds form\r\nbinary representations of characters, where tab is 1 and line feed is 0.\r\nFor example, the first encoded character after the last “}” is 09-09-09-0A-09-09, which can be converted to the\r\nbinary “111011”. This is equal to decimal 59, which is the character code for “;” (semicolon).\r\nConverting Empty Lines to JavaScript Code\r\nUsing this algorithm, we decoded all the 56,964 lines and got 20,233 bytes of this malicious JavaScript code:\r\nResult of conversion of empty lines to JavaScript code\r\nInteresting — it’s the same WiseLoop JS Obfuscation that is found in EXIF metadata of .ico files used by web\r\nskimmers! In this case, however, it didn’t turn out to be a credit card skimmer.\r\nFake Flash Player updates\r\nHere’s the decoded version of the script:\r\nDecoded script obtained from fonts.css\r\nWhat the decoded script does is create an iframe from lopiax[.]us with a fake Flash Player update\r\nrecommendation.\r\nFake Flash Player update notification\r\nWhile Flash Player is reaching end of life on December 31, 2020 and all major browsers will stop supporting it in\r\na couple of months, Flash Player updates are still quite a popular lure for social engineering attacks that trick people\r\ninto installing malware on their computers.\r\nThis particular popup seems to be related to what MalwareBytes calls the Domen social engineering kit.\r\nThe only way to get rid of this popup is to click on the Update button. This initiates a download of the\r\nadobeflpl_installer.zip file with an HTA file with VB script that uses PowerShell to download malicious .exe and\r\n.dll files (including the NetSupport RAT).\r\nThe download link changes quite often, pointing to malicious files on various compromised sites.\r\nThe zip files also change in size, but are still reliably detected by many antiviruses.\r\nVirusTotal detections\r\nRevelations of the polobear[.]shop Site\r\nThis malware is not a leftover from some old attack. It’s pretty recent because the domain polobear[.]shop was\r\nregistered just a few weeks ago on October 9th, 2020.\r\nThe site is not properly protected, and we can see directories and files hosted there.\r\nFile listing on polobear[.]shop\r\nIn the /tmp/active directory, you can see IP addresses of computers attacked by this malware in real time. Around\r\n5-10 new IPs are typically listed every few seconds.\r\nIPs of attacked computers\r\nImportant files\r\nGenerate.php\r\nThe generate.php file is responsible for the generation of JavaScript code which attackers inject into\r\ncompromised websites.\r\ngenerate.php\r\nThe script’s interface shows that the generated code has been defined to work for the polobear[.]shop domain.\r\nAttackers can choose a version with or without the “Anti-Debug” feature. As an Anti-Debug mechanism, the\r\nscript puts the main functionality into the requestAnimationFrame function callback.\r\nThe CSS-JS name tells us that the script was specifically designed to work with CSS files as the source of the JS\r\npayload.\r\nOn every load of the generate.php script, variable names randomly change — leaving the remaining parts of the\r\ncode intact.\r\nGate.php\r\nGate.php is a common name for data exfiltration scripts used by web skimmers. In this case, however, this is the\r\nfile that generates the fonts.css response with a payload concealed by tabs, spaces and line feeds.\r\nMost likely this is accomplished by an .htaccess rule for .css files, since fonts.css is not present in the file list.\r\nMoreover, when a request to fonts.css is considered unwanted by the malware, a “The requested URL was\r\nnot found on this server” page with a 200 response code is displayed — instead of the 404 that you get for any\r\nother types of really nonexistent pages on the site.\r\nGeoIP.dat (1).zip\r\nAccording to the timestamp found on the /index page, the first file uploaded to the site was GeoIP.dat (1).zip.\r\nThis occurred on October 9th, 2020 — the same date the polobear[.]shop domain was registered.\r\nThe zip archive contains three files: geoip.inc, GeoIP.dat (both created on Sept 3, 2020) and index.php (Oct 1,\r\n2020). The first two files belong to a GeoIP library which helps identify the geographic origin of the requests.\r\nThe index.php file is more interesting, though. It’s a boilerplate script for fake Flash Player update attacks. The\r\nscript checks to ensure that a visitor is not a bot and comes from an eligible country (in this file it’s: USA, Italy,\r\nGermany, UK and Canada).\r\nIf the user agent and geographic location match the success criteria, then a web page is displayed with the Flash\r\nPlayer update warning.\r\nCode that generates fake Flash Player Update warnings\r\nActual download links are not present in the file. These must be specified by the attacker whenever they prepare a\r\nnew download location. Most likely, something similar currently works on the lopiax.us site.\r\n162.0.235[.]12 Server\r\nAt this moment, polobear[.]shop is hosted on the server IP 162.0.235[.]12 which belongs to Namecheap Inc.\r\nA quick search shows that this IP address is associated with multiple phishing sites:\r\nLast seen domains hosted on 162.0.235[.]12\r\nWe found a number of active phishing sites targeting many popular platforms:\r\nPayPal: tierretyr[.]live and Pp-login-alert[.]com.\r\nDocusign: dorcsign[.]cloud, Doscug[.]live.\r\nBanking sites: www.ehb-onlinebank[.]ml, halifax-alerts[.]com, ing-app-nl[.]me.\r\nA hacker admin panel also exists on hxxps://techvita[.]biz/PL341/panel/admin.php (located on the same\r\nserver).\r\nTechvita[.]biz has also been found receiving requests from Windows malware (with detections by Azorult,\r\nLokibot and GuLoader signatures), as seen in this JoeSandbox report.\r\nConclusion\r\nMultiple types of web malware (including web skimmers and social engineering malware droppers) have recently\r\nstarted using this same 3-step approach to obfuscation in their attacks.\r\nTo begin, attackers inject an obfuscated script into a compromised environment. Next, the malicious script loads a\r\nseemingly benign file from a remote third-party website — for example, an ICO or CSS file. An obfuscated\r\nmalicious payload concealed within the inconspicuous file is then extracted at whim.\r\nOne distinctive trait of this approach is that the obfuscation algorithms used for each step are very specific and\r\nstay the same — regardless of the type of the attack. This suggests that attackers are using the same toolkit\r\ncontaining steganography features to hide the malicious behavior of their injections.\r\nFront-end scripts like the one described for generate.php clearly demonstrate that they were created to be used by\r\nan unlimited number of users. The script allows any bad actors to easily incorporate their payload into an attack by\r\ninstalling it on their own domain, without making any changes to the code — we can assume this feature allows\r\nfor easy monetization and distribution of the malicious toolkit.\r\nAs attackers continue to look for ways to automate their malware campaigns and avoid detection, it’s likely that\r\nwe may see even more attacks using similar steganography-obfuscation approaches.\r\nFor site owners it doesn’t change much though. They should keep their site software up-to-date, employ website\r\nsecurity best practices, and leverage integrity monitoring to detect unwanted changes.\r\nSource: https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html"
	],
	"report_names": [
		"css-js-steganography-in-fake-flash-player-update-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a47abaf4da7764511f0ee6dbe2a1d60f4790ac5a.pdf",
		"text": "https://archive.orkl.eu/a47abaf4da7764511f0ee6dbe2a1d60f4790ac5a.txt",
		"img": "https://archive.orkl.eu/a47abaf4da7764511f0ee6dbe2a1d60f4790ac5a.jpg"
	}
}