{
	"id": "2ae053b4-109d-4432-a980-80d4cd4d300d",
	"created_at": "2026-04-06T00:13:00.836173Z",
	"updated_at": "2026-04-10T13:12:33.537774Z",
	"deleted_at": null,
	"sha1_hash": "afd44adf1849e1227356a12359196c029b2620f4",
	"title": "The many tentacles of Magecart Group 8",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1947777,
	"plain_text": "The many tentacles of Magecart Group 8\r\nBy Threat Intelligence Team\r\nPublished: 2021-09-12 · Archived: 2026-04-05 22:05:49 UTC\r\nThis blog post was authored by Jérôme Segura\r\nDuring the past couple of years online shopping has continued to increase at a rapid pace. In a recent survey done by Qubit, 70.7% of shoppers said they increased their online shopping frequency compared to before COVID-19. Criminals gravitate towards opportunities, and these trends have made digital skimming attacks such as Magecart all the more profitable.\r\nTo protect our customers, we need to constantly look out for novel attacks. Having said that, we sometimes need to check for past ones too. In fact, many threat actors will reuse certain patterns or resources, which allows us to make connections with previous incidents.\r\nOne Magecart group that has left a substantial amount of breadcrumbs from their skimming activity has been documented under various names (Group 8, CoffeMokko, Keeper, FBseo). It is believed to be one of the older threat actors in the digital skimming space.\r\nIn this blog post, we publish a number of connections within their infrastructure usage that we’ve been able to uncover by cross-referencing several data sources.\r\nReconnecting with Magecart Group 8\r\nIn a recent article, RiskIQ researchers unravelled a large part of the infrastructure used by Magecart Group 8 and how they migrated to different hosts, in particular Flowspec and OVH, over time.\r\nWe had been looking at Group 8 also, but starting from a different angle. Back in June we were checking skimmer code that looked somewhat different from anything we could categorize. 
We didn’t think much of it until, in July, Eric Brandel tweeted about a skimmer he called ‘checkcheck’ that was using some interesting new features and was essentially the same thing we had found.\r\nAfter some additional research we noticed that some parts of the code were unique but not new. In particular, the exfiltration of credit card data was using a string swapping function identical to the one used by the ‘CoffeMokko’ family described by Group-IB. In their blog, they mention some overlap with the original Group 1 (RiskIQ) that was eventually merged into what is now Group 8.\r\nFrom there, we were reacquainted with a threat group that we had not seen in a while but that had been busy. There were a number of domain names that were new to us. We rapidly went down a rabbit hole and lost track of the big picture. However, the blog from RiskIQ helped to put some perspective on one part of the infrastructure that we referred to as Flowspec – OVH.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/\r\nPage 1 of 12\n\nMost of the domains and IP addresses have already been covered by RiskIQ. However, we were able to create a mapping that showed some interesting historical connections between well-known past campaigns. In Part 1, we will explore those links.\r\nWe had also uncovered another large part of the infrastructure while reporting our findings on ‘checkcheck’ to Eric Brandel. Then in August, Denis tweeted about some of those domains, which interestingly are old but somehow managed to stay low for a long time. We will review those in Part 2.\r\nPart 1: Flowspec and OVH\r\nThe RiskIQ article describes this part of the infrastructure in great detail. We will review some connecting points that allowed us to rediscover older campaigns. 
Flowspec is a known bulletproof hosting service that has been used not just for skimmers, but also for phishing, ransomware and other malware.\r\n[1] The domain safeprocessor[.]com was hosted at 176.121.14[.]103 (Flowspec) and 178.33.231[.]184 (OVH). It was listed in the indicators of compromise (IOCs) from Gemini Advisory’s “Keeper” Magecart Group Infects 570 Sites blog post. On the same OVH IP is the domain foodandcot[.]com, listed in the IOCs section for Group-IB’s Meet the JS-Sniffers 4: CoffeMokko Family.\r\n[2] scriptopia[.]net was also on 176.121.14[.]103 (Flowspec) and 178.33.71[.]232 (OVH). The domain was spotted by Dmitry Bestuzhev on the website for a Chilean wine. Other domains on that IP were also caught by Rommel.\r\n[3] mirasvit[.]net shares the same registrant as scriptopia[.]net. It was hosted at 194.87.144[.]10 and 176.121.14[.]143 (Flowspec). That IP address came across Denis’ radar in a tweet and was largely covered by RiskIQ.\r\n[4] shourve[.]com shares the same registrant as the other skimmer domains hosted at 178.33.71[.]232. It was hosted at 5.135.247[.]142. On that same IP is adaptivestyles[.]com, which shared the same registrant as scriptopia[.]net, and fileskeeper[.]org, from which Gemini Advisory derived the name of their blog post.\r\n[5] stairany[.]com, hosted at 5.135.247[.]141 (OVH), appeared in a report by CSIS Group. Another domain on that IP address is clipboardplugin[.]com, which was mentioned by Félix Aimé along with a screenshot of a carding website.\r\n[6] csjquery[.]com shares the same registrant as stairany[.]com and is hosted at 169.239.129[.]35 (ZAPPIE-HOST). 
On that IP are hundreds of carding sites.\r\n[7] zoplm[.]com, hosted at 37.59.47[.]208 (OVH) and 51.83.209[.]11 (OVH), shares the same registrant as cigarpaqe[.]com and fleldsupply[.]com, mentioned in our blog post on homoglyph domains.\r\n[8] 176.121.14[.]189 (Flowspec) was covered by RiskIQ for its number of skimmer domains that later moved to Velia.net hosting.\r\nPart 2: ICME and Crex Fex Pex\r\nThis bit of infrastructure was interesting because it tied back to activity we saw from domains like jquery[.]su. This was actually the starting point of our investigation, which eventually led to Part 1: Flowspec and OVH and back to Group 8.\r\nCrex Fex Pex (Крекс-фекс-пекс) refers to a Russian play with a character that looks like Pinocchio. However, in our case it is a bulletproof hoster that has seen significant skimmer activity.\r\n[1] gstaticx[.]com was hosted at 217.8.117[.]166 (Crex Fex Pex) and 185.246.130[.]169 (ICME). We can see a recent compromise here, and the skimmer (which uses that character swapping function) in particular here.\r\n[2] googletagnamager[.]com, hosted at 217.8.117[.]141 (Crex Fex Pex), shared the same registrant as gstaticx[.]com. Interestingly, one version of this skimmer from googletagnamager[.]com/ki/x19.js loaded JavaScript from jquery[.]su.\r\nWe can find a similar path structure at jquery[.]su/ki/x2.js, which also references the same min-1.12.4.js script. A version of this script can be seen here (capture).\r\n[3] The domain jquery[.]su was registered by alexander.colmakov2017@yandex[.]ru. The same email address was used to register serversoftwarebase[.]com, which is connected to brute force attacks against various CMS. 
In that blog post, we mention googletagmanager[.]eu, hosted at 185.68.93[.]22, which is associated with a campaign against MySQL/Adminer.\r\n[4] googletagmanages[.]com has the same registrant as googletagnamager[.]com. Contrary to the other domains we’ve seen so far, this one is on Amazon. Reviewing the IP addresses which hosted it (AS14618-Amazon), we find hundreds of typosquat domains for skimming (see IOCs section for list). It seems though that most were not used, perhaps just kept for a rainy day.\r\nDigital skimming artifacts\r\nWhile checking this infrastructure we came across a number of artifacts related to web skimming activity, including webshells, panels, and other tools. With such a sprawling network, it’s not hard to imagine that the criminals themselves may have a tough time keeping track of everything they have.\r\nTracking digital skimmers is a time-consuming effort where one might easily get lost in the noise. Criminals are constantly setting up new servers and moving things around. In addition, with the help of bulletproof services, they make it difficult to disrupt their infrastructure.\r\nHowever, we and many researchers regularly publish information that helps to identify and block new domains and IP addresses. We also work with law enforcement and have reported many of these artifacts, in particular the stolen customer data. 
Finally, we also notify merchants, although too many are still unaware of this threat and lack the proper contact details.\r\nMalwarebytes customers are protected against digital skimmers thanks to the web protection module available in our consumer and enterprise products.\r\nIndicators of Compromise (IOCs)\r\nSkimmer domains\r\nadaptivestyles[.]com\r\nagilityscripts[.]com\r\namazonawscdn[.]com\r\nanduansury[.]com\r\nankese[.]com\r\nassetstorage[.]net\r\nbootstrapmag[.]com\r\nbraincdn[.]org\r\ncdncontainer[.]com\r\ncdnforplugins[.]com\r\nchatajax[.]com\r\ncigarpaqe[.]com\r\nclipboardplugin[.]com\r\ncsjquery[.]com\r\ndevlibscdn[.]com\r\nfileskeeper[.]org\r\nfleldsupply[.]com\r\nfoodandcot[.]com\r\nfreshchat[.]info\r\nfreshdepor[.]com\r\nfrocklay[.]com\r\ngoogle-adware[.]com\r\nhottrackcdn[.]com\r\nhqassets[.]com\r\njquery-apl[.]com\r\njqueryalert[.]com\r\njqueryapiscript[.]com\r\njsassets[.]net\r\njsvault[.]net\r\nmage-checkout[.]org\r\nmagento-info[.]com\r\nmagento-stores[.]com\r\nmagento-updater[.]com\r\nmechat[.]info\r\nmirasvit[.]net\r\npanelsaveok[.]com\r\npaypaypay[.]org\r\npayprocessor[.]net\r\npushcrew[.]pw\r\nsafeprocessor[.]com\r\nsagecdn[.]org\r\nsainester[.]com\r\nscriptdesire[.]com\r\nscriptopia[.]net\r\nsecure4d[.]net\r\nsecurity-magento[.]com\r\nsecurity-payment[.]su\r\nsecurityscr[.]com\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/\r\nPage 6 of 
12\n\nseoagregator[.]com\r\nshoppersbaycdn[.]com\r\nshourve[.]com\r\nslickjs[.]org\r\nspeedtransaction[.]com\r\nspotforassets[.]com\r\nstairany[.]com\r\nswappastore[.]com\r\ntheresevit[.]com\r\nunderscorefw[.]com\r\nv2-zopim[.]com\r\nverywellfitnesse[.]com\r\nw3schooli[.]com\r\nwebadstracker[.]com\r\nwebscriptcdn[.]com\r\nwinqsupply[.]com\r\nwordpress-scripts[.]com\r\nzoplm[.]com\r\nadwords-track[.]com\r\nadwords-track[.]top\r\ncarders[.]best\r\ncdn-secure[.]net\r\nclickinks-api[.]com\r\ndrhorveys[.]com\r\ndrnarveys[.]com\r\nfaviconx[.]com\r\nfont-staticx[.]com\r\nfonts-googleapi[.]com\r\nfontsctatic[.]com\r\nfontsctaticx[.]com\r\nfontsgoooglestatic[.]com\r\nfontstatics[.]com\r\nfontstaticx[.]com\r\nfrontstatics[.]com\r\ng-staticx[.]com\r\nga-track[.]com\r\ngctatic[.]com\r\ngctatics[.]com\r\ngoogle-tagmanager[.]com\r\ngoogleatagmanager[.]com\r\ngooglestag[.]com\r\ngooglestaticx[.]com\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/\r\nPage 7 of 12\n\ngooglestatix[.]com\r\ngoogletagmahager[.]com\r\ngoogletagmamager[.]com\r\ngoogletagmanagen[.]com\r\ngoogletagmanages[.]com\r\ngoogletagnamager[.]com\r\ngoogletaqmanager[.]com\r\ngoogletaqmanaqer[.]com\r\ngstaticx[.]com\r\ngstaticxs[.]com\r\nhs-scrlpts[.]com\r\njquery-statistika[.]info\r\njquery[.]su\r\nscaraabresearch[.]com\r\nstaticzd-assets[.]com\r\nv2zopim[.]com\r\nvalidcvv[.]ru\r\nRelated IP 
addresses\r\n169[.]239[.]129[.]35\r\n176[.]121[.]14[.]103\r\n176[.]121[.]14[.]143\r\n176[.]121[.]14[.]189\r\n178[.]33[.]231[.]184\r\n178[.]33[.]71[.]232\r\n194[.]87[.]144[.]10\r\n37[.]59[.]47[.]208\r\n5[.]135[.]247[.]141\r\n5[.]135[.]247[.]142\r\n51[.]83[.]209[.]11\r\n54[.]38[.]49[.]244\r\n185[.]209[.]161[.]143\r\n185[.]246[.]130[.]169\r\n193[.]105[.]134[.]147\r\n217[.]8[.]117[.]140\r\n217[.]8[.]117[.]141\r\n217[.]8[.]117[.]166\r\n5[.]188[.]44[.]32\r\n74[.]119[.]239[.]234\r\n76[.]119[.]1[.]112\r\n91[.]215[.]152[.]133\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/\r\nPage 8 of 12\n\nTyposquat\r\ngoogheusercontent[.]com\r\ngooglatagmanager[.]com\r\ngooglausercontent[.]com\r\ngoogle5sercontent[.]com\r\ngoogleafalytics[.]com\r\ngoogleanadytics[.]com\r\ngoogleanahytics[.]com\r\ngoogleanal9tics[.]com\r\ngoogleanalxtics[.]com\r\ngoogleanaly4ics[.]com\r\ngoogleanalydics[.]com\r\ngoogleanalypics[.]com\r\ngoogleanalytacs[.]com\r\ngoogleanalytias[.]com\r\ngoogleanalytibs[.]com\r\ngoogleanalyticc[.]com\r\ngoogleanalyticr[.]com\r\ngoogleanalyticw[.]com\r\ngoogleanalytigs[.]com\r\ngoogleanalytiks[.]com\r\ngoogleanalytkcs[.]com\r\ngoogleanalytmcs[.]com\r\ngoogleanalytycs[.]com\r\ngoogleanalyuics[.]com\r\ngoogleanalyvics[.]com\r\ngoogleanamytics[.]com\r\ngoogleananytics[.]com\r\ngoogleanclytics[.]com\r\ngoogleanelytics[.]com\r\ngoogleanilytics[.]com\r\ngoogleanqlytics[.]com\r\ngoogleaoalytics[.]com\r\ngooglecnalytics[.]com\r\ngoogledagmanager[.]com\r\ngoogleenalytics[.]com\r\ngoogleesercontent[.]com\r\ngoogleinalytics[.]com\r\ngooglepagmanager[.]com\r\ngoogleqnalytics[.]com\r\ngoogleqsercontent[.]com\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/\r\nPage 9 of 
12\n\ngoogletacmanager[.]com\r\ngoogletaemanager[.]com\r\ngoogletag-anager[.]com\r\ngoogletageanager[.]com\r\ngoogletagianager[.]com\r\ngoogletaglanager[.]com\r\ngoogletagmafager[.]com\r\ngoogletagmajager[.]com\r\ngoogletagmalager[.]com\r\ngoogletagmanacer[.]com\r\ngoogletagmanaeer[.]com\r\ngoogletagmanafer[.]com\r\ngoogletagmanagar[.]com\r\ngoogletagmanagdr[.]com\r\ngoogletagmanage2[.]com\r\ngoogletagmanageb[.]com\r\ngoogletagmanagep[.]com\r\ngoogletagmanages[.]com\r\ngoogletagmanagev[.]com\r\ngoogletagmanagez[.]com\r\ngoogletagmanaggr[.]com\r\ngoogletagmanagmr[.]com\r\ngoogletagmanagur[.]com\r\ngoogletagmanaoer[.]com\r\ngoogletagmanawer[.]com\r\ngoogletagmancger[.]com\r\ngoogletagmaneger[.]com\r\ngoogletagmaniger[.]com\r\ngoogletagmanqger[.]com\r\ngoogletagmaoager[.]com\r\ngoogletagmcnager[.]com\r\ngoogletagminager[.]com\r\ngoogletagmqnager[.]com\r\ngoogletagoanager[.]com\r\ngoogletaomanager[.]com\r\ngoogletawmanager[.]com\r\ngoogletcgmanager[.]com\r\ngoogletigmanager[.]com\r\ngoogletqgmanager[.]com\r\ngoogletsercontent[.]com\r\ngoogleu3ercontent[.]com\r\ngoogleuagmanager[.]com\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/\r\nPage 10 of 
12\n\ngoogleucercontent[.]com\r\ngoogleuqercontent[.]com\r\ngoogleurercontent[.]com\r\ngoogleusarcontent[.]com\r\ngoogleusdrcontent[.]com\r\ngoogleuse2content[.]com\r\ngoogleusebcontent[.]com\r\ngoogleusepcontent[.]com\r\ngoogleuseraontent[.]com\r\ngoogleuserbontent[.]com\r\ngoogleusercgntent[.]com\r\ngoogleuserckntent[.]com\r\ngoogleusercmntent[.]com\r\ngoogleusercnntent[.]com\r\ngoogleusercoftent[.]com\r\ngoogleusercojtent[.]com\r\ngoogleusercoltent[.]com\r\ngoogleusercon4ent[.]com\r\ngoogleusercondent[.]com\r\ngoogleuserconpent[.]com\r\ngoogleusercontant[.]com\r\ngoogleusercontdnt[.]com\r\ngoogleuserconteft[.]com\r\ngoogleusercontejt[.]com\r\ngoogleusercontelt[.]com\r\ngoogleuserconten4[.]com\r\ngoogleusercontend[.]com\r\ngoogleusercontenp[.]com\r\ngoogleusercontenu[.]com\r\ngoogleusercontenv[.]com\r\ngoogleuserconteot[.]com\r\ngoogleusercontgnt[.]com\r\ngoogleusercontmnt[.]com\r\ngoogleusercontunt[.]com\r\ngoogleuserconuent[.]com\r\ngoogleusescontent[.]com\r\ngoogleusgrcontent[.]com\r\ngoogleusmrcontent[.]com\r\ngooglevagmanager[.]com\r\ngooglganalytics[.]com\r\ngoogluanalytics[.]com\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/\r\nPage 11 of 12\n\ngooglutagmanager[.]com\r\ngoogmeanalytics[.]com\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/"
	],
	"report_names": [
		"the-many-tentacles-of-magecart-group-8"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afd44adf1849e1227356a12359196c029b2620f4.pdf",
		"text": "https://archive.orkl.eu/afd44adf1849e1227356a12359196c029b2620f4.txt",
		"img": "https://archive.orkl.eu/afd44adf1849e1227356a12359196c029b2620f4.jpg"
	}
}