{
	"id": "a1c423ac-7486-4200-8c3c-bb53d2bf851f",
	"created_at": "2026-04-06T00:13:38.938081Z",
	"updated_at": "2026-04-10T13:11:47.073972Z",
	"deleted_at": null,
	"sha1_hash": "d4ae47b573cb2e6fb9014719b335808a5c624054",
	"title": "The LandUpdate808 Fake Update Variant - Malasada Tech",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3977987,
	"plain_text": "The LandUpdate808 Fake Update Variant - Malasada Tech\r\nBy Aaron Samala\r\nPublished: 2024-07-02 · Archived: 2026-04-05 18:07:05 UTC\r\nDiscover the LandUpdate808 fake update variant, a new cybersecurity threat tracked by our team. This article\r\ndetails its unique delivery chain, payload variations, and indicators of compromise, emphasizing the importance of\r\ndistinguishing it from other fake update variants like SocGholish.\r\nTable of Contents\r\nIntro:\r\nWhy is it being tracked as LandUpdate808?\r\nInitial:\r\nFirst part of the delivery chain:\r\nThe fake update page:\r\nThe payload:\r\nIOCs:\r\nIntro:\r\nThere are a handful of fake update variants. The most popular is SocGholish. We’ve often observed some of the\r\nother fake update variants referred to as SocGholish, but we try to make the distinction. Some of the other variants\r\ninclude Clear Fake and Smart Ape. There’s also a new variant that is being referenced as ClickFix.\r\nhttps://malasada.tech/the-landupdate808-fake-update-variant/\r\nPage 1 of 13\n\nThis collaboration between Casey Kuwada, April Bucaneg, and Aaron Samala introduces the LandUpdate808 Fake\r\nUpdate Variant that we’ve been tracking. The payload for this follows the pattern\r\n“update_DD_MM_YYYY_#######”, and the extension has been observed as either JS, EXE, or MSIX.\r\nWhy is it being tracked as LandUpdate808?\r\nWhen we first started tracking it, it used the two following URIs: /p/land.php and /wp-content/uploads/update.php\r\nin its delivery chain. We added the 808 because we’re from Hawaii, and we add our area code to just about\r\neverything to signal that it’s from Hawaii. Just the other day I was telling my mainland friend about some 808\r\nsandwiches I was eating. 
They were regular sandwiches, but since we here, they’re 808 sandwiches.\r\nThe delivery chain has since changed – it no longer uses /p/land.php for the first stage, and the final step in the\r\ninitial delivery stage has changed from /wp-content/uploads/update.php to /wp-includes/pomo/update.php. We\r\nspeculate that we first started monitoring this variant during its development. The JS code wasn’t obfuscated, and\r\nwe observed them bypassing some of their own filtering methods by hardcoding the IP variable. This intro has drawn\r\non “fir tiw long”, let’s get into it.\r\nInitial:\r\nWhen we found this, we searched whether anyone had already written about it for us to use as a source. We observed\r\nthat Group-IB Threat Intelligence had tweeted some good content here. You can pivot off the domains they provided\r\nand see if you come to the same conclusions.\r\nFirst part of the delivery chain:\r\nThe first part crafts the request for the fake update page loader. The code to perform this task has previously been\r\nobserved in the root HTML, a local jquery-migrate.min.js file, a local theme.min.js file, or most recently in a\r\nremote adcount.js (edveha[.]com).\r\nThis part pulls the victim’s public IP using the Cloudflare trace endpoint, base64-encodes it together with other variables, and places\r\nthose values in the URL of the GET request for the next phase. This stage has been observed requesting content\r\nfrom a remote PHP resource (previously land.php, now a remote js.php). It returns the HTML [if the\r\nrequest meets some unknown filters] that loads the fake update screen, which tries to trick the user into clicking the\r\ndownload button. 
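As an added example (not code from the original post or from Malasada Tech), the following Python triages proxy log lines against the URI patterns of this chain: the adcount.js loader, the land.php / js.php landing request, the get.php domain lookup, and the update.php payload paths. It also base64-decodes any query or path values it finds, since the landing request carries btoa()-encoded fields. The log lines, the client address, the parameter names os/ip/ref and the digits-only reading of the update_DD_MM_YYYY_####### payload name are constructed assumptions for the demo, not observed data.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Stage -> URI path pattern, taken from the chain described in the post.
# Patterns match anywhere in the path because early samples carried encoded
# values in the URI path itself. Written with [0-9] and [.] instead of
# regex escapes so the block also sits cleanly inside this JSON record.
STAGE_PATHS = [
    ('loader', re.compile(r'/adcount[.]js')),
    ('landing', re.compile(r'/(?:p/land|js)[.]php')),
    ('domain-lookup', re.compile(r'/h/get[.]php')),
    ('payload', re.compile(r'/wp-(?:content/(?:upgrade|uploads)|includes/pomo)/update[.]php')),
]

# Payload name pattern from the post, update_DD_MM_YYYY_#######; treating the
# trailing # run as digits is an assumption.
PAYLOAD_NAME = re.compile(r'^update_[0-9]{2}_[0-9]{2}_[0-9]{4}_[0-9]+[.](?:js|exe|msix)$',
                          re.IGNORECASE)


def decode_b64_text(value):
    '''Return value base64-decoded to printable ASCII, or None if it is not base64.'''
    s = value.strip()
    if len(s) < 4 or not re.fullmatch(r'[A-Za-z0-9+/=]+', s):
        return None
    s += '=' * (-len(s) % 4)  # tolerate padding stripped by the loader
    try:
        text = base64.b64decode(s, validate=True).decode('ascii')
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def classify_url(url):
    '''Map a URL to a LandUpdate808 stage and recover any base64-carried values.'''
    parts = urlsplit(url)
    stage = next((name for name, rx in STAGE_PATHS if rx.search(parts.path)), None)
    if stage is None:
        return None
    decoded = {}
    for key, val in parse_qsl(parts.query):
        text = decode_b64_text(val)
        if text is not None:
            decoded[key] = text
    for seg in parts.path.split('/'):  # encoded values seen in the path in early samples
        text = decode_b64_text(seg)
        if text is not None:
            decoded['path:' + seg[:8]] = text
    return {'stage': stage, 'host': parts.hostname, 'path': parts.path, 'decoded': decoded}


def triage(log_lines):
    '''Scan whitespace-separated client/method/url lines; return hits in log order.'''
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        info = classify_url(fields[2])
        if info:
            info['client'] = fields[0]
            hits.append(info)
    return hits


def build_sample_log():
    '''Constructed proxy log, not captured traffic. The landing request carries
    btoa()-style values for OS, public IP and referrer, as the post describes.'''
    def enc(s):
        return quote(base64.b64encode(s.encode()).decode(), safe='')
    landing = ('https://edveha.com/js.php?os=' + enc('Windows')
               + '&ip=' + enc('203.0.113.7') + '&ref=' + enc('https://razzball.com/'))
    return [
        '10.0.0.5 GET https://razzball.com/',
        '10.0.0.5 GET https://edveha.com/adcount.js',
        '10.0.0.5 GET ' + landing,
        '10.0.0.5 GET https://septicfl.com/h/get.php',
        '10.0.0.5 GET https://example.net/wp-content/uploads/2024/06/photo.jpg',
        '10.0.0.5 GET https://wildwoodpress.org/wp-includes/pomo/update.php',
    ]


if __name__ == '__main__':
    for hit in triage(build_sample_log()):
        print(hit['client'], hit['stage'], hit['host'] + hit['path'], hit['decoded'])
    # The get.php response quoted in the post decodes to the next landing host.
    print(decode_b64_text('aHR0cHM6Ly9hc2hsZXlwdWVybmVyLmNvbS9w'))
```

Run it directly to print the recovered stages and decoded fields; for real proxy or Zeek http logs, adapt the field positions in triage(). A lone hit on a compromised site is weak evidence, but a landing request whose query decodes to an OS string, a public IP and a referrer is a strong match for this chain, and a following update.php download with a file name matching PAYLOAD_NAME should be pulled for analysis.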
The early observed samples show the code was not obfuscated, which made it much easier to\r\nunderstand.\r\nIt appears that the land.php endpoint was actor-owned in the beginning.\r\nThe snip below shows the callout to “https://www.cloudflare.com/cdn-cgi/trace”. The returned object will be\r\nparsed for the user’s public IP, and that will be encoded and used in the URI path of the next request. The snip is\r\nfrom https://urlscan.io/responses/1c7a68c7d4560860ee83d0f10a7e93000eb2d213d7e72dffef784d7b81ffefc7/\r\nThe snip below shows the function to get the OS, then it generates a request to land.php with the btoa values of\r\nthe uDevice(OS), IP, refferer [sic], UA, domain, and location in the URL value. The snip is also from\r\nhttps://urlscan.io/responses/1c7a68c7d4560860ee83d0f10a7e93000eb2d213d7e72dffef784d7b81ffefc7/\r\nThe snip above shows the early stages of it when we suspect the actor was actively developing this delivery chain.\r\nThe code for this part is now obfuscated. Also, it now generates a request to an external js.php resource, as\r\nobserved in the snip below.\r\nIn later variations, we’ve observed the domain is no longer hard-coded. To get the domain, there is a callout to a\r\nremote get.php resource.\r\nThe snip below shows the network tab showing these requests.\r\nThe snip below shows the code to open a request to the B64 decoded value of requestD.\r\nThe snip below shows the CyberChef output decoding the string.\r\nsepticfl[.]com/h/get.php was observed serving the response “aHR0cHM6Ly9hc2hsZXlwdWVybmVyLmNvbS9w”,\r\nwhich decodes to the undefanged form of “https[:]//ashleypuerner[.]com/p”.\r\nAfter the code is executed, a cookie is added. 
In some variations it is the isDone value, and in other variations it is\r\nthe isVisited11 value. The snip below shows the isDone value being set to true after the execution.\r\nThe cookie is set to expire in 4 days. When the victim re-accesses the compromised domain, the code first checks whether\r\nthe cookie already exists. If it does, it does not perform the follow-on tasks.\r\nHere are some snips below showing the cookie operations.\r\nIn early iterations, if the delivery failed, the page would turn blank because the code rewrote the HTML content with\r\nnothing. Because the cookie is set before that point, the cookie check let the user load the compromised site normally by refreshing the page.\r\nIn newer iterations, the actor has implemented code to handle the failed request. In the snip below, we observe that\r\nit now prints “JQUERY is installed” to the console, and then reloads the page.\r\nThe fake update page:\r\nWe have observed the following basic, no-frills fake update page.\r\nThe link target was first observed to be a resource that ends with /wp-content/upgrade/update.php, but it has more\r\nrecently been observed using /wp-includes/pomo/update.php.\r\nThe payload:\r\nThe payload was initially observed as a JS file, but it has also been observed as an EXE and an MSIX, and then back\r\nto an EXE file. It appears the operators change the file type around every few weeks.\r\nIt appears that the endpoint serving the payload may be actor-controlled.\r\nOne of the JS payload variations appeared to be a downloader that loaded the next stage from\r\ndovuzu3rz[.]top/1.php?s=spam. 
However, at the time of testing, it appeared that the domain was down.\r\nOne variation of the EXE payload was observed in ANY.RUN triggering the ET alert “Neshta Variant Related\r\nActivity”. This occurred when the sample beaconed to 64[.]95[.]10[.]243/api/mytest.\r\nThe payloads deserve more attention, but we’ve decided to keep the focus of this effort on the delivery chain.\r\n“That was by design”. We’ve included a list of hashes in the IOCs below. We’ve confirmed each hash is in VT for\r\nyour perusal.\r\nIOCs:\r\nDomains:\r\nSuspected compromised domains that initiate requests for the fake update content:\r\nrazzball[.]com =\u003e edveha[.]com/adcount.js (as of 28JUN24)\r\nmonitor[.]icef[.]com =\u003e uhsee[.]com/p/land.php (as of 08MAY24)\r\nmonitor[.]icef[.]com =\u003e septicfl[.]com/h/get.php (as of 04JUN24)\r\ncareers-advice-online[.]com =\u003e uhsee[.]com/p/land.php (as of 26MAY24)\r\nwww[.]ecowas[.]int =\u003e edveha[.]com/adcount.js (as of 13JUN24)\r\n   Note: this domain was previously observed delivering SocGholish (SG) via the delivery chain: www[.]ecowas[.]int =\u003e\r\negisela[.]com (Keitaro TDS) =\u003e event[.]coachgreb[.]com (SocGholish domain) (as of 13MAR24)\r\nsixpoint[.]com =\u003e zoomzle[.]com/p/land.php (as of 10JUN24)\r\nsixpoint[.]com =\u003e elamoto[.]com/p/land.php (as of 07APR24)\r\nwww[.]eco-bio-systems[.]de =\u003e kongtuke[.]com/p/land.php (as of 26MAY24)\r\nevolverangesolutions[.]com =\u003e uhsee[.]com/p/land.php (as of 04JUN24)\r\nwww[.]natlife[.]de =\u003e kongtuke[.]com/p/land.php (as of 22JUN24)\r\nwww[.]sunkissedindecember[.]com =\u003e uhsee[.]com/p/land.php (as of 30MAY24)\r\nfajardo[.]inter[.]edu =\u003e kongtuke[.]com/p/land.php (as of 27APR24)\r\nfup[.]edu[.]co =\u003e kongtuke[.]com/p/land.php (as of 27APR24)\r\nlauren-nelson[.]com =\u003e elamoto[.]com/p/land.php (as of 30MAY24)\r\nwww[.]netzwerkreklame[.]de =\u003e kongtuke[.]com/p/land.php (as of 10JUN24)\r\ndigimind[.]nl =\u003e kongtuke[.]com/p/land.php (as of 21JUN24)\r\nwww[.]itslife[.]in =\u003e kongtuke[.]com/p/land.php (as of 29MAY24)\r\necohortum[.]com =\u003e kongtuke[.]com/p/land.php (as of 29MAY24)\r\nwww[.]thecreativemom[.]com =\u003e uhsee[.]com/p/land.php (as of 21MAY24)\r\nbackalleybikerepair[.]com =\u003e uhsee[.]com/p/land.php (as of 24JUN24)\r\nwww[.]mocanyc[.]org =\u003e uhsee[.]com/p/land.php (as of 22MAY24)\r\nwww[.]mocanyc[.]org =\u003e edveha[.]com/adcount.js (as of 01JUL24)\r\nwww[.]acsmaterial[.]com: we were unable to confirm this domain; we added it because the excerpt\r\nin the snip below shows that it once included the code. By the time we accessed it, it no longer had the\r\nLandUpdate808 code, as seen below.\r\nwww[.]hypnoticasia[.]com =\u003e ashleypuerner[.]com/p/land.php (as of 02JUN24)\r\ngov2x[.]com =\u003e edveha[.]com/adcount.js (as of 20JUN24)\r\nsollishealth[.]com =\u003e edveha[.]com/adcount.js =\u003e edveha[.]com/js.php =\u003e espumadesign[.]com//wp-content/upgrade/update.php (as of 18JUN24)\r\nmichiganchronicle[.]com =\u003e edveha[.]com/adcount.js (as of 27JUN24)\r\nwww[.]parksavers[.]com =\u003e edveha[.]com/adcount.js (as of 27JUN24)\r\nperryssteakhouse[.]com =\u003e edveha[.]com/adcount.js (as of 27JUN24)\r\ncdoiq2024[.]org =\u003e edveha[.]com/adcount.js (as of 26JUN24)\r\nwww[.]ccl[.]org =\u003e edveha[.]com/adcount.js (as of 25JUN24)\r\nmy[.]networknuts[.]net =\u003e edveha[.]com/adcount.js (as of 18JUN24)\r\nwww[.]cheericca[.]org =\u003e edveha[.]com/adcount.js (as of 15JUN24)\r\nwww[.]mrsbrimbles[.]co[.]uk =\u003e septicfl[.]com/h/get.php =\u003e ashleypuerner[.]com/p/land.php (as of 29MAY24)\r\nvanillajoy[.]themlmlife[.]com =\u003e ashleypuerner[.]com/p/land.php (as of 29MAY24)\r\nblacksportsonline[.]com =\u003e ashleypuerner[.]com/p/land.php (as of 21JUN24)\r\nwww[.]barcaforum[.]com =\u003e ashleypuerner[.]com/p/land.php (as of 04JUN24)\r\ncriminalnotebook[.]ca/index.php/Main_Page =\u003e ashleypuerner[.]com/p/land.php (as of 30MAY24)\r\nDomains observed serving the Fake Update page code:\r\nkongtuke[.]com\r\nuhsee[.]com\r\nzoomzle[.]com\r\nelamoto[.]com\r\nashleypuerner[.]com\r\nedveha[.]com\r\nURLs observed serving malicious payloads:\r\nwww[.]netzwerkreklame[.]de/wp-content/upgrade/update.php EXE with\r\nSHA256:5685ab9d495bcb14407dd23a83790a76ed1a149cac651f2b792bc775ff4cf732 (as of 24MAY24)\r\ndigimind[.]nl/wp-content/upgrade/update.php JS with\r\nSHA256:db7827bb6788f0a7dae5ef2dc0f3c389ab2616fabed27d646b09ecceb7c1eea9 (as of 05JUN24)\r\nmonlamdesigns[.]com/wp-content/upgrade/update.php EXE with\r\nSHA256:e45802322835286cfe3993fe8e49a793acd705755d57d8fc007341bf3b842518 (as of 29MAY24)\r\nsustaincharlotte[.]org/wp-content/upgrade/update.php JS with\r\nSHA256:4ea6b1bbf04591a975196fac9baa7d42882fdbcde5e264f01d4e94416cef92fc (as of 31MAY24)\r\nchicklitplus[.]com/wp-content/upgrade/update.php MSIX with\r\nSHA256:08d4a681aadff5681947514509c1f2af10ff8161950df2ae7f8ee214213edc17 (as of 17JUN24)\r\nespumadesign[.]com/wp-content/upgrade/update.php MSIX with\r\nSHA256:3802c396e836de94ee13e38326b3fb937fcf0d6f6ef9ccdf77643be65de4c8ee (as of 21JUN24)\r\nowloween[.]com/wp-content/uploads/update.php JS with\r\nSHA256:89002670cc7207a5e9424e932611e617d2e2048ceb8c579c85c3ec14aac8d924 (as of 24JUN24)\r\nwildwoodpress[.]org/wp-includes/pomo/update.php MSIX with\r\nSHA256:63629c87fe460abb657a504bb9786b913b1250288681520cee9e9fbcb14e888f (as of 25JUN24)\r\nwww[.]napcis[.]org/wp-includes/pomo/update.php MSIX with\r\nSHA256:69d267234d62fd6ffd1c6a12b36835b1454dce4a6df1b370e549e275961ae235 (as of 28JUN24)\r\nwww[.]sunkissedindecember[.]com/wp-includes/pomo/update.php MSIX with\r\nSHA256:69d267234d62fd6ffd1c6a12b36835b1454dce4a6df1b370e549e275961ae235 (as of 01JUL24)\r\nrm-arquisign[.]com/wp-includes/pomo/update.php EXE with\r\nSHA256:125b397a627f37c70e2cf2461c6a6583a975ba78617995751cacb32525a3b875 (as of 01JUL24)\r\nDomains that we haven’t observed doing anything malicious, but we suspect are related and are good\r\ncandidates for monitoring:\r\nbarcelonafcblog[.]com\r\ndestinationsunknown[.]com\r\ntable[.]fastplot[.]net\r\npadlock[.]locksmithlibertygrove[.]com[.]au\r\nbalm[.]4rt[.]eu\r\nk[.]ajigili[.]ir\r\nSource: https://malasada.tech/the-landupdate808-fake-update-variant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malasada.tech/the-landupdate808-fake-update-variant/"
	],
	"report_names": [
		"the-landupdate808-fake-update-variant"
	],
	"threat_actors": [
		{
			"id": "4390d8ec-605d-493a-81ee-d5ef80c07046",
			"created_at": "2025-05-29T02:00:03.223467Z",
			"updated_at": "2026-04-10T02:00:03.873701Z",
			"deleted_at": null,
			"main_name": "TAG-124",
			"aliases": [
				"LandUpdate808"
			],
			"source_name": "MISPGALAXY:TAG-124",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4ae47b573cb2e6fb9014719b335808a5c624054.pdf",
		"text": "https://archive.orkl.eu/d4ae47b573cb2e6fb9014719b335808a5c624054.txt",
		"img": "https://archive.orkl.eu/d4ae47b573cb2e6fb9014719b335808a5c624054.jpg"
	}
}