{
	"id": "4b8ca611-1261-46e8-91ac-87edb70e1143",
	"created_at": "2026-04-06T00:06:08.839634Z",
	"updated_at": "2026-04-10T03:20:36.50832Z",
	"deleted_at": null,
	"sha1_hash": "e2096138af18eedf838816f0a176b7043c47ccd5",
	"title": "'FakeUpdates' campaign leverages multiple website platforms | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1228913,
	"plain_text": "'FakeUpdates' campaign leverages multiple website platforms |\r\nMalwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2018-04-09 · Archived: 2026-04-05 16:57:09 UTC\r\nA malware campaign which seems to have started since at least December 2017 has been gaining steam by\r\nenrolling a growing number of legitimate but compromised websites. Its modus operandi relies on social\r\nengineering users with fake but convincing update notifications.\r\nSimilar techniques were used by a group leveraging malvertising on high traffic websites such as Yahoo to\r\ndistribute ad fraud malware. The patterns are also somewhat reminiscent of EITest’s HoeflerText campaign where\r\nhacked websites are scrambled and offer a font for download. More recently, there has been a campaign affecting\r\nMagento websites that also pushes fake updates (for the Flash Player) which delivers the AZORult stealer by\r\nabusing GitHub for hosting.\r\nToday, we are looking at what we call the ‘FakeUpdates campaign’ and describing its intricate filtering and\r\nevasion techniques. One of the earliest examples we could find was reported by BroadAnalysis on December 20,\r\n2017. The update file is not an executable but rather a script which is downloaded from DropBox, a legitimate file\r\nhosting service, as can be seen in the animation below.\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/\r\nPage 1 of 17\n\nFigure 1: A typical redirection to the ‘FakeUpdates’ scheme from a hacked site\r\nThis campaign affects multiple Content Management Systems (CMS) in somewhat similar ways. Several of the\r\nwebsites we checked were outdated and therefore vulnerable to malicious code injection. 
It is possible that\r\nattackers used the same techniques to build their inventory of compromised sites but we do not have enough\r\ninformation to confirm this theory.\r\nWordPress and Joomla\r\nBoth WordPress and Joomla sites that were hacked bear the same kind of injection within their CMS’ JavaScript\r\nfiles.\r\nFigure 2: A Compromised WordPress site pushing a fake Google Chrome update\r\nFigure 3: A Compromised Joomla site pushing a fake Mozilla Firefox update\r\nSome commonly injected files include the jquery.js and caption.js libraries where code is typically appended and\r\ncan be spotted by doing a comparison with a clean copy of the same file.\r\nFigure 4: Diffing a clean and suspicious copy of the same library\r\nThe additional blurb of code is responsible for the next chain of events that loads the fraudulent layer onto the\r\nwebsite you are visiting. The image below shows a beautified version of the code injected in the CMS platforms,\r\nwhose goal is to call the redirection URL:\r\nFigure 5: Injected code responsible for the redirection\r\nWe wrote a simple crawler to browse a list of sites and then parsed the results. We were able to identify several\r\nhundred compromised WordPress and Joomla websites even after a small iteration through the list. Although we\r\ndon’t have an exact number of sites that are affected, we surmise that it is in the thousands.\r\nFigure 6: A partial list of compromised sites\r\nSquarespace\r\nSquarespace is another popular Content Management System that is also affected by the same campaign. 
This was\r\npointed out by @Ring0x0 and we found a forum post dated February 28, where a Squarespace user is asking for\r\nhelp, saying “it basically redirected me to a full page “your version of chrome needs updating“”.\r\nFigure 7: A Squarespace user reporting that their site was tampered with\r\nSo I login to the admin panel and in the GIT HISTORY it shows that one of my users which has never even\r\nlogged in before, has sent an upload: site-bundle.js last week, along with some other big list of files {sic}.\r\nWe dug deeper into these compromises and identified a slightly different redirection mechanism than the one used\r\non WordPress or Joomla sites. With Squarespace, a blurb of JavaScript is injected directly into the site’s homepage\r\ninstead.\r\nFigure 8: Traffic showing a malicious redirection taking place on a Squarespace site\r\nIt pulls a source file from query[.]network that in turn retrieves bundle.js from boobahbaby[.]com:\r\nFigure 9: The injected code present in hacked Squarespace sites\r\nbundle.js contains the same script we described earlier that is used to call the redirection URL:\r\nFigure 10: The same redirection code used in WP and Joomla infections is used here\r\nAccording to this PublicWWW query, a little over 900 SquareSpace sites have been injected with this malicious\r\nredirection code.\r\nFigure 11: Identifying other hacked Squarespace sites using a string pattern\r\nRedirection URL and filtering\r\nAll CMSes trigger redirection URIs with similar patterns that eventually load the fraudulent update theme. 
Based\r\non our tests, the URIs have identifiers that apply to a particular CMS; for example cid=221 is associated with\r\nWordPress sites, while cid=208 with Joomla.\r\nWordPress track.positiverefreshment[.]org/s_code.js?cid=221\u0026v=8fdbe4223f0230a93678 track.positiveref\r\nJoomla connect.clevelandskin[.]com/s_code.js?cid=208\u0026v=e1acdea1ea51b0035267 track.positiverefreshme\r\nSquareSpace track.amishbrand[.]com/s_code.js?cid=232\u0026v=47acc84c33bf85c5496d\r\nOpen Journal Systems track.positiverefreshment[.]org/s_code.js?cid=223\u0026v=7124cc38a60ff6cb920d\r\nUnknown CMS track.positiverefreshment[.]org/s_code.js?cid=211\u0026v=7c6b1d9ec5023db2b7d9 track.positive\r\nThere are other interesting artifacts on this infrastructure, such as an ad rotator:\r\ntrack.positiverefreshment.net:81/adrotator/banner.js?cid=100\r\nBut if we focus on the redirection code itself, we notice that potential victims are fingerprinted and the ultimate\r\nredirection to the FakeUpdates template is conditional, in particular with only one hit per single IP address. The\r\nlast JavaScript is responsible for creating the iframe URL to that next sequence.\r\nFigure 12: Fingerprinting, cookie verification and iframe redirection are performed here\r\nFakeUpdates theme\r\nThere are templates for the Chrome, Firefox and Internet Explorer browsers, the latter getting a bogus Flash\r\nPlayer update instead.\r\nFigure 13: Attackers are targeting browsers with professional looking templates\r\nThe decoy pages are hosted on compromised hosts via sub-domains using URIs with very short life spans. 
Some\r\nof those domains have a live (and legitimate) website whereas others are simply parked:\r\nLegitimate (shadowed) domain:\r\nhttps://pask.spgolfshoes[.]com/95b40f61578eed04ff464c5055990abbupdate{trimmed}\r\nFigure 14: This property’s credentials have most likely been stolen and used to register a malicious subdomain\r\nParked domain:\r\nhttp://zlsk.redneckonize[.]com/wordpress/article.php?f=445327\u0026g={trimmed}\r\nFigure 15: Parked domains can hide ulterior motives\r\nFinal infection chain and payloads\r\nThe infection starts with the fake update disguised as a JavaScript file retrieved from the Dropbox file hosting\r\nservice. The link to Dropbox, which is updated at regular intervals, is obfuscated inside the first web session\r\nbelonging to the fake theme.\r\nFigure 16: the fileURL variable contains the Dropbox URL\r\nThis JavaScript is heavily obfuscated to make static analysis very difficult and also to hide some crucial\r\nfingerprinting that is designed to evade virtual machines and sandboxes.\r\nFigure 17: The malicious JavaScript downloaded from DropBox\r\nAccording to this very good and detailed analysis of the JS file, this is because step2 of the victim’s profiling uses\r\nWScript.Network and WMI to collect system information (BIOS, manufacturer, architecture, MAC address,\r\nprocesses, etc) and eventually makes the decision to continue with the payload or end the script without delivering\r\nit.\r\nA failed infection will only contain 2 callbacks to the C2 
server:\r\nFigure 18: A host that is not a genuine machine was detected and infection aborted\r\nWhile a successful infection will contain 3 callbacks to the C2 server (including the payload):\r\nFigure 19: When all checks pass, the user is served the payload\r\nThe encoded payload stream is decoded by wscript.exe and a malicious binary (Chrome_71.1.43.exe in this case),\r\ndropped in the %temp% folder. That file was digitally signed and also employed various evasion techniques (such\r\nas an immediate reboot) to defeat sandboxes.\r\nFigure 20: A digitally signed file is no guarantee for safety\r\nUpon examination, we determined that this is the Chtonic banking malware, a variant of ZeusVM. Once the\r\nsystem has restarted, Chtonic retrieves a hefty configuration file from 94.100.18[.]6/3.bin.\r\nIn a second replay attempt, we got the NetSupport Remote Access Tool, a commercial RAT instead. Its installation\r\nand configuration were already well covered in this blog. Once again, we noticed the heavy use of obfuscation\r\nthroughout the delivery of this program that can be used for malicious purposes (file transfer, remote Desktop,\r\netc.).\r\nFigure 21: Traffic from the RAT infection, showing its backend server\r\nConclusion\r\nThis campaign relies on a delivery mechanism that leverages social engineering and abuses a legitimate file\r\nhosting service. 
The ‘bait’ file consists of a script rather than a malicious executable, giving the attackers the\r\nflexibility to develop interesting obfuscation and fingerprinting techniques.\r\nCompromised websites were abused to not only redirect users but also to host the fake updates scheme, making\r\ntheir owners unwitting participants in a malware campaign. This is why it is so important to keep Content\r\nManagement Systems up to date, as well as use good security hygiene when it comes to authentication.\r\nMalwarebytes blocks the domains and servers used in this attack, as well as the final payload.\r\nIndicators of compromise\r\nRedirection infrastructure:\r\n23.152.0[.]118 84.200.84[.]236 185.243.112[.]38 185.77.129.11 eventsbysteph[.]com query[.]network con\r\nC2\r\nmy.gobiox[.]com login3.kimbrelelectric[.]com (thanks @nao_sec)\r\nDropped binaries:\r\nChtonic\r\n6f3b0068793b277f1d948e11fe1a1d1c1aa78600712ec91cd0c0e83ed2f4cf1f 94.100.18[.]6/3.bin\r\nNetSupport RAT\r\n4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87\r\nSource: https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/"
	],
	"report_names": [
		"fakeupdates-campaign-leverages-multiple-website-platforms"
	],
	"threat_actors": [],
	"ts_created_at": 1775433968,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2096138af18eedf838816f0a176b7043c47ccd5.pdf",
		"text": "https://archive.orkl.eu/e2096138af18eedf838816f0a176b7043c47ccd5.txt",
		"img": "https://archive.orkl.eu/e2096138af18eedf838816f0a176b7043c47ccd5.jpg"
	}
}