{
	"id": "9c738393-3c22-4653-a34d-42c99c36578f",
	"created_at": "2026-05-01T03:09:00.215098Z",
	"updated_at": "2026-05-01T03:10:50.528301Z",
	"deleted_at": null,
	"sha1_hash": "eaabd5ce228550ab7a902c8acdd43434da6c98bc",
	"title": "New attacks by UltraRank group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1142599,
	"plain_text": "New attacks by UltraRank group\r\nArchived: 2026-05-01 02:51:45 UTC\r\nIn August 2020, Group-IB published the report “UltraRank: the unexpected twist of a JS-sniffer triple threat”. The\r\nreport described the operations of the cybercriminal group UltraRank, which in five years of activity had\r\nsuccessfully attacked 691 eCommerce stores and 13 website service providers.\r\nIn November 2020, Group-IB experts discovered a new wave of UltraRank attacks. Even though new attacks\r\nwere detected at the time, part of the group’s infrastructure remained active and some sites were still infected. The\r\ncybercriminals did not use existing domains for new attacks but switched to a new infrastructure to store\r\nmalicious code and collect intercepted payment data.\r\nAs part of UltraRank’s new campaign, Group-IB’s Threat Intelligence team discovered 12 eCommerce websites\r\ninfected with the group’s JavaScript sniffer. Eight of them remain infected at the time of publication. Group-IB has\r\nsent notifications to the infected websites.\r\nThis time the JS sniffer’s code was obfuscated using Radix obfuscation. This obfuscation pattern had been used\r\nby only a few cybercriminal groups, one of which was the UltraRank group (Figure 1). After deobfuscating the\r\ncode, Group-IB found that the attacks used a sniffer from the SnifLite family, already known to Group-IB experts\r\nand used by the threat actor UltraRank. Due to the relatively small number of infected websites, the attackers most\r\nlikely used credentials for the CMS administrative panel, which, in turn, could have been compromised using\r\nmalware or as a result of brute force attacks.\r\nDuring their most recent series of attacks, UltraRank stored their malicious code on a website mimicking the\r\nlegitimate Google Tag Manager domain. 
The analysis of the threat actor’s infrastructure revealed that the main\r\nserver was hosted by Media Land LLC, which is connected with a bullet-proof hosting company.\r\nThis blog post examines UltraRank’s new campaign and provides recommendations to banks, payment systems, and\r\nonline merchants. You’ll also find indicators of compromise, attackers’ TTPs and relevant mitigation and defense\r\ntechniques in accordance with MITRE ATT\u0026CK and MITRE Shield that we recommend using to protect against\r\nUltraRank.\r\nhttps://www.group-ib.com/blog/ultrarank\r\nPage 1 of 8\n\nFigure 1: Fragment of the obfuscated sniffer code\r\nAnalysis of the JS Sniffer code\r\nThe SnifLite JS sniffer family has been used by UltraRank since at least January 2019, when it was utilized in an\r\nattack on the Adverline advertising network. Malicious code is loaded on the infected website through a link to a JS\r\nfile hosted on the website hXXp://googletagsmanager[.]co/, a domain disguised as the legitimate domain of\r\nGoogle Tag Manager, googletagmanager.com. The cybercriminals’ website hXXp://googletagsmanager[.]co/\r\nalso serves as the sniffer gate that collects intercepted payment card data (Figure 2).\r\nFigure 2: Fragment of the deobfuscated JS sniffer code with a link to the gate to collect intercepted cards\r\nThe function responsible for intercepting payment information in the SnifLite sniffer family is shown in Figure 3.\r\nThe data collection logic is based on the querySelectorAll function, as in the FakeLogistics and WebRank\r\nsniffer families used by the group earlier. 
A comparison of these three families was outlined in the report\r\n“UltraRank: the unexpected twist of a JS-sniffer triple threat.”\r\nAfter data is collected, it is written to local storage in an object named google.verify.cache.001.\r\nFigure 3: Fragment of the JS sniffer code with a function responsible for collecting payment card data\r\nData is collected and sent only if the URL of the page the user is currently on contains one of the\r\nfollowing keywords (Figure 4):\r\nonepage\r\ncheckout\r\nstore\r\ncart\r\npay\r\npanier\r\nkasse\r\norder\r\nbilling\r\npurchase\r\nbasket\r\nBefore an intercepted payment card is sent, its data is extracted from the locally stored _google.verify.cache.001\r\nobject and transmitted to the cybercriminals in an HTTP GET request.\r\nFigure 4: Fragment of the JS sniffer code with the function to send the collected data to the cybercriminals’ server\r\nDuring further analysis of infections by UltraRank, the Group-IB team discovered an unobfuscated sample of the JS\r\nsniffer, identical to one found on one of the cybercriminals’ websites earlier, which linked UltraRank to\r\nthe new attacks.\r\nAnalysis of the infrastructure\r\nWhile analyzing the sniffer infrastructure, a standard PHP script was found, which is typical of all of UltraRank’s\r\nwebsites. In addition to the common information about the sent request and the server, the script displayed the\r\nserver’s real IP address. At the time of analysis, the googletagsmanager[.]co domain had an IP address of\r\n8.208.16[.]230 (AS45102, Alibaba (US) Technology Co., Ltd.). At the same time, the real server address was\r\n45.141.84[.]239 (Figure 5), owned by Media Land LLC (AS206728). 
According to an article by Brian Krebs,\r\nMedia Land LLC is connected with a bulletproof hosting company operated by an underground forum user going\r\nby the nickname Yalishanda, which provides services to cybercriminals. Presumably, Yalishanda’s service uses\r\ncloud servers rented from various suppliers, including Alibaba, to host part of the cybercriminals’ infrastructure.\r\nIn addition to the server IP address, the script output also specifies the directory where the website files are located\r\non the server hXXp://googletagsmanager[.]co/: worker.\r\nFigure 5: Script output with information about the server where the domain googletagsmanager.co is located\r\nThe IP address 45.141.84[.]239 is also linked to the website hXXp://s-panel[.]su/. During its analysis, the same\r\nscript that appears on all websites in UltraRank’s infrastructure was found again (Figure 6). In this case, the directory where all\r\nthe website files were located is called panel.\r\nFigure 6: Script output with information about the server where the domain s-panel.su is located\r\nIn addition to the common server, Group-IB’s Graph Network Analysis system detected the SSL certificate\r\n50e15969b10d40388bffbb87f56dd83df14576af. This certificate was on both the domain googletagsmanager.co\r\nand the server with the IP address 45.141.84[.]239, which is associated with the domain s-panel[.]su (Figure 7).\r\nFigure 7: Link graph for certificate 50e15969b10d40388bffbb87f56dd83df14576af from the Group-IB Threat\r\nIntelligence system\r\nThroughout further analysis of the website hXXp://s-panel[.]su/, a login form was detected. 
Presumably, this\r\nwebsite is used by the cybercriminals as a sniffer control panel: all stolen payment card data is collected in the\r\npanel for subsequent exfiltration and resale.\r\nFigure 8: Login form found on the site s-panel.su\r\nThe googletagsmanager[.]info domain was also discovered. In September 2020, this domain had the same IP\r\naddress as googletagsmanager[.]co (8.208.96.88). However, at the time of writing, the website was inactive and\r\nno cases of eCommerce infections using it were found.\r\nIndicators of compromise\r\ngoogletagsmanager[.]co\r\ngoogletagsmanager[.]info\r\ns-panel[.]su\r\nRecommendations\r\nTo date, Group-IB experts have studied 96 different JS sniffer families, whereas only 38 malware families of this\r\ntype were known when the report “Crime without punishment: in-depth analysis of JS sniffers” was published.\r\nAttacks on eCommerce stores using malicious JavaScript are becoming an increasingly popular way to\r\nobtain large amounts of user payment information for subsequent resale. As a result of UltraRank installing\r\nmalicious code on the Ticketmaster website by hacking the third-party provider Inbenta, user payment data was\r\nleaked. Ticketmaster was fined £1.25 million for this. In addition, British Airways was fined £20 million for a data\r\nleak caused by malicious code injected into one of the JavaScript libraries used on their website and mobile app.\r\nTherefore, the threat of JS sniffers is relevant not only for owners of eCommerce stores, but also for all\r\nservices that use and process bank card payments online. Group-IB experts have compiled a list of\r\nrecommendations that will help various eCommerce participants minimize potential damage, prevent infection, or\r\ndetect existing malicious activity.\r\nSource: https://www.group-ib.com/blog/ultrarank",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/ultrarank"
	],
	"report_names": [
		"ultrarank"
	],
	"threat_actors": [],
	"ts_created_at": 1777604940,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eaabd5ce228550ab7a902c8acdd43434da6c98bc.pdf",
		"text": "https://archive.orkl.eu/eaabd5ce228550ab7a902c8acdd43434da6c98bc.txt",
		"img": "https://archive.orkl.eu/eaabd5ce228550ab7a902c8acdd43434da6c98bc.jpg"
	}
}