{
	"id": "8f7b3719-c29d-4265-99ca-5c9aa6fe58d8",
	"created_at": "2026-04-06T00:06:49.217524Z",
	"updated_at": "2026-04-10T13:12:30.692845Z",
	"deleted_at": null,
	"sha1_hash": "f1a6b20608fff2c12df7d514492a5404a7aca3d3",
	"title": "Terror EK via Malvertising delivers Tofsee Spambot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43768,
	"plain_text": "Terror EK via Malvertising delivers Tofsee Spambot\r\nPublished: 2017-03-24 · Archived: 2026-04-05 20:15:41 UTC\r\nSummary:\r\nThis was a great find, Terror EK in the wild from malvertising. The landing page appeared to be in the\r\ncompromised site itself and was not loaded from an iframe, etc. The site just displayed jibberish (Lorem Ipsum).\r\nThe EK used three Flash files, attempted a Silverlight exploit and triggered several interesting ET signatures.\r\nThere was also almost no obfuscation of the code as well.\r\nThe payload was Tofsee and a thanks goes to @Antelox for confirming it. Tofsee is a spambot known to send\r\nspam emails. It has been dropped by Rig EK in the past. I did not see much email traffic however I was using a\r\nproxy which may have caused some traffic to not be logged.\r\nAnyway this is a great find and I hope you can gain a lot of information from it.\r\nBackground Information:\r\nA few articles and samples on Terror exploit kit:\r\nhttps://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit–More-like-Error-Exploit-Kit/\r\nhttp://www.broadanalysis.com/2016/06/13/rig-exploit-kit-from-5-200-55-156-sends-tofsee-spambot/\r\nArticle on Tofsee:\r\nhttps://www.cert.pl/en/news/single/tofsee-en/\r\nDownloads\r\n230317TerrorTofsee-\u003e Contains pcapng, payloads and flash files in password protected zip.\r\nNotable Details:\r\n52.29.235.194 – eu4.echo-ice.com- Part of  a malvertising chain\r\n173.208.245.114 – paydayloanservice.net – Part of a malvertising chain\r\n128.199.233.119 –  Terror EK Traffic\r\n103.48.6.14– Tofsee Post Infection\r\n111.121.193.242 –  Tofsee Post Infection\r\nPayload was Tofsee Spambot (rad6AC11.tmp.exe created kxuepssx.exe)\r\nDetails of infection chain:\r\nhttps://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/\r\nPage 1 of 2\n\n(click to enlarge!)\r\nFull Details:\r\nSource: 
https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/"
	],
	"report_names": [
		"terror-ek-delivers-tofsee-spambot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1a6b20608fff2c12df7d514492a5404a7aca3d3.pdf",
		"text": "https://archive.orkl.eu/f1a6b20608fff2c12df7d514492a5404a7aca3d3.txt",
		"img": "https://archive.orkl.eu/f1a6b20608fff2c12df7d514492a5404a7aca3d3.jpg"
	}
}