{
	"id": "fc6f8ef8-e328-4495-ab01-320122341fa6",
	"created_at": "2026-04-06T01:30:35.421521Z",
	"updated_at": "2026-04-10T13:12:05.710519Z",
	"deleted_at": null,
	"sha1_hash": "fb2b58eeffdb9201bd91db42a6c6ae3f9bdb1ac0",
	"title": "The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1564286,
	"plain_text": "The shadow knows: Malvertising campaigns use domain\r\nshadowing to pull in Angler EK | Proofpoint US\r\nBy December 15, 2015 Proofpoint Staff\r\nPublished: 2015-12-15 · Archived: 2026-04-06 01:08:57 UTC\r\nMost online ads are displayed as a result of a chain of trust, from the publishers to the malicious advertiser via ad\r\nagencies and/or ad networks.\r\nFor “traffers” (that is, actors bringing traffic to a malicious destination; for example, exploit kits) that rely on\r\nmalvertising, one of the goals is to gain access to a high-profile ad network such as DoubleClick, Bing Ads,\r\nAdTech or AppNexus. A reputable, high-profile ad network provides traffers with access to higher-quality traffic,\r\nand the more reputable an ad network appears, the easier it is for traffers to reach this target traffic.\r\nUncovering domain shadowing\r\nIn early November, one of those high-profile ad agencies appeared in Proofpoint sensors as “referrer” to Angler\r\nexploit kit. Further investigation by Proofpoint researchers determined that the creative in question (ad\r\nbanners) was pointing to content from https://ads.mikeholt[.]com and landing at www.mikeholt[.]com.\".\r\nFigure 1 Creative served by the abused ad agency (click to enlarge)\r\nhttps://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows\r\nPage 1 of 11\n\nFigure 2 A fake online ad for an authentic Website, displayed using a shadowed domain of that Website\r\nA disparity in the SSL certificate used by both servers is the first hint that something is suspicious about this ad.\r\nFigure 3 Shadowed domain SSL certificate vs legitimate site owner's domain SSL certificate\r\nComparison of the SSL certificates for two domains is a clue that this could be a case of “domain shadowing” [3]. \r\nDomain shadowing is a technique for generating malicious subdomains from a legitimate domain, typically using\r\nstolen registration credentials for the domain owner. 
With the stolen credentials, the threat actor can create a large number of fraudulent subdomains (for example, ads.mikeholt[.]com) below the legitimate domain mikeholt[.]com. (The domain owners for these examples were contacted as part of this investigation and alerted to the fact that their registration credentials have probably been compromised.) The attacker can then configure servers on the fraudulent subdomain to perform filtering and redirection actions that pull in their preferred exploit kit.\r\nMultiple parallel campaigns\r\nFurther investigation identified other campaigns employing other compromised domains and abused ad agencies. For example:\r\nadv.mtcharlestonlodge[.]com\r\nFigure 4: Example of ad with stolen creative linking to malicious domain\r\nFigure 5: SSL certificate details for compromised domain\r\nmedia.healthy-homemakers[.]com\r\npromo.loopnetworksllc[.]com\r\nAn exploit kit out of nowhere\r\nResearchers who have the opportunity to replay this attack in a controlled environment will not be able to see much without SSL man-in-the-middle capabilities (Fig. 6); instead the attack will appear to be Angler EK materializing ‘out of thin air’.\r\nFigure 6: Traffic captured on 2015-11-21 without MITM capabilities\r\nA look in the SSL tunnel\r\nOne of the reasons that malvertising is appealing to threat actors is that the ad agency / network itself performs a significant portion of the targeting, including geo, browser and other options. However, the malicious ad server also includes its own filtering settings, and as a result non-targeted clients (such as a known IP address or the wrong country) will receive harmless ad code. 
\r\nFigure 7: Harmless code served by the server if the client does not match the filtering options or if the campaign is on hold\r\nWhen a targeted client visits a site served by the infected content delivery network (CDN), the attack follows these steps:\r\n1. Send a POST to filter proxied traffic.\r\n2. A global JavaScript reads the results of the filtering.\r\n3. If the reply is as expected, decode a bogus GIF (Fig. 8).\r\n4. Check the system using two information disclosure bugs in Microsoft Internet Explorer to avoid researchers, sandboxes and some security products.\r\n5. Abuse an HTTPS open redirect by DoubleClick [2].\r\n6. Land the browser on Angler EK without a referrer.\r\nFigure 8: Malicious code sent by the fake ad server, including fake GIF image file\r\nDecoding the fake GIF produces a JavaScript function (Fig. 9).\r\nFigure 9: Encoded JavaScript function inside a \"GIF\"\r\nClient filtering\r\nThe decoded JavaScript function leverages two information disclosure bugs in Internet Explorer in order to filter potential victims (Fig. 10).\r\nFigure 10: Decoded fake GIF showing redirect and additional filtering\r\nIn order, these checks are:\r\n1. A variation of a technique used by Magnitude and Angler EKs, used to filter out clients running certain security products.\r\n2. A MimeType check in order to filter certain shellex associations, including .py, .pcap and .saz (Fig. 10).\r\nBoth of these bugs were reported to Microsoft in May.\r\nAll replay attempts of this threat revealed fileless Angler EK [4] [5] threads loading Bedep in memory. The Bedep in action is \"buildId\" 1926. 
Over the course of November, Proofpoint researchers have observed this Bedep version loading a variety of malware payloads including Fileless Ursnif [4], Ramnit, Blocrypt, some Vawtrak campaigns 13 and 60 [7], and most recently Reactor Bot.\r\nConclusion\r\nMalvertising is by now a well-known attack vector, and organizations, web sites, and ad network operators have adapted their defenses to detect and defend against it. As this example shows, however, threat actors are also evolving their techniques, using more sophisticated attack chains that make it more difficult for even diligent ad agencies and ad network operators to detect malvertising in their ad streams. These adaptations will enable malvertising to remain an effective malware distribution method for months to come.\r\nReferences\r\n[1] https://en.wikipedia.org/wiki/Online_advertising\r\n[2] http://malware.dontneedcoffee.com/2015/10/a-doubleclick-https-open-redirect-used.html\r\n[3] http://blogs.cisco.com/security/talos/angler-domain-shadowing\r\n[4] http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html\r\n[5] https://hiddencodes.wordpress.com/2014/10/01/digging-deep-into-angler-fileless-exploit-delivery-2/\r\n[6] http://malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html\r\n[7] https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows\r\nIndicators of Compromise (IOC’s)\r\nET signatures:\r\n(NOTE: older rules would fire on older traffic)\r\n2018558 || ET TROJAN Win32/Ramnit Checkin\r\n2019678 || ET TROJAN Ursnif Checkin\r\n2019400 || ET TROJAN Possible Bedep Connectivity Check\r\n2021418 || ET TROJAN Bedep HTTP POST CnC Beacon\r\n2022141 || ET CURRENT_EVENTS Angler encrypted payload Nov 23\r\n2811284 || ETPRO CURRENT_EVENTS Angler or Nuclear EK Flash Exploit M2\r\n2814948 || ETPRO CURRENT_EVENTS Possible EK Redir SSL Cert\r\n2815003 || ETPRO CURRENT_EVENTS Angler EK Landing Nov 18 2015\r\n2815071 || ETPRO CURRENT_EVENTS Possible Angler EK Payload Nov 23 2015\r\n2814630 || ETPRO CURRENT_EVENTS Possible Angler EK IE DHE Post M2\r\n2807957 || ETPRO TROJAN Win32/TrojanDownloader.Blocrypt Checkin\r\n2814112 || ETPRO TROJAN Vawtrak HTTP CnC Beacon\r\n2813060 || ETPRO TROJAN Vawtrak Retrieving Module\r\nSource: https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows"
	],
	"report_names": [
		"The-Shadow-Knows"
	],
	"threat_actors": [],
	"ts_created_at": 1775439035,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb2b58eeffdb9201bd91db42a6c6ae3f9bdb1ac0.pdf",
		"text": "https://archive.orkl.eu/fb2b58eeffdb9201bd91db42a6c6ae3f9bdb1ac0.txt",
		"img": "https://archive.orkl.eu/fb2b58eeffdb9201bd91db42a6c6ae3f9bdb1ac0.jpg"
	}
}