Discover and read the best of Twitter Threads about #keitarotds

Most recents (1)

1/ Part of the script used by #TA569 (Initial Access Broker) to inject the Keitaro TDS code into compromised sites 🚩

In this variant, if the IP is correct and the red_ok cookie is not declared, the injection is shown and the infection flow continues until #SocGholish or others. ImageImageImage
2/ Two #KeitaroTDS domains in use by #TA569:
- jqueryns[.]com
- jqscr[.]com "new"

In the IP of the latter there is also the domain jqueryj[.]com with a panel that at first sight I cannot recognize 🧐 but is some kind of bot/stealer/clipper, very likely related. / @ViriBack ImageImageImageImage
3/ To get an idea of the scope, if we search on publicwww for the domain "jqueryns[.]com" we get 2196 infected sites, for the domain "jqscr[.]com" we get another 196 compromised sites so far.

- publicwww.com/websites/%22jq…
- publicwww.com/websites/%22jq…

More results in Google too 🤦‍♂️ ImageImageImageImage
Read 5 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!