The British government sanctioned Xinbi, a Chinese-language cryptocurrency marketplace accused of enabling large-scale online fraud and human exploitation, in a move targeting the financial infrastructure behind global scam networks.
Alleged RedLine Malware Administrator Extradited to US (admin, 2026-03-26 11:19:54)
I found the 3 best tech deals under $100 during Amazon’s Big Spring Sale (admin, 2026-03-26 11:19:53)
Spammers are constantly seeking new ways to reach the widest audience possible while dodging email filters — all to ensure their “tempting” offers land in your inbox rather than the spam folder. To pull this off, bad actors are increasingly pivoting to legitimate platforms, dreaming up sophisticated ways to weaponize them for their own gain.
We’ve previously covered scam attacks using Google Forms, where fraudulent emails were sent directly from Google’s mail servers. In those cases, links were shielded by the reputable forms.gle domain, allowing them to breeze past spam filters. Now, a similar tactic has been implemented using Yandex Surveys. Here’s a look at how this new scam works, and how you can stay safe.
Everything looks fine at first glance…
Online survey tools are fairly common these days. Marketing professionals use them to gather feedback, HR departments use them for employee engagement, and researchers use them to study target audiences. But how are scammers getting in on the action?
They create a survey, embed links to fraudulent websites within the body, and blast out emails containing the survey link to their mailing lists. Standard anti-spam filters see URLs like yandex.com/poll/… as legitimate. Recipients often have the same reaction, reasonably assuming, “It’s a link to a well-known service — what could go wrong?”
Our experts have tracked a massive spike in these emails. In January, Kaspersky Premium blocked just over 2200 of these messages; by February, that number soared to over 32 000. We’re looking at aggressive scaling here — nearly a 15-fold increase in just one month.
Here’s a survey page containing a scam message and link. The visible portion features a well-known crypto exchange logo and an active link to the attackers’ site. At the bottom, you’ll notice a couple of dots; more on these later.
Spammers distribute these survey links through their own channels, often hijacking website feedback forms that lack sender verification. The fact that the message originates from a legitimate network provides yet another green flag for anti-spam filters to let these emails slide right through.
A crypto scam email in English sent through a feedback form on a Greek website
The most popular themes for this type of spam currently involve crypto scams — promising users a windfall in digital currency — and links to sketchy dating sites.
How scammers exploit Yandex Surveys
To build a survey that doesn’t actually look like one, attackers take advantage of the platform’s extended survey mode.
Yandex Surveys allows users to swap out a simple question for a text block, which can include descriptions, images, or videos. This is exactly where scammers embed their pitch and the link to their phishing site. They use the built-in “Upload media” feature to add official-looking logos and other embellishments that sell the illusion.
To make sure the victim doesn’t see the “Next” button or the standard disclaimer — which warns that surveys are created by third parties and that Yandex isn’t responsible for the content — the scammers pad the space below the scam block with invisible characters. For instance, they might add dozens of lines of transparent emojis; you can’t see them, but they still take up screen real estate. Further down, past the point where most people would stop scrolling, they simply drop in punctuation marks, one per line.
To understand how these surveys are built, we used a test survey to retrace the scammers’ steps. Transparent emojis create dead space under the scam block, followed by punctuation marks further down, where few users are likely to scroll.
The result? The user sees nothing but the fraudulent offer and the link, while everything else is pushed off-screen. It’s the same technique we’ve seen used with Google Forms.
Beyond the benefit of using legitimate URLs, another perk for the scammers is that this method doesn’t cost them a dime. They aren’t paying the service for promotion, or using the built-in targeting tools; they simply blast the link to their own database. In this scenario, the service is essentially being used as good-reputation web page hosting.
To top it off, the scammers can jump into the “Statistics” section of the survey to track click-through rates in real-time and then export the data into a spreadsheet. This is basically a turnkey analytics suite.
Once a victim clicks the link in the survey and lands on the attackers’ website, they are greeted by a professional-looking site running a classic “prize giveaway” scheme.
A popular scam involving a prize draw. First, you have to enter your name…
…Then, you pick one of the boxes containing a potential prize…
…And you “win” nearly an entire Bitcoin! But to claim it you have to “contact the operator”…
…Provide your Bitcoin wallet address…
…And pay a $47 “fee”, handing the scammers both your money and your payment credentials in the process
How to avoid taking the bait:
Don’t blindly trust “reputable domain names”. Seeing yandex.com or forms.gle in the address bar is no longer a guarantee that the content is safe. Anyone can create a survey at those addresses.
Stay alert if you receive an unexpected email. Be especially wary if it promises a payout, a prize, or asks you to “confirm” something urgently. These are scammers’ tricks of choice.
Always scroll to the bottom of the page. If the content abruptly cuts off and you’re left with a wall of empty space, that should set off alarm bells. Check the footer — you’ll often find service disclaimers or other clues that prove you’re looking at a fraudulent survey.
Don’t click links in suspicious surveys. If you do happen to click through, never enter any personal or financial information on the resulting site.
Use a trusted security tool. Kaspersky Premium detects these fraudulent sites and blocks access before you have a chance to hand over your data or risk infecting your device through a zero-click vulnerability.
Finally, it’s worth noting that scammers didn’t actually hack Yandex Surveys; instead, they took a creative — albeit malicious — approach to repurposing the tool for their own ends. Since Yandex Surveys is scheduled to shut down on April 6, 2026, this specific scheme will soon hit a dead end. Still, scammers are constantly hunting for the next loophole to exploit. Your best defense remains a healthy dose of skepticism toward any unexpected email — even if the links point to a domain you know and trust.
How scammers use legitimate surveys to link to malicious sites | Kaspersky official blog (admin, 2026-03-26 11:19:48)
A large-scale magecart operation remained active for over 24 months, leveraging an infrastructure of 100+ domains. While the targeted victims are e-commerce websites, the actual pressure falls on banks and payment systems.
As ANY.RUN’s analysis shows, threat actors applied multi-step checkout hijacking, payment page mimicry, and WebSocket-based exfiltration of card data.
This report provides both executive-level insights and technical analysis of the campaign.
Key Takeaways
The campaign demonstrates long-term persistence (24+ months) supported by highly resilient infrastructure.
Banks (not merchants) bear the primary impact, as stolen card data leads to fraud losses and reputational risk.
Payment system mimicry (notably Redsys) significantly increases attack success by embedding fraud into trusted user flows.
Use of WebSocket exfiltration reduces visibility in traditional security monitoring tools.
Multi-stage, dynamically delivered payloads allow attackers to adapt quickly and evade disruption.
The campaign is global but regionally tailored, leveraging localized payment ecosystems to enhance credibility.
Campaign Overview
A large-scale magecart operation has been identified, active for at least 24 months and supported by over 100 domains. In observed cases, threat actors deployed a multi-stage checkout hijacking framework, incorporating:
Payment step substitution
WebSocket-based exfiltration of payment card data
Payment page mimicry, including infrastructure-level impersonation of legitimate providers (notably Redsys)
Dynamic frontend adaptation of payment interfaces matching different storefronts and scenarios
A total of 17 WooCommerce websites were infected between February 2024 and April 2025 and are likely linked to this campaign, reflecting its longevity and operational stability.
Industrial and Regional Context Behind Global Impact
The geographic scope of the campaign is global. Among the victims are organizations from at least 12 countries, including the United Kingdom and Denmark. However, there’s a notable concentration of incidents in Spain, France, and the United States.
Some cases are confirmed directly via telemetry and network traffic, while others are identified via infrastructural correlation.
From an industry perspective, mostly retail e-commerce companies were targeted, although in some cases, non-commercial organizations have been affected, too.
However, the primary pressure here falls on banks, as cardholders faced financial exposure and their trust in payment systems suffered.
Despite the global impact, the ties to Spain and its payment ecosystem in particular are obvious in this magecart campaign.
Mimicry of Redsys, a payment system used in Spain, lies at the foundation of the attacks. The campaign infrastructure features domains and visual artifacts designed to fit the Spanish payment context. In some cases, user payment flows included the legitimate Redsys domain sis.redsys.es for added credibility.
This approach made the campaign’s malicious activity convincing within the Spanish payment context.
What Makes This Campaign Durable
Payment Mimicry
A significant portion of the infrastructure is registered via NICENIC INTERNATIONAL GROUP and disguised as legitimate web services, including analytics platforms, CDN resources, jQuery libraries, and payment services. If you access them directly, they act as technical placeholders or simulate legitimate redirects. This complicates attribution.
Multi-Stage Delivery Architecture
The injected JavaScript contains only a small loader that connects to external infrastructure, receives configuration data, and loads the next stage. The loader uses a fallback mechanism: it iterates through backup domains until a valid response is received. This allows the campaign to continue even if some components of the infrastructure are blocked.
Dynamic Payload Delivery
The next stage isn’t stored openly inside an infected file. It’s delivered dynamically via a staging response. Thanks to this, the operators can change delivery domains, payload paths, and control infrastructure without re-infecting the website.
Different domains don’t necessarily serve different campaigns. Instead, they have different roles: staging responses, payload delivery, or WebSocket/C2 and command handlers.
Other Factors
State persistence in localStorage
Masquerading as legitimate external dependencies
WebSocket usage as a channel for control and exfiltration
As a result, the compromised website becomes only an initial access point. Subsequent payload delivery and data exfiltration can be flexibly modified inside the external infrastructure.
Technical analysis
Initial Loader Delivery and Execution
Following the compromise of a website, attackers modify one of the site’s embedded JavaScript files to include a small, obfuscated loader. It doesn’t contain the main card-stealing logic but acts as an initial delivery tool. It executes in the victim’s browser and receives parameters for the next stage from external infrastructure.
Injected JavaScript
Next, the obfuscated part of the loader contacts one of the predetermined domains from the fallback infrastructure list. The domain returns a JSON configuration containing the next stage’s address, the WebSocket/C2 server address, and an extra HTTP handler for auxiliary communication.
Domain examples
These values are delivered as encoded arrays of numeric character codes, which are then decoded in the victim’s browser.
An example of JSON configuration. ANY.RUN Interactive Sandbox
If no response is received or the JSON is invalid, the loader automatically switches to the next domain in the list. This mechanism ensures continued operation even in the presence of partial infrastructure disruption or blocking.
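The staging response described above carries its string values as arrays of numeric character codes. The following is an added analyst-side example, not ANY.RUN’s code or the skimmer’s own: it decodes such a response and pulls out every network endpoint so it can be fed to blocklists and telemetry searches. The field names (`next`, `ws`, `http`, `retry`) and the hostnames are hypothetical; the report does not publish the real configuration schema.

```javascript
// Added example (not ANY.RUN's code or the skimmer's own): an analyst-side
// decoder for a staging response in which string values arrive as arrays of
// numeric character codes. Field names and hostnames below are hypothetical.

const MIN_LEN = 4;              // ignore very short arrays (likely genuine numeric data)
const PRINTABLE = [0x20, 0x7e]; // arrays of printable ASCII codes are treated as encoded strings

// Returns the decoded string if `value` is an array of printable char codes, else null.
function decodeCharCodes(value) {
  if (!Array.isArray(value) || value.length < MIN_LEN) return null;
  const allPrintable = value.every(
    (n) => Number.isInteger(n) && n >= PRINTABLE[0] && n <= PRINTABLE[1],
  );
  return allPrintable ? String.fromCharCode(...value) : null;
}

// Walks a parsed JSON document and replaces every char-code array with its string.
function decodeStagingConfig(node) {
  const decoded = decodeCharCodes(node);
  if (decoded !== null) return decoded;
  if (Array.isArray(node)) return node.map(decodeStagingConfig);
  if (node && typeof node === 'object') {
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, decodeStagingConfig(v)]),
    );
  }
  return node;
}

// Collects every decoded string that looks like an HTTP(S) or WebSocket endpoint.
function extractEndpoints(config) {
  const out = [];
  const walk = (n) => {
    if (typeof n === 'string') {
      if (/^(https?|wss?):\/\//i.test(n)) out.push(n);
    } else if (Array.isArray(n)) {
      n.forEach(walk);
    } else if (n && typeof n === 'object') {
      Object.values(n).forEach(walk);
    }
  };
  walk(config);
  return out;
}

// Decodes the raw staging response and returns the config plus its endpoints.
function analyzeStagingResponse(raw) {
  const config = decodeStagingConfig(JSON.parse(raw));
  return { config, endpoints: extractEndpoints(config) };
}

// Constructed sample: a staging response with three fields encoded as char-code
// arrays. The hostnames are placeholders, not indicators from the report.
const encode = (s) => Array.from(s, (c) => c.charCodeAt(0));
const SAMPLE_STAGING_RESPONSE = JSON.stringify({
  next: encode('https://cdn-placeholder.invalid/aGVsbG8=.js?_=1711450000'),
  ws: encode('wss://c2-placeholder.invalid/?token=dG9rZW4='),
  http: encode('https://c2-placeholder.invalid/api/event'),
  retry: 3,
});

console.log(JSON.stringify(analyzeStagingResponse(SAMPLE_STAGING_RESPONSE), null, 2));
```

Short arrays and arrays containing non-printable codes are left untouched, so genuine numeric fields such as retry counters survive the pass; only runs that decode cleanly to printable text are rewritten.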
Stage 1: Malicious Payload Delivery and Execution
After receiving a valid staging response, the loader takes the URL of the next JavaScript and dynamically adds it to the DOM via a new <script src=…> element.
Code fragment responsible for the execution of the malicious activity
At this point, the primary malicious payload is loaded into the page. Notably, this payload may be delivered from different domains, such as:
jquerybootstrap[.]com
newassetspro[.]com
assetsbundle[.]com
bundlefeedback[.]com
and others.
In any case, the delivery stage is the same. The operators rotate payload sources to increase the infrastructure’s durability.
After loading, the main payload begins executing within the context of the store’s webpage and waits for the checkout/payment DOM to appear.
At this stage, it:
monitors the opening of the payment step;
interacts with checkout elements;
replaces or overlays the legitimate payment interface;
injects its own elements, including iframes and custom buttons;
hides the real payment confirmation elements.
Once checkout is loaded, payment hijacking begins.
Observed Code Patterns Indicative of Payment Hijacking
Delayed activation ensures the user follows through until they reach the required payment step
Attackers conceal the legitimate payment button and replace it with a fake one
The script not only runs in the background but fully overlays/replaces the interface
The form isn’t static but controlled and manageable
In some cases, the mimicry is built around a payment scenario that is visually and logically close to a legitimate PSP flow. In cases related to Spain, Redsys mimicry is especially notable, but the fake payment flow can adapt to storefronts, countries, and local PSPs.
Script Deobfuscation
The core payload waits for the checkout form to appear and is responsible for receiving, validating, and sending the payment data entered into the fake payment form.
Notable Code Features Inside the Script
The payload adapts to user environments with frontend localization capabilities and supports multiple languages: English, Spanish, Arabic, French.
There’s a state machine with the following states: init, return, confirm, alert, getData, allowing for controlled progression through the attack lifecycle.
Code for handling WebSocket connections to the C2 server for the control of the attack flow. Part 1.
Code for handling WebSocket connections to the C2 server. Part 2
An example of the final result of the mimicry can be seen below:
A Base64-encoded HTML page responsible for displaying the fake payment interface
PayPlug SAS payment window imitation
There’s a heavily obfuscated JavaScript inside the HTML page. It uses the following techniques to avoid detection:
Anti-tampering: code integrity is verified via function serialization, as well as bitwise & arithmetical operations.
Strings stored in obfuscated form are decrypted at runtime by an embedded VM:
Raw obfuscated strings
Deobfuscated strings
The payload is responsible for formatting and validating the Visa/Mastercard payment data entered into the fake form, as well as modifying UI state and delivering events or data via the postMessage method:
PostMessage method for data delivery
Stage 3: Connecting to Control Infrastructure
After activation, the malicious payload establishes a connection to the control infrastructure, e.g., via WebSocket.
WebSocket exfiltration code
This channel is used for:
transmitting service events;
sending BIN (Bank Identification Number) data;
transmitting full payment card details;
receiving additional commands to control the replaced payment flow.
In one of the analyzed cases, WebSocket was used as the primary channel for card data exfiltration, while the C2 server was disguised as a Redsys domain (redsysgate[.]com).
During the skimmer’s operation, it retrieves malicious JavaScript files from URLs that follow this pattern: hxxps://<c2_domain>/<base64_text>.js?_=<digits>
Then, WebSocket connections are used for control and data transmission at: wss://<c2_domain>/?token=<base64_data>
When the user enters their data, an event is sent containing the exfiltrated information. In response, the server provides instructions on what to do next and what content to display, such as the logo of the payment system associated with the entered card (Visa/MasterCard).
Card data (random numbers used as an example) in a code fragment
This is important for the understanding of the campaign: attackers are not simply stealing card data, they embed exfiltration into a seemingly legitimate payment context.
Stage 4: Interception and Transmission of Payment Data
When a user enters their card details into the spoofed payment interface, the payload transmits them to the attackers’ external infrastructure.
The following data was observed in network traffic:
BIN
full card number
expiration date
CVV
The transmission does not occur via a standard form POST request, but instead through a separate WebSocket channel, making detection via conventional HTTP logs more difficult.
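The report gives two concrete URL shapes for this skimmer: script retrieval at `hxxps://<c2_domain>/<base64_text>.js?_=<digits>` and the control channel at `wss://<c2_domain>/?token=<base64_data>`. The block below is an added detection example, not ANY.RUN’s code: it runs both patterns over constructed proxy log lines, and additionally flags any WebSocket opened from a checkout page to a host outside an assumed allowlist of payment providers, since WebSocket traffic is exactly what plain HTTP logging tends to miss. The log format, the allowlist, and all hostnames are assumptions; only `sis.redsys.es` comes from the report.

```javascript
// Added example (not ANY.RUN's code): detection logic for the two URL shapes the
// report attributes to this skimmer, run over constructed proxy log lines.
// Log format, allowlist and hostnames (except sis.redsys.es) are assumptions.

// Script retrieval: https://<c2_domain>/<base64_text>.js?_=<digits>
// Matches a single path segment of Base64 (standard or URL-safe alphabet). The
// page defangs the scheme as "hxxps"; real logs carry "https".
const SCRIPT_PATTERN = /^https?:\/\/([^/?#]+)\/[A-Za-z0-9+_-]{8,}={0,2}\.js\?_=\d+$/i;

// Control channel: wss://<c2_domain>/?token=<base64_data>
const WS_PATTERN = /^wss:\/\/([^/?#]+)\/\?token=[A-Za-z0-9+/_-]+={0,2}$/i;

// Hosts the storefront is expected to talk to during checkout (assumed allowlist).
const KNOWN_PAYMENT_HOSTS = new Set(['sis.redsys.es', 'shop.example']);

// Parses one constructed log line: "<ISO timestamp> <METHOD> <url> <referrer>".
function parseLogLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 4) return null;
  const [timestamp, method, url, referrer] = parts;
  return { timestamp, method, url, referrer };
}

// Classifies one request; returns a finding object or null.
function classifyRequest(req) {
  let m = req.url.match(SCRIPT_PATTERN);
  if (m) return { kind: 'staged-script', host: m[1], url: req.url };

  m = req.url.match(WS_PATTERN);
  if (m) return { kind: 'ws-token-channel', host: m[1], url: req.url };

  // Any WebSocket from the checkout page to a host that is not a known payment
  // host deserves review even when the token shape differs from the report.
  if (/^wss?:\/\//i.test(req.url)) {
    const host = new URL(req.url).host;
    if (!KNOWN_PAYMENT_HOSTS.has(host) && /checkout/i.test(req.referrer)) {
      return { kind: 'unexpected-websocket', host, url: req.url };
    }
  }
  return null;
}

// Runs the classifier over a list of raw log lines and returns the findings.
function scanLog(lines) {
  return lines
    .map(parseLogLine)
    .filter(Boolean)
    .map(classifyRequest)
    .filter(Boolean);
}

// Constructed sample log. Placeholder hostnames, not indicators from the report.
const SAMPLE_LOG = [
  '2025-04-01T10:00:00Z GET https://shop.example/checkout/ https://shop.example/cart',
  '2025-04-01T10:00:01Z GET https://shop.example/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js https://shop.example/checkout/',
  '2025-04-01T10:00:02Z GET https://cdn-placeholder.invalid/aGVsbG8gd29ybGQ=.js?_=1743501602 https://shop.example/checkout/',
  '2025-04-01T10:00:03Z GET wss://c2-placeholder.invalid/?token=c2Vzc2lvbi0xMjM= https://shop.example/checkout/',
  '2025-04-01T10:00:04Z GET wss://chat-placeholder.invalid/socket https://shop.example/checkout/',
  '2025-04-01T10:00:05Z POST https://sis.redsys.es/sis/realizarPago https://shop.example/checkout/',
];

console.log(scanLog(SAMPLE_LOG));
```

The legitimate WooCommerce script and the Redsys POST produce no finding; the staged script, the token-bearing WebSocket and the off-allowlist WebSocket each produce one. In production the allowlist would be built from the store’s actual PSP integrations rather than hard-coded.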
Importantly, within the same cluster, the visual scenario of the attack may vary. In some cases, Redsys-themed mimicry is observed; in others, PayPlug-like or generic card form scenarios are used.
This does not necessarily indicate different campaigns: within a single malware family, the same loader, staging infrastructure, and exfiltration mechanism may be reused while applying different front-end disguises.
Additional Vector: Distribution of Android APK via the Same Inject
In addition to manipulating the payment step and stealing card data, the same malicious payload was also used as a platform to push the installation of an Android application in APK format.
The script checked the user’s environment and, if certain conditions were met, displayed a separate mobile scenario offering the user an app to download. This included promises of discounts or bonuses, along with instructions on how to enable installation from “Unknown Sources.”
Based on the contents of the payloads, this scenario was localized into at least several languages, including English, Spanish, Arabic, and French. This indicates that the campaign was targeting a broad international audience and relied on a prepared, rather than ad hoc, infrastructure.
Code fragment for Android-specific flow
This scenario had several localization options, including English, Spanish, Arabic, and French, underscoring the campaign’s global focus and its reliance on deliberately prepared rather than ad hoc infrastructure.
Conclusion
This magecart campaign reflects a shift from opportunistic skimming toward structured, infrastructure-driven payment attacks. By combining checkout hijacking, high-fidelity payment mimicry, and real-time exfiltration, attackers embed malicious activity directly into legitimate transaction flows. This not only increases effectiveness but also complicates detection and response.
Deep visibility into active attacks and continuous threat monitoring are required for efficient detection and prevention of such breaches.
About ANY.RUN
ANY.RUN delivers interactive malware analysis and actionable threat intelligence, enabling security teams to investigate threats more efficiently, gain clearer visibility into attacker behavior, and respond with greater confidence.
Case 2: The same loader cluster and staging infrastructure, but without confirmed card exfiltration (possibly due to redirection to a legitimate external payment flow).
Case 3: Confirmed use of the same loader cluster and staging infrastructure.
Active Magecart Campaign Targets Spain, Steals Card Data via Hijacked eStores for Bank Fraud (admin, 2026-03-26 11:19:47)
From drones to missiles to submarines, the $30.5 billion defense startup wants to transform how the tools of war are made. It’s not all going as planned.
Anduril’s Real War Is With Itself (admin, 2026-03-26 10:06:52)
Spring is the perfect time to focus on your overall wellness, and these devices can help. Plus, they are all discounted during Amazon’s Big Spring Sale.
These 7 wellness gadgets helped me become more mindful (and they’re on sale) (admin, 2026-03-26 10:06:52)
5 Shark Amazon Spring Sale deals that are perfect for a spring refresh (admin, 2026-03-26 10:06:51)
Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls.
“Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data,” Sansec said in a report published this week.
The attack,
WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites (admin, 2026-03-26 09:07:15)
Dell and HP Roll Out Quantum-Resistant Device Security and AI-Era Cyber Resilience (admin, 2026-03-26 09:07:14)