Shady attracts shady! Lately, cybercriminals have been found manipulating adult website visitors and redirecting victims to malicious websites serving up malware.

What & Why

Researchers discovered a Malsmoke campaign that appears to have begun in mid-October.

  • The threat actors, who have been active throughout 2020, are pushing adult site users to download a fake Java update in their malvertising attacks.
  • Visitors to sites such as bravoporn[.]com and xhamster[.]com, which have hundreds of millions of users, reportedly risk downloading Zloader, a banking malware.
  • The reason for going after high-traffic adult portals is simple: the more visitors, the higher the number of infected systems.

How does it work?

The new campaign works across all major web browsers, including Google Chrome.

  • When a user clicks to play a video clip, a new browser window containing a grainy video pops up.
  • In the background, however, victims are redirected through malicious pages such as landingmonster[.]online until they land on a “decoy” porn site.
  • The video plays for a few seconds, then an overlay message appears saying that the Java Plug-in 8.0 was not found.
  • The fake Java update is, in fact, a digitally signed Microsoft installer loaded with a number of libraries and executables; the final payload is Zloader.
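As an added example (not code from the original article or from the researchers it cites), the script below shows how a defender could triage web-proxy logs for the chain described above: a hop through the redirect domain the article names, followed shortly by the download of a Windows installer (.msi) posing as a Java update from a host that is not a Java vendor. The log lines, the adult-site and decoy domains, the trusted-host list and the 120-second window are constructed assumptions for this example; only landingmonster.online comes from the article.

```python
"""Triage web-proxy logs for the malvertising chain described in the article.

Added example, not the article's or the campaign's own code.  The sample log
below is constructed; the trusted Java hosts, the time window and the decoy
domain are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Intermediate redirect domain named in the article (written there as landingmonster[.]online).
KNOWN_REDIRECT_DOMAINS = {"landingmonster.online"}
# Hosts a genuine Java installer would normally come from (assumption for this example).
TRUSTED_JAVA_HOSTS = {"download.oracle.com", "javadl.oracle.com", "java.com", "www.java.com"}
# How soon after a hop through a known redirect domain an installer download is suspicious.
REDIRECT_TO_DOWNLOAD_WINDOW = timedelta(seconds=120)

# Constructed sample log: "<timestamp> <client> <method> <url> <referer-or-dash> <status>"
SAMPLE_LOG = """\
2020-10-15T10:00:01Z 10.0.0.5 GET https://adult-site.example/videos/123 - 200
2020-10-15T10:00:02Z 10.0.0.5 GET https://landingmonster.online/go?id=1 https://adult-site.example/videos/123 302
2020-10-15T10:00:03Z 10.0.0.5 GET https://decoy-example.test/watch.html https://landingmonster.online/go?id=1 200
2020-10-15T10:00:09Z 10.0.0.5 GET https://decoy-example.test/JavaPlug-in.msi https://decoy-example.test/watch.html 200
2020-10-15T10:05:00Z 10.0.0.7 GET https://www.oracle.com/java/technologies/javase-downloads.html - 200
2020-10-15T10:05:20Z 10.0.0.7 GET https://download.oracle.com/java/jre-8u271-windows-x64.msi https://www.oracle.com/java/technologies/javase-downloads.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, referer, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method,
        "url": url,
        "referer": None if referer == "-" else referer,
        "status": int(status),
    }


def host_of(url):
    """Return the lower-cased host part of a URL."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE).split("/", 1)[0].lower()


def is_msi(url):
    """True when the URL path (query string ignored) ends in .msi."""
    return url.split("?", 1)[0].lower().endswith(".msi")


def find_suspicious_chains(log_text):
    """Return a list of findings, one per heuristic hit, grouped per client in time order."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        last_redirect_hit = None  # most recent request to a known redirect domain
        for e in evs:
            host = host_of(e["url"])
            if host in KNOWN_REDIRECT_DOMAINS:
                last_redirect_hit = e
                continue
            if not is_msi(e["url"]):
                continue
            # Heuristic 1: an installer named like a Java update, served from an untrusted host.
            if "java" in e["url"].lower() and host not in TRUSTED_JAVA_HOSTS:
                findings.append({"client": client, "url": e["url"],
                                 "reason": "java-named-msi-from-untrusted-host"})
            # Heuristic 2: any installer download shortly after a hop through a known redirect domain.
            if last_redirect_hit and e["ts"] - last_redirect_hit["ts"] <= REDIRECT_TO_DOWNLOAD_WINDOW:
                findings.append({"client": client, "url": e["url"], "via": last_redirect_hit["url"],
                                 "reason": "msi-after-known-redirect-hop"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_LOG):
        print(f)
```

On the constructed sample, only client 10.0.0.5 is flagged (by both heuristics); the genuine Oracle download by 10.0.0.7 is left alone because it comes from a trusted host and is not preceded by a redirect hop. In practice the redirect-domain set would be fed from threat intelligence rather than hard-coded.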

Activity review of malsmoke actors

The name Malsmoke comes from the Smoke Loader malware that the group drops via the Fallout exploit kit.

  • Since the beginning of the year, Malsmoke operators had been running successful exploit kit campaigns before switching to a new trick based on social engineering.
  • The group targeted porn surfers running older versions of Adobe Flash Player and Internet Explorer, seeding most of the web's adult ad networks with malware.

Stay safe

Take the utmost care: you browse such sites at your own risk.