Remember the recently profiled themed malicious campaign?

It appears that over the past 24 hours, the cybercriminals behind it have resumed spamvertising millions of emails pointing to additional compromised URLs in a clear attempt to improve their click-through rates.

More details:

Sample screenshot of the spamvertised email:

Sample screenshot of the JavaScript redirection:

Sample spamvertised compromised URLs: hxxp://; hxxp://; hxxp://; hxxp://; hxxp://; hxxp://; hxxp://

Sample Black Hole exploit kit landing URL: hxxp://

Detection rate for a sample JavaScript redirection: MD5: 75e030e741875d29f12b179f2657e5fd – detected by 5 out of 42 antivirus scanners as Trojan.JS.Iframe.aby; Trojan.Webkit!html

Upon successful client-side exploitation, the campaign drops MD5: 864e1dec051cbd800ed59f6f91554597 – detected by 3 out of 42 antivirus scanners as W32/Yakes.AP!tr

Once executed, the malware phones back to (, AS32181). Another domain is known to have been responding to the same IP in the past, namely, hxxp://

Webroot SecureAnywhere users are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
