
Historically, the activity of multiple cybercrime gangs and individuals has shown us that, in order to secure multiple revenue streams, they tend to multi-task on several fronts while serving the needs of customers within different cybercrime-friendly market segments.

Given that 99% of all the spamvertised campaigns we’re currently intercepting rely on the latest version of the Black Hole Exploit Kit, a logical question emerges: is Paunch, the author of the kit, multi-tasking as well? What’s the overall impact of his ‘vertical market integration’ practices across the Web, beyond maintaining the largest market share of malicious activity among Web malware exploitation kits?

Let’s find out by discussing two of his well-known revenue sources and sampling a campaign that relies on the managed iFrame/Javascript crypting/obfuscating service that he also operates.

More details:

Sample advertisement for the iFrame/Javascript crypting/obfuscating service operated by Paunch, within the kit’s control panel:


This is the most popular advertisement that was featured within the kit since day one, in an attempt by its author to not only achieve a decent brand awareness for the service, but also actually convert his current Black Hole Exploit Kit customers into customers of the crypting/obfuscating service as well. The results? Pretty decent conversion rates, based on a systematic tracking of the pseudo-random obfuscations generated by the service, and actually used in campaigns intercepted in the wild.

At a later stage, things slightly changed, perhaps due to the fact that Paunch’s service has gained the necessary market share. The author of the kit started soliciting advertisements from fellow cybercriminals, like the following ad:


What’s so special about the iFrame/Javascript crypting/obfuscation service operated by Paunch? It supports multiple crypting/obfuscating algorithms, as well as API keys, allowing ‘on-the-fly’ obfuscation for his customers to take advantage of.

Sample entry page for Paunch’s crypting/obfuscating service:


Sample Black Hole Exploit Kit campaigns’ pseudo-random obfuscation examples that used Paunch’s service:


Sample static Javascript obfuscation courtesy of Paunch’s service, and known to have been used in previously profiled malicious campaigns:


URLs known to have included the same obfuscated Javascript in the past:

Sample campaign that relied on the same Javascript obfuscation:

hxxp:// -> hxxp:// – (AS16276) – Email: -> hxxp://eheph.AlmostMy.COM/hulk -> hxxp://

The following malicious redirectors are known to have responded to the same IP ( in the past:

What’s particularly interesting about these domains is that we have a separate MD5 phoning back to two of these domains, namely, and (MD5: 8545473E7F34B5D5A611D757D9444E3D – detected by 2 out of 42 antivirus scanners as Trojan-Ransom.Win32.Birele.aegw).

This campaign is just the tip of the iceberg, and so are Paunch’s multi-tasking projects within the underground ecosystem. What’s certain is that, just like the majority of cybercriminals, he’s got multiple sources of revenue through ‘vertical market integration’ development projects.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.