2026-05-136 minhigh

No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime Distribution

Cybercriminals are increasingly abusing the Keitaro adtech platform to optimize the distribution of malware, phishing, and scams. By leveraging Keitaro's built-in tracking, cloaking, and traffic distribution capabilities, actors can efficiently target victims, evade detection, and scale operations across multiple threat types including wallet drainers and infostealers.

Conf:highAnalyzed:2026-03-26reports

Authors: Infoblox Threat Intel, Confiant

ActorsTilapiaParabensTheNovostiHircusPircusAirportArrestStealCDonutLoaderRemcos RATRustyStealer

Phishing Malvertising Keitaro Scams TDS

Source:Infoblox

IOCs · 5

domain
honknft[.]comMalicious domain used in a Phantom cryptocurrency wallet drainer scam.
domain
investarmco[.]comDomain used by the HircusPircus threat actor for investment scams.
domain
meetdatefind[.]comTDS domain used to route users from hijacked domains to adult content.
sha256
b98b53ca03e3e9009b31bcc37b90b206064b25effce449dde63c51cef6a47470DonutLoader malware payload used to inject StealC.
url
hxxp://62[.]60[.]178[.]163/ce369e7324834845.phpStealC v2 Command and Control (C2) server URL.

Key Takeaways

Threat actors widely abuse the Keitaro adtech platform (tracker, TDS, cloaker) to optimize the distribution of malware, phishing, and scams.
96% of spam campaigns leveraging Keitaro instances led to cryptocurrency wallet drainers.
Malware operators use Keitaro hosted on bulletproof providers (e.g., AS214351) to deliver payloads like StealC, DonutLoader, and Remcos RAT.
Actors employ sophisticated evasion techniques like hash-busting in spam and exploit DNS lame delegation (Sitting Ducks) for domain hijacking.

Affected Systems

Windows
Cryptocurrency Wallets
Web Browsers (Chrome, Edge)

Vulnerabilities (CVEs)

Sitting Ducks (DNS Lame Delegation)

Attack Chain

Threat actors initiate campaigns using spam emails or malvertising to drive traffic to Keitaro-managed instances. Keitaro acts as a Traffic Distribution System (TDS) and cloaker, filtering out security scanners and routing viable victims to malicious landing pages. Depending on the campaign, victims are subjected to credential phishing, cryptocurrency wallet drainers, or prompted to download malware such as DonutLoader and StealC. In malware campaigns, loaders execute and inject infostealers into browser processes to exfiltrate sensitive data to actor-controlled C2 servers.

Detection Availability

YARA Rules: No
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: No
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but mentions the use of JA4+ network fingerprinting to identify Keitaro admin consoles.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect the execution and injection behaviors of payloads like DonutLoader and StealC, but the initial delivery via web traffic and TDS routing is network-centric. Network Visibility: High — TDS routing, Keitaro admin panels, and C2 communications are highly visible at the network layer and can be fingerprinted. Detection Difficulty: Moderate — Detecting the final malware payloads is standard, but attributing the dynamic TDS/cloaking infrastructure requires advanced network fingerprinting and threat intelligence.

Required Log Sources

DNS Logs
Web Proxy/Gateway Logs
Process Creation (Event ID 4688)
Network Connections (Event ID 3)

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Hunt for unusual HTTP redirection chains involving known TDS patterns (e.g., subdomains containing 'trk' or 'tds') leading to newly registered domains.	Web Proxy/Gateway Logs	Delivery	Medium
Monitor for process injection events where unknown or unsigned binaries inject code into browser processes like chrome.exe or msedge.exe.	EDR/Sysmon Event ID 8 (CreateRemoteThread) or 10 (ProcessAccess)	Execution/Defense Evasion	Low
Search email gateway logs for HTML messages containing large blocks of randomized, non-rendered HTML comments, indicating potential hash-busting evasion attempts.	Email Gateway Logs	Initial Access	Low

Control Gaps

Standard anti-spam filters vulnerable to hash-busting techniques.
DNS lame delegations allowing domain hijacking (Sitting Ducks vulnerability).

Key Behavioral Indicators

Multiple HTTP 302 redirects across different TLDs.
Presence of Keitaro admin panel default paths or JA4+ fingerprints on bulletproof hosting ASNs.

False Positive Assessment

Medium

Recommendations

Immediate Mitigation

Block known malicious IPs and domains associated with Keitaro abuse, StealC C2s, and wallet drainers.

Infrastructure Hardening

Audit DNS configurations to identify and remediate lame delegations, preventing Sitting Ducks domain hijacking.
Implement strict email authentication (DMARC, SPF, DKIM) to reduce spoofed spam.

User Protection

Deploy ad-blocking and anti-tracking browser extensions to disrupt malvertising and TDS routing.
Educate users on the risks of connecting cryptocurrency wallets to unknown or unsolicited airdrop sites.

Security Awareness

Train employees to recognize localized phishing attempts and lookalike domains impersonating financial institutions or internal HR systems.

MITRE ATT&CK Mapping

T1583.008 - Acquire Infrastructure: Malvertising
T1566.001 - Phishing: Spearphishing Attachment
T1566.002 - Phishing: Spearphishing Link
T1059.005 - Command and Scripting Interpreter: Visual Basic
T1055 - Process Injection
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
T1584.001 - Compromise Infrastructure: Domains

Additional IOCs

Ips:
- 158[.]94[.]208[.]165 - IP address hosting the honknft.com wallet drainer scam.
Domains:
- object[.]brovanti[.]com - Attacker-controlled ScreenConnect control web portal.
- membros[.]mtcreatingimages[.]com - Domain used in Spotify phishing emails.
- estrategicadesenvolvimento[.]com[.]br - Domain used for dynamically crafted phishing links in localized spam.
- cooldece[.]com - Scam domain impersonating the Phantom platform.
- health[.]tenerium[.]org - Domain hosting health scams.
- terrainane[.]com - Domain used by TheNovosti for clickbait ads.
- hotelbiloxi[.]com - Domain used by AirportArrest for clickbait ads.
- petalsage[.]com - Domain used by AirportArrest for fake news landing pages.
- holzveredler247[.]com - Domain used by AirportArrest for fake news landing pages.
- top9mediatrk[.]com - TDS domain associated with health product scams.
- leadshub[.]trk-links[.]com - TDS domain associated with online gambling.
- tds[.]favbet[.]partners - TDS domain associated with online gambling.
- yellowusheart[.]net - Domain hosting pornography delivered via hijacked domains.
- cibcsecurity2fa[.]com - Lookalike domain impersonating Canadian financial institutions.
- rbcdevice-login[.]com - Lookalike domain impersonating Canadian financial institutions.
Urls:
- hxxps://membros[.]mtcreatingimages[.]com/spotify - Phishing link used in Spotify lure.
- hxxps://estrategicadesenvolvimento[.]com[.]br/Webmail/webmail.php?email={victim@email} - Dynamically crafted phishing link for webmail credential harvesting.
- hxxps://honknft[.]com/connect/rh7_1a7r72zi-kk4k4z?b=1 - Wallet drainer connection URL.
File Paths:
- RO_20251105_99465416.01_995989.vbs - Malicious VBS file associated with Remcos RAT delivery.
- SWIFT PLATA din ordinul.vbs - Malicious VBS file associated with Remcos RAT delivery.
- Reservations.vbs - Malicious VBS file associated with AgentTesla delivery.
- 546__DC_00_generated_script.bat - Malicious batch script associated with FormBook delivery.
Other:
- 224b4a27cdb24c8b - StealC v2 Traffic RC4 Key.
- RDwVeiiY3f - StealC v2 String/Config RC4 Key.
- 7065635553 - StealC v2 Botnet ID.