Patterns, Pirates, and Provider Action: What We Learned Working with Keitaro
Cybercriminals are widely abusing the Keitaro ad tracking software as a Traffic Distribution System (TDS) to route victims to malware, crypto drainers, and scams. By utilizing cracked licenses, advanced traffic filtering, and third-party cloaking integrations, threat actors effectively evade detection while precisely targeting users based on device and geolocation.
Authors: Infoblox Threat Intel, Confiant
Source: Infoblox
| Type | Indicator | Description |
|---|---|---|
| domain | apiexplorerzone[.]com | Confirmed TA2726 TDS domain |
| domain | rapiddevapi[.]com | Confirmed TA2726 TDS domain |
| domain | ryptosell[.]shop | Crypto scam page impersonating MAJOR crypto |
| domain | subiz[.]tds11111[.]com | Fake search page indicating malicious file download |
| domain | tds11111[.]com | Publishing affiliate domain used for malicious redirects |
Key Takeaways
- Threat actors heavily abuse the Keitaro ad tracker as a Traffic Distribution System (TDS) and cloaking layer for malware, spam, and malvertising.
- Actors leverage cracked or stolen Keitaro licenses (especially versions 7-9) to bypass validation and operate malicious infrastructure.
- Cookie collisions occur across different campaigns due to shared or stolen licenses, complicating threat actor attribution.
- Third-party cloaking kits like HideClick and Adspect are integrated into Keitaro flows to evade detection by bots and security scanners.
- Threat actors exploit domain registrar promotions to bulk-register infrastructure for their campaigns.
Affected Systems
- Web Browsers
- Adtech Supply Chains
- Windows PCs
- Android Devices
Attack Chain
Threat actors acquire domains in bulk, often during registrar promotions, and deploy cracked versions of the Keitaro tracker. They configure Keitaro as a Traffic Distribution System (TDS) using custom flows, filters, and third-party cloaking kits (like HideClick or Adspect) to fingerprint incoming traffic. Victims are lured via spam emails or malvertising; upon clicking, Keitaro evaluates their device, OS, and IP. Targeted users are seamlessly redirected to malicious payloads such as SocGholish or crypto drainers, while bots and security scanners are served benign decoy pages.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules (YARA, Sigma, etc.) are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Low. TDS routing and cloaking occur entirely server-side, before any payload is delivered to the endpoint.
- Network Visibility: High. Network telemetry can capture DNS queries to known TDS domains, HTTP redirect chains, and specific Keitaro tracking cookies.
- Detection Difficulty: Hard. Keitaro is a legitimate tool, and threat actors use advanced cloaking and conditional routing to hide malicious landing pages from analysts and automated scanners.
Required Log Sources
- DNS Logs
- Web Proxy Logs
- HTTP/HTTPS Traffic Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Search web proxy logs for HTTP responses setting 5-character alphanumeric cookies or specific Keitaro cookies (_token, _subid) followed by rapid redirects to suspicious or newly registered domains. | Web Proxy Logs | Delivery | Medium |
| Monitor for unexpected inline JavaScript execution that replaces DOM content without a full page reload, potentially indicating KClient JS abuse. | Web Proxy Logs / Browser Telemetry | Delivery | High |
Control Gaps
- Lack of strict Content Security Policies (CSP) allowing unsafe-inline scripts
- Standard web filters cannot see past server-side cloaking: the TDS serves the malicious landing page only to visitors whose device, OS, and IP match the targeting filters, so a scanner that fetches the URL sees a benign decoy
Key Behavioral Indicators
- Presence of Keitaro default cookies (_token, _subid)
- 5-character alphanumeric cookies from older Keitaro versions
- High volume of DNS queries to newly registered domains during registrar promotions
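The first hunting hypothesis above (a Keitaro-style cookie followed by a rapid redirect to a suspicious or newly registered domain) and the Key Behavioral Indicators it draws on can be turned into a small log-sweep. The following is an added example, not code from the Infoblox/Confiant report: the JSON proxy log schema (`ts`, `client_ip`, `host`, `status`, `set_cookie`, `location`), the `REGISTRATION_DATES` lookup and the sample log lines are all constructed, and the `.example` hostnames are placeholders rather than indicators from the page.

```python
"""Hunt for the Keitaro-style cookie-then-redirect chain over web proxy logs.

Added example, not code from the Infoblox/Confiant report: the JSON log
schema, the REGISTRATION_DATES lookup and the sample lines are constructed.
"""
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Cookie names the report associates with Keitaro: the defaults (_token, _subid)
# and the 5-character alphanumeric names set by older versions (e.g. 3mt5l).
KEITARO_DEFAULT_COOKIES = {"_token", "_subid"}
SHORT_COOKIE_RE = re.compile(r"^[A-Za-z0-9]{5}$")

REDIRECT_WINDOW_SECONDS = 5   # Set-Cookie -> redirect gap that still counts as one chain
NEWLY_REGISTERED_DAYS = 30    # target domain younger than this raises severity

# Constructed registration dates; in production use RDAP/WHOIS or a passive-DNS
# first-seen feed instead of a static table.
REGISTRATION_DATES = {
    "tracker.example": "2024-01-10",
    "landing-abc.example": "2025-08-29",
}

# Constructed proxy log lines: one JSON object per HTTP response observed.
SAMPLE_LOG = [
    '{"ts":"2025-09-01T12:00:00+00:00","client_ip":"10.0.0.5","host":"tracker.example","status":200,"set_cookie":["3mt5l=q9x; Path=/","_subid=abc123; Path=/"]}',
    '{"ts":"2025-09-01T12:00:01+00:00","client_ip":"10.0.0.5","host":"tracker.example","status":302,"location":"https://landing-abc.example/offer"}',
    '{"ts":"2025-09-01T12:01:00+00:00","client_ip":"10.0.0.7","host":"shop.example","status":200,"set_cookie":["sessionid=77f2; Path=/; HttpOnly"]}',
    '{"ts":"2025-09-01T12:01:01+00:00","client_ip":"10.0.0.7","host":"shop.example","status":302,"location":"https://cdn.example/checkout"}',
    '{"ts":"2025-09-01T12:05:00+00:00","client_ip":"10.0.0.9","host":"tracker.example","status":200,"set_cookie":["_token=zz; Path=/"]}',
    '{"ts":"2025-09-01T12:05:01+00:00","client_ip":"10.0.0.9","host":"tracker.example","status":301,"location":"https://tracker.example/landing"}',
]
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)


def cookie_name(set_cookie: str) -> str:
    """Name part of a Set-Cookie header value ("name=value; attrs")."""
    return set_cookie.split("=", 1)[0].strip()


def looks_like_keitaro_cookie(name: str) -> bool:
    return name in KEITARO_DEFAULT_COOKIES or bool(SHORT_COOKIE_RE.match(name))


def domain_age_days(host: str, now: datetime):
    """Days since registration, or None when the domain is not in the lookup."""
    registered = REGISTRATION_DATES.get(host)
    if registered is None:
        return None
    registered_at = datetime.fromisoformat(registered).replace(tzinfo=timezone.utc)
    return (now - registered_at).days


def parse_line(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def hunt(lines, now: datetime):
    """One finding per client that received a Keitaro-looking cookie and was
    then redirected to a different domain within REDIRECT_WINDOW_SECONDS."""
    events = sorted((parse_line(line) for line in lines), key=lambda r: r["ts"])
    pending = {}   # client_ip -> (ts, host, cookie) of the last suspicious Set-Cookie
    findings = []
    for ev in events:
        ip = ev["client_ip"]
        for raw in ev.get("set_cookie", []):
            name = cookie_name(raw)
            if looks_like_keitaro_cookie(name):
                pending[ip] = (ev["ts"], ev["host"], name)
        location = ev.get("location")
        if not (300 <= ev["status"] < 400 and location and ip in pending):
            continue
        set_ts, tds_host, cookie = pending[ip]
        target = urlparse(location).hostname
        gap = (ev["ts"] - set_ts).total_seconds()
        # Same-host redirects are normal for trackers; only cross-domain hops count.
        if not target or target == tds_host or gap > REDIRECT_WINDOW_SECONDS:
            continue
        age = domain_age_days(target, now)
        findings.append({
            "client_ip": ip,
            "cookie": cookie,
            "tds_host": tds_host,
            "redirect_to": target,
            "gap_seconds": gap,
            "target_age_days": age,
            # A freshly registered target matches the bulk-registration pattern.
            "severity": "high" if age is not None and age < NEWLY_REGISTERED_DAYS else "medium",
        })
        del pending[ip]
    return findings


def run_sample():
    return hunt(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(json.dumps(finding))
```

On the constructed sample this yields a single high-severity finding for 10.0.0.5 (a `_subid` cookie from `tracker.example`, redirected one second later to a domain registered three days earlier); the `sessionid` cookie and the same-host 301 are left alone. The 5-character pattern is the main source of the medium false-positive rate noted below, so the domain-age field is what separates the interesting hits from ordinary affiliate traffic.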
False Positive Assessment
- Medium. Keitaro is a legitimate ad-tracking software used by benign marketers. Blocking all Keitaro infrastructure or cookies may impact legitimate advertising and affiliate marketing flows.
Recommendations
Immediate Mitigation
- Block the provided TA2726 and scam-related domains and IP addresses at the firewall and DNS levels.
Infrastructure Hardening
- Implement strict Content Security Policies (CSP) on web properties, specifically avoiding 'unsafe-inline' to mitigate KClient JS DOM swapping.
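A quick way to audit whether a site's CSP actually closes the inline-script gap is to parse the header rather than grep for the keyword, because under CSP Level 2 and later a nonce or hash source in the same directive makes browsers ignore `'unsafe-inline'`. The checker below is an added example, not from the report or from any project; `WEAK` and `HARDENED` are constructed headers and the nonce value is a placeholder.

```python
"""Check whether a Content-Security-Policy still lets inline scripts run.

Added example, not from the report. WEAK and HARDENED are constructed headers;
the nonce value is a placeholder.
"""


def parse_csp(header: str) -> dict:
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy: dict):
    """script-src, falling back to default-src as the spec requires; None when
    the policy places no restriction on scripts at all."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_allowed(header: str) -> bool:
    sources = script_sources(parse_csp(header))
    if sources is None:
        return True   # no script-src and no default-src: nothing blocks inline code
    if "'unsafe-inline'" not in sources:
        return False
    # CSP Level 2 and later: a nonce or hash in the same directive makes the
    # browser ignore 'unsafe-inline', so the keyword alone is not the whole story.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return not has_nonce_or_hash


WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'"
HARDENED = "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'"

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: inline scripts allowed = {inline_script_allowed(header)}")
```

Run it against the policy your web property actually sends (for example from a response captured in the proxy logs); a `True` result means an injected inline script of the kind KClient JS relies on would execute unhindered.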
User Protection
- Deploy ad-blocking extensions and robust web filtering to protect users from malvertising and known TDS networks.
Security Awareness
- Educate users on the risks of clicking links in unsolicited emails, particularly those offering cryptocurrency airdrops or government dividends.
MITRE ATT&CK Mapping
- T1583.001 - Acquire Infrastructure: Domains
- T1584.004 - Compromise Infrastructure: Server
- T1189 - Drive-by Compromise
- T1027 - Obfuscated Files or Information
- T1566.002 - Phishing: Spearphishing Link
Additional IOCs
- IPs:
  - 104[.]21[.]9[.]36 - Cloudflare IP associated with subiz[.]tds11111[.]com
  - 172[.]67[.]141[.]109 - Cloudflare IP associated with subiz[.]tds11111[.]com
  - 188[.]114[.]97[.]3 - Cloudflare IP associated with tonamlchecks[.]com
- Domains:
  - blessedwirrow[.]org - Confirmed TA2726 domain
  - rednosehorse[.]com - Confirmed TA2726 domain
  - digdonger[.]org - Confirmed TA2726 domain
  - fetchapiutility[.]com - Confirmed TA2726 domain
  - scyphoserippleepidosite[.]com - Landing page domain routed from subiz[.]tds11111[.]com
  - tonamlchecks[.]com - Domain associated with scam page
  - hmedshop[.]shop - Domain running outdated Keitaro version 9 with cracked license
  - juxysij[.]hkjhsuies[.]com[.]es - Domain running outdated Keitaro version 9 with cracked license
  - swim39[.]ru - Domain running outdated Keitaro version 9 with cracked license
  - sunpetalra[.]com - Domain used in fake Russian government dividend income scam
- Other:
  - _token - Standard Keitaro tracking cookie
  - _subid - Standard Keitaro tracking cookie
  - 3mt5l - Example of a 5-character alphanumeric cookie used in older Keitaro versions