{
  "name": "Inside Keitaro Abuse Part 2: One Platform, Many Threats",
  "slug": "inside-keitaro-abuse-part-2-one-platform-many-threats",
  "description": "This analysis examines how threat actors abuse Keitaro, an advertising performance tracker, for various malicious purposes. The report covers a wide range of threats, including malware delivery, phishing, scams, and illegal content distribution. Key findings include the use of Keitaro for cloaking and traffic distribution in malvertising campaigns, spam operations leveraging Keitaro for cryptocurrency wallet draining, and the abuse of Keitaro in investment scams. The report also highlights specific threat actors and their tactics, such as domain hijacking for adult content delivery and the use of fake arrests as clickbait for investment scams. Overall, the analysis demonstrates how Keitaro's cloaking and traffic distribution features make it attractive to cybercriminals seeking to maximize their reach with minimal effort. Keitaro is a legitimate commercial product, as is ScreenConnect (listed among this report's malware entities), and campaigns that rely on domain hijacking can involve domains that have legitimate owners, so the associated indicators should be validated in context before they are used for blocking.",
  "published": "2026-03-27T07:46:13+00:00",
  "created_at": "2026-03-27T07:46:13+00:00",
  "modified_at": "2026-03-27T08:59:09+00:00",
  "created_at_opencti": "2026-03-27T07:46:13+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-27",
    "cloaking",
    "domain hijacking",
    "donutloader",
    "keitaro",
    "phishing",
    "rustystealer",
    "screenconnect",
    "stealc",
    "traffic distribution"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "158.94.209.29"
      },
      {
        "id": "",
        "name": "62.60.226.248"
      },
      {
        "id": "",
        "name": "62.60.178.163"
      }
    ],
    "malware": [
      {
        "id": "8184fb33-b978-4407-b88e-fdd1fdf81c79",
        "name": "DonutLoader",
        "slug": "donutloader"
      },
      {
        "id": "legacy:malware:bd5e900cb57b2f39",
        "name": "StealC",
        "slug": "stealc"
      },
      {
        "id": "legacy:malware:542a5c49e125c8ca",
        "name": "RustyStealer",
        "slug": "rustystealer"
      },
      {
        "id": "legacy:malware:1e181522bb980dc7",
        "name": "ScreenConnect",
        "slug": "screenconnect"
      }
    ],
    "attack_patterns": [
      {
        "id": "75702b35-b790-4504-a1e0-7829e76f22e9",
        "name": "T1585"
      },
      {
        "id": "6babd5aa-5112-4f14-a660-60d756a65d6d",
        "name": "T1586"
      },
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "1e043fe4-2413-4b8e-887c-0fe45d095a24",
        "name": "T1583"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "29f7ff93-033b-4f8d-8691-5bcaa438c80f",
        "name": "T1592"
      },
      {
        "id": "d570881a-1f73-41ca-ad6c-fc29256c76f9",
        "name": "T1595"
      },
      {
        "id": "7616ff60-a18f-4663-9824-b889aa01c8ce",
        "name": "T1588"
      },
      {
        "id": "9c5a20d1-0df9-4e99-bcc5-0b731a78b5d1",
        "name": "T1608"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "invitezone.space"
      },
      {
        "id": "",
        "name": "meetdatefind.com"
      },
      {
        "id": "",
        "name": "digitalwealth-au.com"
      },
      {
        "id": "",
        "name": "iralfdgs.com"
      },
      {
        "id": "",
        "name": "talagram.store"
      },
      {
        "id": "",
        "name": "estrategicadesenvolvimento.com.br"
      },
      {
        "id": "",
        "name": "life-booste.com"
      },
      {
        "id": "",
        "name": "nywav.life"
      },
      {
        "id": "",
        "name": "someotherbox.com"
      },
      {
        "id": "",
        "name": "qezybu.com"
      },
      {
        "id": "",
        "name": "hublink1.space"
      },
      {
        "id": "",
        "name": "linda-makeup.com"
      },
      {
        "id": "",
        "name": "newtotalca.com"
      },
      {
        "id": "",
        "name": "bmosecure-webportal.com"
      },
      {
        "id": "",
        "name": "pilyf.life"
      },
      {
        "id": "",
        "name": "bncloginsecuriter.com"
      },
      {
        "id": "",
        "name": "mydhl725378-order442-online.com"
      },
      {
        "id": "",
        "name": "moplih.com"
      },
      {
        "id": "",
        "name": "interac-gigadat0012.info"
      },
      {
        "id": "",
        "name": "click-link.online"
      },
      {
        "id": "",
        "name": "ziqiwui.click"
      },
      {
        "id": "",
        "name": "gigadat-interac6302.com"
      },
      {
        "id": "",
        "name": "suxady.top"
      },
      {
        "id": "",
        "name": "quietfostdio.com"
      },
      {
        "id": "",
        "name": "azgrvfra.com"
      },
      {
        "id": "",
        "name": "authentifybmo.com"
      },
      {
        "id": "",
        "name": "interac-gigadat15.info"
      },
      {
        "id": "",
        "name": "gigadat-claiminterac.info"
      },
      {
        "id": "",
        "name": "etransfer-auth-cra.com"
      },
      {
        "id": "",
        "name": "boost-core.today"
      },
      {
        "id": "",
        "name": "ca24watch.com"
      },
      {
        "id": "",
        "name": "strong-tips.info"
      },
      {
        "id": "",
        "name": "top9mediatrk.com"
      },
      {
        "id": "",
        "name": "hotelbiloxi.com"
      },
      {
        "id": "",
        "name": "fedexca-orderstatus.link"
      },
      {
        "id": "",
        "name": "promoswn.shop"
      },
      {
        "id": "",
        "name": "adressinvalidepostescanada-enligne38846.info"
      },
      {
        "id": "",
        "name": "tipboost-info.com"
      },
      {
        "id": "",
        "name": "holzveredler247.com"
      },
      {
        "id": "",
        "name": "petalsage.com"
      },
      {
        "id": "",
        "name": "fitness-zenew.info"
      },
      {
        "id": "",
        "name": "dhlmanagemypack0099.com"
      },
      {
        "id": "",
        "name": "your-link.online"
      },
      {
        "id": "",
        "name": "dailycrepoton.com"
      },
      {
        "id": "",
        "name": "hublink2.space"
      },
      {
        "id": "",
        "name": "yourlnk.online"
      },
      {
        "id": "",
        "name": "talagram.online"
      },
      {
        "id": "",
        "name": "qiqaly.top"
      },
      {
        "id": "",
        "name": "fedexdelivery.ca"
      },
      {
        "id": "",
        "name": "uzelart.com"
      },
      {
        "id": "",
        "name": "yellowusheart.net"
      },
      {
        "id": "",
        "name": "the-social-spot.com"
      },
      {
        "id": "",
        "name": "promoswf.shop"
      },
      {
        "id": "",
        "name": "cibcsecurity2fa.com"
      },
      {
        "id": "",
        "name": "promoswu.shop"
      },
      {
        "id": "",
        "name": "hublink3.space"
      },
      {
        "id": "",
        "name": "rbcsecurityservices.com"
      },
      {
        "id": "",
        "name": "burkespitbbq.com"
      },
      {
        "id": "",
        "name": "cooldece.com"
      },
      {
        "id": "",
        "name": "ucaboodle.com"
      },
      {
        "id": "",
        "name": "energy-zone.top"
      },
      {
        "id": "",
        "name": "leadshub.trk-links.com"
      },
      {
        "id": "",
        "name": "gigadat-interac-0910.com"
      },
      {
        "id": "",
        "name": "rujas.biz"
      },
      {
        "id": "",
        "name": "membros.mtcreatingimages.com"
      },
      {
        "id": "",
        "name": "charityvirtue.com"
      },
      {
        "id": "",
        "name": "rbcdevice-login.com"
      },
      {
        "id": "",
        "name": "jexyni.top"
      },
      {
        "id": "",
        "name": "costcorebate-groceries2026.com"
      },
      {
        "id": "",
        "name": "hublink4.space"
      },
      {
        "id": "",
        "name": "tds.favbet.partners"
      },
      {
        "id": "",
        "name": "trending-now.today"
      },
      {
        "id": "",
        "name": "click-link.space"
      },
      {
        "id": "",
        "name": "honknft.com"
      },
      {
        "id": "",
        "name": "linkhub2.space"
      },
      {
        "id": "",
        "name": "myrbcsecureddevice.com"
      },
      {
        "id": "",
        "name": "canadapostshipment.info"
      },
      {
        "id": "",
        "name": "jaceviu.shop"
      },
      {
        "id": "",
        "name": "mygroceries2costco.com"
      },
      {
        "id": "",
        "name": "invitationlink.space"
      },
      {
        "id": "",
        "name": "gyruvi.top"
      },
      {
        "id": "",
        "name": "click-link.store"
      },
      {
        "id": "",
        "name": "cibc-registration-access-online.com"
      },
      {
        "id": "",
        "name": "parceltrackdelfedex.com"
      },
      {
        "id": "",
        "name": "investarmco.com"
      },
      {
        "id": "",
        "name": "tdonlineverif.com"
      },
      {
        "id": "",
        "name": "coreflow-news.info"
      },
      {
        "id": "",
        "name": "bnc-websecurity.com"
      },
      {
        "id": "",
        "name": "promoswh.shop"
      },
      {
        "id": "",
        "name": "terrainane.com"
      },
      {
        "id": "",
        "name": "linkhub1.online"
      },
      {
        "id": "",
        "name": "your-lnk.online"
      },
      {
        "id": "",
        "name": "invitehub.site"
      },
      {
        "id": "",
        "name": "promoswm.shop"
      },
      {
        "id": "",
        "name": "health.tenerium.org"
      },
      {
        "id": "",
        "name": "object.brovanti.com"
      },
      {
        "id": "",
        "name": "rbclogin-digital.com"
      },
      {
        "id": "",
        "name": "curated-nest.pro"
      },
      {
        "id": "",
        "name": "cra-signin-partner-id.com"
      },
      {
        "id": "",
        "name": "tdcommercial-securedlogins.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69c643d531ed0d8ae740f7dc",
    "https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/"
  ]
}