A newly discovered social engineering toolkit has distributed a wide range of phony web page overlays, generating at least 100,000 page views in a few weeks.
Domen uses a cleverly written client-side script (“template.js”) to deliver these fraudulent overlays, which are loaded as an iframe from compromised websites and displayed on top of the website’s actual legitimate content. Most of the compromised websites run on WordPress.
Every time a user visits a compromised site that has been injected with the Domen toolkit, communication takes place with a remote server hosted at asasasqwqq[.]xyz
The Domen toolkit offers the same fingerprinting (browser, language) and choice of templates using client-side (template.js) script which includes a range of browsers, desktops, and mobiles in about 30 different languages.
Unauthorized system access
Malware Hash (MD5/SHA1/SH256)