NEWS Have You Downloaded Windows 11? Check Your Accounts: They Might Not Be Yours Anymore

Hackers are marketers too. Now they count "clicks" on trojans.

According to a DomainTools report, a financially motivated cybercriminal group deployed a large-scale infrastructure of fake websites masquerading as government tax services, banking applications, adult content (18+) pages, and software for Windows. The campaign began in the fall of 2024 and involved over 80 domains used to distribute trojans for Android and Windows. The attackers' primary goals are stealing credentials and financial information, as well as gaining access to systems through fake login forms.

One facet of this scheme involved sites posing as official Windows installation pages. These resources prompted users to download what was purported to be a "system installation helper," which was actually malware. To bypass security filters, the attackers used unusual obfuscation methods, including excessively long URLs with numerous spaces (encoded as %20). This structure complicates automated link analysis and can confuse systems that use regular expressions to search for suspicious patterns.
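The %20-padding trick described above defeats word-bounded keyword filters because "%20" glues neighbouring tokens into one run of word characters. The following is an added example (not code from the report or from the post above) showing how a defender can percent-decode and collapse whitespace before matching, and flag URLs with an abnormal amount of encoded spaces; the sample URLs and thresholds are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample URLs (not from the report), imitating the padded form described above.
PADDED_URL = (
    "https://windows11-download.invalid/setup/"
    + "%20" * 60
    + "Windows%2011%20Installation%20Assistant"
    + "%20" * 60
    + ".exe"
)
PLAIN_URL = "https://example.invalid/downloads/notes.pdf"

# A word-bounded keyword filter of the kind the padding is meant to confuse.
KEYWORD_RE = re.compile(r"\b(installation|setup|assistant)\b", re.IGNORECASE)


def normalize_url(url, max_rounds=3):
    """Percent-decode until stable (undoes double encoding), then collapse whitespace runs."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return re.sub(r"\s+", " ", url).strip()


def keyword_hits(text):
    """Lower-cased, de-duplicated keyword matches in the given string."""
    return sorted({m.lower() for m in KEYWORD_RE.findall(text)})


def analyze_url(url, space_threshold=20, length_threshold=300):
    """Indicators for the padding trick: encoded-space count, shrinkage after
    normalization, and keyword hits before versus after normalization."""
    normalized = normalize_url(url)
    encoded_spaces = len(re.findall(r"%20", url, re.IGNORECASE))
    return {
        "raw_length": len(url),
        "normalized_length": len(normalized),
        "encoded_spaces": encoded_spaces,
        "hits_raw": keyword_hits(url),            # what a filter sees on the raw URL
        "hits_normalized": keyword_hits(normalized),
        "padded": encoded_spaces >= space_threshold or len(url) >= length_threshold,
    }


if __name__ == "__main__":
    for u in (PADDED_URL, PLAIN_URL):
        print(analyze_url(u))
```

On the padded sample the raw URL yields only the "setup" hit, while the normalized form also exposes "installation" and "assistant", and the encoded-space count alone is enough to flag it.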

A distinctive feature of the campaign was the use of tracking tools typical for advertising networks. Embedded Facebook* trackers were discovered in the code of the landing pages. This indicates that the attack is built on the principles of digital marketing: the criminals tracked "conversions," meaning the number of users who clicked on the malicious link, and likely attracted traffic through paid advertising campaigns.

The infrastructure associated with this activity includes the domain registrars PDR Ltd. d/b/a PublicDomainRegistry.com and GMO Internet, while hosting was provided by BL Networks and H2nexus Ltd. The predominant top-level domains used were .pro, .shop, .com, .icu, and .top. For registration, the attackers used temporary email domains like fviainboxes.com, dropjar.com, replyloop.com, yopmail.com, robot-mail.com, and protonmail.com. This highlights their intent to operate anonymously and to quickly change their infrastructure after blocks or complaints.

The most active fake resources mimicked TikTok, YouTube, and gambling platforms marked 18+. Other domains posed as websites of major banks and crypto exchanges, including USAA, PMC, Bloomberg, and Binance. A separate part of the network was used to distribute fake Windows 11 installers and TrustCon VPN applications, creating an illusion of legitimacy and enticing users to download infected files. Visually, these pages copied the design of the original sites, and clicking the "Download" button initiated the download of a trojan disguised as an official installer.

Based on the nature and organization of the infrastructure, the campaign resembles the work of a "black market agency," where the main goal is the scale and efficiency of deception, not technical perfection. The criminals use templated website builders that allow for rapid design cloning for any theme, which speeds up the deployment of new pages and complicates the fight against them. This strategy ensures constant domain renewal and evasion of blocks, browser warnings, and threat lists.

The social and psychological techniques used in these attacks pose a particular danger. The main bet is placed on curiosity and the desire to access "forbidden" or exclusive content. Victims of such tricks are often embarrassed to report the incident, which allows malicious campaigns to exist longer and remain undetected by antivirus systems and researchers.

An analysis of the infrastructure shows that the campaign is persistent and will likely continue with new sets of domains and themes. Users should exercise increased caution when clicking on links, especially those leading to pages offering downloads of applications related to banking, social networks, or system tools. Visual similarity to original sites does not guarantee their safety—in many cases, it is the forgery that turns out to be the most dangerous.