Security researchers have uncovered a sophisticated traffic distribution network leveraging deceptive education-themed domains to deliver malware and phishing attacks.
The operation, tracked under infrastructure indicators pointing to TOXICSNAKE, uses legitimate-looking university and educational institution branding to deceive users into visiting malicious websites.
This tactic exploits the trust users place in educational platforms, making it an effective social engineering vector for cybercriminals operating commodity malware-as-a-service operations.
The attack campaign centers on a multi-stage delivery mechanism designed to distribute malware, phishing content, and scam landing pages to victims.
Initial access begins when users encounter deceptively branded landing pages mimicking real educational institutions. Once visitors arrive at these fake education portals, obfuscated JavaScript code automatically executes within their browsers, initiating the infection chain.
The first-stage loader contains a hidden decoder that constructs a remote URL and injects malicious code into the page, while simultaneously storing a one-time execution flag in browser storage to avoid repeated detections.
Macs-Hit analysts identified the malware infrastructure after recovering a JavaScript loader from the domain toxicsnake-wifes[.]com, which acts as a traffic distribution system (TDS) node designed to route victims toward different payloads based on their geographic location, device type, and browser information.
The second stage attempts to fetch upstream payloads, though researchers encountered HTTP 504 errors during their investigation, indicating inactive or blocked upstream infrastructure at the time of analysis.
The investigation revealed that this is not an isolated incident but rather part of a coordinated cluster of domains sharing identical operational security patterns.
Related domains include pasangiklan[.]top, asangiklan[.]top, ourasolid[.]com, refanprediction[.]shop, and xelesex[.]top, all bearing the same education-themed branding and operating from similar infrastructure.
Infrastructure and Evasion Tactics
The entire operation runs through bulletproof hosting providers, specifically HZ Hosting Ltd (ASN AS202015), which maintains a permissive abuse policy.
The malicious domains are registered using disposable WHOIS information and rely on Regway nameservers, a common pattern among CIS-region cybercriminals.
All domains resolve to IP addresses within the 185.33.84.0/23 netblock, with each domain assigned a dedicated IP address—a tactic designed to evade broad IP-based blocking.
The attackers leverage automated certificate generation through Let’s Encrypt, obtaining free TLS certificates valid for ninety-day periods. This approach enables rapid domain replacement and infrastructure rotation.
The obfuscated JavaScript loader implements tokenization to create unique session identifiers per visitor, preventing security sandboxes from accurately analyzing the threat by routing different analysis environments to benign content while delivering actual payloads to real victims.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
