Threat Actors Hide Behind School-Themed Domains In Newly Uncovered Bulletproof Infrastructure


Researchers have uncovered a sophisticated traffic distribution system (TDS) hiding behind education-themed domains. The operation uses bulletproof hosting to deliver phishing pages, scams, and malware files.

Analysts triaged a first-stage JavaScript loader from hxxps[:]//toxicsnake-wifes[.]com/promise/script.js. This revealed a commodity cybercrime farm routing victims to harmful payloads.

The main domain, toxicsnake-wifes[.]com, acts as a TDS node. Its loader requests db.php with a session token.

During analysis of the malware files, the second stage returned an HTTP 504 Gateway Timeout, indicating upstream issues.

Static and dynamic checks in an isolated VM, plus OSINT, confirmed the setup. The infrastructure shares WHOIS details such as the contact email oreshnik@mailum[.]com and Regway nameservers.

It sits in HZ Hosting Ltd’s AS202015 block (185.33.84.0/23), a known bulletproof provider.

Multiple domains follow the same pattern, using education lures like “university” branding.

Related sites include pasangiklan[.]top, asangiklan[.]top, ourasolid[.]com, refanprediction[.]shop, and xelesex[.]top.

VirusTotal and sandbox data show past payload deliveries. This points to an operator cluster, not isolated incidents.

Technical Breakdown

The first-stage JavaScript XOR-decodes an obfuscated string to build the remote loader URL. It generates a random token, sets a localStorage flag so it runs only once per browser, and fetches /promise/db.php? with that token appended.

This TDS endpoint fingerprints visitors by user-agent, referrer, and geolocation before redirecting them to phishing or malware.

Runtime tests in a VM browser confirmed this behaviour: the loader reached the endpoint but received a 504, likely because the upstream C2 was blocked.

DNS resolution and network scans pointed to IPs including 185.33.84.152 and 185.33.84.189. Let’s Encrypt certificates are valid from December 23, 2025, to March 23, 2026, consistent with short-lived burner infrastructure.

OSINT pivots on the email and Regway DNS uncovered the cluster. Passive DNS and crt.sh logs showed no SAN siblings but confirmed issuance. Reverse IP queries revealed single-tenant VPS use.

IOC Category   Details
Domains        toxicsnake-wifes[.]com, pasangiklan[.]top, asangiklan[.]top, ourasolid[.]com, refanprediction[.]shop, xelesex[.]top
URLs           hxxps[:]//toxicsnake-wifes[.]com/promise/script.js, /promise/db.php?
IPs            185.33.84.152, 185.33.84.189 (185.33.84.0/23)
ASN            AS202015 (HZ Hosting Ltd)
Nameservers    dns1-4.regway[.]com
Email          oreshnik@mailum[.]com

Tactics and Risks

Actors use obfuscation, dynamic injection, and tokenization for evasion. TDS routes based on victim profile to scams, credential theft, or droppers.

Goals center on financial gain via phishing or info-stealers. Risks include wallet drains or persistent access.

The education theme tricks users into clicking, mimicking safe school sites. Bulletproof hosting resists takedowns, enabling persistence.

Site owners should take affected domains offline, restore from clean backups, and rotate credentials. Scan for injected files such as script.js. Users should avoid these domains and use isolated VMs for any testing.

Report to the abuse contact for HZ Hosting Ltd (AS202015), Regway, and Let’s Encrypt. Submit samples to VirusTotal and Hybrid Analysis. SOC teams can hunt for tokenized GETs to /db.php or for any traffic to IPs in 185.33.84.0/23.
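The loader behaviour described in the Technical Breakdown and the SOC hunting guidance above suggest a simple detection. The following Python filter is an added example, not code from the original report: it runs over constructed proxy log lines (not real captures) and flags tokenized GETs to a /db.php path and any connection into 185.33.84.0/23. The log field layout is an assumption; adapt the split to your proxy's format.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# IOCs from the report: the bulletproof /23 and the TDS endpoint path.
BULLETPROOF_NET = ipaddress.ip_network("185.33.84.0/23")
TDS_PATH_RE = re.compile(r"/db\.php$")

# Constructed proxy log lines (not real captures). Assumed layout:
# <timestamp> <client_ip> <dest_ip> <method> <url> <status>
SAMPLE_LOG = """\
2025-12-24T10:01:02Z 10.0.0.5 185.33.84.152 GET https://toxicsnake-wifes.com/promise/db.php?k=9f3a1c7e 504
2025-12-24T10:01:03Z 10.0.0.5 203.0.113.10 GET https://example.org/index.html 200
2025-12-24T10:02:11Z 10.0.0.9 185.33.85.17 GET https://pasangiklan.top/ 200
2025-12-24T10:03:44Z 10.0.0.7 198.51.100.20 GET https://shop.example.net/db.php 200
"""

def classify(line):
    """Return the reasons a log line matches the TDS hunt, or [] if clean."""
    ts, client, dest, method, url, status = line.split()
    reasons = []
    if ipaddress.ip_address(dest) in BULLETPROOF_NET:
        reasons.append(f"dest {dest} in {BULLETPROOF_NET}")
    parts = urlsplit(url)
    # Tokenized GET: db.php with a non-empty query string, as the loader sends.
    # A plain /db.php without a token (a legitimate site) does not match.
    if method == "GET" and TDS_PATH_RE.search(parts.path) and parse_qs(parts.query):
        reasons.append(f"tokenized GET to {parts.path}")
    return reasons

def hunt(log_text):
    """Map each matching client IP to the reasons its traffic was flagged."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits.setdefault(line.split()[1], []).extend(reasons)
    return hits

if __name__ == "__main__":
    for client, reasons in hunt(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```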

This TDS farm highlights commodity threats evolving with disposable infra. Vigilance against themed lures remains key as bulletproof networks grow.
