Security researchers have exposed a significant cyber threat campaign utilizing deceptive education-themed malicious domains to distribute malware and facilitate phishing attacks. This operation, identified by cybersecurity analysts and tracked under infrastructure indicators pointing to TOXICSNAKE, weaponizes the trust users place in educational institutions by creating fake websites that mimic legitimate university and college portals. This social engineering tactic allows cybercriminals to prey on unsuspecting individuals through commodity malware-as-a-service operations.
The sophisticated multi-stage attack chain begins when users are enticed to visit these counterfeit educational landing pages. Upon arrival, obfuscated JavaScript code executes automatically within their browsers, initiating an infection sequence. The initial loader, discovered on a domain identified as toxicsnake-wifes[.]com, contains a hidden decoder. This decoder constructs a remote URL and injects malicious code into the compromised page. To evade detection and prevent repeated executions, a one-time flag is stored in the browser’s local storage.
Infrastructure and Evasion Tactics Behind Education-Themed Malicious Domains
The infrastructure powering this campaign is designed for stealth and resilience, relying heavily on bulletproof hosting providers. Specifically, HZ Hosting Ltd, operating under ASN AS202015, offers a permissive abuse policy, allowing the malicious operators to function with a low risk of disruption. The domains are registered using disposable WHOIS information and utilize Regway nameservers, a common characteristic observed among cybercriminals in the Commonwealth of Independent States (CIS) region.
All identified malicious domains resolve to IP addresses within the 185.33.84.0/23 netblock. Each domain is assigned a dedicated IP address, a deliberate strategy to thwart broad IP-based blocking by security systems. The attackers also leverage automated certificate generation through Let’s Encrypt, securing free TLS certificates with ninety-day validity periods. This rapid renewal process enables swift domain replacement and continuous infrastructure rotation, making the threat more persistent.
The obfuscated JavaScript loader further enhances evasion through tokenization. This process generates unique session identifiers for each visitor, effectively preventing security sandboxes from accurately analyzing the threat. By routing different analysis environments to benign content, the system ensures that actual payloads are delivered only to genuine victims, not to security researchers or automated analysis tools.
Macs-Hit analysts first identified this malware infrastructure after recovering the aforementioned JavaScript loader. The domain toxicsnake-wifes[.]com functions as a traffic distribution system (TDS) node, directing victims to various payloads based on specific criteria such as their geographic location, device type, and browser information. When researchers attempted to fetch the upstream payloads during their investigation, they received HTTP 504 errors, indicating that the upstream infrastructure was inactive or blocked at the time of analysis.
This operation is not an isolated incident but part of a coordinated cluster of domains exhibiting identical operational security patterns. Related domains that have been identified and share these characteristics include pasangiklan[.]top, asangiklan[.]top, ourasolid[.]com, refanprediction[.]shop, and xelesex[.]top. These domains also feature similar education-themed branding and operate from comparable infrastructure, suggesting a unified and organized effort by the threat actors.
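The per-domain dedicated IPs described above only defeat blocking at the level of individual addresses; the whole cluster still sits in one /23, so a defender can match on the netblock and catch rotated domains that never appear on a published list. The script below is an added example (not code from the report or from Macs-Hit) that refangs the published indicators, then triages a set of constructed domain-to-IP observations against both the domain list and the 185.33.84.0/23 netblock. The resolution data in SAMPLE_RESOLUTIONS is invented for the example and is not taken from the report.

```python
import ipaddress
import re

# Indicators as published in the report, kept in defanged form.
REPORTED_NETBLOCK = ipaddress.ip_network("185.33.84.0/23")
REPORTED_DOMAINS = [
    "toxicsnake-wifes[.]com",
    "pasangiklan[.]top",
    "asangiklan[.]top",
    "ourasolid[.]com",
    "refanprediction[.]shop",
    "xelesex[.]top",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://...') back into plain form."""
    s = indicator.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        s = s.replace(bracketed, ".")
    # hxxp:// and hxxps:// are common defanged scheme spellings.
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s


def defang(indicator: str) -> str:
    """Defang a domain or IP so it cannot be clicked when pasted into a ticket."""
    return indicator.replace(".", "[.]")


def in_reported_netblock(ip: str) -> bool:
    """True if the address falls inside the /23 the report attributes to the cluster."""
    return ipaddress.ip_address(ip) in REPORTED_NETBLOCK


def triage(observations):
    """Map each matching domain to the reasons it matched.

    observations: iterable of (domain, resolved_ip) pairs, e.g. from passive DNS
    or proxy logs. A domain that is not on the published list but resolves into
    the reported netblock is still flagged, which is the point of the CIDR check.
    """
    known = {refang(d) for d in REPORTED_DOMAINS}
    hits = {}
    for domain, ip in observations:
        d = refang(domain)
        reasons = []
        if d in known:
            reasons.append("known-domain")
        if in_reported_netblock(ip):
            reasons.append("reported-netblock")
        if reasons:
            hits[d] = reasons
    return hits


# Constructed sample observations for the example; NOT resolution data from the report.
SAMPLE_RESOLUTIONS = [
    ("toxicsnake-wifes[.]com", "185.33.84.17"),     # listed domain, inside /23
    ("pasangiklan.top", "185.33.85.42"),            # listed domain, upper half of /23
    ("new-rotated.example", "185.33.84.200"),       # unlisted domain, inside /23
    ("unrelated-college.example", "203.0.113.9"),   # benign, outside /23
    ("another-site.example", "185.33.86.1"),        # first address just past the /23
]


def report(observations=SAMPLE_RESOLUTIONS):
    """Print a defanged summary of every hit; returns the triage result."""
    hits = triage(observations)
    for domain, reasons in sorted(hits.items()):
        print(f"{defang(domain)}: {', '.join(reasons)}")
    return hits


if __name__ == "__main__":
    report()
```

The netblock test is the one that survives domain rotation: when the operators stand up a fresh education-themed domain with a new Let's Encrypt certificate on another address in the same /23, the domain list misses it but the CIDR check does not. Treat the /23 as a block-or-alert candidate after confirming nothing legitimate of yours resolves there.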
The security community is actively monitoring the TOXICSNAKE infrastructure and the broader landscape of deceptive domain usage. The continuous evolution of these tactics necessitates ongoing vigilance from both cybersecurity firms and end-users. The reliance on bulletproof hosting and automated certificate issuance highlights the persistent challenges in disrupting such operations. Future efforts will likely focus on identifying and mitigating the underlying hosting infrastructure and on raising public awareness about the risks associated with clicking on unsolicited links, particularly those masquerading as legitimate educational resources.