Magecart's fifth team began using KPOT for data-stealing activities
In August 2019, a fifth Magecart team was observed using the KPOT Trojan to conduct data-stealing activities. KPOT is an information-stealer malware family that targets sensitive data on infected systems. This activity was monitored by Antiy CERT and reported via AlienVault OTX. Although no specific affected software versions or known exploits in the wild have been identified, the malware is associated with Magecart, a well-known cybercriminal group specializing in digital skimming and data theft. The threat is assessed as medium severity because of its potential to compromise the confidentiality and integrity of data, with limited public details on exploitation ease or scope. European organizations, especially those operating e-commerce platforms or handling payment data, could be targeted. Mitigation requires enhanced endpoint detection, network monitoring for unusual data exfiltration, and user awareness to prevent infection. Countries with significant e-commerce sectors and historical Magecart activity, such as the UK, Germany, and France, are likely more at risk. Overall, defenders should prioritize detection and response capabilities focused on malware that steals credentials and payment information.
AI Analysis
Technical Summary
The threat involves a Magecart-affiliated cybercriminal team that began leveraging KPOT Trojan malware in August 2019 to conduct data stealing operations. KPOT is an information stealer malware family known for harvesting credentials, cookies, and other sensitive information from infected endpoints. Magecart groups are notorious for targeting online payment systems by injecting malicious code into e-commerce websites to skim payment card data. The use of KPOT by this fifth Magecart team represents an evolution in their tactics, shifting from purely web-based skimming to endpoint malware to broaden their data theft capabilities. The monitoring by Antiy CERT indicates active campaigns, although no specific software vulnerabilities or affected product versions have been disclosed. The lack of known public exploits suggests that infection vectors may rely on phishing, social engineering, or exploitation of unpatched systems. The medium severity rating reflects the potential impact on confidentiality and integrity of sensitive data, balanced against the limited information on exploitation ease and scope. The threat underscores the importance of comprehensive security controls that cover both web application security and endpoint protection to detect and prevent data theft by sophisticated malware like KPOT.
Potential Impact
For European organizations, the KPOT malware used by Magecart poses a significant risk to the confidentiality and integrity of sensitive data, particularly payment card information and user credentials. Successful infections can lead to financial fraud, reputational damage, regulatory penalties under GDPR, and loss of customer trust. Organizations operating e-commerce platforms or handling large volumes of payment data are especially vulnerable. The malware’s ability to steal data from endpoints can bypass traditional web application firewalls and skimming detection, making detection more challenging. This threat could disrupt business operations if data breaches lead to investigations or remediation efforts. Additionally, compromised credentials can facilitate further lateral movement or escalation within corporate networks. The medium severity suggests that while the threat is serious, it may require user interaction or specific infection vectors, limiting its immediate widespread impact. Nonetheless, the financial and regulatory consequences for European entities could be substantial if the malware is not detected and mitigated promptly.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy to mitigate KPOT-related threats. This includes deploying advanced endpoint detection and response (EDR) solutions capable of identifying KPOT malware signatures and anomalous behaviors such as credential harvesting or unusual network connections. Network monitoring should focus on detecting suspicious outbound traffic indicative of data exfiltration. Regular phishing awareness training is critical to reduce the risk of initial infection via social engineering. Organizations should enforce strict application whitelisting and least privilege principles to limit malware execution. Patch management must be rigorous to close vulnerabilities that could be exploited to deliver KPOT. Additionally, implementing multi-factor authentication (MFA) can reduce the impact of stolen credentials. For e-commerce platforms, continuous monitoring for Magecart-style skimming scripts and integrity checks of web assets are recommended. Incident response plans should be updated to include KPOT-specific detection and containment procedures. Collaboration with threat intelligence providers can enhance early warning and contextual understanding of emerging Magecart campaigns.
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://mp.weixin.qq.com/s/zgBxZUaY48mEPKTSqvfr8A
- Adversary: Magecart
- Pulse Id: 5d8dcf197ec3aea4d3e338df
- Threat Score: null
Threat ID: 6932ccd6f88dbe026ca84070
Added to database: 12/5/2025, 12:15:18 PM
Last enriched: 12/5/2025, 12:30:15 PM
Last updated: 12/6/2025, 4:20:54 AM