SecuritySnack: 18+E-Crime
A financially motivated cybercrime operation has been identified, targeting users with over 80 spoofed domain names and lure websites. The campaign, which began in September 2024, focuses on government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications. The actors use these domains to deliver Android and Windows trojans, likely for credential theft. The operation employs common techniques such as spoofed domains and lure websites, prioritizing scale and conversion rates over technical sophistication. The most common lures exploit curiosity and desire, making victims less likely to report infections. Users are advised to be cautious when encountering unfamiliar links or download prompts.
AI Analysis
Technical Summary
The SecuritySnack: 18+E-Crime campaign is a financially motivated cybercrime operation documented by DomainTools Investigations (the reference linked under Technical Details) and shared as an AlienVault OTX pulse; it has been active since September 2024. It relies on a network of more than 80 spoofed domains and lure websites that impersonate government tax portals, consumer banks and brokerages, adult ("18+") social media content, and Windows download or "center" sites. The objective is to deliver Android and Windows trojans, most likely for credential theft, which then feeds financial fraud or identity theft.

The indicator list on this page shows how the lures are built. The domains cluster around a small number of impersonated brands: the Australian Taxation Office (au-ato.com, au-ato.info, au-ato.org, atotax.icu, gettaxato.icu, authtax.icu), US banks and brokerages (the huntington-*, fidelity-*, arvest-login, becu, fnbo-access, id-tradestation, interactvebroker and etrade* names), Binance (binance-copytrading.pro), a few European brands such as app-degiro.life, and what appear to be hospitality management platforms (admin-octorate.icu, app-lodgify.today, app-mews.life, avaibook.today). Several names rely on character substitutions that survive a quick glance: banklnq and solarlsqroup (l for i, q for g), flrstrade (l for i), fidellity and 18pllus (a doubled l), interactvebroker (a dropped letter). Others are interchangeable download-site names (ms32-download.pro, corp-ms32-download.pro, cloud-m32s-center.pro, getdownload-mscenter.com, download-center-io.pro, center-download.pro), and confirmation-id1174.com through confirmation-id1177.com form a numbered sequence, consistent with domains being registered in batches and rotated. Cheap generic TLDs (.icu, .pro, .run, .today, .digital, .life, .top) dominate, which is itself a useful filtering signal.

The tradecraft favours scale and conversion rate over technical sophistication. No software vulnerability is exploited, and the page lists no affected product versions or patches: the delivery chain depends entirely on a user visiting a spoofed site and installing what it offers, so the relevant controls are filtering, monitoring and user behaviour rather than patching. The lures exploit curiosity and desire, and a victim who installed an "18+" app or a fake tax tool is less likely to report the infection, which lowers both reporting and detection rates. The pulse is tagged with MITRE ATT&CK T1566 (Phishing), T1587 (Develop Capabilities) and T1608 (Stage Capabilities); the domain registration itself corresponds to T1583.001 (Acquire Infrastructure: Domains). The three 64-character hashes listed are SHA-256 values, presumably of the trojan samples; the page does not say which platform each belongs to. The ten email addresses use disposable-mail providers, and the page does not state their role, though in a domain-focused report they are most plausibly registrant contacts.
Potential Impact
For European organizations, the impact of this campaign is twofold. Organizations whose customers are lured lose credentials to tax, banking and brokerage accounts, which leads directly to account takeover and fraud; organizations whose brand is impersonated face fraud losses, customer support load, reputational damage and, where personal data of EU residents is compromised, GDPR exposure. One caveat on geography: the indicators on this page point mostly at Australian (ATO) and US (Huntington, Fidelity, Arvest, BECU, FNBO, TradeStation, Interactive Brokers) brands, with a smaller set of European ones such as DEGIRO, and the Affected Countries list below is the platform's assessment rather than something the indicator list demonstrates. European organizations should weigh their own customer base and brand exposure when prioritizing.

Because the payloads are Android and Windows trojans rather than a web phishing form, a successful infection yields more than the one credential the lure targeted: anything typed or stored on the device, including enterprise credentials on a personal phone or a BYOD laptop, is at risk, and the stolen credentials can be reused for account takeover and, inside a corporate network, lateral movement. The adult-content lure increases infection rates in some demographics and suppresses reporting, so a compromise may not surface until fraud is detected downstream. The large, cheaply rotated domain set means static blocklists lag the campaign and can generate alert volume that strains monitoring. The medium severity rating reflects low technical complexity combined with broad reach and a high conversion rate driven by social engineering.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to this campaign's tactics:

1) Deploy email and web filtering that blocks the 80+ spoofed domains listed on this page, and feed the list into DNS sinkholing or a response policy zone (RPZ) so that a resolver query for a listed domain fails and is logged. Block the three listed SHA-256 hashes at the endpoint and mail gateway, bearing in mind that samples rotate faster than domains.
2) Conduct user awareness training on the specific lures in play (tax refunds, bank "access" or "confirmation" pages, "18+" social media apps, Windows download centres), stressing that government and bank apps come only from official app stores or the institution's own site, and that an APK or .exe offered by a search ad or a link is a red flag.
3) On Windows, use EDR to detect trojan behaviour: persistence, credential access, and unusual outbound connections from newly installed binaries. On Android, EDR in the desktop sense does not exist; use mobile device management or mobile threat defence to block sideloading of APKs, keep Google Play Protect enabled, and alert on apps requesting accessibility, SMS or overlay permissions on managed devices.
4) Monitor DNS and proxy logs for exact matches against the indicator list, for subdomains of listed domains, and for lookalikes of brands your users rely on, supplementing the static list with domain reputation and newly-registered-domain feeds to cover rotation. The clusters visible in the list (huntington-*, au-ato.*, *-download.pro, confirmation-id117x.com) are good starting patterns.
5) Enforce phishing-resistant multi-factor authentication on your own systems and, if you operate a tax or banking portal, push MFA to customers. A trojan on the device can also capture session tokens and one-time codes, so MFA limits but does not eliminate the impact of a device compromise.
6) Work with registrars, hosting providers and law enforcement to take down spoofed domains promptly, and register or monitor obvious lookalikes of your own brand.
7) Keep systems and applications patched; this campaign does not exploit vulnerabilities, but the trojans it delivers may later be used to drop tooling that does.
8) Have incident response procedures ready for this case: isolate the device, reset every credential used on it (not only the one the lure targeted), revoke active sessions, and preserve the sample for analysis.
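The lookalike patterns described in the technical summary and the DNS monitoring in recommendation 4 can be turned into a small triage script. What follows is an added example written for this page, not code from DomainTools, AlienVault or the platform hosting this page. It takes a sample of the domains from the indicator list, a brand watchlist and an allowlist of the brands' legitimate domains (both assumptions chosen for the example), and a handful of constructed resolver log lines, and flags three things: exact indicator hits (including subdomains of a listed domain), names matching a naming pattern visible in the list (the confirmation-id117x.com sequence, assumed to continue), and brand lookalikes after folding the character substitutions seen in the campaign (l for i, q for g, 1 for i). The names huntington-portal.icu, fidelty-secure.top and confirmation-id1178.com in the sample log are invented for the example and are not indicators from the page.

```python
import re

# A sample of the domain indicators listed on this page (not the full set).
IOC_DOMAINS = {
    "au-ato.com", "atotax.icu", "gettaxato.icu",
    "huntington-access.com", "huntington-entrance.icu",
    "fidelity-login.com", "fidellity-online.com",
    "flrstrade.com", "interactvebroker.com",
    "adac-banklnq-solarlsqroup.com", "18pllus-tiktok.pro",
    "ms32-download.pro", "confirmation-id1174.com",
}

# Naming pattern visible in the indicator list; assumption: the actor keeps
# extending the numbered confirmation-id117x.com sequence.
PATTERNS = [
    (re.compile(r"^confirmation-id\d{4}\.com$"), "confirmation-id<nnnn>.com sequence"),
]

# Brand tokens to watch, with a per-brand edit-distance budget (assumed watchlist,
# not from the source). Dictionary words get 0 so "ranking" never matches "banking".
WATCHED_BRANDS = {
    "huntington": 1, "fidelity": 1, "firstrade": 1, "interactivebrokers": 2,
    "tiktok": 0, "degiro": 1, "tradestation": 1, "banking": 0,
}

# Legitimate registrable domains of those brands (assumed for the example).
ALLOWLIST = {
    "huntington.com", "fidelity.com", "firstrade.com", "interactivebrokers.com",
    "tiktok.com", "degiro.nl", "tradestation.com",
}

# Substitutions seen in the campaign's domains: banklnq and flrstrade (l for i),
# solarlsqroup (q for g), plus the usual 1/0/rn/vv confusables.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"), ("q", "g")]


def normalize(label):
    """Lower-case a label and fold confusable characters so lookalikes collapse."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (kind, detail) for a suspicious name, or None if nothing matched."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    # 1. Exact indicator hit, or a subdomain of a listed indicator.
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in IOC_DOMAINS:
            return ("ioc", suffix)
    # Naive registrable domain: last two labels. No Public Suffix List handling,
    # so example.co.uk would wrongly reduce to co.uk.
    registrable = ".".join(labels[-2:])
    if registrable in ALLOWLIST:
        return None
    # 2. Known naming pattern of the campaign.
    for rx, label in PATTERNS:
        if rx.match(registrable):
            return ("pattern", label)
    # 3. Brand lookalike in any hyphen-separated token of the second-level label.
    for token in labels[-2].split("-"):
        nt = normalize(token)
        for brand, budget in WATCHED_BRANDS.items():
            nb = normalize(brand)
            if nt == nb or (budget and levenshtein(nt, nb) <= budget):
                return ("lookalike", brand)
    return None


# Resolver-style query log line: "<ts> client <ip> query <type> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")


def scan_dns_log(lines):
    """Return a list of (client, qname, kind, detail) for every query classify() flags."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict:
            hits.append((m["client"], m["qname"].lower().rstrip("."), verdict[0], verdict[1]))
    return hits


# Constructed log lines for the example; the huntington-portal.icu, fidelty-secure.top
# and confirmation-id1178.com names are invented, not indicators from the page.
SAMPLE_LOG = """\
2025-10-06T09:12:01Z client 10.0.4.23 query A fidellity-online.com
2025-10-06T09:12:03Z client 10.0.4.23 query A login.fidelity.com
2025-10-06T09:13:10Z client 10.0.7.8 query A cdn.flrstrade.com.
2025-10-06T09:14:44Z client 10.0.2.15 query A huntington-portal.icu
2025-10-06T09:14:50Z client 10.0.2.15 query A fidelty-secure.top
2025-10-06T09:15:02Z client 10.0.2.15 query A www.interactivebrokers.com
2025-10-06T09:15:30Z client 10.0.9.1 query AAAA confirmation-id1178.com
2025-10-06T09:16:00Z client 10.0.9.1 query A ranking-reports.example
""".splitlines()

if __name__ == "__main__":
    for client, qname, kind, detail in scan_dns_log(SAMPLE_LOG):
        print(f"{client:<12} {qname:<30} {kind:<9} {detail}")
```

Run it directly to print the five hits from the sample log: two indicator matches (one via a subdomain with a trailing dot, as BIND logs them), two brand lookalikes, and one pattern match for a domain that is not on the list yet. The per-brand distance budget matters: a dictionary word such as banking must match exactly or every ranking-* domain lights up, while long brand names can tolerate one or two edits. The registrable-domain logic is deliberately naive and would need the Public Suffix List for co.uk-style names. Treat lookalike and pattern hits as a triage signal to confirm with registration age and reputation data, not as an automatic block; indicator hits can be blocked outright.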
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Indicators of Compromise
- sha256: 3767140145cef85204ddec1285f5dc8544bfcf8ff22318c11073baaa476385fc
- sha256: 71cd466073bf23b43111dbc68ccaf1064e737f3f9ffebfec9a6f5146af6a34b9
- sha256: a83a442f930fea310d391f852385e3673d8c7128e5bbdc2b68217838c78381fa
- domain: 11windows.pro
- domain: 18pllus-tiktok.pro
- domain: 18tiktok-get.pro
- domain: adac-banklnq-solarlsqroup.com
- domain: admin-octorate.icu
- domain: alphazone.icu
- domain: alveriq.run
- domain: americanfiscalroots.digital
- domain: app-degiro.life
- domain: app-lodgify.today
- domain: app-mews.life
- domain: app-tt-eighteenplus.pro
- domain: arvest-login.icu
- domain: asflinaq-de.com
- domain: assurix.run
- domain: atonovat.run
- domain: atorishation.icu
- domain: atotax.icu
- domain: au-ato.com
- domain: au-ato.info
- domain: au-ato.org
- domain: au-entrance.icu
- domain: auauth.icu
- domain: authcu.icu
- domain: author-glob.icu
- domain: authtax.icu
- domain: avaibook.today
- domain: aviabook.icu
- domain: balancevector.digital
- domain: becu.life
- domain: beginnersguide.digital
- domain: beytra.run
- domain: binance-copytrading.pro
- domain: blueecho.icu
- domain: bookary.digital
- domain: brightfoundations.run
- domain: btexplorer.icu
- domain: capcat.icu
- domain: casualabaya.icu
- domain: center-download.pro
- domain: center-hubs.com
- domain: center-upload.pro
- domain: centerhub.pro
- domain: chromaguide.icu
- domain: civiccore.digital
- domain: clarvexa.icu
- domain: cleareditlab.icu
- domain: clearoak.icu
- domain: cleranta.today
- domain: cloud-m32s-center.pro
- domain: cloudmention.icu
- domain: confirmation-id1174.com
- domain: confirmation-id1175.com
- domain: confirmation-id1176.com
- domain: confirmation-id1177.com
- domain: coremention.icu
- domain: corp-ms32-download.pro
- domain: cozzystaysemarang.com
- domain: credenza.run
- domain: credvoria.today
- domain: cyberpulse.icu
- domain: darkvoid.icu
- domain: datapanel.icu
- domain: datatransit.life
- domain: distan.icu
- domain: dornwell.today
- domain: dovexa.top
- domain: dowloadstake.com
- domain: download-center-io.pro
- domain: downloads-center.pro
- domain: drovenor.today
- domain: droxia.top
- domain: e-access.icu
- domain: e-auth.icu
- domain: economicsinsight.icu
- domain: econviewpoint.digital
- domain: eldenhall.digital
- domain: entcu.icu
- domain: entsolutions.icu
- domain: esl-access.com
- domain: etradeai.icu
- domain: etradeapi.icu
- domain: etradelogistic.icu
- domain: everlynx.icu
- domain: fidelity-entrance.com
- domain: fidelity-log.com
- domain: fidelity-login.com
- domain: fidellity-online.com
- domain: financebasics.digital
- domain: finatracore.today
- domain: finliteracynetwork.world
- domain: finlume.digital
- domain: finolyze.digital
- domain: finostra.digital
- domain: finovexa.digital
- domain: firmara.today
- domain: first-access.icu
- domain: fleetfedx.com
- domain: flexiraq.world
- domain: flrstrade.com
- domain: fnbo-access.icu
- domain: focusinsights.pro
- domain: focusonsystems.run
- domain: freyqa.bet
- domain: g-entrance.icu
- domain: get-centerapp.pro
- domain: get-tt-plus-download.com
- domain: get-upload.pro
- domain: getdownload-hub.com
- domain: getdownload-mscenter.com
- domain: getdownloadhub.com
- domain: gettaxato.icu
- domain: getupload-center.live
- domain: getupload.pro
- domain: getveridian.icu
- domain: glaviso.top
- domain: gov-access.icu
- domain: govaccess.icu
- domain: greythorpe.world
- domain: gridpattern.life
- domain: grotexor.icu
- domain: holven.icu
- domain: hostvista.digital
- domain: huntington-acc.com
- domain: huntington-access.com
- domain: huntington-access.icu
- domain: huntington-entrance.com
- domain: huntington-entrance.icu
- domain: huntington-log.com
- domain: huntington-online.com
- domain: huntington-read.com
- domain: id-centraldispatch.life
- domain: id-mexem.life
- domain: id-onpoint.life
- domain: id-tradestation.life
- domain: inforelic.icu
- domain: interactvebroker.com
- domain: keldra.top
- domain: kenvia.today
- domain: ms32-download.pro
- email: feleko2722@replyloop.com
- email: host_sdji21cxvmj12@dropjar.com
- email: lux_47_jkscnxkjasd@fviainboxes.com
- email: lux_49_kcsdfer321@fviainboxes.com
- email: lux_bl_20_ilskdfgnoi_reg@fviainboxes.com
- email: lux_bl_21_sdfgsun_reg@fviainboxes.com
- email: lux_bl_22_fdjhgza_reg@fviainboxes.com
- email: pq-black234333123@clowmail.com
- email: pq_bl_6_safs_sssw@fviainboxes.com
- email: zapuwo3736@robot-mail.com
Technical Details
- Author: AlienVault
- TLP: WHITE
- Reference: https://dti.domaintools.com/securitysnack-18e-crime/
- Adversary: none listed
- Pulse ID: 68e3a2a3b0665d1c9f1fd3be
- Threat Score: none listed
Threat ID: 68e3a7d4a74bcb39a887eed9
Added to database: 10/6/2025, 11:28:20 AM
Last enriched: 10/6/2025, 11:28:37 AM
Last updated: 10/7/2025, 12:39:13 PM