iam-pi-test

@iampytest1@infosec.exchange
mastodon 4.6.0-alpha.5+glitch

I am a hobbyist security researcher, filterlist maintainer, and wannabe law nerd. I help maintain the Actually Legitimate URL Shortener Tool. I post about a variety of topics including cybersecurity, content filtering, law, tech, and trans rights. This is also the best place to find updates on my filterlists, as I often post about bugs and improvements to them.
I am not an expert; do not take anything I toot as truth. Retoot/like != agreement. Not legal/medical advice.

Profile picture: truncated screenshot of a WINE error message. The error message is titled "Download failed". The message reads "Download Failed: Success. Check your connection and click 'Retry' to try downloading the files again, or click 'Next' to continue installing anyway." There is only one button labeled "OK".

Header image: A Windows error message against the default Windows wallpaper. The error message reads "Windows cannot find iam-py-test. Make sure you typed the name correctly, and then try again."

0 Followers
0 Following
Joined April 04, 2023
About me:
https://iam-py-test.github.io/about.html
GitHub:
https://github.com/iam-py-test
Pronouns:
he/him
Dream job title:
Head of Security and Hacking (legal and ethical)
Testing this out:
https://justmytoots.com/@iampytest1@infosec.exchange

Posts

@iampytest1@infosec.exchange · Feb 22, 2026

I was searching for information about a domain for Dandelion Sprout's antimalware, and I came across these spammy results.
I think this is the second or third time I have seen this.

"links.hokaoneone.emailpowerreviews.com blocked by Anti ..." is clearly based on the GitHub issue I was researching this for: https://github.com/DandelionSprout/adfilt/issues/1226

Searching for "happy ghast harnesses float under the ghast" turns up a ton more of these websites.

So something is scraping the internet for random keywords in order to fill the search results with malicious websites.

Clicking on one of these domains redirects the user to a fake CAPTCHA asking the user to allow notifications (typical scam); in this case the domain is humanverify.co.in. uBlock Origin's ads list and EasyList both block earlier stages of the redirection. Subliminal messaging to use uBlock Origin.

I noticed the blogspot domain loaded a heavily obfuscated script from kettledroopingcontinuation.com.

Here is the URL: https://kettledroopingcontinuation[.]com/4d/be/e5/4dbee55e59fc95ea4356dbb197f2132c.js
And here is a copy of that script: https://gist.github.com/iam-py-test/375bc55e52d1cde68520fdc9afa85705

Searching for that domain returns a few interesting results:

  • This blog post from Cisco, otherwise just bragging about their project, has an offhand mention associating it with ApateWeb: https://blogs.cisco.com/security/securing-dns-black-hat-europe

I had never heard of ApateWeb, but searching for it turns up this report:

Unit 42 researchers discovered a large-scale campaign we call ApateWeb that uses a network of over 130,000 domains to deliver scareware, potentially unwanted programs (PUPs) and other scam pages. Among these PUPs, we have identified several adware programs including a rogue browser and different browser extensions.

https://unit42.paloaltonetworks.com/apateweb-scareware-pup-delivery-campaign/

kettledroopingcontinuation isn't mentioned in that report, and I haven't read it in depth, so I do not know if it aligns with what we are seeing here.

  • Another interesting search result is this Reddit comment: https://www.reddit.com/r/ShapeScan/comments/1p9am7p/comment/nrb1vbc/

kettledroopingcontinuation.com - Malicious script host

The initial post is promoting shapescan[.]pt, which is supposedly the domain for ShapeScan. However, a lot of people report the domain redirecting them to malicious websites when using a mobile device. While I would not put a ton of faith in whatever "cursor" is, this does support this domain being malicious.

View on infosec.exchange
2
0
2
0
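
Added example (not part of the original post, and not code from uBlock Origin or EasyList): how a hostname rule in Adblock Plus `||host^` syntax stops a redirect chain at its earliest listed hop, which is why blocking the script host keeps the fake CAPTCHA page from ever loading. The rule list, the blogspot URL, the hop order and the helper names are assumptions made for illustration; only the script URL and the humanverify.co.in hostname come from the post.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample list; not copied from any real filterlist.
RULES = """
! comment lines and non-hostname rules are skipped
example.invalid##.ad-banner
||kettledroopingcontinuation.com^
||humanverify.co.in^
"""

# Assumed hop order; the first URL is constructed.
CHAIN = [
    "https://constructed-blog.blogspot.example/post.html",
    "https://kettledroopingcontinuation[.]com/4d/be/e5/"
    "4dbee55e59fc95ea4356dbb197f2132c.js",
    "https://humanverify.co.in/",
]

def refang(url: str) -> str:
    """Undo the '[.]' / 'hxxp' defanging used when indicators are shared."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)

def parse_rules(text: str) -> set:
    """Keep plain '||host^' blocking rules; ignore everything else."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("||") and line.endswith("^"):
            host = line[2:-1].lower()
            if host and "/" not in host and "*" not in host:
                hosts.add(host)
    return hosts

def matching_rule(url: str, hosts: set) -> Optional[str]:
    """Return the rule host covering this URL's hostname, or None."""
    name = (urlsplit(refang(url)).hostname or "").rstrip(".")
    labels = name.split(".")
    # '||host^' covers the host and its subdomains, on label boundaries only,
    # so a lookalike such as 'host.com.other.example' is not matched.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None

def first_blocked_hop(chain: list, hosts: set) -> Optional[tuple]:
    """Index and rule of the earliest request in the chain that the list stops."""
    for index, url in enumerate(chain):
        rule = matching_rule(url, hosts)
        if rule:
            return index, rule
    return None
```
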
@iampytest1@infosec.exchange · Jan 16, 2026

I have confirmed archive.ph, which archive.today redirects to, has malicious code which attempts to spam gyrovague.com with requests. The code I independently verified matches the code in the Hacker News post.

Behind CloudFlare: https://tria.ge/260116-d3jafadj81/behavioral1

Do not use archive.today, archive.is, and archive.ph. By accessing these websites, you are donating your bandwidth to a botnet of unknown origin and purpose.

Original source:
@eb@social.coop

An emergency update to the Malicious Website Blocklist has been made to counter this threat. An emergency update is currently in the works to fix the emergency update as it is in the wrong place (I want to link to this toot in the update, so waiting to commit until I post).

View on infosec.exchange
147
0
197
0
