Education-Themed Malicious Domains Exposed as Part of Bulletproof Hosting Network

Cybersecurity researchers recently dug into a sneaky operation in which fake educational websites lure unsuspecting visitors into phishing traps or malware.

It all started when someone spotted a suspicious JavaScript file at toxicsnake-wifes.com/promise/script.js.

What looked like a single bad site turned out to be part of a larger network, a bunch of throwaway domains hosted on “bulletproof” servers that don’t care much about abuse reports.

These sites pretend to be universities or learning portals to trick people into clicking, then use a traffic distribution system (TDS) to decide which scam or payload to serve them next.

This isn’t some amateur mistake or a hacked legitimate page. After carefully analyzing the code in a safe virtual machine, checking domain records, and cross-referencing public data sources, the researchers saw the full picture: a professional cybercrime setup designed to make money at scale.

Attackers bait users with familiar educational themes, quietly load malicious scripts in the background, and route traffic based on details such as location, browser type, and how the victim arrived. It’s efficient, evasive, and built to keep running even if one piece gets taken down.

How the Investigation Unfolded

The first clue was that JavaScript loader. When researchers deobfuscated it, meaning they unraveled the packed code, they found a simple XOR routine hiding the real instructions.

The script checks if you’ve visited before by peeking at your browser’s localStorage. If not, it whips up a short random token, like “bNz1el04”, and quietly fetches the next stage from /promise/db.php with that token tacked on. This prevents it from running endlessly in test environments, a smart move to dodge sandboxes.

Testing it in an isolated VM with developer tools open showed the script working as expected. It fired off a GET request to the backend, but instead of a payload or redirect, it got a 504 Gateway Timeout error.

That means the script tried to phone home to a control server for instructions like “send this user to a fake login page” or “drop malware,” but the upstream server was offline or blocked.

Still, public records from VirusTotal and sandbox sites like Hybrid Analysis prove these domains have delivered real threats in the past, with antivirus engines flagging them multiple times.

From there, the trail led outward. A WHOIS lookup on toxicsnake-wifes.com revealed fake details: a registrant named “Lama” at some made-up address in East Hanover, New Jersey, with a disposable email at oreshnik@mailum.com and a random phone number.

# WHOIS
whois toxicsnake-wifes.com

# curl (with quoted UA + defanged URL)
curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -v "hxxps[:]//toxicsnake-wifes[.]com[/]promise[/]db[.]php?bNz1el04"

# crt.sh JSON
curl "https://crt.sh/?q=toxicsnake-wifes.com&output=json"

# Reverse IP lookups (public services)
curl "hxxps[:]//rapiddns[.]io[/]sameip[/]185.33.84.152?full=1"
curl "hxxps[:]//api[.]hackertarget[.]com/reverseiplookup/?q=185.33.84.152"

# ASN lookup via Team Cymru
whois -h whois.cymru.com " -v 185.33.84.152"

# Passive network capture
sudo tcpdump -i eth0 -w toxicsnake_capture.pcap

The nameservers, all from Regway, like dns1.regway.com, kept popping up. Digging into IP addresses via curl commands pointed to 185.33.84.152 and similar, all within HZ Hosting Ltd’s network (AS202015, specifically the 185.33.84.0/23 block). This hoster is known for disregarding complaints, making it perfect for crooks.

Pivoting on that email and nameserver combo surfaced a family of related domains: pasangiklan.top, asangiklan.top, ourasolid.com, refanprediction.shop, and xelesex.top.

They all share the same tricks, education-style landing pages, identical loader code, and a single IP address per site to keep things quiet. Certificate logs from Let’s Encrypt showed a fresh cert issued December 23, 2025, expiring March 23, 2026, which fits the pattern of automated, short-lived infrastructure.

Breaking Down the Technical Layers

Let’s walk through the code and the network side together, step by step, as you’d do in a real triage.

The JavaScript Entry Point

At its core, script.js is a lightweight first-stage loader. Obfuscated strings decode via XOR, revealing paths like “/promise/db.php”. On load:

  • It fingerprints you passively: user-agent, referrer, and geolocation cues from your IP address.
  • Creates a unique token tied to your session.
  • Stores a flag in localStorage (e.g., “lastVisit”) to run only once per browser.
  • Injects the second-stage script dynamically, either via a script tag or fetch/XHR.

This mirrors standard TDS behavior, where the loader acts as a gatekeeper, deciding your fate before handing off to heavier payloads. No hard-coded malware here, just a pointer to the real action.
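To show what the XOR unpacking step looks like in practice, here is an added Python snippet (mine, not the loader’s code and not from the original write-up) that brute-forces a single-byte XOR key over a packed string table and decodes it the way the loader would at runtime. The packed bytes and the key 0x37 are constructed for the example; the “/promise/” marker is used because that path is what the real loader revealed.

```python
import string
from itertools import cycle

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one routine packs and unpacks."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(buf: bytes) -> float:
    """Share of bytes that are printable ASCII; correctly decoded strings score near 1.0."""
    return sum(b in PRINTABLE for b in buf) / len(buf) if buf else 0.0


def recover_single_byte_key(blob: bytes, marker: bytes = b"/promise/") -> int:
    """Try all 256 single-byte keys. Return the first one that reveals the known
    marker; otherwise fall back to the key that yields the most printable plaintext."""
    best_key, best_score = 0, -1.0
    for k in range(256):
        plain = xor_bytes(blob, bytes([k]))
        if marker in plain:
            return k
        score = printable_ratio(plain)
        if score > best_score:
            best_key, best_score = k, score
    return best_key


def decode_table(table: list[bytes], key: int) -> list[str]:
    """Decode every packed string with the recovered key, as the loader does on load."""
    return [xor_bytes(s, bytes([key])).decode("latin-1") for s in table]


# Constructed sample: two strings packed with key 0x37 (the real loader's key and
# table are not in the write-up). Plaintexts are "/promise/db.php" and "lastVisit".
SAMPLE_TABLE = [
    bytes.fromhex("184745585a5e445218535519475f47"),
    bytes.fromhex("5b564443615e445e43"),
]

if __name__ == "__main__":
    key = recover_single_byte_key(SAMPLE_TABLE[0])
    print(f"recovered key 0x{key:02x}:", decode_table(SAMPLE_TABLE, key))
```

The marker check is what makes this reliable on real samples: a printable-ratio heuristic alone can be fooled by keys that happen to map into ASCII.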

The Backend Decision Maker

That db.php endpoint is where the smarts live. In a working setup, it would hit a database or C2 server, analyze your profile, and respond with tailored nastiness: a redirect to a scam site, inline JavaScript to steal credentials, or a link to download something worse, like an infostealer or RAT.

The 504 we saw suggests the operators rotate backends frequently, or it was geo-fenced against our test location. Public DNS records and URLScan entries confirm it’s served live redirects before.

Hosting and Evasion Infrastructure

┌────────────────────────────────────────────────────────────┐
│ Domain: toxicsnake-wifes[.]com                             │
│ Role: Initial access + TDS staging                         │
└────────────────────────────────────────────────────────────┘
                │
                ├─ /index.html
                │    Role: Landing page / injection point
                │    Trigger: Direct visit or script injection
                │
                │        loads
                │          ▼
                ├──── /promise/script.js
                │     Role: First-stage obfuscated JS loader
                │     Behavior: Dynamic script injection / fetch
                │
                │            calls
                │              ▼
                ├───── /promise/db.php?<TOKEN>
                │       Role: TDS decision endpoint
                │       Logic: Geo / UA / campaign routing
                │
                │              redirects / serves
                │                      ▼
                └───────── Upstream infrastructure
                           Role: Payload delivery / C2 / redirect farm
                           Status: Currently unreachable (HTTP 504)

Network-wise, everything clusters in HZ Hosting’s range. Curl with a fake user-agent (“Mozilla/5.0 (Windows NT 10.0; Win64; x64)”) resolves the domain and safely probes endpoints.

Reverse lookups on RapidDNS or HackerTarget show that each domain gets its own VPS IP, not noisy shared hosting. Regway’s nameservers and that mailum.com email tie it together, while the Let’s Encrypt cert adds a thin veil of legitimacy.

This setup screams commodity crime: cheap VPS, disposable regs, and templates reused across dozens of domains. Education lures work because people trust “university” or “learning” sites, especially when searching for free courses or resources.

VirusTotal has historical hits (e.g., 5/92 detections), and sandboxes link cluster domains to executed samples.

Tactics and Real-World Ties

This aligns with MITRE ATT&CK techniques such as T1059.007 (JavaScript execution), T1071.001 (web protocols for C2), and T1027 (obfuscation).

Attackers start with social engineering via themed lures, evade via tokens and flags, and scale through bulletproof hosting. It’s not advanced persistent threat stuff, just effective, low-cost crime.

The risk is high for end users: a single click could result in stolen logins to banks, streaming services, or crypto wallets. For security teams, hunt for browser traffic to these paths with token queries, or DNS hits in that netblock.
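To turn that hunting advice into something you can run over logs, here is an added Python example (mine, not from the original write-up) that flags proxy lines fetching the loader, hitting the tokenized db.php callback, or talking to anything in the 185.33.84.0/23 block. The log lines are constructed, and the 6-12 character token length range is an assumption based on the one token seen.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Indicators from the write-up: loader path, TDS callback path, hoster's netblock.
LOADER_PATH = "/promise/script.js"
CALLBACK_PATH = "/promise/db.php"
SUSPECT_NET = ipaddress.ip_network("185.33.84.0/23")
# The token observed was "bNz1el04"; the 6-12 alphanumeric length range is an assumption.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{6,12}$")


def refang(url: str) -> str:
    """Undo the hxxp / [:] / [.] defanging used in analyst notes so the URL parses."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def is_token_query(url: str) -> bool:
    """True when the TDS endpoint is hit with a bare token as the whole query (?bNz1el04)."""
    parts = urlsplit(url)
    if not parts.path.endswith(CALLBACK_PATH):
        return False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return len(pairs) == 1 and pairs[0][1] == "" and bool(TOKEN_RE.match(pairs[0][0]))


def hunt(log_text: str) -> list[dict]:
    """Tag each proxy line ("<client> <dest_ip> <method> <url>") with the reasons it matches."""
    hits = []
    for line in log_text.splitlines():
        client, dest, _method, url = line.split()
        url = refang(url)
        checks = [("loader-fetch", urlsplit(url).path.endswith(LOADER_PATH)),
                  ("tds-token-callback", is_token_query(url)),
                  ("hz-hosting-netblock", ipaddress.ip_address(dest) in SUSPECT_NET)]
        reasons = [name for name, matched in checks if matched]
        if reasons:
            hits.append({"client": client, "dest": dest, "url": url, "reasons": reasons})
    return hits


# Constructed sample log (not real traffic); URLs defanged the way the write-up does.
SAMPLE_PROXY_LOG = """\
10.0.0.12 185.33.84.152 GET hxxps[:]//toxicsnake-wifes[.]com/promise/script.js
10.0.0.12 185.33.84.152 GET hxxps[:]//toxicsnake-wifes[.]com/promise/db.php?bNz1el04
10.0.0.40 93.184.216.34 GET https://example.com/promise/db.php?page=2
10.0.0.51 185.33.85.9 GET https://ourasolid.com/index.html
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(hit["client"], "->", hit["dest"], hit["url"], ", ".join(hit["reasons"]))
```

The third sample line shows why the token check matters: a legitimate site can have a db.php with an ordinary query string, and only the bare-token shape plus the path should fire.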

Staying Safe and Taking Action

If you’re a site owner, yank the page offline, scan for injections (grep for “promise/script.js”), restore from backups, and change all passwords.

Report to HZ Hosting at abuse@hostzealot.com, Regway’s abuse desk, or Let’s Encrypt. Share PCAPs and screenshots with VirusTotal or Hybrid Analysis to help the community.

Researchers kept it safe by using VM snapshots, NAT networking, and tools such as tcpdump to capture traffic, without risking the host machine. Commands like whois toxicsnake-wifes.com or curl -v with defanged URLs confirmed it all without live execution.

This farm shows how easy it is for cybercriminals to churn out TDS nodes. Defenses need to focus on blocking dynamic loaders and tokenized callbacks, not just static lists. As operators tweak and respin the domain (Source)

Site: cybersecuritypath.com
