Sophisticated Malware Campaign Exploits Fake Education Domains in TOXICSNAKE Operation
Security researchers have exposed an advanced traffic distribution system (TDS) that leverages deceptive education-themed domains to distribute malware and phishing attacks. Dubbed TOXICSNAKE, the operation mimics legitimate university and educational institution branding to exploit user trust, serving as an effective social engineering vector for cybercriminals running malware-as-a-service schemes.
The attack employs a multi-stage delivery mechanism, beginning with fake educational portals that execute obfuscated JavaScript upon user visits. The first-stage loader decodes a remote URL, injects malicious code, and sets a one-time execution flag in browser storage to evade repeated detections. Researchers at Macs-Hit traced the infrastructure after analyzing a JavaScript loader from toxicsnake-wifes[.]com, a TDS node that routes victims to different payloads based on location, device, and browser data.
While second-stage payloads returned HTTP 504 errors during analysis, suggesting inactive or blocked upstream infrastructure, the campaign appears to be part of a coordinated cluster of domains sharing identical operational patterns. Related domains include pasangiklan[.]top, asangiklan[.]top, ourasolid[.]com, refanprediction[.]shop, and xelesex[.]top, all using education-themed branding and similar infrastructure.
The operation relies on bulletproof hosting from HZ Hosting Ltd (ASN AS202015), known for permissive abuse policies. Domains are registered with disposable WHOIS data and use Regway nameservers, a tactic common among CIS-region cybercriminals. All domains resolve to IPs within the 185.33.84.0/23 netblock, with each assigned a dedicated IP to evade broad blocking.
To further evade detection, attackers use Let’s Encrypt TLS certificates (valid for 90 days) for rapid domain rotation. The obfuscated JavaScript loader also employs tokenization to generate unique session IDs, ensuring security sandboxes receive benign content while real victims are served malicious payloads.
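The indicators above (the six defanged domains and the 185.33.84.0/23 netblock) are the practical hook for defenders. The following script is an added example, not code from the original report or from Macs-Hit: it refangs the published domains, then scans DNS resolver log lines for queries to those domains (including subdomains, case-insensitively and ignoring a trailing dot) and for answers that fall inside the netblock. The log format and the sample lines are constructed for the example; real resolver logs will need their own parsing regex.

```python
import ipaddress
import re

# Indicators as published in the report above, in their defanged form.
TOXICSNAKE_DOMAINS_DEFANGED = [
    "toxicsnake-wifes[.]com",
    "pasangiklan[.]top",
    "asangiklan[.]top",
    "ourasolid[.]com",
    "refanprediction[.]shop",
    "xelesex[.]top",
]
# The report states every domain resolves into this netblock, each on its own IP,
# so matching on the whole /23 catches rotation to a not-yet-listed domain.
TOXICSNAKE_NETBLOCK = ipaddress.ip_network("185.33.84.0/23")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


TOXICSNAKE_DOMAINS = {refang(d) for d in TOXICSNAKE_DOMAINS_DEFANGED}

# Constructed sample log lines in a hypothetical "timestamp client qname answer" format.
SAMPLE_DNS_LOG = """\
2026-01-10T08:12:01Z 10.0.0.15 www.example.edu 93.184.216.34
2026-01-10T08:12:07Z 10.0.0.15 toxicsnake-wifes.com 185.33.84.17
2026-01-10T08:13:40Z 10.0.0.22 cdn.pasangiklan.top 185.33.85.200
2026-01-10T08:14:02Z 10.0.0.22 mail.example.org 185.33.86.5
2026-01-10T08:15:11Z 10.0.0.31 PASANGIKLAN.TOP. 185.33.84.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<answer>\S+)$"
)


def domain_matches(qname: str):
    """Return the matching indicator if qname is an IoC domain or a subdomain of one."""
    q = qname.lower().rstrip(".")
    for ioc in TOXICSNAKE_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def ip_in_netblock(answer: str) -> bool:
    """True if the resolved address lies inside the reported /23 (non-IP answers never match)."""
    try:
        return ipaddress.ip_address(answer) in TOXICSNAKE_NETBLOCK
    except ValueError:
        return False


def scan_dns_log(text: str):
    """Return one hit per log line that touches a TOXICSNAKE domain or IP, with the reasons."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        reasons = []
        ioc = domain_matches(m["qname"])
        if ioc:
            reasons.append(f"domain:{ioc}")
        if ip_in_netblock(m["answer"]):
            reasons.append(f"ip:{TOXICSNAKE_NETBLOCK}")
        if reasons:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": m["qname"],
                "answer": m["answer"],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit["ts"], hit["client"], hit["qname"], "->", hit["answer"], hit["reasons"])
```

Note that the fourth sample line resolves to 185.33.86.5, which is just outside the /23, and is correctly left alone; the netblock match is deliberately scoped to what the report states rather than the whole hosting provider's address space, since AS202015 will also carry unrelated tenants.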
Source: https://cybersecuritynews.com/education-themed-malicious-domains-linked/
Sekoia.io cybersecurity rating report: https://www.rankiteo.com/company/sekoia
Let's Encrypt cybersecurity rating report: https://www.rankiteo.com/company/lets-encrypt
"id": "SEKLET1769769766",
"linkid": "sekoia, lets-encrypt",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'attack_vector': 'Deceptive education-themed domains, obfuscated JavaScript, '
'multi-stage delivery mechanism',
'description': 'Security researchers have exposed an advanced traffic '
'distribution network (TDS) leveraging deceptive '
'education-themed domains to distribute malware and phishing '
'attacks. The operation, dubbed TOXICSNAKE, mimics legitimate '
'university and educational institution branding to exploit '
'user trust, serving as a social engineering vector for '
'cybercriminals running malware-as-a-service schemes.',
'initial_access_broker': {'entry_point': 'Fake education-themed domains'},
'investigation_status': 'Ongoing',
'motivation': 'Malware-as-a-service, financial gain',
'post_incident_analysis': {'root_causes': 'Exploitation of user trust via '
'deceptive domains, obfuscated '
'JavaScript, bulletproof hosting, '
'disposable WHOIS data'},
'references': [{'source': 'Macs-Hit'}],
'title': 'TOXICSNAKE Malware Campaign Exploiting Fake Education Domains',
'type': 'Malware Campaign',
'vulnerability_exploited': 'Social engineering, user trust exploitation'}