Obfuscation in malware delivery has always been an effective trick in a cybercriminal’s toolbox—concealing the true intentions of code so it can slip past detection and remain hidden as long as possible. Recently, our ThreatSTOP Intelligence, Research, and Security (TIS) Team uncovered a surge of traffic targeting IP 139.45.197.242, which telemetry shows is a primary hosting point for malicious domains serving heavily obfuscated pop-up/pop-under scripts used in phishing campaigns.
What We Found
Upon analyzing the malicious JavaScript, we discovered a large block of code, packed with deceptive function names, scrambled variables, and random string transformations. The purpose? Injecting forced pop-ups, redirects, and overlay ads that lead unsuspecting users to phishing pages or potentially malicious content. This stealthy approach helps attackers hide from conventional detection methods and frustrate would-be debuggers by throwing up multiple layers of obfuscation.
We're not going to include the code directly in the blog post, but we'll post a screenshot of it so you can see clearly that this is not meant to be read easily:
Here’s a high-level look at what this code does:
1. Pop-Up and Redirect Logic
The script secretly rewrites links, hooking into user clicks to open pop-ups or forcibly redirect the user to attacker-controlled sites.
2. Session and Click Tracking
The code stores data on how many times it has displayed an ad or forced a redirect, so it can pace itself—thus avoiding immediate suspicion.
3. Anti-Debugging Tactics
By measuring function runtimes and checking for certain DevTools signatures, the script can alter its behavior or shut down if it detects a security analyst’s presence.
4. Persistent Updates
The attacker regularly updates the code or domain endpoints. The IP we identified—139.45.197.242—hosts many of these domains, signaling a persistent campaign that pivots quickly when one host is blocked. We'll include the domains we're seeing in our telemetry in the appendix to this blog post.
In the weeds:
In short, it is a pop-up/pop-under/redirect “ad loader” script. It has a lot of logic to hook user clicks, bypass pop-up blockers, track impressions, store information in cookies/localStorage, and optionally detect if developer tools are open. The script is heavily obfuscated so that all of this ad/redirect behavior is hidden under weird variable names and large inline data structures.
High-Level Behavior
1. Environment & Feature Detection
The script checks many environment details—things like:
• Whether the browser has certain plugins installed
• Whether navigator or document includes certain properties
• Whether the user might be in DevTools
• Whether local or session storage is available
This is done to decide which “pop-under” or “redirect” technique will work best without being blocked.
2. Setting Event Listeners
It listens for user interactions (like click, mousedown, touchstart, etc.) on the page. Whenever the user first interacts, the script:
• May open pop-ups/pop-unders
• May rewrite anchor tags (so a normal link becomes a forced pop-up)
• Often tries to do it on the “first click” or “first valid click” to get around modern browser restrictions.
3. Pop-Under and Redirect Logic
There is elaborate logic for:
• Pop-under vs. pop-up: picking which window-opening approach to use
• Interstitial flows: sometimes shows an interstitial ad if you click back or close a tab
• “OnCloseInterstitialUrl” or “smart overlay” references: hooking up overlay ads or full-page pop-ups
• Checking if the user has already been shown a pop-up (tracking via cookie or local storage) so it does not spam too many times.
4. Session/Click Counting
You see code that increments click counts, sets timeouts, or reads/writes “how many times we have shown an ad.” That’s to limit (or sometimes ensure) a certain number of forced ads per session. For example, isImpressionAvailable or shouldImpressionBeCollected methods track the “session counters” or “impression counters.”
5. Prefetching Ad URLs
It will sometimes “prefetch” an ad URL—i.e. it sends a hidden request beforehand—so that when you do click, it can redirect you more reliably. This helps avoid slow ad servers or pop-up blockers.
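As an added illustration (not code from the page or from ThreatSTOP): an analyst-side shim that wraps window.open, document.addEventListener and localStorage.setItem on a window object, so the first-interaction open and the impression counter described in items 2 to 4 are captured in a log. The window object, its storage and the loader-shaped snippet are constructed stand-ins, and the landing URL and the 'imp' key are made-up values; in a browser the real window would be passed to instrument().

```javascript
// Added example, not the loader's code: an analyst-side shim that wraps window.open,
// document.addEventListener and localStorage.setItem on a supplied `win`, so the first-
// interaction open and the impression counter show up in a log. Everything here is a stand-in.
const INTERACTION_EVENTS = new Set(['click', 'mousedown', 'mouseup', 'touchstart', 'touchend']);
function instrument(win) {
  const log = [];
  let activeHandler = null; // interaction event whose listener is currently running, if any
  const realAdd = win.document.addEventListener.bind(win.document);
  const realSet = win.localStorage.setItem.bind(win.localStorage);
  // Record every open attempt; returning null is what a blocked pop-up looks like to the script.
  win.open = (url) => { log.push({ kind: 'open', url: String(url), viaHandler: activeHandler }); return null; };
  win.document.addEventListener = (type, listener, opts) => {
    if (!INTERACTION_EVENTS.has(type)) return realAdd(type, listener, opts);
    log.push({ kind: 'listen', type });
    return realAdd(type, function wrapped(ev) { // tag everything done inside an interaction handler
      activeHandler = type; try { return listener.call(this, ev); } finally { activeHandler = null; }
    }, opts);
  };
  win.localStorage.setItem = (key, value) => { // counter writes, tagged with the handler that made them
    log.push({ kind: 'store', key, value: String(value), viaHandler: activeHandler });
    return realSet(key, value);
  };
  return log;
}
// Constructed stand-in for a browser window, with just enough surface for the demonstration.
function makeFakeWindow() {
  const listeners = new Map(), store = new Map();
  return {
    open: () => ({}),
    localStorage: { getItem: (k) => (store.has(k) ? store.get(k) : null), setItem: (k, v) => store.set(k, String(v)) },
    document: {
      addEventListener: (type, fn) => listeners.set(type, [...(listeners.get(type) || []), fn]),
      dispatch: (type) => (listeners.get(type) || []).forEach((fn) => fn({ type })),
    },
  };
}
// Inert loader-shaped snippet (constructed): opens once on the first mousedown, then records the impression.
function runLoaderLike(win) {
  win.document.addEventListener('mousedown', () => {
    const shown = Number(win.localStorage.getItem('imp') || 0);
    if (shown < 1) { win.open('https://ad.example/landing'); win.localStorage.setItem('imp', shown + 1); }
  });
}
function observe() { // first interaction opens and writes the counter; the second is paced out
  const win = makeFakeWindow(), log = instrument(win);
  runLoaderLike(win);
  win.document.dispatch('mousedown'); win.document.dispatch('mousedown');
  return log;
}
```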
6. Obfuscation
• Dozens of single-letter or two-letter properties (e.g. V, rK, KK, jK) that map to bizarre string constants.
• A big object/dictionary that re-maps short keys to strings or regex patterns.
• A function like Pe(...) or p(...) that decodes/munges strings at runtime.
• Large “enums” stored in variables like mr, fr, etc. that stand for different internal codes or status flags.
7. Developer Tools “Anti-Debug”
There are references to getComputedStyle checks, intervals, or code that times how long a function call took. This is typically used by ad scripts to see if someone has DevTools open (for example, certain property reads take noticeably longer while a breakpoint is hit). If it detects that, it may abort or reduce functionality so the user can’t easily debug or tamper with the script.
8. Final Payload
The very last line is a monstrous gibberish invocation: ("c.#i6M.#.J.#.4.4Z#llBWi5oo6#i.)=ow.4.n65.Ge.x=K.x.T&M.Xo.|3.QW....")
That’s basically a giant obfuscated string the script decodes or interprets to get its final config (domains, zone IDs, tracking parameters, etc.). The code near the top, (function(lczxsusin) { ... })("c.#i6M.#.J.#.4.4Z#llBWi5oo6#i..."), simply calls the whole “engine” with that big scrambled argument, so the script can set up its ad logic.
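Added example, not the original script or ThreatSTOP's tooling: a static triage pass that scores a piece of JavaScript against the indicators in items 6 to 8 (forced opens, first-interaction hooks, storage-backed counters, timing-based anti-debug, polling watchers, a high share of one- or two-letter property names, and an engine invoked with a long opaque literal). Regexes, thresholds and weights are assumptions, and the two samples are constructed; the loader-shaped one reuses only the scrambled prefix quoted above as its argument.

```javascript
// Added example, not the original script or ThreatSTOP's tooling: static triage of JavaScript
// source against the indicators described above. Regexes, thresholds and weights are
// assumptions; the two samples at the bottom are constructed for the demonstration.
const STRING_RE = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g;
const INDICATORS = [
  ['forced window open', /\bwindow\.open\s*\(/],
  ['first-interaction hook', /["'](click|mousedown|mouseup|touchstart|touchend)["']/],
  ['storage-backed counter', /\b(localStorage|sessionStorage|document\.cookie)\b/],
  ['timing-based anti-debug', /\b(getComputedStyle|performance\.now|Date\.now)\s*\(/],
  ['polling watcher', /\bset(Interval|Timeout)\s*\(/],
  ['engine invoked with long literal', /\}\s*\)\s*\(\s*["'][^"']{100,}["']\s*\)/],
];

function shannonEntropy(s) { // bits per character; '' gives 0
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) { const p = c / s.length; h -= p * Math.log2(p); }
  return h;
}

function longestStringLiteral(src) { // body of the longest quoted literal: the likely config blob
  return (src.match(STRING_RE) || []).map((l) => l.slice(1, -1)).reduce((a, b) => (b.length > a.length ? b : a), '');
}

function shortPropertyRatio(src) { // share of property accesses that are one or two letters long
  const props = src.replace(STRING_RE, '""').match(/\.[A-Za-z_$][\w$]*/g) || []; // strings stripped first
  return props.length ? props.filter((p) => p.length <= 3).length / props.length : 0;
}

function triage(src) {
  const hits = INDICATORS.filter(([, re]) => re.test(src)).map(([name]) => name);
  const blob = longestStringLiteral(src);
  const blobEntropy = shannonEntropy(blob);
  const shortProps = shortPropertyRatio(src);
  let score = hits.length;                                  // one point per behavioural indicator
  if (blob.length >= 128 && blobEntropy > 3.5) score += 2;  // long literal made of mixed characters
  if (shortProps > 0.5) score += 2;                         // mostly one- or two-letter property names
  return { hits, blobLength: blob.length, blobEntropy, shortProps, score };
}

// Constructed samples: an ordinary menu toggle, and an inert loader-shaped snippet whose
// "config" argument reuses only the scrambled prefix quoted above.
const BENIGN_SAMPLE = `document.querySelector('#menu').addEventListener('click', function () { document.body.classList.toggle('menu-open'); });`;
const BLOB = 'c.#i6M.#.J.#.4.4Z#llBWi5oo6#i.)=ow.4.n65.Ge.x=K.x.T&M.Xo.|3.QW'.repeat(4);
const LOADER_LIKE_SAMPLE = `(function (t) { var V = {}; V.e = 0; V.rK = 0; V.KK = t; V.x = localStorage; V.L = 'mousedown';
  document.addEventListener(V.L, function () { if (V.x.getItem(V.c) < 3) { V.e = window.open(V.u, '_blank'); } });
  setInterval(function () { var s = Date.now(); getComputedStyle(document.body); V.d = Date.now() - s; }, 500);
})("${BLOB}");`;
```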
What It’s Actually Doing (In Plain Terms)
• Primary Goal: Force the user’s browser to open ads—pop-ups, pop-unders, or forced redirects—on the user’s first click or on subsequent clicks.
• Avoid Blockers & Quotas: Hides inside normal click handlers, tries multiple fallback methods, and uses localStorage/cookies to see if it’s already shown an ad.
• Hide & Confuse: The script is stuffed with random variables and references (like V.e, V.x, V.L, etc.) to break up the real logic flow. This is standard “adware obfuscation.”
Key Points in the Code
• function ve(t,e,r) – Hooks up events to the document or window, such as onclick, mousedown, etc., to trigger the ad opening.
• function Ft(t,e) – One of the “open pop-up/pop-under” routines, deciding how to open a new window or rewrite a link if you click an anchor.
• function Lt(t,e,r,n) – Overlay or “smart overlay” logic; also controls advanced “interstitial” or “overlay” ads.
• function br() – In some code, you see references to br() or “cookie sync.” This is so the script can keep track of user data across domains or iframes.
• function Pt() / function Nt() / function Bt() – Variations of the same “open a new window or rewrite the anchor tag, then call track/log” routine.
• Lots of setInterval, setTimeout, and watcher calls that keep rechecking whether the user’s environment has changed (dev tools opened, new clicks, etc.).
Bottom Line
This is a pop-up/pop-under ad script with all the usual trimmings:
• Hooks user clicks
• Does forced opens/redirects
• Tracks usage, impressions, concurrency
• Obfuscated with big dictionaries and weird variable references
• Optionally tries to detect dev tools or debugging
All of that is typical for “forced redirect” or “pop‐under ad” providers that want to avoid easy detection or blocking.
Why It’s Dangerous
This obfuscated JavaScript is more than mere nuisance pop-up spam. At scale, such code often funnels users to phishing pages crafted to steal credentials or payment information. In some of my past work at previous companies, I would see JavaScript like this inside of exploit kits. It may also redirect victims to exploit kits delivering malware that can compromise their entire system. The layering of obfuscation indicates that threat actors are actively investing in advanced evasion techniques, making it critical to have proactive protections in place.
How ThreatSTOP’s Proactive Protections Help
1. DNS Defense Cloud
Protect endpoints wherever they roam by pointing them to ThreatSTOP’s cloud-based DNS service. This instantly blocks lookups to malicious domains—including those behind suspicious pop-up code—based on ThreatSTOP intelligence.
2. DNS Defense
For organizations that run their own DNS resolvers on-premises, ThreatSTOP integrates directly into your existing servers. This offers the same robust intelligence enforcement as our cloud service, proactively blocking malicious endpoints before they can impact users.
Together, DNS Defense Cloud and DNS Defense form our Protective DNS suite, designed to filter out threats in real time.
3. IP Defense
Malicious code often relies on rogue IP addresses. With IP Defense, you can proactively manage a block list across routers, firewalls, IPS devices, AWS WAF, and more—ensuring that threat actors can’t establish inbound or outbound communication with your network.
ThreatSTOP Intelligence, Research, and Security (TIS) Team
The malicious domains behind IP 139.45.197.242 showcase how attackers can quickly pivot their hosting infrastructure. The ThreatSTOP TIS Team continuously tracks threats like command and control activity, invalid traffic, peer-to-peer connections, data exfiltration, phishing, spam, and DDoS endpoints. As new campaigns emerge, they create updated protections that are automatically delivered to our customers’ environments—providing round-the-clock coverage against a wide range of malicious activity. This IP and the domains associated with it have been blocked in our product line.
Connect with Customers, Disconnect from Risks
For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!
IOCs: