DNS Deep Dive: Pushpaganda Network IoCs

HUMAN’s Satori Threat Intelligence and Research Team exposed “Pushpaganda,” a campaign that used Google Discovery feeds, SEO manipulation, and AI-generated content to deliver scareware, fake legal threats, and financial scams to Android and Chrome users. The investigation also uncovered 90 domain IoCs and extensive related infrastructure, including malicious IPs, email-connected domains, and typosquatted look-alike domains. #Pushpaganda #HUMAN #GoogleDiscoveryFeeds #Android #Chrome

Key points

  • HUMAN named the threat campaign “Pushpaganda,” describing it as a blend of ad fraud, social engineering, and scareware.
  • Attackers abused Google’s Discovery feeds to inject deceptive news into personalized content streams for Android and Chrome users.
  • The campaign used advanced SEO techniques and AI-generated content to attract victims and present alarming messages.
  • Victims were pushed toward scareware pages, fake legal threats, and financial scam lures after enabling push notifications.
  • HUMAN published 113 domain IoCs; 90 were retained for deeper investigation after legitimate domains were excluded.
  • Researchers found 162 IP addresses, 101 of them confirmed malicious, along with 1,055 email-connected domains and 858 string-connected domains.
  • Typosquatting and historical DNS/WHOIS data showed suspicious registration patterns and long-lived infrastructure tied to the campaign.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – Not directly used; no explicit privilege escalation was described in the article.
  • [T1189] Drive-by Compromise – Users were funneled from Discovery feeds to deceptive content and scareware pages by clicking or interacting with manipulated online content (‘abused Google’s Discovery feeds’ and ‘users were served scareware messages’).
  • [T1598] Phishing for Information – The campaign used alarming messages and fake legal threats to manipulate users into taking unsafe actions (‘fake legal threats’ and ‘tricked users into enabling push notifications’).
  • [T1204] User Execution – Victims had to enable push notifications or engage with content to continue the attack flow (‘tricked users into enabling push notifications’).
  • [T1036] Masquerading – Deceptive news and look-alike domains were used to appear legitimate (‘inject deceptive news’ and ‘triplek[.]co[.]za was bulk-registered with two look-alikes’).
  • [T1583.001] Acquire Infrastructure: Domains – The actors registered and used many domains as campaign infrastructure (‘113 domain IoCs’ and ‘1,055 unique email-connected domains’).
  • [T1583.008] Acquire Infrastructure: Malvertising – The campaign leveraged ad-like Discovery feed distribution to deliver harmful content (‘campaign abused Google’s Discovery feeds’).
  • [T1566] Phishing – Social engineering messages were used to lure users into scams (‘fake legal threats’ and ‘financial scams’).
  • [T1593] Search Engine Optimization Poisoning – Advanced SEO techniques were used to surface deceptive content in personalized feeds (‘use advanced SEO techniques’).

Indicators of Compromise

  • [Domains] Malicious and suspicious campaign infrastructure – triplek[.]co[.]za, triplex[.]industries, and triplea[.]pl
  • [Domains] Example domain IoCs used in the campaign – harvardglobalcollege[.]co[.]za, alakamahabidyalaya[.]org, and 2 more domains
  • [IP addresses] Systems communicating with the domains – 5 unique client IP addresses, 162 unique IP addresses
  • [Email addresses] Historical WHOIS contacts linked to related domains – 125 unique email addresses, 38 public email addresses
  • [Email-connected domains] Domains registered using shared public email addresses – 1,055 unique email-connected domains
  • [DNS resolutions] Historical domain-to-IP resolution records – thrillscranton[.]com (1,952 resolutions), publishedreporter[.]com (1,799 resolutions), and a further 19,878 resolutions across additional domains
  • [DNS queries] Network activity observed in sample traffic – 1,795 DNS queries between 16 February and 16 April 2026
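To turn a defanged IoC list like the one above into a resolver-log check, the following added example (not code from HUMAN or CircleID) refangs the page's domains and matches them, including subdomains, against constructed dnsmasq-style query lines; the log format and client addresses are assumptions.

```python
import re
from collections import Counter

# Domain IoCs quoted on the page, kept in their defanged form.
DEFANGED_IOCS = [
    "triplek[.]co[.]za",
    "harvardglobalcollege[.]co[.]za",
    "alakamahabidyalaya[.]org",
    "thrillscranton[.]com",
    "publishedreporter[.]com",
]

def refang(domain):
    """Turn 'example[.]com' / 'hxxp://' notation back into a matchable domain."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return d.rstrip(".")

def matches_ioc(qname, iocs):
    """Return the IoC a queried name hits (exact or any subdomain), else None."""
    q = qname.lower().rstrip(".")          # tolerate trailing-dot FQDNs
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc                     # 'notexample.com' must NOT match 'example.com'
    return None

# Constructed sample log lines (assumed dnsmasq 'query[TYPE] name from client' format).
SAMPLE_LOG = """\
Feb 16 10:01:02 resolver dnsmasq[123]: query[A] www.triplek.co.za from 10.0.0.5
Feb 16 10:01:05 resolver dnsmasq[123]: query[A] cdn.example.org from 10.0.0.5
Feb 16 10:02:11 resolver dnsmasq[123]: query[A] publishedreporter.com from 10.0.0.9
Feb 16 10:02:40 resolver dnsmasq[123]: query[A] notthrillscranton.com from 10.0.0.9
Feb 16 10:03:01 resolver dnsmasq[123]: query[AAAA] push.alakamahabidyalaya.org. from 10.0.0.5
"""

LINE_RE = re.compile(r"query\[\w+\] (?P<qname>\S+) from (?P<client>\S+)")

def scan_log(log_text, defanged_iocs=DEFANGED_IOCS):
    """Return (hits, per_client_counts) for queries that touch the IoC list."""
    iocs = [refang(d) for d in defanged_iocs]
    hits, per_client = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ioc = matches_ioc(m["qname"], iocs)
        if ioc:
            hits.append((m["client"], m["qname"].rstrip("."), ioc))
            per_client[m["client"]] += 1
    return hits, per_client

if __name__ == "__main__":
    for client, qname, ioc in scan_log(SAMPLE_LOG)[0]:
        print(f"{client} queried {qname} (matches IoC {ioc})")
```

The per-client counter is what you would pivot on next: a handful of internal hosts repeatedly resolving campaign domains is the triage signal, not a single stray lookup.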

Read more: https://circleid.com/posts/dns-deep-dive-pushpaganda-network-iocs