ApateWeb: An Evasive Large-Scale Scareware and PUP Delivery Campaign

Researchers uncovered the ApateWeb campaign: a multilayered redirection infrastructure using over 130,000 domains to deliver scareware, PUPs (adware, rogue browsers, and extensions) and monetized adware redirects. The campaign tracks visitors via a centralized UUID system, uses embedded JavaScript and evasive tactics (cloaking, wildcard DNS, bot detection) to avoid defenders. #ApateWeb #Artificius

Keypoints

  • ApateWeb uses a three-layer redirection chain: Layer 1 (entry point with URL parameters and tracking), Layer 2 (intermediate redirects to adware or anti-bot checks), and Layer 3 (final PUP/scareware payload delivery).
  • Entry URLs require specific parameters (e.g., key, submetrics); missing or altered parameters yield error/benign pages instead of malicious content.
  • Initial payloads contact centralized tracking domains to assign a UUID to each visitor and auto-submit a hidden form (/api/users/) with device/tab info to determine next redirection.
  • Evasion includes serving benign pages to crawlers, showing custom error pages to bots (user-agent checks), abusing wildcard DNS to generate many subdomains, and resolving most domains to a small set of IPs.
  • Layer 2 redirects can forward traffic to adware (parameters like COST_CPM, CAMPAIGN_ID, BROWSER_NAME) or present anti-bot CAPTCHAs; Layer 3 hosts PUPs such as Artificius browser and intrusive extensions (Browse Keeper, Go Blocker).
  • Distribution methods include embedded malicious JavaScript placed on other websites (creating overlays/redirects) and deceptive emails with crafted subject lines linking to entry URLs.
  • Campaign infrastructure is concentrated (few IPs and WHOIS/registrar patterns), enabling defenders to block known hostnames/IPs; telemetry showed millions of monthly hits globally.

MITRE Techniques

  • [T1566] Phishing – Used deceptive emails to lure victims to campaign URLs (‘Attackers craft deceptive emails to lure victims into clicking on their campaign URLs’).
  • [T1189] Drive-by Compromise – Malicious JavaScript embedded on third-party webpages forwards visitors to entry URLs and starts redirection chains (‘embedded JavaScript into website pages that redirect traffic to their content’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript snippets track visitors, set UUIDs in cookies and auto-submit hidden forms to /api/users/ (‘script that uses a centralized infrastructure to track victims’ / ‘sets UUID in the form that is auto-submitted’).
  • [T1176] Browser Extensions – Attackers deliver intrusive browser extensions and rogue browser executables as final payloads (e.g., ‘unwanted browser extensions like Browse Keeper and Go Blocker, or rogue browser executables like Artificius Browser’).
  • [T1027] Obfuscated Files or Information – Cloaking and benign responses to defenders/bots (user-agent checks and error pages) to hide malicious behavior (‘displaying error pages to bots/crawlers’ / ‘the domain either redirects to a popular search engine or an empty page’).

Indicators of Compromise

  • [Domain] entry point / campaign examples – featuresscanner[.]com, hoanoola[.]net
  • [Domain] centralized tracking servers – professionalswebcheck[.]com, hightrafficcounter[.]com (and other rotated tracking domains)
  • [IP Address] Layer 1 hosting – 192[.]243[.]59[.]20, 173[.]233[.]139[.]164 (and 8 more related IPs)
  • [Domain] adware/redirect destinations – tracker-tds[.]info, jpadsnow[.]com (ad-blocking24[.]net, Myqenad24[.]com also observed)
  • [File hash / download] PUP example – bd62d3808ef29c557da64b412c4422935a641c22e2bdcfe5128c96f2ff5b5e99 (Artificius browser executable)
  • [Domain] PUP / final payload host – artificius[.]com (other Layer 3 hosting typically on public cloud providers)

ApateWeb’s technical workflow centers on a parameterized entry URL that only serves malicious content when required query parameters are present; otherwise the domain returns benign content or an error to avoid detection. When a victim follows an entry URL, embedded JavaScript performs two main actions: it contacts centralized tracking domains to obtain a UUID for the visit (stored in cookies) and then auto-submits a hidden HTML form (HTTP GET to an /api/users/ path) including the UUID and metadata such as whether the browser tab is incognito. The server-side use of those fields determines the next redirection target.

Layer 1 uses evasive measures: user-agent inspection to show custom error pages to crawlers, redirecting direct visitors to popular search engines or empty pages, and extensive wildcard DNS to spawn many randomized subdomains. Despite the large number of domains, most resolve to a small set of IPs, indicating centralized control. After Layer 1, Layer 2 introduces variable intermediate redirects: either forwarding to adware monetization endpoints (URLs containing parameters like COST_CPM, CAMPAIGN_ID, BROWSER_NAME, USER_OS) or presenting an anti-bot human-verification (CAPTCHA) that, once solved, continues the chain. Layer 2 behavior can differ between visits for the same entry URL.

Layer 3 hosts the final payloads—PUP installers, rogue browsers, intrusive extensions, or scareware pages—typically on public cloud or ISP/data-center infrastructure. Distribution is amplified by malicious JavaScript embedded on >34,000 websites (overlay/redirect scripts) and by phishing emails with tailored subject lines. Defenders can focus on blocking known entry hostnames/IPs, the centralized tracking domains, and observed adware destinations, and on detecting the specific embedded JavaScript patterns and parameterized entry URLs.
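As an added example (not code from the Unit 42 write-up), the following Python scans proxy log lines for the stages described above: the parameterized entry URL (key, submetrics), the /api/users/ tracking submission, the Layer 2 adware parameters, and hits on the campaign hosts listed in the indicators, grouping matches per client so a multi-layer chain stands out. The log format, timestamps and client addresses are constructed assumptions; hostnames and parameter names come from the write-up.

```python
# Detection logic for ApateWeb-style redirection chains in proxy/web logs.
# Added example, not Unit 42's code; sample log lines below are constructed.
from urllib.parse import urlsplit, parse_qs

ADWARE_PARAMS = {"COST_CPM", "CAMPAIGN_ID", "BROWSER_NAME", "USER_OS"}
ENTRY_PARAMS = {"key", "submetrics"}          # required by Layer 1 entry URLs
# Hosts from the indicator list, kept defanged as published and refanged for matching.
KNOWN_HOSTS = {h.replace("[.]", ".") for h in (
    "featuresscanner[.]com", "hoanoola[.]net", "professionalswebcheck[.]com",
    "hightrafficcounter[.]com", "tracker-tds[.]info", "jpadsnow[.]com")}

def classify(url):
    """Return the list of ApateWeb indicators one URL matches (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    params = set(parse_qs(parts.query, keep_blank_values=True))
    reasons = []
    # Wildcard DNS spawns random subdomains, so match the parent domain too.
    if host in KNOWN_HOSTS or any(host.endswith("." + h) for h in KNOWN_HOSTS):
        reasons.append("known-host")
    if ENTRY_PARAMS <= params:
        reasons.append("layer1-entry-params")
    if parts.path.startswith("/api/users/"):
        # Low confidence on its own (common path); meaningful alongside other stages.
        reasons.append("tracking-form")
    if len(ADWARE_PARAMS & params) >= 2:
        reasons.append("layer2-adware-params")
    return reasons

def scan_log(text):
    """Parse 'time client method url' lines; return {client: [(url, reasons), ...]}."""
    chains = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        hits = classify(url)
        if hits:
            chains.setdefault(client, []).append((url, hits))
    return chains

# Constructed sample log: one client walking all three layers, one benign client.
SAMPLE_LOG = """\
2024-01-10T10:00:01Z 10.0.0.5 GET http://featuresscanner.com/?key=a1b2&submetrics=c3d4
2024-01-10T10:00:02Z 10.0.0.5 GET http://sub7.hightrafficcounter.com/api/users/?uuid=x
2024-01-10T10:00:03Z 10.0.0.5 GET http://tracker-tds.info/?COST_CPM=1&CAMPAIGN_ID=9&BROWSER_NAME=Chrome&USER_OS=Windows
2024-01-10T10:05:00Z 10.0.0.9 GET https://example.org/index.html
"""

if __name__ == "__main__":
    for client, chain in scan_log(SAMPLE_LOG).items():
        print(client, [reasons for _, reasons in chain])
```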

Read more: https://unit42.paloaltonetworks.com/apateweb-scareware-pup-delivery-campaign/