No Reach, No Risk: The Keitaro Abuse in Modern Cybercrime Distribution

Keitaro is widely abused as an all‑in‑one adtech tracker, cloaker, and traffic distribution system (TDS) by diverse threat actors to scale scams, phishing, malvertising, and malware distribution while outsourcing targeting and routing. The report highlights large‑scale abuse examples including DonutLoader/StealC‑based malware delivery, extensive spam‑to‑phish wallet‑drainer campaigns, and high‑volume cloaked ad fraud. #Keitaro #DonutLoader

Keypoints

  • Keitaro’s bundled tracker, cloaker, and TDS features lower operational friction, enabling many actors to rapidly scale malicious campaigns without building bespoke distribution stacks.
  • Over 20% of actors tracked by Confiant used Keitaro during the study period, with some campaigns reaching tens of millions of impressions and high domain churn.
  • Spam remains a primary vector: ~96% of spam emails linking to Keitaro led victims to cryptocurrency wallet drainers in hybrid phishing/drainer flows.
  • JA4+ fingerprinting uncovered Keitaro admin consoles and over 100 IPs linked to malware distribution, notably an AS (AS214351 / FEMO IT SOLUTIONS LIMITED) hosting DonutLoader and other payloads.
  • Actors use Keitaro for diverse abuse: info‑stealers and loaders (DonutLoader, StealC v2, RustyStealer), RMM/ScreenConnect deployments, lookalike domain phishing, PII harvesting (TilapiaParabens), and geo‑gated gambling funnels.
  • Technical evasion techniques observed include cloaking via Keitaro, hash‑busting in phishing emails to evade spam filters, and exploitation of DNS lame delegation (Sitting Ducks) to hijack domains.
  • Despite responsive abuse reporting from Keitaro’s owner (Apliteni), stolen licenses and the high volume of disposable domains hinder large‑scale takedowns and attribution.

MITRE Techniques

  • [T1566] Phishing – Keitaro‑gated spam campaigns routed victims to phishing pages and wallet‑drainers: ‘96% of spam campaigns that included links to Keitaro instances led to cryptocurrency wallet drainers in a hybrid scam and phishing attack’
  • [T1071.001] Application Layer Protocol: Web Protocols – Malware C2 and exfiltration used HTTP(S) endpoints: ‘StealC sends stolen data to hXXp[:]//62[.]60[.]178[.]163/ce369e7324834845[.]php.’
  • [T1105] Ingress Tool Transfer – Keitaro‑hosted sites served malware and installers (loaders, RMM agents): ‘62[.]60[.]226[.]248 hosted the DonutLoader malware payload (SHA256: b98b53ca…)’
  • [T1219] Remote Access Software – Adversaries deployed ScreenConnect/ConnectWise Control to auto‑enroll victims into attacker-controlled RMM: ‘ScreenConnect that auto-enrolled victims into the actor-controlled network relays.’
  • [T1564] Hide Artifacts (Cloaking) – Keitaro and cloaking kits were used to conditionally serve malicious landing pages and evade platform defenses: ‘Keitaro for cloaking or traffic distribution’ and ‘These kits cloak landing pages…’

Indicators of Compromise

  • [IP address] malware hosting / Keitaro admin portals – 62[.]60[.]226[.]248 (DonutLoader/Keitaro admin exposed), 158[.]94[.]209[.]29 (mail server tied to localized spam; previously linked to Remcos RAT C2)
  • [Domain] scam, phishing, and Keitaro instances – honknft[.]com (wallet‑drainer redirect / Phantom impersonation), investarmco[.]com (HircusPircus investment scam), and 40+ other malicious or lookalike domains
  • [File hash] malware payload – SHA256: b98b53ca03e3e9009b31bcc37b90b206064b25effce449dde63c51cef6a47470 (DonutLoader)
  • [URL] C2 and redirect targets – hXXp[:]//62[.]60[.]178[.]163/ce369e7324834845[.]php (StealC v2 C2), hXXps[:]//honknft[.]com/connect/rh7_1a7r72zi-kk4k4z?b=1 (wallet drainer connect redirect)
  • [Email address] spoofed sender used in spam campaigns – hello[@]phantom[.]com (Phantom giveaway spam used to lure victims)
  • [Malware / Tool names] examples observed – DonutLoader, StealC v2, RustyStealer, ScreenConnect (ConnectWise Control)
Read more: https://www.infoblox.com/blog/threat-intelligence/no-reach-no-risk-the-keitaro-abuse-in-modern-cybercrime-distribution/