This report analyzes large-scale abuse of the Keitaro tracking platform across spam, malvertising, and traffic-distribution ecosystems, documenting bulk domain registrations, conditional redirects, cloaking, and cookie-based correlations used by threat actors. Researchers found widespread use of cracked/stolen Keitaro licenses tied to malicious campaigns (including activity attributed to TA2726), confirmed Keitaro’s responsiveness to abuse reports, and published domains, IPs, and cookie signatures to aid detection. #Keitaro #TA2726
Keypoints
- Infoblox and Confiant combined DNS, email, and ad-impression telemetry (Oct 1, 2025–Jan 31, 2026) to analyze Keitaro abuse at scale, recording ~226,000 DNS queries for ~13,500 domains and attributing over 8,000 new domain registrations to threat actors using Keitaro.
- Threat actors used Keitaro campaigns and flows to implement fine-grained conditional redirects and audience fingerprinting (geo, device, OS, browser), enabling simultaneous delivery of multiple fraud types (e.g., gambling, crypto wallet drainers, fake updates).
- Keitaro-linked spam was prolific: ~96% of Keitaro-linked spam promoted cryptocurrency wallet‑drainer schemes (AURA, SOL, Phantom, Jupiter), plus other lures like job fraud and subscription phishing across language-targeted campaigns.
- Cloaking was implemented via Keitaro flows, custom PHP filters, and third‑party cloaker integrations (e.g., HideClick, Adspect), allowing benign content for bots/reviewers while serving malicious payloads to targeted users.
- Cookie collisions and cracked/stolen Keitaro licenses complicate attribution: identical Keitaro cookie values were observed across unrelated malicious and affiliate operations, and nulled versions (v7–v9) are widely distributed on forums.
- Keitaro’s Trust & Safety team proved responsive: after reporting, researchers saw cancellations of malicious instances and ongoing engagement, though the ecosystem’s scale and use of bulletproof registrars limit takedown effectiveness.
MITRE Techniques
- [T1566] Phishing – Keitaro-linked spam delivered malicious links and lures (cryptocurrency airdrops, wallet drainers) via email campaigns. (‘approximately 96% of Keitaro‑linked spam traffic promoted cryptocurrency wallet‑drainer schemes’)
- [T1583] Acquire Infrastructure – Bulk domain registration and use of multiple registrars to provision domains for campaigns and TDS operations. (‘we attributed over 8,000 new domain registrations to threat actors using Keitaro’)
- [T1059.007] Command and Scripting Interpreter: JavaScript – Client-side JavaScript (KClient JS) was used to call Keitaro campaigns and swap page content without visible redirects. (‘KClient JS is Keitaro’s JavaScript-based campaign integration method’)
- [T1078] Valid Accounts – Use of cracked/“nulled” Keitaro licenses (pre-activated/stolen) to run malicious instances and bypass legitimate license validation. (‘cracked or “nulled” Keitaro versions … come “pre-activated,” allowing threat actors to bypass the step of license validation’)
- [T1027] Obfuscated Files or Information (Defense Evasion) – Cloaking techniques and third-party cloaker integrations were used to show benign pages to bots and reviewers while serving malicious content to targets. (‘show benign pages to bots or ad reviewers, cloaking the malicious pages reserved for the users targeted by the campaign’)
Indicators of Compromise
- [Domain] Keitaro‑linked campaign and malicious landing domains – tds11111[.]com, apiexplorerzone[.]com, and other domains such as fetchapiutility[.]com, rapiddevapi[.]com (and many more listed in the report/GitHub).
- [Domain] Scam and lure domains referenced in campaigns – sunpetalra[.]com (Russian social dividend scam), ryptosell[.]shop (crypto scam).
- [IP Address] Malicious and hosting IPs observed in campaigns – 185[.]184.123.58 (dedicated TA2726 IP, inactive), 62[.]60.246.29 (hosted crypto scams); additional IPs include Cloudflare addresses 104[.]21.9.36 and 172[.]67.141.109.
- [Cookie] Keitaro tracking cookies and signatures used for correlation and fingerprinting – legacy five-character cookie examples (e.g., ‘3mt5l’ style), and tracker cookies like _token and _subid.
- [Software/License] Keitaro versions and cracked licenses tied to abuse – outdated/cracked versions 7.x–9.x (examples: domains running version 9 linked to cracked licenses) and reported use of stolen/cracked version 11 licenses by malware actors.
- [Registrar] Domain acquisition patterns and registrars used for bulk registration – Dynadot, Namecheap, Public Domain Registry (registrations clustered during promotions and sales events).
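As an added example (not part of the Infoblox/Confiant report or of this summary), the Python below shows how a defender could run the indicators and cookie signatures listed above against web-proxy logs and then reproduce the cookie-based correlation the report describes: requests are flagged when the host matches a listed domain or IP, or when the Cookie header carries the _token/_subid tracker names or a legacy five-character cookie, and hosts are grouped by shared cookie value. The log format, the sample lines, and the reading of the five-character string as the cookie name (the summary gives only the example value ‘3mt5l’) are assumptions of this example.

```python
import re
from collections import defaultdict

# Indicators quoted in the IoC list above, kept in their defanged form.
REPORT_DOMAINS = [
    "tds11111[.]com", "apiexplorerzone[.]com", "fetchapiutility[.]com",
    "rapiddevapi[.]com", "sunpetalra[.]com", "ryptosell[.]shop",
]
REPORT_IPS = ["185[.]184.123.58", "62[.]60.246.29", "104[.]21.9.36", "172[.]67.141.109"]


def refang(indicator):
    """Turn a defanged indicator such as 'example[.]com' back into its matchable form."""
    return indicator.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in REPORT_DOMAINS}
IOC_IPS = {refang(i) for i in REPORT_IPS}

# Cookie names given in the IoC list: _token and _subid.  The legacy cookie is described only
# by the example '3mt5l'; treating a five-character lowercase alphanumeric cookie *name* as that
# legacy signature is an assumption of this example, and it is the weakest of the signals here.
TRACKER_COOKIES = {"_token", "_subid"}
LEGACY_COOKIE_RE = re.compile(r"^[a-z0-9]{5}$")

# Constructed log format for this example (not any vendor's): <ts> <client> <host> "<Cookie header>"
LOG_LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) "(?P<cookie>[^"]*)"$')

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '2026-01-12T10:00:01Z 10.0.0.5 tds11111.com "_token=abc123; _subid=xyz9"',
    '2026-01-12T10:00:02Z 10.0.0.5 apiexplorerzone.com "_subid=xyz9"',
    '2026-01-12T10:00:03Z 10.0.0.7 example.org "session=1"',
    '2026-01-12T10:00:04Z 10.0.0.8 unknown-host.test "3mt5l=xyz9"',
    '2026-01-12T10:00:05Z 10.0.0.9 62.60.246.29 ""',
]


def parse_cookie_header(header):
    """Split a Cookie header into a name -> value dict; parts without '=' are ignored."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def classify(host, cookies):
    """Return the reasons a request looks Keitaro- or IoC-related (empty list if none)."""
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("ioc-domain")
    if host in IOC_IPS:
        reasons.append("ioc-ip")
    if TRACKER_COOKIES.intersection(cookies):
        reasons.append("keitaro-tracker-cookie")
    if any(LEGACY_COOKIE_RE.match(n) for n in cookies if n not in TRACKER_COOKIES):
        reasons.append("legacy-cookie-shape")
    return reasons


def scan_log(lines):
    """Parse each log line and keep only the requests that have at least one reason."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        cookies = parse_cookie_header(m["cookie"])
        reasons = classify(m["host"], cookies)
        if reasons:
            findings.append({"ts": m["ts"], "client": m["client"], "host": m["host"],
                             "cookies": cookies, "reasons": reasons})
    return findings


def correlate_by_cookie_value(findings):
    """Group hosts by shared tracker/legacy cookie values (the correlation the report used).
    Identical values were seen across unrelated operations, so a shared value links
    infrastructure that runs the same Keitaro setup, not necessarily one operator."""
    groups = defaultdict(set)
    for f in findings:
        for name, value in f["cookies"].items():
            if value and (name in TRACKER_COOKIES or LEGACY_COOKIE_RE.match(name)):
                groups[value].add(f["host"])
    return {value: sorted(hosts) for value, hosts in groups.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["host"], ",".join(h["reasons"]))
    for value, hosts in correlate_by_cookie_value(hits).items():
        print(f"cookie value {value!r} seen on: {', '.join(hosts)}")
```

The tracker-cookie and indicator matches are the signals worth alerting on; the five-character cookie shape should be used only to enrich a finding that already has another reason, since such names are not unique to Keitaro. Given the cookie collisions and cracked licenses the report describes, treat a shared cookie value as grounds to pivot on the hosts, not as proof that two domains belong to the same actor.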