1. Executive Summary
Augur Security has identified a sophisticated malvertising campaign that is actively reaching users across multiple organizations, with 708,215 allowed outgoing connections observed to campaign infrastructure.
The campaign originates from IP 188.40.16[.]220 and delivers obfuscated JavaScript payloads via a multi-hop redirect chain that leverages the MGID native ad network. The fast-flux TDS network spans 18 IPs across six /24 subnets and hosts 300 or more auto-generated compound-word domains rotating continuously. The Energy and Utilities, Banking, and Government sectors have the highest exposure by volume, with a heavy concentration among MENA-region clients (78.4% of connections) compared with North America (21.6% of connections).
The risk profile extends beyond ad fraud: data analysis of the delivery infrastructure reveals co-occurrence with confirmed infostealer and RAT deployments, including CryptBot, IcedID, NjRAT, and Ryuk, materially elevating the severity assessment for affected clients.
Attribution analysis links the campaign operator to developzilla[.]com, a professional software development organization whose infrastructure migrated to Aeza International (AS210644) in January 2026. Aeza is a bulletproof hosting (BPH) provider sanctioned by the U.S. Government on July 1st, 2025, for its role in facilitating global cybercriminal activity, including hosting infrastructure for ransomware attacks, malware distribution, and darknet marketplaces targeting U.S. businesses and technology companies. Infoblox also documented Aeza in February 2026 as operating a shadow DNS network and an HTTP-based TDS capable of router compromise, DNS hijacking, and adversary-in-the-middle operations. The threat actor is assessed as financially motivated and has been operating in the affiliate marketing space since at least mid-2022.
The Augur Advantage
This research was performed using our Augur Black platform. Augur predicted the CIDR 188.40.16.220/32 as a malware-associated host with an importance score of 80 before any client exposure was observed. From that single IP address, Augur's BGP-derived infrastructure intelligence and threat-hunting capabilities enabled our research team to map the full 18-node fast-flux pool, trace the operator's infrastructure to the Aeza bulletproof hosting network, and quantify 708,215 connections across affected organizations. That level of coverage is not achievable through endpoint, DNS, or signature-based detection alone.
2. Campaign Infrastructure Analysis
2.1 Entry Point and Delivery Chain
The malvertising chain initiates from IP 188.40.16[.]220 (Eskimi DSP / MGID inventory), which serves the entry-point HTML payload (SHA256: 9F2D6CA55916107386039941665397006E015BD8704EFFD8F19CF941DE474BA9). The payload is an obfuscated page hosted on clipzag[.]com that presents esports video content (Hungrybox vs. Leffen Smash Bros. rivalry) to deceive users and evade manual review.
The page loads invoke.js from agitatechampionship[.]com (resolved to 172.240.108[.]76), a TDS node flagged for Fast Flux DNS activity as of January 6, 2025. URLscan pivot analysis shows the domain has resolved to at least 10 distinct IPs, confirming active infrastructure rotation. The loader implements window.LieDetector, a browser fingerprinting engine that filters out sandboxes, headless browsers, and security crawlers. Only qualifying real-user traffic proceeds through the redirect chain.

2.2 Back-Button Hijack and Redirect Chain
Qualifying traffic is subjected to a back-button hijack via Object.defineProperty on window.location, intercepting popstate events to prevent users from navigating away. The redirect chain traverses sourshaped[.]com, skinnycrawlinglax[.]com, and professionaltrafficmonitor[.]com, terminating at the MGID native ad network backend. The campaign publisher token 71b88c4ea340cafbeb941dc395dc3b83 is hardcoded across all payload files and ties all activity to the clipzag[.]com lure placement.
2.3 Payload Analysis: Social Bar Framework
Payload JS files retrieved from skinnycrawlinglax[.]com and sourshaped[.]com implement a full Social Bar ad framework. The framework mounts a fixed-position iframe overlay on the victim page, implements frequency capping via cookies, and performs a back-button hijack keyed on the same UUID cookie, dom3ic8zudi28v8lr6fgphwffqoz0j6c, observed in invoke.js. Two distinct campaign variants were identified, each with separate placement keys and publisher session IDs (psids).

The complete set of data collected from each qualifying visitor includes:
- navigator.userAgent (full browser/OS fingerprint)
- window.location.href and window.location.hostname (current page URL and domain)
- Screen dimensions and viewport size (window.innerWidth/innerHeight)
- Browser type and version (Chrome, Safari, Firefox, Edge, Opera, Yandex, UC Browser)
- OS (Windows, Android, iOS, Linux, Mac, Windows Phone)
- Device type (Mobile, Tablet, Desktop)
- navigator.maxTouchPoints (touch capability fingerprinting)
- navigator.userAgentData.getHighEntropyValues(), including architecture, bitness, brands, platform, platformVersion, model, and fullVersionList
- Timezone offset
- Persistent UUID via the dom3ic8zudi28v8lr6fgphwffqoz0j6c cookie
- document.referrer and ancestorOrigins (iframe chain)
- Page load and network request timing via performance.getEntriesByType('resource')
This data is transmitted to operator-controlled infrastructure across multiple endpoints:
No credential theft was observed. The collection constitutes a persistent cross-site behavioral profile of each visitor and likely violates GDPR for affected EU/GCC-regulated organizations.
2.4 Fast-Flux TDS Network
URLscan and VT pivot analysis confirmed a fast-flux IP pool of 18 IPs across six /24 subnets. The primary TDS domains agitatechampionship[.]com, g9qnk89pd5ic[.]com, humpdecompose[.]com, and dissolvedbrevityclog[.]com collectively resolve to these IPs, with each IP hosting 17 to 124 additional compound-word TDS domains.
Passive DNS for 170.23.224[.]167 and 170.23.224[.]169, the two most recently active fast-flux IPs (resolved as of March 27, 2026), reveals a parallel layer of named redirect and delivery domains operating on the same infrastructure today, including realizationnewestfangs[.]com, franzredheadline[.]com, amuletshaped[.]com, boringegotistical[.]com, crownzodiac[.]com, inopportunefable[.]com, and spellingdelicatessenremove[.]com among others, all returning live 200 responses in the March 25 to 27, 2026 window.
The CPM network backend is larger than initially documented and includes highperformancecpmgate[.]com, highrevenuenetwork[.]com, variouscreativeformats[.]com, and topdisplaynetwork[.]com in addition to the previously identified CPM domains. The sbar.json query parameters observed in live URLscan captures expose the publisher placements being abused: manga and anime piracy sites (mangafire[.]to), video streaming platforms, and adult content sites, with campaign key b96781136f41f8fb859b888f711cae45 active across multiple placements. The CPM backend infrastructure was independently confirmed by Infoblox research, which identified effectivegatecpm[.]com as the final ad delivery endpoint in the same redirect chain.

3. Attribution: developzilla[.]com and Aeza BPH Network
3.1 Operator Infrastructure Identification
The Sentry DSN is hardcoded across all analyzed payload files (https://18eb246192ea9ed123b97c23c9107596@sentry.developzilla[.]com/12), exposing the operator's error-tracking infrastructure. Passive DNS analysis of developzilla[.]com reveals a professional software development organization with infrastructure dating to 2014, running JetBrains Hub, YouTrack project management, Artifactory build systems, and Sentry. Internal subdomains expose at least four developer first names: Ilia (ilia-local.developzilla[.]com, 192.168.118[.]36), Artem (exchange.artem.developzilla[.]com), Kate (kate-local.developzilla[.]com, 93.187.188[.]98), and Kirill (kirill-local.developzilla[.]com, 192.168.118[.]105). The presence of hub.developzilla[.]com (JetBrains Hub), tc.developzilla[.]com (TeamCity at 198.134.112[.]245), repo.developzilla[.]com (Artifactory), and sentry.developzilla[.]com confirms a full professional software development operation. Passive DNS for the operator's historical IP 209.200.42[.]204 (Webair, 2018) reveals co-hosting with adsterratech[.]com, an Adsterra ad network infrastructure domain, indicating that the operator's involvement in ad tech infrastructure dates back to 2018.
The domain operated on legitimate hosting infrastructure (Servers[.]com, Webair) from 2014 through 2024. On January 7, 2026, the SOA record for developzilla[.]com resolved to 147.45.69[.]3, an IP in the 147.45.69[.]0/24 CIDR flagged by Augur with an importance score of 80 for malware, DNS hijacking, dnschanger, and TDS activity, predicted January 2024 and still valid. The nameserver cluster ns1-4.awsnameservers[.]com (legitimate AWS infrastructure) has served developzilla[.]com since March 2022 and through at least March 2026, and warrants further pivot analysis for additional campaign domains.
3.2 Aeza International BPH Connection
The 147.45.69[.]0/24 CIDR is hosted within Aeza International (AS210644), a bulletproof hosting provider sanctioned by the U.S. Government in July 2025. On February 3, 2026, Infoblox published research documenting Aeza as the host of a shadow DNS network and an HTTP-based TDS, both operational since mid-2022, operated by a financially motivated actor in the affiliate marketing space. The Infoblox report directly identified effectivegatecpm[.]com as a final ad delivery endpoint in the same redirect chain observed in this campaign, providing independent corroboration of the IOC set.
The Aeza TDS operates by compromising routers and changing their DNS settings to route traffic to shadow resolvers hosted within Aeza's infrastructure. These resolvers selectively alter DNS responses, directing users to malicious content while evading detection via an EDNS0 restriction that causes queries from most security tools to return malformed responses. The system has been documented altering DNS responses for high-value domains, including shopify[.]com and okta[.]com.
3.3 Malware Co-delivery
Analysis of communicating files for sourshaped[.]com and skinnycrawlinglax[.]com reveals that the same infrastructure hosting this campaign's Social Bar payloads is in active contact with confirmed malware samples. The named families are CryptBot (credential and cookie stealer), IcedID (banking trojan and loader), NjRAT (remote access trojan), and Ryuk (ransomware). This infrastructure overlap does not confirm that campaign visitors were served these payloads, but it indicates that the operator, or at least their infrastructure, is shared with actors deploying multi-stage malware. Organizations with high connection volumes to campaign IPs should treat this as an indicator warranting endpoint investigation, rather than solely a network-layer ad-fraud event.
3.4 Potential AiTM Exposure
The organization's exposure data observed by Augur reflects direct browser-initiated connections to the campaign infrastructure, consistent with users visiting lure sites such as clipzag[.]com, which loaded the malicious ad payload in their browsers. This is distinct from the router compromise vector documented by Infoblox in their February 3, 2026, research on the same Aeza-hosted TDS infrastructure.
The Infoblox report documents the same financially motivated operator and the same CPM backend (effectivegatecpm[.]com) as part of a separate but parallel campaign that compromises vulnerable SOHO and SMB routers, changes their DNS settings to Aeza-hosted shadow resolvers, and silently redirects all devices behind that router through the same TDS. That campaign has been active since mid-2022 and has been documented altering DNS responses for high-value domains, including shopify[.]com and okta[.]com.
The practical implication for organizations is twofold. First, the browser-delivered malvertising campaign documented here is the confirmed exposure vector for all the affected organizations. Second, organizations operating older router hardware at sites where high connection volumes to campaign IPs were observed should additionally verify that their router DNS settings are not configured to use Aeza-hosted resolvers. If DNS resolver IPs in the 147.45.69[.]0/24 range are found on any edge device, that represents a separate router compromise incident requiring a distinct incident response track, as the threat actor in that scenario can alter DNS resolution for any domain on that network, not just deliver ads.
4. Organization’s Exposure
Augur observed connections to campaign infrastructure across multiple organizations, sectors, and regions, totaling 708,215 allowed outgoing connections across the full fast-flux IP pool. The figures below reflect the complete infrastructure set, including both primary entry-point IPs and the 16-node fast-flux pool. Campaign activity was first recorded in August 2023 and continued through March 27, 2026. The most affected sectors are Energy and Utilities, Banking, and Government, while the MENA region accounts for 78.4% of total allowed outgoing connections.
4.1 Sectors
4.2 By Region
5. Indicators of Compromise
5.1 IP Addresses
5.2 TDS Domains
5.3 Delivery and Payload Domains
5.4 Tracker and Analytics Domains
5.5 CPM Network Domains
5.6 Operator Infrastructure
5.7 Publisher Lure Sites
5.8 File Hashes and Campaign Tokens
5.9 Observed URLs
6. Recommendations
6.1 Immediate Blocking
- Block 188.40.16[.]220 and 172.240.108[.]76 at perimeter firewall. Note: 188.40.16[.]220 is part of the shared Eskimi DSP ad tech infrastructure; blocking it may affect legitimate ad network traffic.
- Block the full fast-flux IP pool at perimeter: 172.240.108[.]68/84/92, 172.240.127[.]234/242/243/244, 172.240.253[.]132, 192.243.59[.]12/13/20, 192.243.61[.]225/227, 170.23.224[.]167/169.
- Block 147.45.69[.]0/24 (Aeza BPH TDS network, sanctioned entity, confirmed malware/dns_hijacking/tds).
- Add all IOC domains to DNS blocklists, with priority on: agitatechampionship[.]com, sourshaped[.]com, skinnycrawlinglax[.]com, effectivegatecpm[.]com, developzilla[.]com, sentry.developzilla[.]com.
6.2 Priority Investigation: Router Compromise
- For organizations with high connection volumes to campaign IPs, initiate router integrity checks to rule out Aeza-linked DNS hijacking. Verify DNS resolver settings on all edge devices and check for unauthorized resolver IPs in 147.45.69[.]0/24.
- Query for DNS lookups to the Aeza shadow resolver range from client network logs. Use dig +noedns to test resolvers if a live investigation is required.
- For any organizations where DNS resolver tampering is confirmed, escalate from ad fraud to AiTM incident response protocol, as the threat actor is documented to alter DNS for okta[.]com, shopify[.]com, and similar critical services.
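The following is an added example, not code from the report or from Augur, showing how the 6.1 block list and the 6.2 resolver check can be applied as detection logic. It assumes a hypothetical key=value firewall log format and constructed sample lines; the indicator values are the ones listed in this report.

```python
import ipaddress
import re

# Indicators from this report, with the defanging brackets removed so they parse.
ENTRY_POINTS = {"188.40.16.220", "172.240.108.76"}
FAST_FLUX_POOL = {
    "172.240.108.68", "172.240.108.84", "172.240.108.92",
    "172.240.127.234", "172.240.127.242", "172.240.127.243", "172.240.127.244",
    "172.240.253.132", "192.243.59.12", "192.243.59.13", "192.243.59.20",
    "192.243.61.225", "192.243.61.227", "170.23.224.167", "170.23.224.169",
}
AEZA_TDS_RANGE = ipaddress.ip_network("147.45.69.0/24")
# Hypothetical key=value firewall log format, assumed for this example only.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def classify_ip(ip):
    """Name the indicator set a destination IP belongs to, or None."""
    if ip in ENTRY_POINTS:
        return "entry-point"
    if ip in FAST_FLUX_POOL:
        return "fast-flux-tds"
    if ipaddress.ip_address(ip) in AEZA_TDS_RANGE:
        return "aeza-tds-range"
    return None


def scan_log(lines):
    """One finding per matching line; port-53 hits on the Aeza range go to the AiTM track."""
    findings = []
    for m in filter(None, (LOG_RE.search(line) for line in lines)):
        src, dst, dport, action = m.groups()
        label = classify_ip(dst)
        if label is None:
            continue
        dns_hijack = label == "aeza-tds-range" and dport == "53"
        track = "aitm-router-compromise" if dns_hijack else "malvertising"
        findings.append({"src": src, "dst": dst, "label": label, "track": track, "action": action})
    return findings


def check_resolvers(configured):
    """Return configured edge-device resolver IPs that fall inside the Aeza TDS range."""
    return [r for r in configured if ipaddress.ip_address(r) in AEZA_TDS_RANGE]


# Constructed sample lines, not real client data.
SAMPLE_LOG = [
    "2026-03-26T10:01:02Z src=10.20.5.17 dst=188.40.16.220 dport=443 action=allow",
    "2026-03-26T10:01:05Z src=10.20.5.17 dst=170.23.224.169 dport=443 action=allow",
    "2026-03-26T10:02:11Z src=10.20.9.1 dst=147.45.69.3 dport=53 action=allow",
    "2026-03-26T10:02:30Z src=10.20.5.22 dst=198.51.100.7 dport=443 action=allow",
]
```

A port-53 hit on the Aeza range from an internal gateway address is the signal that a separate router-compromise response track should be opened, as section 3.4 describes.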
6.3 Abuse Reporting and CPM Network
- Report MGID publisher token 71b88c4ea340cafbeb941dc395dc3b83 to MGID Trust and Safety.
- Report inexorablefowlsexperimental[.]com to registrar for takedown, as this domain functions as a dedicated publisher placement domain for the campaign.
6.4 Ongoing Monitoring
- Fast-flux TDS infrastructure requires periodic IP blocklist refresh. Recommend monitoring agitatechampionship[.]com, g9qnk89pd5ic[.]com, and sourshaped[.]com for new resolution IPs weekly.
- Monitor awsnameservers[.]com for additional domains hosted on that nameserver cluster, as it likely serves additional campaign infrastructure beyond developzilla[.]com.
- Pivot on Sentry DSN project ID 12 at sentry.developzilla[.]com if access to related infrastructure becomes available, as it may reveal additional campaign projects.
For questions or additional analysis, contact: research@augursecurity.com

