Broad Keitaro TDS abuse across more than 120 campaigns

Target Trend

First reported

27.04.2026 09:33

Last updated

27.04.2026 09:33

Happening score

H score 39

1 unique sources, 1 articles

Summary

Hide ▲

Keitaro TDS was abused by more than 120 distinct campaigns between October 2025 and January 2026, showing a broad recurring pattern of malicious link delivery and spam. Telemetry tied the activity to about 226,000 DNS queries across 13,500 domains, underscoring its scale. The abuse matters because threat actors are turning a legitimate routing and cloaking platform into infrastructure for evasion and mass distribution.

Related Happenings

PurpleBravo Contagious Interview campaign

Campaign

First: 21.01.2026 19:17 Last: 21.01.2026 19:17 Sources 1

About this happening: The **North Korea-linked Contagious Interview** campaign is refining its malware stack, with **Cisco Talos** reporting that **BeaverTail** and **OtterCookie** are being merged mor...

Latest development: 22.04.2026 17:48

North Korean actor Void Dokkaebi, aka Famous Chollima, pushed the Contagious Interview fake-job campaign into a self-propagating software supply chain operation by abusing compromised developer repositories, malicious Visual Studio (VS) Code tasks, and injected code that can run during normal development activity to spread malware and steal cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. Trend Micro said the campaign also stages payloads on Tron, Aptos, and Binance Smart Chain, and in March it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool.

Open Happening

Parked and typosquatting domains now redirect most visitors to scams and malware

Target Trend

First: 16.12.2025 16:14 Last: 16.12.2025 16:14 Sources 1

About this happening: Large-scale experiments found **parked domains** and **typosquatting domains** now commonly send visitors to **scams**, **scareware**, or **malware**, turning routine mistyped nav...

Open Happening

Cloudflare Radar Top Domains list redacts and hides Aisuru domains

Security Tool/Service

First: 06.11.2025 04:04 Last: 06.11.2025 04:04 Sources 1

About this happening: **Cloudflare** redacted **Aisuru** domains from its **Top Domains** rankings after the botnet started gaming the public list and distorting trust signals. The update reduces the v...

Open Happening

DeceptionAds ClickFix social-engineering campaign

Campaign

First: 25.09.2025 20:22 Last: 25.09.2025 20:22 Sources 1

About this happening: The **DeceptionAds** operation used **Vane Viper's malicious ad network** to deliver **ClickFix-style social engineering**, expanding deceptive user reach through malvertising inf...

Open Happening

Timeline

27.04.2026 09:33 2 articles · 1mo ago

Broad Keitaro TDS abuse across more than 120 campaigns

Initial Disclosure
Early telemetry showed **Keitaro Tracker** being repurposed as a cloaking and delivery layer for spam across many domains. The observed surge clustered in a **four-month window** ending in **January 2026**.
Show sources

Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud — thehackernews.com — 27.04.2026 09:33

Fake CAPTCHA IRSF Scam and 120 Keitaro Campaigns Drive Global SMS, Crypto Fraud — thehackernews.com — 27.04.2026 09:33
Open in new tab