It started with a magazine article.
Someone received a link to an online article, the kind of thing that gets forwarded without a second thought. Interesting read, pass it along. A few colleagues got the email. They clicked the link.
Three managed devices were wiped before the week was out.
The Delivery Chain
The site was legitimate. The article was real. What was not legitimate was the ad network serving content in the background. Malicious ads injected into an otherwise clean page are effective precisely because the page itself gives you no reason to be suspicious. The exploit kit running in the background fingerprinted each visiting browser, identified vulnerabilities, and selected the appropriate exploit. Silent, automatic, no user interaction beyond the initial click.
The infrastructure behind it was layered:
rueckec[.]lol was the exploit kit host. When a browser loaded the page, a background request fired here. The kit did its fingerprinting and handed off to the next stage.
confirmyouarehuman[.]top was the initial payload host. The domain name is deliberate misdirection. If anyone noticed it in a proxy log or browser history it reads like a CAPTCHA challenge. Nothing to see here.
tiixeira[.]lol was the secondary payload host, likely delivering the XorBee RAT or establishing persistence. By the time traffic reached this domain, the device was already compromised.
191.44.109.233:4444 was the command and control listener. Port 4444 is Metasploit's default listener port, a hint toward off-the-shelf tooling, though on its own it proves nothing, since any service can bind it. Infected devices called home here, exchanging XOR-encoded check-in packets: 98 sessions in under an hour on one device alone.
The .lol and .top TLDs are a tell. Cheap, fast to register, disposable. Purpose-built for campaigns where infrastructure gets burned and replaced on a short cycle.
What XorBee Looks Like in a Firewall Log
The firewall logged insufficient-data on every session to port 4444. The application identifier never resolved because XorBee's traffic is XOR-obfuscated: whatever the key, no session starts with a recognizable protocol header, so a protocol analyzer sees only noise. Without the Security Onion signature match on the specific XOR pattern, this traffic blends into a busy workday.
The behavioral data told a different story. Bytes sent clustered at 307 bytes in 42 of the 98 sessions, bytes received at 186 bytes in 40 of them. Fixed-size check-in, fixed-size response, 98 rounds in under an hour. The implant asking the same question over and over: do you have tasking for me?
The client reset 76 of the 98 connections itself; the server was not dropping them. The implant was cycling through check-ins deliberately: establish a session, exchange the encoded payload, tear it down. Disciplined. Purposeful.
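The three tells above (an unidentified application on every session, sent and received sizes that cluster on one value, and the client closing most connections itself) can be pulled out of a traffic-log export without any signature for the payload. The script below is an added example, not code from the original write-up or from Security Onion. It builds a constructed CSV log with the same shape as the numbers reported here, then profiles each (source, destination, port) flow. The column names, the internal host 10.20.30.40, the benign 203.0.113.10:443 flow and the threshold values are all assumptions chosen for illustration.

```python
"""Flag beacon-shaped sessions in a firewall traffic log.

Added example, not code from the original write-up. The CSV layout,
the internal host, the benign HTTPS flow and the thresholds are assumptions.
"""
import csv
import io
from collections import Counter, defaultdict

COLUMNS = ["ts", "src", "dst", "dport", "app", "bytes_sent", "bytes_recv", "end_reason"]


def build_sample_log():
    """Constructed log: 98 sessions from one host to the C2 on tcp/4444,
    shaped like the write-up's numbers (42 sessions at 307 bytes sent,
    40 at 186 bytes received, 76 ended by a client-side reset), plus 30
    ordinary HTTPS sessions whose sizes never repeat."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(COLUMNS)
    for i in range(98):
        sent = 307 if i < 42 else (301, 315, 322, 298)[i % 4]
        recv = 186 if i < 40 else (180, 190, 204, 171)[i % 4]
        reason = "tcp-rst-from-client" if i < 76 else "tcp-fin"
        w.writerow([1700000000 + 30 * i, "10.20.30.40", "191.44.109.233", 4444,
                    "insufficient-data", sent, recv, reason])
    for i in range(30):
        w.writerow([1700000000 + 97 * i, "10.20.30.40", "203.0.113.10", 443,
                    "ssl", 1200 + 37 * i, 4000 + 211 * i, "tcp-fin"])
    return out.getvalue()


def parse_log(text):
    """Parse the CSV export into dicts with numeric fields converted."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["dport"] = int(r["dport"])
        r["bytes_sent"] = int(r["bytes_sent"])
        r["bytes_recv"] = int(r["bytes_recv"])
        rows.append(r)
    return rows


def profile_flows(rows, min_sessions=20, cluster_ratio=0.3,
                  reset_ratio=0.5, unknown_ratio=0.9):
    """Group sessions per (src, dst, dport) and score how beacon-like each is.

    A flow is flagged when all three hold: the most common sent size and the
    most common received size each cover at least cluster_ratio of sessions,
    at least reset_ratio of sessions were torn down by the client, and at
    least unknown_ratio of sessions had no application identified.
    """
    flows = defaultdict(list)
    for r in rows:
        flows[(r["src"], r["dst"], r["dport"])].append(r)

    profiles = {}
    for key, sessions in flows.items():
        n = len(sessions)
        if n < min_sessions:
            continue  # too few sessions to say anything about shape
        sent_mode, sent_count = Counter(s["bytes_sent"] for s in sessions).most_common(1)[0]
        recv_mode, recv_count = Counter(s["bytes_recv"] for s in sessions).most_common(1)[0]
        client_resets = sum(s["end_reason"] == "tcp-rst-from-client" for s in sessions)
        unknown_app = sum(s["app"] == "insufficient-data" for s in sessions)
        fixed_size = sent_count / n >= cluster_ratio and recv_count / n >= cluster_ratio
        client_driven = client_resets / n >= reset_ratio
        unidentified = unknown_app / n >= unknown_ratio
        profiles[key] = {
            "sessions": n,
            "bytes_sent_mode": (sent_mode, sent_count),
            "bytes_recv_mode": (recv_mode, recv_count),
            "client_resets": client_resets,
            "unknown_app": unknown_app,
            "suspicious": fixed_size and client_driven and unidentified,
        }
    return profiles


if __name__ == "__main__":
    for (src, dst, dport), p in profile_flows(parse_log(build_sample_log())).items():
        flag = "BEACON?" if p["suspicious"] else "ok"
        print(f"{src} -> {dst}:{dport} sessions={p['sessions']} "
              f"sent={p['bytes_sent_mode']} recv={p['bytes_recv_mode']} "
              f"client_rst={p['client_resets']} unknown_app={p['unknown_app']} {flag}")
```

The size-cluster test deliberately uses the single most common value rather than a mean, because a check-in that pads to a fixed length produces a spike, not a narrow distribution, and the spike survives even when the remaining sessions carry variable tasking. The client-reset ratio is the cheapest of the three to compute and the hardest for an implant to hide without changing how it manages sessions.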
Why Three Devices
One email. One forward.
The original recipient clicked the link. The device got compromised. Then, before anyone knew anything was wrong, the email got forwarded to colleagues. They clicked the same link. Same exploit kit, same delivery chain, same result.
The forwarding is what turned a single infection into an incident. The original sender did not know. The forwarder did not know. Everyone was sharing an interesting article.
This is the human layer. Not carelessness. The attack was specifically designed to look like something worth sharing, and it did.
Managed Devices, Limited Blast Radius
All three infected devices were managed machines, domain-joined Windows workstations with endpoint protection running. That matters for two reasons.
First, visibility. Firewall logs, Kerberos and LDAP traffic, Security Onion signatures, endpoint telemetry. Managed devices leave a trail. The investigation had something to work with. A BYOD infection in the same scenario would have ended at the firewall log with “unknown dwell time” and a wipe recommendation.
Second, a defined remediation path. Wipe, reimage, restore from backup, rotate credentials, verify. Three devices, same playbook, executed in parallel. The users who touched those devices during the infection window had their passwords reset before the end of the day. One caveat on that step: resetting a domain password does not revoke Kerberos tickets an attacker already holds, which stay usable until they expire, so the reset only closes the door once those tickets age out or the account is disabled.
The containment was clean. Three managed devices still got wiped because someone forwarded an email.
IOCs
| Indicator | Type | Role |
|---|---|---|
| rueckec[.]lol | Domain | Exploit kit host |
| confirmyouarehuman[.]top | Domain | Initial payload host |
| tiixeira[.]lol | Domain | Secondary payload host |
| 191.44.109.233 | IP | XorBee C2, port 4444 |
| 103.169.142.20 | IP | Malicious infrastructure (VirusTotal confirmed) |
| 103.169.142.21 | IP | Malicious infrastructure (VirusTotal confirmed) |
| Port 4444 | Port | Metasploit default listener |
| XorBee RAT | Malware | Remote access trojan, XOR-encoded C2 |
Internal infrastructure details and identifying information have been omitted. IOCs are published to support the broader security community. The malvertising delivery vector is an inference from the evidence available to the investigation.