{"id":43568,"date":"2015-05-29T11:28:10","date_gmt":"2015-05-29T18:28:10","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=43568"},"modified":"2025-06-08T19:50:44","modified_gmt":"2025-06-09T02:50:44","slug":"when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/","title":{"rendered":"When Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign"},"content":{"rendered":"

Selling stolen data is an easy way for cybercriminals to make some quick money on cyber black markets.<\/p>\n

The Flowchart<\/h2>\n

The following flowchart shows a generic credential-stealing campaign in action. In the last step, the flow is bidirectional. The malware makes a two-way authentication-free connection between the victim and the attacker.<\/p>\n

\"q1\"<\/a><\/p>\n

\u00a0<\/a><\/p>\n

This two way connection not only seamlessly delivers the stolen data to malware servers, but it also makes sure the malware can communicate with the infected system and remotely execute commands. However, one major flaw with this approach is that in addition to the malware author reaching the victim, an aware “victim”–such as a honeypot or a malware researcher–can make use of this connection to access and hack the malware author’s server.<\/p>\n

Let’s look at a similar case: McAfee Labs found a bunch of malware samples connecting to a site hosted on third-party domain provider \u201cz********.esy.es.\u201d Some of the hashes had a fresh compilation timestamp, suggesting that the malware samples were created very recently. The following picture shows one of the recent compile dates:<\/p>\n

\"q2\"<\/a><\/p>\n

The malware author uses fancy encryption schemes to conceal the control server that holds the stolen data. Here is a section of the decryption loop module:<\/p>\n

\"q3\"<\/a><\/p>\n

After reversing the binary, we found that the malware uses the following function F(x) to conceal the domain:<\/p>\n

F(x) = A(key1[i]) XOR B(A(key2[i])) > B(A(key2[i-1])) ? A(key1[i]) XOR B(A(key2[i])) – B(A(key2[i-1])) : (A(key1[i]) XOR B(A(key2[i])) + 0xff) – B(A(key2[i-1]))<\/em><\/p>\n

In which A(x) is a function to remove zeroes from unicode, B(x) is a function to convert hex data to a string by clubbing two numbers to form a byte, Key1[] and Key2[] are two buffers of hardcoded keys, and \u201ci\u201d is a counter that starts from 1 and increments with each iteration.<\/p>\n

To illustrate, let’s decrypt \u201c3\u201d of the address from the key values, assuming the loop has already run I times.<\/p>\n

Key1[] = 42 00 56 00<\/em><\/p>\n

\u00a0\"q4\"<\/a><\/em><\/p>\n

 <\/p>\n

A(Key1[]) = 42 56 ( Unicode removed )<\/em><\/p>\n

So A[Key1[i]) = 42<\/em><\/p>\n

A(Key2[]) = 44 30 34 36 ( Unicode removed )<\/em><\/p>\n

B(A[Key2[]) = D046 i.e. D0 46 ( String conversion followed by hex)<\/em><\/p>\n

B(A[Key2[i-1] = D0<\/em><\/p>\n

B(A[Key2[i] = 46<\/em><\/p>\n

\u00a0<\/em><\/p>\n

(key1[i]) XOR B(A(key2[i])) = 42 xor 46 = 04<\/em><\/p>\n

B(A(key2[i-1])) = D0<\/em><\/p>\n

\u00a0<\/em>04 > D0 is False, so output will be second condition.<\/em><\/p>\n

So f(x) = (04 + ff )- d0 = 33 .<\/em><\/p>\n

0x33 = \u201c3\u201d i.e., the 3 of <\/em>\u201cz********.esy.es\u201d<\/p>\n

The preceding calculations illustrate one iteration, by looping the functions over and over, we come across the whole decrypted url: z********.esy.es.<\/p>\n

This looks a good effort from the malware author to conceal the attack from static analysis, but when we take the behavioral approach we can see that all hashes are continuously connecting to the malware-specific site. The connection shows the malware was hosted on the third-party domain Hostinger. Using a third-party site is convenient for malware authors, who can periodically change the domain names and remain concealed. The following is an overview of the domain, hosting, and ASN information:<\/p>\n

\"q5-1024x645\"<\/a><\/p>\n

 <\/p>\n

When we connected to the control server, we were surprised to see a number of dumped logs, each representing a compromised user:<\/p>\n

\"q6\"<\/a><\/p>\n

Each log gives a list of credentials of various accounts. Most victims have opened sites related to Brazil and the malware author uses Portuguese on his server.<\/p>\n

\"q7\"<\/a><\/p>\n

Following is a snippet of leaked account data:<\/p>\n

\"q8\"<\/a><\/p>\n

 <\/p>\n

Here is a YARA rule to identify this campaign:<\/p>\n

\u00a0<\/em>rule CredStealESY : For CredStealer<\/em><\/p>\n

{<\/em><\/p>\n

\u00a0<\/em>meta:<\/em><\/p>\n

description = “Generic Rule to detect the CredStealer Malware”<\/em><\/p>\n

author = “IsecG \u2013 McAfee Labs”<\/em><\/p>\n

date = “2015\/05\/08”<\/em><\/p>\n

strings:<\/em><\/p>\n

$my_hex_string = “CurrentControlSet\\\\Control\\\\Keyboard Layouts\\\\” wide \/\/malware trying to get keyboard layout<\/em><\/p>\n

$my_hex_string2 = {89 45 E8 3B 7D E8 7C 0F 8B 45 E8 05 FF 00 00 00 2B C7 89 45 E8} \/\/specific decryption module<\/em><\/p>\n

\u00a0<\/em>condition:<\/em><\/p>\n

$my_hex_string and $my_hex_string2<\/em><\/p>\n

}<\/p>\n

McAfee Labs has contacted the authorities to take action against this website and its author.<\/p>\n

McAfee customers are already protected from this threat via DAT signature CredSteal-ESY!<\/p>\n

McAfee website reputation software flags this site and raises a trigger to make sure customers do not land on this page.<\/p>\n

\"q9\"<\/a><\/p>\n

Special thanks to my colleague Christiaan Beek for his invaluable input.<\/p>\n","protected":false},"excerpt":{"rendered":"

Selling stolen data is an easy way for cybercriminals to make some quick money on cyber black markets. The Flowchart…<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,32,180],"coauthors":[4136],"class_list":["post-43568","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-data-protection","tag-malware"],"acf":[],"yoast_head":"\nWhen Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Selling stolen data is an easy way for cybercriminals to make money. One typical campaign makes a two-way connection between the victim and the attacker.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"When Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Selling stolen data is an easy way for cybercriminals to make money. One typical campaign makes a two-way connection between the victim and the attacker.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2015-05-29T18:28:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-09T02:50:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/q1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"662\" \/>\n\t<meta property=\"og:image:height\" content=\"199\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"When Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign\",\"datePublished\":\"2015-05-29T18:28:10+00:00\",\"dateModified\":\"2025-06-09T02:50:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/\"},\"wordCount\":712,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/q1.png\",\"keywords\":[\"computer security\",\"cybercrime\",\"data protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/\",\"name\":\"When Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/q1.png\",\"datePublished\":\"2015-05-29T18:28:10+00:00\",\"dateModified\":\"2025-06-09T02:50:44+00:00\",\"description\":\"Selling stolen data is an easy way for cybercriminals to make money. One typical campaign makes a two-way connection between the victim and the attacker.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/q1.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/q1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"When Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"When Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign | McAfee Blog","description":"Selling stolen data is an easy way for cybercriminals to make money. One typical campaign makes a two-way connection between the victim and the attacker.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"When Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign | McAfee Blog","og_description":"Selling stolen data is an easy way for cybercriminals to make money. One typical campaign makes a two-way connection between the victim and the attacker.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2015-05-29T18:28:10+00:00","article_modified_time":"2025-06-09T02:50:44+00:00","og_image":[{"width":662,"height":199,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/q1.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"When Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign","datePublished":"2015-05-29T18:28:10+00:00","dateModified":"2025-06-09T02:50:44+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/"},"wordCount":712,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/q1.png","keywords":["computer security","cybercrime","data protection","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/","name":"When Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/q1.png","datePublished":"2015-05-29T18:28:10+00:00","dateModified":"2025-06-09T02:50:44+00:00","description":"Selling stolen data is an easy way for cybercriminals to make money. One typical campaign makes a two-way connection between the victim and the attacker.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/q1.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/q1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"When Hackers Get Hacked: the Malware Servers of a Data-Stealing Campaign"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/43568","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=43568"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/43568\/revisions"}],"predecessor-version":[{"id":215290,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/43568\/revisions\/215290"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=43568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=43568"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=43568"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=43568"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}