Shortly after, the campaign changed the domain names used in its scripts. Now it mainly uses hotopponents[.]site and learningtoolkit[.]club.
At the time of this writing, PublicWWW finds the most common patterns of this malware on thousands of sites:
- “var _0xfcc4=” – 8501 sites
- “hotopponents.site/site.js” – 3636 sites
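
The patterns and domains named above can also be checked locally. The following scanner is an added example, not code from the original article: it walks a site's files and reports which of those indicators each file contains. The file-extension list, the function names and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Indicators quoted in the article; domains are re-fanged for matching.
INDICATORS = {
    "var _0xfcc4=": re.compile(rb"var\s+_0xfcc4\s*="),
    "hotopponents.site": re.compile(rb"hotopponents\.site", re.I),
    "learningtoolkit.club": re.compile(rb"learningtoolkit\.club", re.I),
}
# Assumption: file types worth checking on a typical site.
EXTENSIONS = (".js", ".php", ".html", ".htm")

def scan_file(path):
    """Return the sorted indicator names present in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(n for n, rx in INDICATORS.items() if rx.search(data))

def scan_tree(root):
    """Map relative path -> indicators for every matching file under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(EXTENSIONS):
                continue
            full = os.path.join(dirpath, fname)
            try:
                found = scan_file(full)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits

def run_demo():
    """Scan a constructed sample tree (not taken from a real infected site)."""
    samples = {
        "index.php": b'<script src="//hotopponents.site/site.js"></script>\n',
        "theme.js": b'var _0xfcc4=["\\x61"]; // constructed stub\n',
        "about.html": b"<html><body>clean page</body></html>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, names in sorted(run_demo().items()):
        print(path, names)
```

Point `scan_tree()` at a web root to list affected files. It matches only the indicators named in this post, so a clean result does not rule out other variations of the injection.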
Multiple variations of the injected scripts have been found.