Watering‑Hole Campaign Plants ScanBox Keylogger on Target Sites
APT group TA423 is using compromised legitimate websites as watering‑hole vectors. When a visitor loads one of the compromised pages, injected code silently redirects the browser to a malicious JavaScript payload that loads the ScanBox keylogger. The script records keystrokes in real time and forwards the captured data to the attackers’ command‑and‑control infrastructure without any visible prompt to the user.
The compromise enables credential theft, session hijacking, and potential lateral movement within victim networks, especially if high‑privilege accounts are targeted. Defenders should prioritize monitoring for unexpected script redirects, employ web‑application firewalls to block unknown JavaScript, enforce a strict Content Security Policy (CSP), and integrate threat‑intel feeds that flag ScanBox indicators. Early detection of anomalous browser behavior and rapid containment of compromised web assets are critical to preventing data exfiltration.
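Two of the defensive measures above, auditing a site's pages for script tags that load from unexpected hosts and serving a strict CSP that refuses unlisted and inline scripts, can be combined into one small check. The following Python is an added example written for this summary, not code from the original article or from any vendor report on ScanBox; the allowed hosts, the sample page (including the `.invalid` placeholder for an injected script host) and the `/csp-report` endpoint are all constructed assumptions.

```python
"""Audit an HTML page for script sources outside an allowlist and emit the
strict CSP header that would stop the browser loading them.

Example code; domain names, sample page and report endpoint are constructed.
"""
import secrets
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that are expected to serve JavaScript for this site (assumed values).
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "static.example.org"}

# Constructed sample: a legitimate page into which a third script tag
# pointing at an attacker-controlled host (placeholder .invalid TLD) was injected.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example.org/lib.js"></script>
<script src="//cdn.attacker-placeholder.invalid/s.js"></script>
<script>window.__cfg = {};</script>
</head><body><p>hello</p></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external script src values and counts inline script blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # every src= value seen on a <script> tag
        self.inline = 0         # number of non-empty inline <script> bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script and data.strip():
            self.inline += 1


def find_unexpected_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (list of script URLs whose host is not allowlisted, inline count).

    Relative URLs (no host) are same-origin and are not flagged; protocol-relative
    URLs such as //host/x.js are resolved to their host and checked like any other.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:
            continue
        if host.lower() not in allowed:
            findings.append(src)
    return findings, parser.inline


def build_strict_csp(nonce, allowed_hosts=ALLOWED_SCRIPT_HOSTS, report_path="/csp-report"):
    """Build a CSP that only runs scripts from listed hosts or carrying the nonce.

    Inline scripts must carry nonce="<nonce>" to execute; an injected inline
    or third-party script without it is blocked and a violation report is sent.
    """
    hosts = " ".join(f"https://{h}" for h in sorted(allowed_hosts))
    return (
        f"default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}' {hosts}; "
        f"object-src 'none'; base-uri 'self'; "
        f"report-uri {report_path}"
    )


# A policy of this shape is common and defeats the purpose: any host may serve
# scripts and inline code runs unconditionally.
WEAK_CSP = "default-src 'self' 'unsafe-inline' *"


def new_nonce():
    """Per-response nonce; must be unpredictable and regenerated on every response."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    flagged, inline_count = find_unexpected_scripts(SAMPLE_PAGE)
    print("unexpected external scripts:", flagged)
    print("inline script blocks (need a nonce under strict CSP):", inline_count)
    print("Content-Security-Policy:", build_strict_csp(new_nonce()))
```

Run the audit against the site's own served pages (not a cached copy) at a regular interval and alert on any new host appearing in the flagged list; combined with the strict header, a newly injected loader is both surfaced in the audit and refused by visitors' browsers, with the CSP violation reports giving an early signal that something changed on the page.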
Categories: Threat Intelligence, Data Breaches, AI Security & Threats