{"id":19577,"date":"2026-03-26T10:32:47","date_gmt":"2026-03-26T10:32:47","guid":{"rendered":"\/cybersecurity-blog\/?p=19577"},"modified":"2026-03-26T13:01:06","modified_gmt":"2026-03-26T13:01:06","slug":"banks-magecart-campaign","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/","title":{"rendered":"Active Magecart\u00a0Campaign\u00a0Targets Spain, Steals Card Data via\u00a0Hijacked eStores for Bank Fraud\u00a0"},"content":{"rendered":"\n<p>A large-scale magecart operation remained active for over 24 months, leveraging an infrastructure of 100+ domains. While the targeted victims are e-commerce websites, the actual pressure falls on <a href=\"https:\/\/any.run\/by-industry\/finance\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktofinancelanding\" target=\"_blank\" rel=\"noreferrer noopener\">banks and payment systems<\/a>.<\/p>\n\n\n\n<p>As&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s&nbsp;analysis&nbsp;shows, threat actors applied multi-step checkout hijacking, payment&nbsp;page&nbsp;mimicry,&nbsp;and&nbsp;WebSocket-based&nbsp;exfiltration of card data.&nbsp;<\/p>\n\n\n\n<p>This report provides both&nbsp;executive-level insights&nbsp;and&nbsp;technical&nbsp;analysis&nbsp;of the campaign.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The campaign&nbsp;demonstrates&nbsp;<strong>long-term persistence <\/strong>(24+&nbsp;months)&nbsp;supported by highly resilient infrastructure.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Banks<\/strong> (not merchants) <strong>bear the primary impact<\/strong>, as stolen card data leads to fraud 
losses&nbsp;and&nbsp;reputational risk.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Payment system mimicry (notably&nbsp;Redsys)<strong>&nbsp;significantly increases attack success<\/strong> by embedding fraud into trusted user flows.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use of&nbsp;<strong>WebSocket exfiltration&nbsp;<\/strong>reduces visibility in traditional security&nbsp;monitoring tools.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-stage,&nbsp;dynamically delivered payloads&nbsp;allow attackers to <strong>adapt quickly&nbsp;<\/strong>and&nbsp;evade disruption.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The campaign is&nbsp;global but <strong>regionally tailored<\/strong>,&nbsp;leveraging&nbsp;localized payment ecosystems to enhance credibility.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Campaign Overview&nbsp;<\/h2>\n\n\n\n<p>A large-scale&nbsp;magecart&nbsp;operation has been&nbsp;identified,&nbsp;active for at least&nbsp;24&nbsp;months&nbsp;and&nbsp;supported by&nbsp;over 100 domains.&nbsp;In observed cases, threat actors deployed a&nbsp;multi-stage checkout hijacking framework, incorporating:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Payment step substitution&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WebSocket-based exfiltration of payment card data&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Payment page mimicry, including infrastructure-level impersonation of legitimate providers (notably Redsys)<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dynamic frontend adaptation of payment interfaces matching different storefronts and scenarios<\/li>\n<\/ul>\n\n\n\n<p>A total of&nbsp;17 WooCommerce websites&nbsp;were infected between February 2024&nbsp;and&nbsp;April 2025&nbsp;and&nbsp;are&nbsp;likely linked&nbsp;to this campaign, reflecting its&nbsp;longevity&nbsp;and&nbsp;operational 
stability.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Industrial&nbsp;and&nbsp;Regional&nbsp;Context&nbsp;Behind Global Impact&nbsp;<\/h2>\n\n\n\n<p>The geographic&nbsp;scope of the campaign is global. Among the victims are organizations from at least 12 countries,&nbsp;including&nbsp;the&nbsp;United&nbsp;Kingdom&nbsp;and&nbsp;Denmark. However,&nbsp;there\u2019s&nbsp;a notable concentration of&nbsp;such&nbsp;incidents in Spain, France,&nbsp;and&nbsp;the United States.&nbsp;<\/p>\n\n\n\n<p>Some cases are confirmed directly via telemetry&nbsp;and&nbsp;network&nbsp;traffic,&nbsp;while&nbsp;others are&nbsp;identified&nbsp;via&nbsp;infrastructure&nbsp;correlation.&nbsp;<\/p>\n\n\n\n<p>From&nbsp;an&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/industry-geo-threat-landscape\/\" target=\"_blank\" rel=\"noreferrer noopener\">industry<\/a>&nbsp;perspective,&nbsp;mostly retail e-commerce&nbsp;companies&nbsp;were&nbsp;targeted, although&nbsp;in some cases&nbsp;non-commercial&nbsp;organizations&nbsp;have&nbsp;been affected, too.&nbsp;<\/p>\n\n\n\n<p>However, the&nbsp;primary&nbsp;pressure here falls on&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/cyber-threat-intelligence-for-finance\/\" target=\"_blank\" rel=\"noreferrer noopener\">banks<\/a>, as cardholders faced&nbsp;financial exposure&nbsp;and&nbsp;their trust in payment systems suffered.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why&nbsp;Redsys&nbsp;and&nbsp;the Spanish Payment Context Stand&nbsp;Out&nbsp;<\/h2>\n\n\n\n<p>Despite the global impact,&nbsp;the&nbsp;ties&nbsp;to Spain&nbsp;and&nbsp;its payment ecosystem&nbsp;in particular are&nbsp;evident in&nbsp;this&nbsp;magecart&nbsp;campaign.&nbsp;<\/p>\n\n\n\n<p>Mimicry of&nbsp;Redsys, a payment system used in Spain, lies at the foundation of the attacks. The campaign infrastructure features domains&nbsp;and&nbsp;visual artifacts&nbsp;designed to fit the Spanish payment context. 
In some cases, user payment flows included the&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">legitimate<\/a>&nbsp;Redsys&nbsp;domain sis.redsys.es for added credibility.&nbsp;<\/p>\n\n\n\n<p>This approach made the malicious activity of&nbsp;the campaign&nbsp;convincing within the Spanish payment context.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What&nbsp;Makes This Campaign Durable&nbsp;<\/h2>\n\n\n\n<p><strong>Payment Mimicry&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<p>A significant portion&nbsp;of the infrastructure is registered via&nbsp;NICENIC INTERNATIONAL GROUP&nbsp;and&nbsp;disguised as&nbsp;legitimate web services, including&nbsp;analytics platforms, CDN resources, jQuery libraries,&nbsp;and payment&nbsp;services. If accessed directly,&nbsp;they act as technical&nbsp;placeholders&nbsp;or simulate&nbsp;legitimate redirects. This complicates attribution.&nbsp;<\/p>\n\n\n\n<p><strong>Multi-Stage Delivery Architecture<\/strong>&nbsp;<\/p>\n\n\n\n<p>The injected JavaScript&nbsp;contains&nbsp;only a small loader that&nbsp;connects&nbsp;to external infrastructure, receives configuration data,&nbsp;and&nbsp;loads&nbsp;the next stage. The loader uses a fallback mechanism: it iterates through backup domains until a&nbsp;valid&nbsp;response is&nbsp;received. This allows the campaign to continue even if some&nbsp;components of the infrastructure get blocked.&nbsp;<\/p>\n\n\n\n<p><strong>Dynamic Payload Delivery<\/strong>&nbsp;<\/p>\n\n\n\n<p>The next stage&nbsp;isn\u2019t&nbsp;stored openly inside&nbsp;an&nbsp;infected file.&nbsp;It\u2019s&nbsp;delivered dynamically via a staging response. Thanks to this, the operators can&nbsp;modify&nbsp;delivery domains, payload paths,&nbsp;and&nbsp;control&nbsp;infrastructure without re-infecting the website.&nbsp;<\/p>\n\n\n\n<p>Different domains&nbsp;don\u2019t&nbsp;necessarily&nbsp;serve&nbsp;different campaigns. Instead, they have&nbsp;different roles: staging&nbsp;responses,&nbsp;payload delivery,&nbsp;or&nbsp;WebSocket\/C2&nbsp;and&nbsp;command&nbsp;handlers.&nbsp;<\/p>\n\n\n\n<p><strong>Other Factors<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>State persistence in&nbsp;localStorage&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Masquerading as&nbsp;legitimate external dependencies&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>WebSocket usage as a channel for control&nbsp;and&nbsp;exfiltration&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>As a result, the&nbsp;compromised&nbsp;website becomes only&nbsp;an&nbsp;initial&nbsp;access point.&nbsp;Subsequent&nbsp;payload delivery&nbsp;and&nbsp;data exfiltration can&nbsp;be flexibly&nbsp;modified&nbsp;inside the external infrastructure.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Technical&nbsp;Analysis&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Initial Loader Delivery&nbsp;and&nbsp;Execution&nbsp;<\/h3>\n\n\n\n<p>Following the compromise of a website, attackers&nbsp;modify&nbsp;one of the site\u2019s embedded JavaScript files with a&nbsp;small, obfuscated&nbsp;loader.&nbsp;It&nbsp;doesn\u2019t&nbsp;contain&nbsp;the main card-stealing logic but acts as&nbsp;an&nbsp;initial delivery tool. 
It&nbsp;executes in&nbsp;the victim\u2019s browser&nbsp;and&nbsp;receives parameters for the next stage&nbsp;from&nbsp;external infrastructure.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"876\" height=\"71\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-1.png\" alt=\"\" class=\"wp-image-19584\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-1.png 876w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-1-300x24.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-1-768x62.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-1-370x30.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-1-270x22.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-1-740x60.png 740w\" sizes=\"(max-width: 876px) 100vw, 876px\" \/><figcaption class=\"wp-element-caption\"><em>Injected&nbsp;JavaScript&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Next, the&nbsp;obfuscated&nbsp;part of the loader contacts one of the predetermined&nbsp;domains from the fallback infrastructure list. 
It returns a JSON configuration containing the next&nbsp;stage\u2019s&nbsp;address,&nbsp;the WebSocket\/C2 server address,&nbsp;and&nbsp;an&nbsp;extra HTTP handler for auxiliary communication.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"365\" height=\"167\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-2.png\" alt=\"\" class=\"wp-image-19585\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-2.png 365w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-2-300x137.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-2-270x124.png 270w\" sizes=\"(max-width: 365px) 100vw, 365px\" \/><figcaption class=\"wp-element-caption\"><em>Domain examples&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>These values are delivered as encoded arrays of&nbsp;numeric&nbsp;character codes, which are then&nbsp;decoded&nbsp;in the victim\u2019s browser.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"716\" height=\"228\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-2.png\" alt=\"\" class=\"wp-image-19586\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-2.png 716w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-2-300x96.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-2-370x118.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image8-2-270x86.png 270w\" sizes=\"(max-width: 716px) 100vw, 716px\" \/><figcaption class=\"wp-element-caption\"><em>An&nbsp;example of JSON configuration.&nbsp;ANY.RUN Interactive Sandbox&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>If no response is received or the JSON is invalid, the loader 
automatically switches to the next domain from the list.&nbsp;<strong>This mechanism ensures continued operation even in the presence of partial infrastructure disruption or blocking.<\/strong>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 1:&nbsp;Malicious Payload&nbsp;Delivery&nbsp;and&nbsp;Execution&nbsp;<\/h3>\n\n\n\n<p>After receiving a&nbsp;valid&nbsp;staging response, the loader takes the URL of the next JavaScript&nbsp;and&nbsp;dynamically adds it to the&nbsp;DOM via a new &lt;script&nbsp;src=&#8230;&gt;&nbsp;element.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"615\" height=\"354\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-2.png\" alt=\"\" class=\"wp-image-19631 size-full\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-2.png 615w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-2-300x173.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-2-370x213.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image9-2-270x155.png 270w\" sizes=\"(max-width: 615px) 100vw, 615px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><em>Code fragment responsible for the execution of the malicious activity&nbsp;<\/em><\/p>\n<\/div><\/div>\n\n\n\n<p>At this point, the&nbsp;primary malicious payload&nbsp;is loaded into the page. Notably, this payload may be delivered from different domains, such as:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>jquerybootstrap[.]com<\/li>\n<li>newassetspro[.]com<\/li>\n<li>assetsbundle[.]com<\/li>\n<li>bundlefeedback[.]com<\/li>\n<li>and&nbsp;others<\/li>\n<\/ul>\n\n\n\n<p>Regardless of the source domain, the delivery stage is the same. 
The operators <strong>rotate payload sources<\/strong> to increase the infrastructure\u2019s durability.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Stage 2:&nbsp;Payment Step Activation&nbsp;<\/h3>\n\n\n\n<p>After loading, the main payload begins executing within the context of the store\u2019s webpage&nbsp;and&nbsp;waits for the checkout\/payment DOM to appear.&nbsp;<\/p>\n\n\n\n<p>At this stage, it:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>monitors the opening of the payment step;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>interacts with checkout elements;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>replaces or overlays the&nbsp;legitimate payment interface;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>injects its own elements, including&nbsp;iframes&nbsp;and&nbsp;custom buttons;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hides the real payment confirmation elements.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Once checkout is loaded, payment hijacking begins.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Observed Code Patterns Indicative of Payment Hijacking&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-1024x1024.png\" alt=\"\" class=\"wp-image-19590\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-768x768.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-1536x1536.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-2048x2048.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1e-740x740.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Delayed activation&nbsp;ensures&nbsp;the user follows through until they reach the required payment step&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-1024x1024.png\" alt=\"\" class=\"wp-image-19591\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-768x768.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-1536x1536.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-2048x2048.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1f-740x740.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Attackers conceal the&nbsp;legitimate payment button&nbsp;and&nbsp;replace it with a fake one<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-1024x1024.png\" alt=\"\" class=\"wp-image-19593\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-768x768.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-1536x1536.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-2048x2048.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image20-740x740.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The script not only runs in the background but fully overlays\/replaces the interface&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-1024x1024.png\" alt=\"\" class=\"wp-image-19594\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-768x768.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-1536x1536.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-2048x2048.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image21-740x740.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The form&nbsp;isn\u2019t&nbsp;static but is remotely&nbsp;controlled&nbsp;and&nbsp;manageable&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In some&nbsp;cases,&nbsp;the mimicry is built around a payment scenario that is visually&nbsp;and&nbsp;logically close to a&nbsp;legitimate PSP flow. In cases related to Spain,&nbsp;Redsys&nbsp;mimicry is especially notable, but&nbsp;the payment mimicry overall can&nbsp;<strong>adapt to storefronts, countries,&nbsp;and&nbsp;local PSPs.<\/strong>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Script&nbsp;Deobfuscation&nbsp;<\/h3>\n\n\n\n<p>The core payload waits for the checkout form to appear&nbsp;and&nbsp;is responsible for&nbsp;receiving, validating,&nbsp;and&nbsp;sending&nbsp;payment data from the fake payment form.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Notable Code Features&nbsp;Inside the Script<\/strong>&nbsp;<\/h3>\n\n\n\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"411\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image22.png\" alt=\"\" class=\"wp-image-19595 size-full\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image22.png 624w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image22-300x198.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image22-370x244.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image22-270x178.png 270w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><em>The payload adapts to user&nbsp;environments with frontend localization capabilities&nbsp;and supports multiple languages: English, Spanish, Arabic, French.&nbsp;&nbsp;&nbsp;<\/em><\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"439\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image23.png\" alt=\"\" class=\"wp-image-19597 size-full\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image23.png 624w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image23-300x211.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image23-370x260.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image23-270x190.png 270w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><em>There\u2019s&nbsp;a state machine with the following states:&nbsp;init, return, confirm, alert,&nbsp;getData, allowing for controlled progression through the attack lifecycle.&nbsp;<\/em><\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"536\" height=\"504\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image24.png\" alt=\"\" class=\"wp-image-19598 size-full\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image24.png 536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image24-300x282.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image24-370x348.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image24-270x254.png 270w\" sizes=\"(max-width: 536px) 100vw, 536px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><em>Code for handling WebSocket connections to the C2 server for&nbsp;the&nbsp;control&nbsp;of the attack flow.&nbsp;&nbsp;Part 1.<\/em><\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"582\" height=\"624\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image25-1.png\" alt=\"\" class=\"wp-image-19599 size-full\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image25-1.png 582w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image25-1-280x300.png 280w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image25-1-370x397.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image25-1-270x289.png 270w\" sizes=\"(max-width: 582px) 100vw, 582px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p><em>Code for handling WebSocket connections to the C2 server. 
Part 2<\/em><\/p>\n<\/div><\/div>\n\n\n\n<p>An example of the final result of the mimicry can be seen below:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"217\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image26-3.png\" alt=\"\" class=\"wp-image-19623\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image26-3.png 624w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image26-3-300x104.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image26-3-370x129.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image26-3-270x94.png 270w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\"><em>Base64-encoded HTML page&nbsp;is responsible for&nbsp;displaying a fake payment interface<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"449\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image27-1.png\" alt=\"\" class=\"wp-image-19624\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image27-1.png 624w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image27-1-300x216.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image27-1-370x266.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image27-1-270x194.png 270w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\"><em>&nbsp;PayPlug&nbsp;SAS payment window imitation<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>There\u2019s&nbsp;a heavily obfuscated JavaScript inside the HTML page. 
It uses the following techniques to avoid detection:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Anti-tampering<\/strong>:&nbsp;code integrity is verified via function serialization, as well as bitwise and arithmetic operations.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"314\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image28.png\" alt=\"\" class=\"wp-image-19606\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image28.png 624w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image28-300x151.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image28-370x186.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image28-270x136.png 270w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\"><em>Code fragment confirming&nbsp;anti-tampering<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Virtualization<\/strong>: a custom VM with its own opcodes,&nbsp;symbolic&nbsp;execution, and code strings executed via eval calls.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"175\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image29.png\" alt=\"\" class=\"wp-image-19607\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image29.png 624w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image29-300x84.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image29-370x104.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image29-270x76.png 270w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\">A 
fragment of the raw load&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"241\" height=\"485\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image-8.png\" alt=\"\" class=\"wp-image-19579\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image-8.png 241w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image-8-149x300.png 149w\" sizes=\"(max-width: 241px) 100vw, 241px\" \/><figcaption class=\"wp-element-caption\">VM\u2019s opcode description fragment&nbsp;&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The strings that are stored in&nbsp;an&nbsp;obfuscated form are decrypted using&nbsp;the VM:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"94\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2b.png\" alt=\"\" class=\"wp-image-19608\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2b.png 624w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2b-300x45.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2b-370x56.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2b-270x41.png 270w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\"><em>Raw obfuscated strings&nbsp;&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"479\" height=\"624\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2c.png\" alt=\"\" class=\"wp-image-19609\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2c.png 479w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2c-230x300.png 230w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2c-370x482.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2c-270x352.png 270w\" sizes=\"(max-width: 479px) 100vw, 479px\" \/><figcaption class=\"wp-element-caption\"><em>Deobfuscated&nbsp;strings&nbsp;&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The payload is responsible for formatting and validating the Visa\/Mastercard card data entered into the fake form, for modifying the UI state, and for delivering events and data via the postMessage method:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"624\" height=\"424\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2d.png\" alt=\"\" class=\"wp-image-19610\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2d.png 624w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2d-300x204.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2d-370x251.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2d-270x183.png 270w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><figcaption class=\"wp-element-caption\"><em>postMessage method for data delivery<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Stage 3: Connecting to Control Infrastructure&nbsp;<\/h3>\n\n\n\n<p>After activation, the malicious payload establishes a connection to the control infrastructure, in the observed cases via WebSocket.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-1024x1024.png\" alt=\"\" class=\"wp-image-19611\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-768x768.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-1536x1536.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-2048x2048.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2e-1-740x740.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">W<em>ebSocket exfiltration code<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This channel is used for:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>transmitting service events;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>sending BIN (Bank Identification Number) data;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>transmitting full payment card details;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>receiving&nbsp;additional&nbsp;commands to control the replaced payment flow.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>In one of the&nbsp;analyzed cases, WebSocket was used as the primary channel for card data exfiltration, while the C2 server was disguised as a&nbsp;Redsys&nbsp;domain (redsysgate[.]com).&nbsp;<\/p>\n\n\n\n<p>During the 
skimmer\u2019s operation, it retrieves additional malicious JavaScript from URLs of the form:&nbsp;<br>hxxps:\/\/&lt;c2_domain&gt;\/&lt;base64_text&gt;.js?_=&lt;digits&gt;&nbsp;<\/p>\n\n\n\n<p>Then, WebSocket connections are used for control and data transmission at:&nbsp;<br>wss:\/\/&lt;c2_domain&gt;\/?token=&lt;base64_data&gt;&nbsp;<\/p>\n\n\n\n<p>Note that the _=&lt;digits&gt; cache-buster on its own is also appended by jQuery to non-cached requests and is common in benign traffic; the distinctive part of the payload URL is the base64 file name, including its = padding (the TI Lookup query at the end of this report matches exactly that =.js?_= sequence).<\/p>\n\n\n\n<p>When the user enters their data, an event containing the captured information is sent. In response, the server instructs the client what to do next and what to display, such as the logo of the card scheme matching the entered card (Visa\/MasterCard).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"921\" height=\"156\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1d.png\" alt=\"\" class=\"wp-image-19612\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1d.png 921w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1d-300x51.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1d-768x130.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1d-370x63.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1d-270x46.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image1d-740x125.png 740w\" sizes=\"(max-width: 921px) 100vw, 921px\" \/><figcaption class=\"wp-element-caption\"><em>Card data (random numbers used as an example) in a code fragment&nbsp;<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This is the key point for understanding the campaign: the attackers do not simply steal card data, they <strong>embed exfiltration<\/strong> into a seemingly legitimate payment context.&nbsp;<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">Stage 4:&nbsp;Interception&nbsp;and&nbsp;Transmission of Payment Data&nbsp;<\/h3>\n\n\n\n<p>When a user enters their card details into the spoofed payment interface, the payload takes them to the attackers\u2019 external infrastructure.&nbsp;<\/p>\n\n\n\n<p>The following data was&nbsp;being transmitted in network traffic:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>BIN&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>full card number&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>expiration&nbsp;date&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CVV&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The transmission does not occur via a standard&nbsp;form&nbsp;POST request, but instead through a separate WebSocket channel, making detection via conventional HTTP logs more difficult.&nbsp;<\/p>\n\n\n\n<p>Importantly, within the same cluster,&nbsp;<strong>the visual scenario of the attack may vary<\/strong>. In some cases,&nbsp;Redsys-themed mimicry is&nbsp;observed; in others,&nbsp;PayPlug-like or generic card form scenarios are used.&nbsp;<\/p>\n\n\n\n<p>This does not necessarily&nbsp;indicate&nbsp;different campaigns: within a single malware family, the same loader, staging infrastructure,&nbsp;and&nbsp;exfiltration mechanism may be reused while applying different front-end disguises.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Additional Vector: Distribution of&nbsp;Android APK via the Same Inject&nbsp;<\/h3>\n\n\n\n<p>In addition to manipulating the payment step&nbsp;and&nbsp;stealing card data, the same malicious payload was also used as a platform to push the installation of&nbsp;an&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/android-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Android<\/a>&nbsp;application in APK format.&nbsp;<\/p>\n\n\n\n<p>The script checked the user\u2019s environment&nbsp;and, if certain conditions were met, displayed a separate mobile scenario 
offering the user an app to download. This included promises of discounts or bonuses, along with instructions on how to enable installation from \u201cUnknown Sources.\u201d&nbsp;<\/p>\n\n\n\n<p>Based on the contents of the payloads, this scenario was localized into several languages, including English, Spanish, Arabic,&nbsp;and&nbsp;French. 
This&nbsp;indicates&nbsp;that the campaign was targeting a broad international audience&nbsp;and&nbsp;relied on a prepared, rather than&nbsp;ad hoc, infrastructure.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-1024x1024.png\" alt=\"\" class=\"wp-image-19614\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-768x768.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-1536x1536.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-2048x2048.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2f-1-740x740.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Code fragment for Android-specific flow<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>This&nbsp;magecart&nbsp;campaign reflects a shift from opportunistic 
skimming toward&nbsp;structured, infrastructure-driven payment attacks. By combining&nbsp;checkout hijacking, high-fidelity payment mimicry,&nbsp;and&nbsp;real-time exfiltration, attackers embed malicious activity directly into&nbsp;legitimate transaction flows. This not only increases effectiveness but also complicates detection&nbsp;and&nbsp;response.&nbsp;<\/p>\n\n\n\n<p>Deep visibility into active attacks and continuous <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-monitoring-ti-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">threat monitoring<\/a> are required for efficient detection and prevention of such breaches.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About&nbsp;ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;delivers interactive malware&nbsp;analysis&nbsp;and&nbsp;actionable threat intelligence, enabling security teams to investigate threats more efficiently, gain clearer visibility into attacker behavior,&nbsp;and&nbsp;respond with greater confidence.&nbsp;<\/p>\n\n\n\n<p>We focus on:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maintaining&nbsp;<a href=\"https:\/\/any.run\/compliance\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktocompliance\" target=\"_blank\" rel=\"noreferrer noopener\">SOC 2 Type II certification<\/a>&nbsp;and&nbsp;a strong commitment to safeguarding customer data&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Continuously enhancing our&nbsp;Interactive Sandbox,&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktotilookuplanding\" target=\"_blank\" 
rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>,&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence&nbsp;Feeds<\/a>&nbsp;to&nbsp;support&nbsp;monitoring, triage,&nbsp;and&nbsp;incident response workflows&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enabling SOC&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/mssp\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktomssp\" target=\"_blank\" rel=\"noreferrer noopener\">MSSP<\/a>&nbsp;teams to accelerate&nbsp;analysis, improve investigative context,&nbsp;and&nbsp;detect emerging threats at&nbsp;early stages&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Analysis&nbsp;and&nbsp;Investigation Data&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Link&nbsp;to&nbsp;TI Lookup query&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktoenterprise#{%22query%22:%22url:%5C%22https:\/\/*\/*=.js?_=%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">Browse TI Lookup for related threats<\/a>\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Links to sandbox&nbsp;analyses&nbsp;<\/h3>\n\n\n\n<p><strong>Case 1:&nbsp;<\/strong>Confirmed&nbsp;checkout&nbsp;hijacking&nbsp;and&nbsp;WebSocket exfiltration of BIN, PAN, expiry date,&nbsp;and&nbsp;CVV.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/7e66942b-82f5-4dc7-9be3-b73ac0600fb1\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer 
View">
noopener\">View&nbsp;analysis<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Case 2:&nbsp;<\/strong>The same loader cluster&nbsp;and&nbsp;staging infrastructure, but without confirmed card exfiltration (possibly due to&nbsp;redirection to a&nbsp;legitimate external payment flow).&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/bdc77604-95af-45e5-9c83-392db57199e7\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View&nbsp;analysis<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Case 3:&nbsp;<\/strong>Confirmed use of the same loader cluster&nbsp;and&nbsp;staging infrastructure.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/32a9a843-450c-442d-85ad-9c5000d6950a\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=banks-magecart-campaign&amp;utm_term=260326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View&nbsp;analysis<\/a>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Indicators&nbsp;of&nbsp;Compromise&nbsp;(IOCs)<\/h3>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image30-768x1024.png\" alt=\"\" class=\"wp-image-19615\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image30-768x1024.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image30-225x300.png 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image30-1152x1536.png 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image30-1536x2048.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image30-370x493.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image30-270x360.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image30-740x987.png 740w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p>Payload URL:&nbsp;hxxps[:]\/\/&lt;c2_domain&gt;\/&lt;base64_text&gt;.js?_=&lt;digits&gt;&nbsp;&nbsp;<\/p>\n\n\n\n<p>C2 WebSocket URL:&nbsp;wss[:]\/\/&lt;c2_domain&gt;\/?token=&lt;base64_data&gt;&nbsp;&nbsp;<\/p>\n\n\n\n<p>bundle-feedback[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>doubleclickcache[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>analyticsgctm[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>hotjarcdn[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>firefoxcaptcha[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>solutionjquery[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>jquerybootstrap[.]com&nbsp;<\/p>\n\n\n\n<p>assetsbundle[.]com&nbsp;<\/p>\n\n\n\n<p>bundle-referrer[.]com&nbsp;<\/p>\n\n\n\n<p>categorywishlist[.]com&nbsp;<\/p>\n\n\n\n<p>cachesecure[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>securedata-ns[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>analysiscache[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>newassetspro[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>explorerpros[.]com&nbsp;&nbsp;<\/p>\n\n\n\n<p>redsysgate[.]com&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A large-scale magecart operation remained active for over 24 months, leveraging an infrastructure of 100+ domains. While the targeted victims are e-commerce websites, the actual pressure falls on banks and payment systems. 
As&nbsp;ANY.RUN\u2019s&nbsp;analysis&nbsp;shows, threat actors applied multi-step checkout hijacking, payment&nbsp;page&nbsp;mimicry,&nbsp;and&nbsp;WebSocket-based&nbsp;exfiltration of card data.&nbsp; This report provides both&nbsp;executive-level insights&nbsp;and&nbsp;technical&nbsp;analysis&nbsp;of the campaign.&nbsp; Key Takeaways&nbsp; Campaign Overview&nbsp; A [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":19619,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-19577","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Global Magecart Campaign Puts Banks Under Pressure<\/title>\n<meta name=\"description\" content=\"Read ANY.RUN report featuring both executive-level insights and technical analysis of the campaign.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"khr0x and raptur3\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/\"},\"author\":{\"name\":\"khr0x and raptur3\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Active Magecart\u00a0Campaign\u00a0Targets Spain, Steals Card Data via\u00a0Hijacked eStores for Bank Fraud\u00a0\",\"datePublished\":\"2026-03-26T10:32:47+00:00\",\"dateModified\":\"2026-03-26T13:01:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/\"},\"wordCount\":2788,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/\",\"name\":\"Global Magecart Campaign Puts Banks Under Pressure\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-03-26T10:32:47+00:00\",\"dateModified\":\"2026-03-26T13:01:06+00:00\",\"description\":\"Read ANY.RUN report featuring both executive-level insights and technical analysis of the 
campaign.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Active Magecart\u00a0Campaign\u00a0Targets Spain, Steals Card Data via\u00a0Hijacked eStores for Bank Fraud\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"khr0x\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1-150x150.jpg\",\"caption\":\"khr0x\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"raptur3\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3-150x150.png\",\"caption\":\"raptur3\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Global Magecart Campaign Puts Banks Under Pressure","description":"Read ANY.RUN report featuring both executive-level insights and technical analysis of the campaign.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/","twitter_misc":{"Written by":"khr0x and raptur3","Est. 
reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/"},"author":{"name":"khr0x and raptur3","@id":"https:\/\/any.run\/"},"headline":"Active Magecart\u00a0Campaign\u00a0Targets Spain, Steals Card Data via\u00a0Hijacked eStores for Bank Fraud\u00a0","datePublished":"2026-03-26T10:32:47+00:00","dateModified":"2026-03-26T13:01:06+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/"},"wordCount":2788,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/","url":"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/","name":"Global Magecart Campaign Puts Banks Under Pressure","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2026-03-26T10:32:47+00:00","dateModified":"2026-03-26T13:01:06+00:00","description":"Read ANY.RUN report featuring both executive-level insights and technical analysis of the campaign.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/banks-magecart-campaign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware 
Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Active Magecart\u00a0Campaign\u00a0Targets Spain, Steals Card Data via\u00a0Hijacked eStores for Bank Fraud\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},[{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"khr0x","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1-150x150.jpg","caption":"khr0x"}},{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"raptur3","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/rapture3-150x150.png","caption":"raptur3"}}]]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/
posts\/19577"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=19577"}],"version-history":[{"count":20,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/19577\/revisions"}],"predecessor-version":[{"id":19641,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/19577\/revisions\/19641"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/19619"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=19577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=19577"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=19577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
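The two URL shapes given in Stage 3 (the payload fetch `https://<c2_domain>/<base64_text>.js?_=<digits>` and the control channel `wss://<c2_domain>/?token=<base64_data>`) and the C2 domains in the IOC list translate directly into detection logic for proxy or web-gateway logs. The Python below is an added example written for this report, not ANY.RUN's code. The log format (`timestamp client method url status`) and every sample line are constructed; treating the script name as strict base64 that decodes to printable text is an assumption about how the `<base64_text>` names look in practice; and the jQuery cache-buster line is included deliberately to show why `_=<digits>` alone must not be flagged.

```python
"""Detection logic for the skimmer's network patterns (added example, not
ANY.RUN's code). It encodes the two URL shapes the report gives,

    payload:  https://<c2_domain>/<base64_text>.js?_=<digits>
    control:  wss://<c2_domain>/?token=<base64_data>

together with the C2 domains from the IOC list, and runs them over a few
constructed proxy-log lines ("timestamp client method url status").
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# C2 domains listed under Indicators of Compromise.
IOC_DOMAINS = frozenset({
    "bundle-feedback.com", "doubleclickcache.com", "analyticsgctm.com",
    "hotjarcdn.com", "firefoxcaptcha.com", "solutionjquery.com",
    "jquerybootstrap.com", "assetsbundle.com", "bundle-referrer.com",
    "categorywishlist.com", "cachesecure.com", "securedata-ns.com",
    "analysiscache.com", "newassetspro.com", "explorerpros.com",
    "redsysgate.com",
})

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
DIGITS_RE = re.compile(r"\d+")


def is_base64(s: str) -> bool:
    """Strict standard-alphabet base64: correct length and padding."""
    if len(s) % 4 or not B64_RE.fullmatch(s):
        return False
    try:
        base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def decodes_to_text(s: str) -> bool:
    """Base64 whose plaintext is printable ASCII (assumption: the skimmer's
    script names decode to text). Ordinary asset names fail this check:
    'jquery.min' contains a '.', and 'main' decodes to non-printable bytes."""
    if not is_base64(s):
        return False
    raw = base64.b64decode(s)
    return bool(raw) and all(32 <= b < 127 for b in raw)


def is_ioc_domain(host: str) -> bool:
    """True if host or any parent domain is on the IOC list."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels) - 1))


def classify_url(url: str) -> list:
    """Return the reasons a URL matches the skimmer's traffic ([] if none)."""
    u = urlsplit(url)
    params = parse_qs(u.query, keep_blank_values=True)
    reasons = []
    if u.hostname and is_ioc_domain(u.hostname):
        reasons.append("ioc_domain")
    if u.scheme in ("http", "https") and u.path.endswith(".js"):
        name = u.path.rsplit("/", 1)[-1][:-3]
        # "_=<digits>" alone is jQuery's cache-buster and is common in benign
        # traffic; only flag it together with a base64 script name.
        cache_buster = any(DIGITS_RE.fullmatch(v) for v in params.get("_", []))
        if cache_buster and decodes_to_text(name):
            reasons.append("payload_url")
    if u.scheme in ("ws", "wss") and u.path in ("", "/"):
        if any(is_base64(t) for t in params.get("token", [])):
            reasons.append("c2_websocket")
    return reasons


def scan_log(lines) -> list:
    """Classify the URL field of each log line; return the hits."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        reasons = classify_url(fields[3])
        if reasons:
            hits.append({"line": number, "client": fields[1],
                         "url": fields[3], "reasons": reasons})
    return hits


# Constructed sample traffic. Lines 1, 2 and 6 are benign; line 2 carries the
# jQuery cache-buster and must not be flagged. Line 3 fetches a payload named
# base64("redsys-form"); line 4 opens the control channel with
# token=base64("session:42"); line 5 contacts another listed C2 domain.
SAMPLE_LOG = [
    "2026-03-10T14:02:11Z 10.1.4.23 GET https://shop.example/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js?ver=8.6.1 200",
    "2026-03-10T14:02:12Z 10.1.4.23 GET https://shop.example/wp-includes/js/jquery/jquery.min.js?_=1741615332000 200",
    "2026-03-10T14:02:13Z 10.1.4.23 GET https://redsysgate.com/cmVkc3lzLWZvcm0=.js?_=1741615333412 200",
    "2026-03-10T14:02:14Z 10.1.4.23 GET wss://redsysgate.com/?token=c2Vzc2lvbjo0Mg== 101",
    "2026-03-10T14:02:15Z 10.1.4.23 GET https://cdn.hotjarcdn.com/hotjar-3.min.js?sv=7 200",
    "2026-03-10T14:02:20Z 10.1.4.23 POST https://shop.example/checkout/order-pay/1042/ 302",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run as a script it prints one dict per flagged line (lines 3, 4 and 5 of the sample). The domain match and the two pattern matches are reported as separate reasons on purpose: a `payload_url` or `c2_websocket` hit on a host that is not yet on the IOC list is exactly the case that should start a hunt for new infrastructure in this cluster, while an `ioc_domain` hit alone is enough to block. The WebSocket rule only sees the handshake URL; once the upgrade completes, the card-data frames themselves are not in request-level logs, which is the visibility gap the report describes.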