EITest is a campaign initially discovered in 2014 by Malwarebytes. It distributes malware (that uses iframes) through a flash file on a compromised site, followed by exploitation through an Exploit Kit. In the past, this campaign was used to distribute malware including Cerber, CryptoMix, CryptoShield, Gootkit and the Chthonic banking Trojan, all using various types of Exploit Kits.

Even though this campaign seems to be broad, not all visitors of compromised domains are infected, according to brillantit. The host is examined before any payload is sent: Infection is only attempted for those using Google Chrome, IE and Mozilla Firefox. If the victim’s IP or HTTP host is not specified, if the User agent is not defined, or if it is related to a known Crawler (e.g. Google), the payload will not pass to the host, avoiding detection.


One of the most recent revelations of this campaign, as reported by researcher Kafeine, is a method that infects users of Google’s Chrome browser. It uses social engineering to find relevant users by displaying the popup message: “The HoeflerText font wasn’t found.” This includes a link to download the "unfound" object, aka the payload. This technique gives more precision to the infection attempts.


Both ThreatSTOP IP Firewall Service and DNS Firewall Service customers are protected from the Recent Activity of EITest Campaign if they enable the TSCritical targets in their policies.


The ThreatSTOP security team will continue monitoring this campaign and keep the protections updated. Come back to the blog to see new developments on EITest!