Krampus-3PC: Persistent Malware Using Multiple Techniques Hits Online Readers in Time for the Holidays


The Media Trust’s Digital Security & Operations team discovered a new malicious campaign affecting iPhone users of over 100 publisher websites, many of which were UK online newspapers and international weekly news magazines. Named Krampus-3PC1 by the DSO, this unique malware delivered the payload using a multi-stage redirect mechanism and two obfuscation methods to evade conventional scanning and blocking tools. While most malicious campaigns use one method of redirection, Krampus-3PC employed a backup method to ensure users were redirected to the fraudulent popup masquerading as a global grocery store reward ad. Moreover, the malware hoovered up user session information, including cookies from a widely used adtech vendor, enabling attackers to log into users’ various online accounts.

Private Data for Illicit Profit

Krampus-3PC’s’ campaign ramped up at the start of the year’s busiest shopping season. The malware authors had sought to amass as much user data as they could through the device itself and adtech provider Adtechstack2. Mobile devices account for roughly 50% of internet traffic and accompany most users wherever they go, so they offer a trove of consumer data not found in desktops, such as geolocation, call records, the majority of their internet searches, and online purchases, among others. The authors had also designed the campaign to make use of Adtechstack’s campaign tag codes to gather the session information (see Figure 1):

  • Cookie ID
  • Country
  • Click tag
  • Webpage’s local storage data
  • Sandbox presence
  • Adtechstack banner data

This information was then sent to the malware’s command and control (C&C) domain to signal that the user’s device had passed all the checks for redirection.