Mallory

D-Shortiez

Also known as: d_shortiez

D-Shortiez is a malvertising threat actor tracked by Confiant since 2022. The group runs forced-redirect campaigns that push victims through malicious click-chains to scam pages. Reported scam themes include Google gift card scams, Amazon giveaway scams, and Microsoft Windows-branded tech support scams. Confiant attributed the reward-scam and tech-support-scam activity to the same operator based on shared domains, identical document locations, and shared tooling, including use of the Binom traffic distribution system (TDS). Windows users were reportedly served tech support scams, while mobile users were served reward scams.

The actor's redirect payload was described as containing fingerprinting and tracking functions plus nested try/catch redirect logic designed to maximize cross-browser forced redirection. A notable technique was browser history manipulation: the payload calls window.top.history.pushState and installs a window.top.onpopstate handler to hijack the back button and keep victims trapped on scam pages. Testing found that Safari, particularly on iOS, was especially affected by this behavior. The technique was compared to browlock-style trapping. Apple was reportedly notified and later addressed the Safari issue in security update HT213600.

The activity has operated at scale. Reporting states that D-Shortiez served more than 300 million malicious ad impressions over a six-month period, primarily targeting the United States, with additional victims in Canada and Europe. Separate reporting states the actor served 59 million malicious ad impressions in 2025, with more than 95% targeting the United States. Campaign activity was described as persistent, with bursts of aggressive delivery separated by pauses. iOS was identified as the predominant target platform in the forced-redirect campaigns.

Confiant reported discovering exposed internal testing and administrative pages used by D-Shortiez in 2025, which revealed newly staged domains, campaign-management details, ad tags, and infrastructure patterns. The reporting notes Chinese-language comments in the test page, credentials referencing the Chinese-only Baota/Pagoda panel (bt.cn), and an update schedule consistent with Chinese-speaking operators. This is described as consistency evidence only; the reporting does not state a nation-state attribution. Known alias: d_shortiez.
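The back-button trap described above uses ordinary History API calls, so a detector has to look for the combination rather than any single call. The following is an added example (not Confiant's or Mallory's code): a static heuristic scanner for ad-creative JavaScript that flags pushState plus a popstate handler plus a top-frame navigation, with nested try/catch redirect fallbacks as a supporting signal. The indicator list, weights and sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not Confiant's or Mallory's code. A static heuristic scanner for
// ad-creative JavaScript that flags the back-button-trap pattern described above:
// History API manipulation (pushState) plus a popstate handler that forces a
// top-frame navigation, typically inside nested try/catch redirect attempts.
// Pattern list and weights are assumptions for illustration, not a vendor signature.

const INDICATORS = [
  { id: "pushState",       re: /\bhistory\s*\.\s*pushState\s*\(/g, weight: 1 },
  { id: "popstateHandler", re: /\bonpopstate\s*=|addEventListener\s*\(\s*["']popstate["']/g, weight: 2 },
  { id: "topFrameNav",     re: /\btop\s*\.\s*(?:location|history)\b/g, weight: 2 },
  { id: "locationAssign",  re: /\blocation\s*(?:\.\s*href\s*)?=\s*[^=]/g, weight: 1 },
  // A try inside a catch: "try one redirect, fall back to another in the catch".
  { id: "nestedTryCatch",  re: /catch\s*(?:\([^)]*\))?\s*\{\s*try\s*\{/g, weight: 2 },
];

// Count indicator hits and decide. pushState + popstate alone is ordinary SPA
// routing; the trap verdict additionally requires a top-frame navigation target.
function scanCreative(src) {
  const hits = {};
  let score = 0;
  for (const ind of INDICATORS) {
    const n = (src.match(ind.re) || []).length;
    if (n > 0) { hits[ind.id] = n; score += ind.weight; }
  }
  const backButtonTrap = Boolean(hits.pushState && hits.popstateHandler && hits.topFrameNav);
  const verdict = backButtonTrap || score >= 5 ? "suspicious" : "benign";
  return { score, hits, backButtonTrap, verdict };
}

// Constructed sample: a single-page app using the History API legitimately.
const BENIGN_SPA = `
history.pushState({ page: 2 }, "", "/page/2");
window.addEventListener("popstate", function (e) { render(e.state); });
`;

// Constructed sample shaped like the reported trap: pushState on the top frame,
// then an onpopstate handler that re-navigates the top frame to the landing page
// with nested try/catch fallbacks. Not a real creative.
const TRAP_LIKE = `
window.top.history.pushState({}, "", "#x");
window.top.onpopstate = function () {
  try { window.top.location.href = LANDING; }
  catch (e) { try { top.location = LANDING; } catch (e2) { location.href = LANDING; } }
};
`;

console.log(scanCreative(BENIGN_SPA).verdict, scanCreative(TRAP_LIKE).verdict);
```

Run it over the decoded creative JavaScript an ad tag actually serves; real payloads are usually obfuscated, so source-level regexes are a triage aid and should be paired with a sandboxed render that watches for pushState calls followed by top-frame navigation on popstate.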


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
  • 🇨🇦 Canada

MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic (6 of 15 tactics; 11 technique cells in the matrix, since T1078 and T1497 appear under several tactics).

  • TA0001 Initial Access (2 techniques): T1078 Valid Accounts; T1566 Phishing, with sub-technique T1566.002 Spearphishing Link
  • TA0002 Execution (1 technique): T1204 User Execution
  • TA0003 Persistence (1 technique): T1078 Valid Accounts
  • TA0004 Privilege Escalation (1 technique): T1078 Valid Accounts
  • TA0005 Stealth (2 techniques): T1078 Valid Accounts; T1497 Virtualization/Sandbox Evasion, with sub-technique T1497.001 System Checks
  • TA0007 Discovery (1 technique): T1497 Virtualization/Sandbox Evasion, with sub-technique T1497.001 System Checks

IOCS

Observables

99 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. The indicator values are not shown on this page.


ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Source: cyber security news (News), Mar 3, 2026
Malvertising Threat Actor ‘D‑Shortiez’ Abuses WebKit Back‑Button Hijack in Forced‑Redirect Browser Campaign

Runs a persistent malvertising/forced-redirect campaign primarily targeting iOS Safari users. Uses a WebKit/Safari-specific back-button hijack via the popstate event and history.pushState() to trap users on scam pages, delivered at large scale through malicious ad impressions and click-chains.

Source: confiant blog (News), Mar 2, 2026
Malvertiser “D-Shortiez” abuses WebKit back button hijack in forced-redirect campaign

Malvertising/forced-redirect operator running large-scale malicious ad impression campaigns that push victims through click-chains to scams, using browser history manipulation (pushState/onpopstate) for back-button hijacking; primarily targets iOS/Safari users.

Source: risky biz rss (News), Feb 27, 2026
Russian man investigated for extorting Conti ransomware group

Malvertising group operating a test platform used to stage/preview malicious ad campaigns; associated with large-scale malicious ad delivery activity.

Source: confiant blog (News), Feb 24, 2026
Disrupting 59M Malicious Impressions: Inside D-Shortiez Testing Infrastructure and Campaign Management

Malvertising actor operating large-scale forced-redirect ad campaigns that route victims to scam landing pages. In 2025 they ran both fake reward/giveaway scams (Google-branded survey/affiliate funnels; Amazon-branded fake prize checkout collecting card data) and Microsoft Windows-branded tech support scams impersonating Windows Defender. They used Binom TDS to segment payload/scam type by device (Windows to tech-support scams; mobile to reward scams) and relied on Cloudflare to mask origin infrastructure; operational security failures exposed internal test pages and an admin panel used to manage campaigns.