YoSec
YoSec is a malvertising threat actor tracked by Confiant. The group is described as based in Eastern Europe and as a consistent operator of large-scale, high-impact malvertising campaigns throughout 2020, remaining active through 2021 at steadier but lower volumes. Confiant identifies YoSec as serving redirects to malware pages and as a major distribution source for the Shlayer trojan. The actor operates inside the online advertising ecosystem, abusing ad-tech infrastructure and malicious or benign-looking display ads to deliver redirect payloads and malicious applications, primarily against desktop operating systems. Reported tradecraft includes forceful redirects, cloaking, persistence on ad platforms, use of actor-controlled infrastructure to serve malicious creatives, and browser exploitation. Confiant reported that a major YoSec campaign detected on November 3, 2020 impacted an estimated 100 million ad events in a single day and used a redirect payload that bypassed iframe sandboxing in WebKit- and Chromium-based browsers. Confiant notified Apple and Google on November 4, 2020; the related issues were later patched as CVE-2021-1765 in WebKit and CVE-2021-30533 in Chrome. Known aliases: Yosec / YoSec.
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
Jan. 22, 2021 - Apple issues WebKit fix; CVE-2021-1765 is assigned.
Mar. 1, 2021 - Patched in Chrome.
May 24, 2021 - Chrome CVE-2021-30533 assigned.
Observables
18 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Named malvertising threat actor tied to activity clusters in ad networks, using common malvertising TTPs (redirects, cloaking, malicious landing pages).
Malvertising/redirect operator distributing macOS malware, notably acting as a major distribution source for Shlayer via redirects.
Malvertising threat actor identified by Confiant and tracked via the Malvertising Attack Matrix; associated with malicious advertising activity.
Malvertising group conducting large-scale ad tech campaigns, using redirect tactics and cloaked payload delivery to push malicious applications, primarily targeting desktop users.