SCUF Gaming Magecart Loader

Just a quick post on a digital skimmer loader that is somewhat unique. The threat actor used a script tag with a base64 encoded payload.

When run, that will decode to:

Which does a GET to that endpoint and executes the returned code with new Function(data).call(this).

URLScan of the loader:

BleepingComputer’s article on this skimmer:

A modified version of this was originally posted on Twitter:

This entry was posted in Infosec, Magecart and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *