Millions at Risk As Parrot Web Server Compromises Take Flight

Published: 23/11/2024   Category: security




The cyberattackers behind the traffic redirection system (TDS) inject websites with malicious scripts, have control over thousands of servers worldwide, and have ramped up efforts to avoid detection.



Threat actors behind a traffic redirect system (TDS) that's been active since October 2021 have ramped up efforts to elude detection and can potentially reach millions of people with malicious scripts hidden in thousands of compromised websites.
Researchers from Unit 42 have been tracking Parrot TDS since they investigated a notification concerning a compromised website based in Brazil in early September, they revealed in a recent blog post. An investigation found that the website served pages with injected JavaScript identified as part of the Parrot TDS system, which controls thousands of compromised servers around the world delivering numerous variations of malicious JavaScript snippets. In a previous investigation in 2022 from Sucuri and Avast, for example, researchers observed websites that had been compromised with Parrot TDS delivering the FakeUpdates downloader (aka SocGholish) to unsuspecting visitors.
"Parrot TDS is part of an ongoing campaign targeting victims across the globe," Unit 42 researchers wrote in the post. "We see landing script or payload script samples daily from a variety of websites compromised through this campaign."
Parrot injects malicious scripts into existing JavaScript code hosted on the server. The injected scripts first profile the victim to see whether certain conditions are met, and then serve up a payload script that can direct the victim's browser to a malicious location or piece of content. The campaign is agnostic in terms of nationality, geography, and industry, with scripts appearing on scores of sites across the globe, the researchers said.
While campaigns involving malicious or injected JavaScript code are fairly common, "Parrot TDS is notable due to its wide scope and ability to threaten millions of potential victims," the researchers wrote.
The attackers behind the system also have bolstered efforts to evade detection and analysis by security researchers, including spreading the injected JavaScript across multiple lines of a script file rather than a single line, which makes it harder to spot, the researchers said.
Attackers likely use automatic tools to exploit known vulnerabilities to take over servers to deliver Parrot TDS scripts, the researchers said.
"The majority of the compromised servers use WordPress, Joomla or other content management systems (CMS) to host a website," they explained in the post. "Even websites without CMS could be compromised through this campaign, since server-side vulnerabilities are not limited to CMS."
Parrot TDS scripts come in two forms: a landing script, which runs environment checks both to avoid detection and to decide whether the victim is a viable candidate, and a follow-up payload script, which redirects the victim to malicious content.
There are about nine versions of Parrot TDS payload scripts, which use an ndsx keyword, making them relatively easy to identify. All of the scripts are malicious except for V1, which only sets a cookie value for the victim and is otherwise benign, the researchers said.
V2 is the most common payload script, representing more than 70% of the samples that the researchers identified. Without any obfuscation, it creates a new script tag to load JavaScript from a malicious URL.
Parrot TDS payload script V3 contains obfuscation and only targets victims running Microsoft Windows to then act similarly to V2, loading an additional script from a malicious URL.
V4 and V5 payload scripts also are similar, with the former being essentially a V1 payload script plus additional malicious code, while V5 is effectively a V2 payload script plus additional code. In both cases, the additional code appears before the original V1 or V2 functions, the researchers said.
"The core function of this extra payload script code is to hook all clickable links in the landing page," they explained. "Whenever a visitor to the webpage clicks a link, the script will create a new image object and load from a specific URL."
V6 through V9 of the payload script include more obfuscation as well, but the researchers rarely saw them being used in the wild, they said.
The researchers included a list of indicators of compromise (IoCs) in their blog post that can alert website administrators if Parrot TDS has compromised their sites. They include a list of SHA256 hashes for 100 examples of JavaScript files with injected landing script code for Parrot TDS, files that the researchers also have submitted to VirusTotal.
Administrators also can search files hosted on the associated Web server for keywords associated with the campaign, including ndsj, ndsw, and ndsx, as well as conduct an audit to discover any extra .php files on a Web server to discover malicious scripts associated with Parrot TDS.
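The checks described above (keyword search for ndsj, ndsw and ndsx, SHA256 comparison against an IoC list, and an audit for stray .php files) can be combined into a single triage pass over a web root. The following is an added example written for this article, not code from the Unit 42 post; the sample site it builds and the marker lines in it are constructed for the demo, and the IoC hash set is supplied by the caller because the real hashes are only in the researchers' post.

```python
"""Added example, not code from the Unit 42 post or this article: a
defender-side triage script for the Parrot TDS indicators the article
lists. It walks a web root and reports (1) JavaScript files containing
the ndsj/ndsw/ndsx keywords, (2) JavaScript files whose SHA256 matches a
caller-supplied IoC hash list, and (3) .php files outside the directories
the administrator expects. The sample files it builds are constructed for
the demo and are not real Parrot TDS code."""
import hashlib
import os
import re
import tempfile

# Keyword markers named in the article; word boundaries avoid matching
# unrelated identifiers such as "sounds" or "bindsx".
KEYWORD_RE = re.compile(r"\b(?:ndsj|ndsw|ndsx)\b")


def sha256_of(path):
    """SHA256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_js_text(text):
    """Return the sorted set of campaign keywords found in a script body."""
    return sorted(set(KEYWORD_RE.findall(text)))


def scan_webroot(root, bad_hashes=frozenset(), expected_php_dirs=()):
    """Walk a web root and return sorted (kind, relative_path, detail) findings.

    bad_hashes: SHA256 hex digests taken from an IoC list (none embedded here).
    expected_php_dirs: top-level directories where .php files are normal for
    this site (e.g. the CMS core); any .php file elsewhere is flagged.
    A keyword hit is a candidate for manual review, not proof of compromise.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext == ".js":
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    hits = scan_js_text(f.read())
                if hits:
                    findings.append(("keyword", rel, ",".join(hits)))
                digest = sha256_of(path)
                if digest in bad_hashes:
                    findings.append(("hash", rel, digest))
            elif ext == ".php":
                if not any(rel.startswith(d.rstrip("/") + "/") for d in expected_php_dirs):
                    findings.append(("unexpected_php", rel, ""))
    return sorted(findings)


def _write(path, text):
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def build_demo_webroot(root):
    """Constructed sample site: one clean script, one script carrying the
    keyword markers, one expected CMS .php file and one stray .php file."""
    os.makedirs(os.path.join(root, "assets"))
    os.makedirs(os.path.join(root, "wp-includes"))
    _write(os.path.join(root, "assets", "app.js"),
           "function init() { console.log('ok'); }\n")
    _write(os.path.join(root, "assets", "jquery.min.js"),
           "/* library code */\nvar ndsw = true, ndsj = null, ndsx = 0; // constructed marker\n")
    _write(os.path.join(root, "wp-includes", "load.php"),
           "<?php // expected core file\n")
    _write(os.path.join(root, "assets", "cache.php"),
           "<?php // stray file outside expected directories\n")


def run_demo():
    """Build the sample site in a temp dir, treat the marker-bearing script's
    hash as a known-bad IoC, and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_webroot(root)
        bad = {sha256_of(os.path.join(root, "assets", "jquery.min.js"))}
        return scan_webroot(root, bad_hashes=bad, expected_php_dirs=("wp-includes",))


if __name__ == "__main__":
    for kind, rel, detail in run_demo():
        print(f"{kind:15} {rel:30} {detail}")
```

On a real site, point `scan_webroot` at the document root, load `bad_hashes` from the published IoC list, and list the CMS directories that legitimately contain .php files. A keyword hit on a minified library such as jquery.min.js should be compared against a pristine copy of that library version before concluding the file is injected.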
Next-generation firewall technology and advanced URL filtering also can help block malicious traffic and identified IoCs associated with the campaign, the researchers said.
