Sign in

ETPRO TROJAN Obfuscated Phishing Landing Feb 25

 IP AddressPortHostname
Source (United States) http (80)
Destination (local) 52526



  • This rule detects a specific sequence of java-script that is designed to obfuscate the content it displays. 
  • It is not unheard of, but rare that there are legitimate reasons to do this.


Is this a False Positive:

  • NO
  • URL leading to this landing page (this is a sketchy advertising network, try it a bunch of times and it will eventually land on the below content):
  • This is a valid detection. See below for the page that is rendered



  • Alarm on phish attempt.
  • Verify no additional IDS, Netflow, Log entries related on same asset.  If there are, additional investigation required.





Powered by Zendesk