ThreatFox IOC Database

You are viewing the ThreatFox database entry for URL https://get.whitelllshop.icu.

Database Entry


IOC ID: 1843591
IOC: https://get.whitelllshop.icu
IOC Type: url
Threat Type: botnet_cc
Malware: Unknown malware
Confidence Level: High (100%)
Is compromised?: True
ASN: AS13335 CLOUDFLARENET
Country: US
First seen: 2026-07-03 06:32:06 UTC
Last seen: never
UUID: db140a21-762b-11f1-97fa-42010aa4000a
Reporter: sudocentral
Reward: 5 credits from ThreatFox
Tags: Avada, js-injector, Redirect, sign1, WordPress

sudocentral
C2 endpoint for a Sign1-style JavaScript injection campaign targeting compromised
WordPress sites running the Avada theme (consistent with Avada/Fusion Builder vulns
patched in 3.15.3-3.15.4, e.g. CVE-2026-6279). The injected script eval()s an obfuscated
String.fromCharCode payload, does an XHR GET to this host, parses codewords from the
response, assembles a rotating .icu domain, and injects a remote <script> that redirects
visitors to scam/ad landers. Skips logged-in WordPress users (checks document.cookie for
"logged-in"). Second-stage redirect pattern: /click?key=419c824f869942869e021194d8f7a1f1.

On-site detection signature (found in theme options / page source):
String.fromCharCode(102,117,110,99,116,105,111,110,32,95,48,120 -> "function _0x"

Base domain registered 2026-05-29. Observed live 2026-07-02.