ThreatFox IOC Database
You are viewing the ThreatFox database entry for url https://get.whitelllshop.icu.
Database Entry
| IOC ID: | 1843591 |
|---|---|
| IOC: | https://get.whitelllshop.icu |
| IOC Type: | url |
| Threat Type: | botnet_cc |
| Malware: | Unknown malware |
| Confidence Level: | Confidence level is high (100%) |
| Is compromised?: | True |
| ASN: | AS13335 CLOUDFLARENET |
| Country: | US |
| First seen: | 2026-07-03 06:32:06 UTC |
| Last seen: | never |
| UUID: | db140a21-762b-11f1-97fa-42010aa4000a |
| Reporter | |
| Reward | 5 credits from ThreatFox |
| Tags: | Avada js-injector Redirect sign1 WordPress |
sudocentral
C2 endpoint for a Sign1-style JavaScript injection campaign targeting compromised WordPress sites running the Avada theme (consistent with Avada/Fusion Builder vulns
patched in 3.15.3-3.15.4, e.g. CVE-2026-6279). The injected script eval()s an obfuscated
String.fromCharCode payload, does an XHR GET to this host, parses codewords from the
response, assembles a rotating .icu domain, and injects a remote <script> that redirects
visitors to scam/ad landers. Skips logged-in WordPress users (checks document.cookie for
"logged-in"). Second-stage redirect pattern: /click?key=419c824f869942869e021194d8f7a1f1.
On-site detection signature (found in theme options / page source):
String.fromCharCode(102,117,110,99,116,105,111,110,32,95,48,120 -> "function _0x"
Base domain registered 2026-05-29. Observed live 2026-07-02.