Malware

ATMZOW

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1195Supply Chain CompromiseEvidence1

Hackers like Google Tag Manager... they can inject custom scripts and HTML code via a script from the highly trusted domain googletagmanager.com.

Execution

1 technique

T1059.007JavaScriptEvidence1

By injecting custom scripts and HTML code onto a website, hackers can harvest valuable data, including user credit card details.

Stealth

1 technique

T1027Obfuscated Files or InformationEvidence1

After removing the first layer of obfuscation, we got the familiar ATMZOW style of code... Unlike previous variants, however, the obfuscation used in this recently discovered GTM-TVKQ79ZS container uses extra complexity to hide all the domains and activation conditions.

Collection

1 technique

T1005Data from Local SystemEvidence1

By injecting custom scripts and HTML code onto a website, hackers can harvest valuable data, including user credit card details.

Command and Control

2 techniques

T1568Dynamic ResolutionEvidence1

To further evade detection, the malicious code randomly selects two of those “cdn.*” domains from the list above and then injects two external scripts from the selected domains.

T1665Hide InfrastructureEvidence1

In an effort to prevent detection of domains and suspicious traffic through their IP addresses, attackers strategically hid these domains behind a CloudFlare firewall.

Impact

1 technique

T1565Data ManipulationEvidence1

Moreover, these two domain names are saved in local storage so on subsequent loads in the same browser you will get the same pair of domains.

INDICATORS OF COMPROMISE

IOCs tracked for this family

50 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

50 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app1 month ago

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

sucuri blogNews

Dec 7, 2023

40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager

A credit card skimmer used in ecommerce website compromises, particularly via malicious Google Tag Manager containers. It injects additional external scripts, uses multilayer obfuscation, rotates among many attacker-controlled domains, and is linked to long-running Magento-focused skimming activity.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching50

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping7

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.