The RevSlider SoakSoak malware campaign started with the soaksoak.ru domain (hence the name). However, over the last 2 weeks, it has mutated and used different domains as the initial malware intermediary.
This is the full list so far:
- soaksoak.ru: First one in the list. We identified more than 100,000 sites redirecting to it.
- 188.8.131.52: Started just after soaksoak, leveraging the /collect.js redirection. Almost 10,000 sites were blacklisted and compromised with it.
- wpcache-blogger.com: Second biggest campaign after soaksoak. More than 50,000 sites compromised and still going.
- phoenix-credit.com: The currently active one. Also leverages the /collect.js redirection and has compromised more than 11,000 different sites.
We will keep updating this list as the domains change and the attacks mutate.
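
A check a site owner could run over a page's HTML to find script tags that load from the indicators listed above. This is an added example, not code from the original post; the sample page, including the `cdn.` subdomain and the `.example.org` host in it, is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from the list in this post.
INDICATORS = {"soaksoak.ru", "188.8.131.52",
              "wpcache-blogger.com", "phoenix-credit.com"}

class _ScriptSrc(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def match_indicator(url):
    """Return the listed indicator a script URL points at, or None."""
    # urlsplit handles protocol-relative URLs (//host/path) and lowercases
    # the hostname; relative paths have no hostname and never match.
    host = (urlsplit(url).hostname or "").rstrip(".")
    for ind in INDICATORS:
        # Exact host or a subdomain of it, never a mere substring.
        if host == ind or host.endswith("." + ind):
            return ind
    return None

def scan_html(html):
    """Return sorted (indicator, script_url) pairs found in the HTML."""
    parser = _ScriptSrc()
    parser.feed(html)
    pairs = ((match_indicator(s), s) for s in parser.sources)
    return sorted(p for p in pairs if p[0])

# Constructed sample page, not captured from a real site.
SAMPLE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script SRC="//PHOENIX-CREDIT.com/collect.js"></script>
<script src="http://cdn.soaksoak.ru/x.js"></script>
<script src="https://notsoaksoak.ru.example.org/a.js"></script>
</head></html>"""

if __name__ == "__main__":
    for indicator, src in scan_html(SAMPLE):
        print(indicator, src)
```

A match only shows that a page references one of the listed hosts; the list will go stale as the campaign moves to new domains, so `INDICATORS` needs to follow it.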