APT TA423 deployed watering hole attacks to distribute ScanBox, a JavaScript-based reconnaissance tool that functions as a keylogger. Researchers identified the campaign targeting vulnerable websites to redirect traffic toward malicious infrastructure. The attacker injected ScanBox code into legitimate sites, enabling credential theft and system reconnaissance when victims accessed compromised pages.

ScanBox operates entirely in the browser, avoiding disk-based detection signatures. The malware captures keystroke data, harvests cookies, and fingerprints victim systems before exfiltrating collected intelligence to command-and-control servers. TA423 historically targets government and diplomatic entities across Asia, with this campaign continuing that pattern.

Defenders should monitor for anomalous JavaScript execution in browsers and for network traffic to unfamiliar domains that originates from visits to trusted sites. Web application firewalls require tuning to detect injected scripts on legitimate domains. Organizations hosting public-facing websites need integrity monitoring to identify unauthorized code injection. Browser isolation technologies block ScanBox execution at the perimeter.
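One way to implement the integrity monitoring described above, as an added example that is not taken from the report or from any vendor tool: a baseline inventory of a page's script tags is compared against a later copy of the same page, flagging new external or inline scripts and any script host outside an allowlist. The sample HTML, the allowlist and the `attacker.example` domain are constructed placeholders.

```python
"""Flag script tags injected into a hosted page (added example, not from the report)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True  # body arrives via handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(hashlib.sha256(data.strip().encode()).hexdigest())


def script_inventory(html):
    """Baseline form: sorted external src values and sorted inline-script digests."""
    parser = ScriptCollector()
    parser.feed(html)
    return {"external": sorted(parser.external), "inline": sorted(parser.inline)}


def find_injections(html, baseline, allowed_hosts):
    """Return findings for scripts absent from the baseline or served from non-allowlisted hosts."""
    current, findings = script_inventory(html), []
    for src in current["external"]:
        host = urlparse(src).netloc  # empty for relative paths on the site itself
        if src not in baseline["external"]:
            findings.append(f"new external script: {src}")
        if host and host not in allowed_hosts:
            findings.append(f"script host outside allowlist: {host}")
    for digest in current["inline"]:
        if digest not in baseline["inline"]:
            findings.append(f"new inline script (sha256 {digest[:12]})")
    return findings


# Constructed sample: a clean page, its baseline, and the same page with an injected loader.
CLEAN = '<html><head><script src="/static/app.js"></script><script>init();</script></head></html>'
INJECTED = CLEAN.replace("</head>", '<script src="https://attacker.example/c.js"></script></head>')
BASELINE = script_inventory(CLEAN)
ALLOWED = {"cdn.example.com"}  # hypothetical first-party CDN
```

Running `find_injections(INJECTED, BASELINE, ALLOWED)` reports both the unknown script and its non-allowlisted host, while the clean page yields no findings.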

No CVE identifier was assigned to ScanBox itself, as it relies on compromised web infrastructure rather than exploiting specific software vulnerabilities. The attack chain depends entirely on the initial compromise of legitimate sites and on users visiting those poisoned pages. Patching web servers and deploying web application firewalls provide essential defensive layers.