VDB
GCVE-110-OSM-2026-5897
GCVE-110-OSM-2026-5897
Advisory PublishedCVSS 9.6/10
This package implements a full Adspect ad-cloaking/traffic-direction system — a known black-hat affiliate fraud and malvertising tool. The code POSTs browser fingerprint data (user-agent, referrer, URL, language) to a C2 proxy at `https://protectionupdated.xyz/adspect-proxy.php` (.xyz TLD, attacker-controlled), then executes server-directed actions including arbitrary JavaScript via `eval(atob(target))` (base64-decoded remote code execution), forced redirects to 'black sites', iframe injection, and form-based redirects. The attacker model is ad fraud / malvertising cloaking: legitimate visitors see safe content while targeted victims are silently redirected to malicious or affiliate-fraud destinations. The publisher account (dino22, ~202 hours old) published four near-identical packages in rapid succession, all named `brightlineelectr*`, consistent with a throwaway distribution account.
ENTRY
brightlineelectr.js (main: brightlineelectr.js)
DESTINATION
- custom-c2: https://rpc.adspect.net/v2/ (primary, deobfuscated) in brightlineelectr.js
- custom-c2: https://protectionupdated.xyz/adspect-proxy.php (deobfuscated) in brightlineelectr.js
- custom-c2: rpc.adspect.net (deobfuscated) in brightlineelectr.js
- custom-c2: protectionupdated.xyz (deobfuscated) in brightlineelectr.js
- custom-c2: api.allorigins.win (deobfuscated) in brightlineelectr.js
EXFIL
- Data Encoding for Exfiltration in brightlineelectr.js: "encodeURIComponent(url"
OBFUSCATION
- IOCs Found in Deobfuscated Code in brightlineelectr.js
- Dynamic Base64 Decoding in brightlineelectr.js: "atob(target)"
- recovered 2 urls, 3 domains, 3 _domainCandidates from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Dynamic Code Execution in brightlineelectr.js: "eval(script)"
- Suspicious TLD Domain in brightlineelectr.js: "https://protectionupdated.xyz"
- Rapid Version Publishing
PAYLOAD FILES
brightlineelectr.js
INDICATORS (IOCs)
- payloadFileHash: ffc70ebc381e43c92673a188611a8cb3b066b49b980a9bbed070ad9028f26353
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | brightlineelectr | all (affected) | — |
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.