VDB

GCVE-110-OSM-2026-5897

GCVE-110-OSM-2026-5897
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package implements a full Adspect ad-cloaking/traffic-direction system — a known black-hat affiliate fraud and malvertising tool. The code POSTs browser fingerprint data (user-agent, referrer, URL, language) to a C2 proxy at `https://protectionupdated.xyz/adspect-proxy.php` (.xyz TLD, attacker-controlled), then executes server-directed actions including arbitrary JavaScript via `eval(atob(target))` (base64-decoded remote code execution), forced redirects to 'black sites', iframe injection, and form-based redirects. The attacker model is ad fraud / malvertising cloaking: legitimate visitors see safe content while targeted victims are silently redirected to malicious or affiliate-fraud destinations. The publisher account (dino22, ~202 hours old) published four near-identical packages in rapid succession, all named `brightlineelectr*`, consistent with a throwaway distribution account. ENTRY brightlineelectr.js (main: brightlineelectr.js) DESTINATION - custom-c2: https://rpc.adspect.net/v2/ (primary, deobfuscated) in brightlineelectr.js - custom-c2: https://protectionupdated.xyz/adspect-proxy.php (deobfuscated) in brightlineelectr.js - custom-c2: rpc.adspect.net (deobfuscated) in brightlineelectr.js - custom-c2: protectionupdated.xyz (deobfuscated) in brightlineelectr.js - custom-c2: api.allorigins.win (deobfuscated) in brightlineelectr.js EXFIL - Data Encoding for Exfiltration in brightlineelectr.js: "encodeURIComponent(url" OBFUSCATION - IOCs Found in Deobfuscated Code in brightlineelectr.js - Dynamic Base64 Decoding in brightlineelectr.js: "atob(target)" - recovered 2 urls, 3 domains, 3 _domainCandidates from decoded/deobfuscated content ADDITIONAL FINDINGS - Dynamic Code Execution in brightlineelectr.js: "eval(script)" - Suspicious TLD Domain in brightlineelectr.js: "https://protectionupdated.xyz" - Rapid Version Publishing PAYLOAD FILES brightlineelectr.js INDICATORS (IOCs) - payloadFileHash: ffc70ebc381e43c92673a188611a8cb3b066b49b980a9bbed070ad9028f26353

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownbrightlineelectrall (affected)

References

vendor

Browse GCVE Records

73,196 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›