Web compromises in the Middle East with a pinch of Candiru
medica-tradefair[.]co is the outlier in this list, as it was not compromised but was operated by the attackers themselves.
It was hosted at ServerAstra, as were all the other C&C servers used in 2020. It mimics the legitimate website medica-tradefair.com, which is the website of the World Forum for Medicine’s MEDICA Trade Fair held in Düsseldorf (Germany) each year.
The operators simply cloned the original website and added a small piece of JavaScript code. The content doesn’t seem to have been modified.
It is likely that attackers were not able to compromise the legitimate website and had to set up a fake one in order to inject their malicious code. It is interesting to note that the malicious domains mimic genuine web analytics, URL shortener or content delivery network domains and URLs.
This is a characteristic of this threat actor.
Featured Resources
blog
CISA Alert – Is Your Organization Exposed?
Cybersecurity is no longer a luxury, it’s a necessity with new threats emerging every day. Every day the Cybersecurity and
blog
2025 Predictions: Finally Solving Fatigue in Security and Operations
Fatigue in security and operations is not just about tired employees, but rather it’s analysts and operations staff that are
blog
How cybersecurity leaders are optimizing their budgets in 2025
2024 was a year that saw some of the biggest and most damaging data breaches in recent history, according to
Subscribe to Our Blog
Subscribe now to get the latest insights, expert tips and updates on threat exposure validation.
Subscribe