Sunday, 6 May 2012

PaySitesClub affiliate recycle malware domains ?

PaySitesClub is a private adult affiliate program, the domains used to send the traffics are:

Problem... the design of these sites was stolen  and served as winlock drop zone.
cf jsunpack:

Even in one of my old 2011 post, here is a screenshots of a domain with the template of SexDerevo.

Malware domains are sometime recycled in porn and months later, exploits and fake scanners are back.
recycling domains is not a new method, example here:
Blackhole, Winlock, 0Access, PWS... you have the choice.

PaySitesClub Advert:

Edit 12 June 2012:
After a discution with the owner of PaySitesClub on ICQ, it's appear that they are not involved into these waves of malwares.
PaySiteClub is a legit service, my appologies.

Lord-Freeman showed me some proof that they was not involved but i was a little septic, after some searchs and checks i must admit that i've do a terrible mistake on this affiliate.
Malicious domains used the templates of the PaySitesClub affiliate that a fact.
Criminal used site like and to do malvertising and also one TDS (as far as i remember)
But after a period, the same malicious banners leaded to clean urls of this affiliate (7xtube, SexDerevo)
Now the question is why they used templates of PaySitesClub and why the malicious banners redirected later on original site of the affiliate...

Edit 16 June 2012:

Everything is now more clear, removed screeenshots and links related to the affiliate.


  1. Je connais quelqu'un qui a du s'amuser à la rédac de l'article :>

  2. Снова опустили Касперов?
    И это радует ;)

  3. i don't understand why these files are coming up on my computer