Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

National Journal Site Found Serving ZeroAccess Rootkit

Researchers at Invincea say they spotted National Journal still serving malware today, marking the second time in less than a month the news site was used to infect users.

Researchers at Invincea say they spotted National Journal still serving malware today, marking the second time in less than a month the news site was used to infect users.

The site is no longer serving malware at this moment. However, according to Invincea, the site was observed using a Java exploit to deliver a variant of the ZeroAccess rootkit and fake antivirus.

According to a report by, the initial compromise was detected Feb. 28, and is believed to have affected people who visited the site via major search engines between Feb. 18 and March 1. 

“What we found…was somewhat surprising given the disclosure by The National Journal…that they were aware of this happening previously/had hired a third party to investigate and remediate,” blogged Anup Ghosh, CEO of Invincea.

A redirect was added to the top of the main index page that created an iframe pointing to an exploit pack landing page, he continued. After de-obfuscating the JavaScript, an iframe was revealed leading to an exploit pack. The exploit pack was the NeoSploit pack.

 The Java exploit served via malicious archive (.jar) file.  During their analysis, the company noticed that the landing page redirected users with a more recent version of Java to a serialized Java object hosted at koxhrcnr[.]myvnc[.]com. Java object serialization is implemented to bypass the interactive user access control implemented in Java 7 Update 11.

“Is The National Journal on an island in terms of being the only legitimate website to push malware? Hardly – NBC.ComThe Council on Foreign all were used previously…and the list continues to grow,” blogged Ghosh. “What this tells us (as if we didn’t already know) is that the bad guys are increasingly going to the watering hole to attack their targets.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.