
Image caption: One instance of a URL that the blog redirects to upon visiting the link (Source: Validin)
Security researcher Aaron Meese, in collaboration with Validin, has uncovered an ongoing malicious campaign that abuses Blogspot redirectors to distribute phishing pages, malware, and other malicious content. The campaign, identified as part of the larger “ApateWeb” operation, relies on Blogspot’s high-reputation platform to redirect unsuspecting users to harmful sites.
The campaign begins with seemingly innocuous Blogspot links shared on platforms like Twitter/X. As Meese explains, “These [links] have been weaponized to cater to the audience of specific posts, showing a preview that is usually related to the topic at hand, then redirecting to a plethora of different sites.” These links leverage social media meta tags to appear legitimate, fooling users who may not suspect Blogspot as a threat vector.
Using tools like Proton VPN, WhereGoes, and wget, Meese traced one such Blogspot link to a phishing page hosted on Azure blob storage. The attackers exploit Microsoft’s platform to bypass spam filters, taking advantage of Azure’s reputation. The phishing site employs basic JavaScript to tailor the content to the victim’s operating system, enhancing the campaign’s effectiveness.
One of the scripts identified checks the user’s device and redirects to a spoofed page matching the detected operating system. “If you are on an iPhone and saw a Windows Support page saying you’ve been hacked, even the least technically literate individuals will likely be suspicious,” Meese notes.
Further investigation linked this activity to the ApateWeb operation, a large-scale campaign employing over 130,000 domains to deliver scareware, potentially unwanted programs (PUPs), and other malicious payloads. One domain tied to the campaign, altitudehighjackhonorary[.]com, uses Base64 encoding to obscure URLs and dynamically redirects users based on UUIDs fetched from a central server.

The attackers have implemented advanced techniques, including proxy detection and rapid rotation of virtual phone numbers, to evade detection and extend the campaign’s reach.
Meese’s report provides actionable steps for security professionals:
- Identify Suspicious Links: Use tools like WhereGoes to trace URL redirects.
- Analyze Logs: Employ audit tools to uncover redirection patterns and block related domains.
- Educate Users: Raise awareness about the deceptive appearance of Blogspot links, encouraging skepticism toward unfamiliar URLs.
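The log-analysis step above, as an added example that is not part of Meese’s report or Validin’s tooling: it rebuilds per-client redirect chains from a constructed proxy log (hostnames are hypothetical), flags chains that start on a Blogspot page but land on another domain, and decodes query parameters that hide a URL in Base64, the obfuscation described for the ApateWeb domain.

```python
import base64, binascii
from urllib.parse import urlparse, parse_qs
# Constructed sample proxy log (not from the report): client, requested URL, HTTP status, Location header or "-".
# Hostnames are hypothetical; the Base64 parameter is generated here so the sample stays self-consistent.
HIDDEN = "https://storage.invalid/alert.html"
B64 = base64.b64encode(HIDDEN.encode()).decode()
SAMPLE_LOG = "\n".join([
    f"10.0.0.5 http://deal-preview.blogspot.com/2024/01/post.html 302 https://hop.invalid/go?u={B64}",
    f"10.0.0.5 https://hop.invalid/go?u={B64} 302 {HIDDEN}",
    f"10.0.0.5 {HIDDEN} 200 -",
    "10.0.0.7 http://ordinary.blogspot.com/2024/01/post.html 200 -",
])

def decode_b64_params(url):
    """Return query-parameter values that Base64-decode to a URL (the obfuscation the report describes)."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if decoded.startswith(("http://", "https://")):
                found.append(decoded)
    return found

def build_chains(log_text):
    """Group requests per client and follow 3xx Location headers to rebuild each redirect chain."""
    by_client = {}
    for line in log_text.splitlines():
        client, url, status, location = line.split()
        by_client.setdefault(client, {})[url] = (int(status), location)
    chains = {}
    for client, hops in by_client.items():
        targets = {loc for _, loc in hops.values()}
        for start in hops:
            if start not in targets:  # a URL nobody redirected to is the head of a chain
                chain, url = [start], start
                while url in hops and 300 <= hops[url][0] < 400 and hops[url][1] not in chain:
                    url = hops[url][1]
                    chain.append(url)
                chains.setdefault(client, []).append(chain)
    return chains

def flag_chain(chain):
    """Flag a chain that starts on Blogspot but lands elsewhere, and list any Base64-hidden URLs along it."""
    first, last = urlparse(chain[0]).hostname or "", urlparse(chain[-1]).hostname or ""
    hidden = [u for hop in chain for u in decode_b64_params(hop)]
    suspicious = first.endswith(".blogspot.com") and len(chain) > 1 and not last.endswith(".blogspot.com")
    return {"start": first, "end": last, "hops": len(chain), "hidden_urls": hidden, "suspicious": suspicious}
```

Run it over real proxy or gateway logs by replacing SAMPLE_LOG with lines in the same four-field shape; the flagged end domains are candidates for blocking.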