The MSP Security Gap

Turn security gaps into sales opportunities with weekly attack scenarios

The site they trust most was waiting for them.

The scenario:

Every morning, the accounts team checked the same industry news site. It was bookmarked. It was routine. It was compromised. 

The attacker didn’t need to phish anyone. They knew the target organisation visited this site daily. They compromised the site and injected code that only executed for visitors from the target’s IP range. Everyone else saw a normal website. The target got malware. 


The attack:

STAGE 1: TARGET IDENTIFICATION

Attacker identifies a niche industry website frequently visited by the target organisation.

The site is a small publisher with limited security resources.

Attacker compromises the site via an unpatched CMS vulnerability.

STAGE 2: SELECTIVE PAYLOAD DELIVERY

Injects JavaScript that checks the visitor’s IP address against a target list.

Only visitors from the target organisation’s IP range receive the payload.

All other visitors see the normal website (evading detection by security researchers and scanners).

Payload exploits a browser vulnerability to download a second-stage loader.

STAGE 3: INITIAL COMPROMISE

Loader establishes a reverse shell to the attacker’s command and control server.

Runs in memory only. No file written to disk. No antivirus detection.

3 employees from the accounts team are compromised on the same morning.

Attacker now controls 3 workstations that have access to financial systems.

STAGE 4: LATERAL MOVEMENT

Uses stolen credentials from browser password stores to access internal systems.

Moves laterally to the finance server using harvested credentials.

Installs a persistent backdoor on the server.

Monitors financial transactions for 4 weeks before executing a fraudulent transfer.


What stopped it:

A DNS filtering solution flagged the command and control domain as suspicious. The SOC investigated the outbound connection and identified the compromised workstations. 


How to defend against it:

  1. Deploy DNS filtering to block connections to known malicious domains

  2. Keep browsers updated automatically (the exploit targeted a known vulnerability)

  3. Implement network segmentation between workstations and financial systems

  4. Use a web proxy with SSL inspection to analyse encrypted traffic

  5. Disable JavaScript execution for non-essential sites (or use browser isolation)

  6. Monitor for unusual outbound connections from workstations

  7. Remove saved passwords from browsers. Use a password manager instead.
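As an added example (not part of the newsletter), this is the kind of triage the SOC in the scenario would run once the DNS filter flags a domain: parse a resolver log, list which workstations queried the flagged name, and check whether any of them is querying it on a fixed timer, which is how a reverse shell that "runs in memory only" still shows up on the network. The log format, addresses and domain names are constructed placeholders.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log, one "timestamp client query" per line.
# Addresses and names are placeholders (reserved .invalid TLD), not real IoCs.
SAMPLE_LOG = """\
2024-03-04T08:02:11 10.20.5.21 news.example-publisher.invalid
2024-03-04T08:02:13 10.20.5.21 cdn-update.c2-placeholder.invalid
2024-03-04T08:02:15 10.20.5.22 cdn-update.c2-placeholder.invalid
2024-03-04T08:03:13 10.20.5.21 cdn-update.c2-placeholder.invalid
2024-03-04T08:04:13 10.20.5.21 cdn-update.c2-placeholder.invalid
2024-03-04T08:05:13 10.20.5.21 cdn-update.c2-placeholder.invalid
2024-03-04T08:06:02 10.20.5.23 cdn-update.c2-placeholder.invalid
"""
FLAGGED_DOMAINS = {"cdn-update.c2-placeholder.invalid"}  # flagged by the DNS filter (placeholder)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client_ip, query_name); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()


def clients_for_flagged(text, flagged=FLAGGED_DOMAINS):
    """Map each flagged domain to the sorted list of clients that queried it."""
    hits = defaultdict(set)
    for _ts, client, name in parse_log(text):
        if name in flagged:
            hits[name].add(client)
    return {name: sorted(clients) for name, clients in hits.items()}


def beaconing_clients(text, min_queries=4, max_jitter=0.2):
    """Return (client, domain) pairs whose queries recur at near-constant intervals."""
    times = defaultdict(list)
    for ts, client, name in parse_log(text):
        times[(client, name)].append(ts)
    found = []
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # A tight spread around the mean gap looks like a timer, not a person browsing.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append(key)
    return found
```

On the sample log, three workstations queried the flagged domain and one of them queried it every 60 seconds, which is the host to isolate first.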

-

The attacker didn’t send an email. They didn’t need to. They compromised the site their target visits every day and waited. 

Review your DNS filtering rules this week.