Parrot Traffic Direction System (TDS) is a sophisticated and persistent cybercrime infrastructure used to hijack web traffic from compromised websites and redirect selected visitors to malicious destinations. Active since at least 2019 and publicly reported since October 2021, Parrot TDS has infected tens of thousands of websites worldwide, including those belonging to educational institutions, government agencies, and adult content platforms.
How Does Parrot TDS Work?
Website Compromise and Script Injection
• Attackers gain unauthorized access to legitimate servers—often exploiting weak login credentials or vulnerable plugins in content management systems like WordPress or Joomla.
• Malicious JavaScript code is injected into existing scripts on the compromised server, often using keywords such as ndsj, ndsw, and ndsx to identify different stages of the attack.
Two-Stage Attack Structure
• Landing Script:
The first injected script, known as the “landing script,” profiles each website visitor by collecting information such as IP address, browser details, referrer, and cookies. This profiling helps the TDS filter out bots, security researchers, or unwanted traffic, and identify suitable targets for further exploitation.
• Payload Script:
If the visitor matches the attacker’s criteria, the browser is instructed to fetch a second script, the “payload script.” This script redirects the visitor to a malicious site or phishing page, or initiates a malware download. The payload script is typically identified by the keyword ndsx.
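A defender-side check for the stage markers named in the injection and payload descriptions above, written as an added example that is not part of the original article: it walks a web root for script and page files and reports whole-word occurrences of the identifiers ndsj, ndsw and ndsx with their line numbers. The sample files are constructed for the demonstration and are not real Parrot TDS code; a hit is a reason to inspect the file, not proof of infection on its own.

```python
import re
import tempfile
from pathlib import Path

# Identifiers the article names as stage markers in Parrot TDS injections.
PARROT_MARKERS = ("ndsj", "ndsw", "ndsx")
SCAN_SUFFIXES = (".js", ".html", ".htm", ".php")
# Whole-word match so that an identifier such as "bindsway" is not a hit.
_MARKER_RE = re.compile(r"\b(" + "|".join(PARROT_MARKERS) + r")\b")

def scan_text(text):
    """Return [(line_number, marker), ...] for one file, one entry per marker per line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for marker in sorted(set(_MARKER_RE.findall(line))):
            hits.append((lineno, marker))
    return hits

def scan_tree(root):
    """Walk a web root; return {relative_posix_path: hits} for files with markers."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample web root (not real Parrot TDS code): a clean script and a
# script with an appended block that references the marker identifiers.
SAMPLE_FILES = {
    "assets/clean.js": "function ready(fn) { document.addEventListener('DOMContentLoaded', fn); }\n",
    "assets/app.js": (
        "var bindsway = 1;\n"
        "/* constructed block standing in for an injected stage */\n"
        "if (typeof ndsw === 'undefined') { var ndsw = true; }\n"
        "var stage = ndsx;\n"
    ),
}

def demo():
    """Write the constructed files to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = Path(root, *rel.split("/"))
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Running `demo()` reports only `assets/app.js`, with hits on the lines that reference ndsw and ndsx; point `scan_tree` at a real document root to use it on a site.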
Dynamic and Evasive Operations
• Parrot TDS uses various obfuscation techniques to hide its code and make detection difficult. The scripts often appear well-formatted to avoid suspicion.
• The system dynamically decides which payload to deliver based on the visitor’s profile, making attacks highly targeted and harder to detect.
Campaigns and Impact
• Parrot TDS acts as a gateway for other malicious campaigns, such as FakeUpdate (SocGholish), which may present fake browser update prompts to trick users into downloading remote access tools or other malware.
• The scale is significant: by 2022, over 16,500 websites were infected, and millions of potential victims were at risk.