Silent Push Exposes Magecart Network Operating Since Early 2022
Silent Push, a provider of a cyber intelligence platform, today disclosed the discovery of another network making use of web skimmers known as Magecart to target online shoppers using major credit cards issued by American Express, Diners Club, Discover and Mastercard.
Zach Edwards, a senior threat researcher for Silent Push, said this specific Magecart network was discovered after researchers began investigating indicators of compromise, starting with a cdn-cookie[.]com site that pointed to an IP address on ASN 209847, which is operated by PQ.Hosting/Stark Industries, also known as THE.Hosting/WorkTitans B.V.
Silent Push researchers, using a HYAS platform the company acquired late in 2025 to investigate IT infrastructure, subsequently determined that this domain was hosting several URLs that loaded highly obfuscated scripts. Further analysis of the scripts and related domains revealed a long-term web-skimming campaign with several infections dating back to approximately January 2022.
According to Silent Push researchers, the network has enabled cybercriminals to employ scripts to embed malicious code in legitimate e-commerce sites to steal credit card data from at least six major payment network providers.
Given the sophistication of the code created, the cybercriminals that have been running this Magecart network are fairly advanced, said Edwards. In addition to being highly obfuscated, the code employs several techniques, including string concatenation, array-based string storage, self-executing anonymous functions, and other encodings. Deobfuscation revealed approximately 600 lines of JavaScript implementing the credit card skimmer. That code is split into several functions, each with functionality related to a larger attack.
In general, these types of cyberattacks are difficult to detect because the JavaScript code runs on the client devices rather than on the website running the e-commerce application. The Silent Push platform is designed to create a digital fingerprint of that JavaScript code that can then be used to thwart similar attacks.
Silent Push also recommends organizations implement a content security policy (CSP) to restrict the loading of external resources, particularly JavaScript, to reduce the risk of malicious code injection. Additionally, organizations should comply with Payment Card Industry Data Security Standard (PCI DSS) requirements to ensure secure storage, processing, and transmission of cardholder and authentication data.
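To make the CSP recommendation concrete, the following added example (not code from Silent Push or the original article) audits the script rules of a policy and checks whether a third-party script URL would be allowed to load. The function names, policies and hostnames are constructed for illustration, and source matching is simplified to ignore ports and paths.

```javascript
// Added example (constructed policies and hostnames): audit a CSP header's script rules.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function scriptSources(header) {
  const policy = parseCsp(header);
  return policy['script-src'] || policy['default-src']; // script-src falls back to default-src
}

// List the reasons a policy would fail to stop an injected third-party script.
function auditScriptSources(header) {
  const sources = scriptSources(header);
  if (!sources) return ['no script-src or default-src: scripts may load from any origin'];
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const findings = [];
  for (const s of sources.map(x => x.toLowerCase())) {
    if (s === '*') findings.push('wildcard * allows scripts from any host');
    else if (/^[a-z][a-z0-9+.-]*:$/.test(s)) findings.push(`scheme-only source ${s} is not limited to named hosts`);
    else if (s === "'unsafe-inline'" && !hasNonceOrHash) findings.push("'unsafe-inline' permits injected inline script");
    else if (s === "'unsafe-eval'") findings.push("'unsafe-eval' permits eval-based unpacking of obfuscated code");
  }
  return findings;
}

// Simplified source matching (ports and paths ignored): may a page at pageOrigin
// load a script from scriptUrl under this policy?
function allowsScriptFrom(header, scriptUrl, pageOrigin) {
  const sources = scriptSources(header);
  if (!sources) return true;
  const url = new URL(scriptUrl);
  return sources.map(x => x.toLowerCase()).some(s => {
    if (s === '*') return true;
    if (s === "'self'") return url.origin === new URL(pageOrigin).origin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
    if (s.startsWith("'")) return false; // keywords, nonces and hashes name no host
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
    if (!m || (m[1] && m[1] + ':' !== url.protocol)) return false;
    return m[2].startsWith('*.') ? url.hostname.endsWith(m[2].slice(1)) : url.hostname === m[2];
  });
}

const WEAK = "default-src *; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'";
const STRICT = "default-src 'none'; script-src 'self' https://js.payments.example 'nonce-r4nd0m'";
```

Running `auditScriptSources` over the header a checkout page actually returns shows whether the policy restricts script origins at all; a policy that lists `https:` or `*` leaves any injected external script free to load.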
Finally, website administrators should periodically review their sites using either their browser’s incognito/private mode or after clearing the browser cache and history. That simple maintenance activity is essential because many web injection-based threats employ detection mechanisms that identify administrative users through cookies and deliberately avoid executing malicious code in their presence.
There is little doubt that cybercriminals have become very adept at exploiting e-commerce sites to gain access to credit card data that is then used to purchase any number of goods and services. While many credit card issuers recognize that theft of that data is part of the cost of doing online business, the fact remains that eternal vigilance is required to thwart fraudulent activities that all too often can be traced back to the simple theft of a credit card number.

