Magecart Veteran ATMZOW Explores New Domains in Google Tag Manager: A Detailed Analysis

In a recent revelation, Magecart Veteran ATMZOW has unearthed 40 new domains within the realms of Google Tag Manager (GTM), shedding light on the evolving tactics employed by cybercriminals. This development has raised concerns within the cybersecurity community, given the widespread usage of GTM and its potential as a gateway for hackers to infiltrate websites with malicious code. In this article, we delve into the significance of GTM for hackers, analyze the novel obfuscation methods employed by the malicious code, examine the usage of GTM containers in e-commerce malware, track the development of the notorious ATMZOW skimmer, discuss the increased complexity in obfuscation techniques, review the list of newly registered domains, explore the technique used to extend the campaign’s duration, and highlight the creation of new containers and subsequent reinfection of compromised websites.

Importance of Google Tag Manager for Hackers

Google Tag Manager has become an attractive target for cybercriminals due to its extensive usage across millions of websites. Its integration enables hackers to insert HTML code and custom scripts through a script derived from the reputable domain, googletagmanager[.]com. This, in turn, grants them unauthorized access, putting the security of countless websites at risk.

Analysis of New Obfuscation Methods

Researchers at Sucuri have closely analyzed the evolving obfuscation methods employed by the malicious code injected via GTM. By employing newer techniques of obfuscation, hackers strive to mask their activities and evade detection by security mechanisms. The comprehensive examination of these methods serves as a key component in understanding and combating such attacks.

Examination of GTM Containers in E-commerce Malware

The potential use of GTM containers in e-commerce malware has sparked concerns within the cybersecurity landscape. By leveraging the trusted framework of GTM, cybercriminals can compromise payment gateways and siphon sensitive financial data. Understanding this modus operandi is crucial in strengthening the security measures employed by online retailers and safeguarding consumer information.

Tracking the Development of ATMZOW Skimmer

The notorious ATMZOW skimmer, responsible for several Magento website infections since 2015, has been an ongoing concern for businesses operating in the e-commerce space. The skimmer, intricately linked to Magecart campaigns, has constantly evolved and adapted over the years, highlighting the importance of tracking its development to stay one step ahead of cyber adversaries.

Increased Complexity in Obfuscation Techniques

The newly discovered GTM-TVKQ79ZS container has introduced additional layers of complexity to its obfuscation techniques. This heightened sophistication enables the concealment of all associated domains and activation conditions, making it increasingly challenging for security analysts to identify and mitigate the threat effectively. Emphasizing the need for robust security measures, this development compels cybersecurity professionals to stay attuned to the evolving tactics of cybercriminals.

List of 40 Newly Registered Domains

As part of their strategy to fly under the radar, the hacker behind the ATMZOW skimmer has meticulously registered 40 new domains. These domains serve as an additional layer in their skimming process, exploiting the unsuspecting nature of users and extending the duration of their malicious campaign. By utilizing a combination of three English words with specific patterns, the attacker successfully evades rapid identification and blockage of each individual domain.

Technique to Extend Campaign Duration

By employing the aforementioned pattern-based domain names, the hacker inadvertently extends the campaign’s duration. The deliberate avoidance of predictable domain patterns not only hampers the ability to swiftly block all malicious domains but also increases the chances of a prolonged compromise. This technique frustrates efforts to disrupt the attacker’s activities and underscores the need to remain vigilant in the ever-changing threat landscape.

Creation of New Containers and Reinfection

The threat actor responsible for the ATMZOW skimmer continues to refine their approach. This time, they have created two new containers – GTM-NTV2JTB4 and GTM-MX7L8F2M – embedding the same malicious script. With these containers, the attacker aims to reinfect compromised websites, further amplifying the potential damage caused by their skimming operation. This cycle of reinfection poses significant challenges to the victims, necessitating swift remediation and heightened security measures.

The discovery of 40 new domains within Google Tag Manager by Magecart Veteran ATMZOW raises concerns about the ever-evolving techniques employed by cybercriminals. The usage of GTM as a means to inject malicious code and scripts highlights the need for increased vigilance and robust security measures. With an in-depth analysis of obfuscation methods, examination of GTM containers in e-commerce malware, tracking of the ATMZOW skimmer’s development, and exploration of various tactics employed by the hacker, businesses and individuals can better equip themselves to mitigate the risks and protect their online assets. As cyber threats continue to evolve, it is imperative to stay informed and proactive in countering these malicious activities.

Explore more

Can a Unified ERP System Future-Proof Levi Strauss?

Establishing a seamless digital environment for a brand that spans over a hundred nations is a monumental undertaking that requires more than just standard software updates. Currently, Levi Strauss & Co. is navigating a profound transformation of its digital infrastructure, aiming for a mid-2027 completion of a fully integrated global enterprise resource planning system. This strategic overhaul is not merely

Ethereum Faces $10 Billion Liquidation Risk Near $2,000

The current trajectory of Ethereum suggests a massive collision between aggressive retail speculation and sophisticated institutional sell-side pressure as the asset hovers near the $2,000 psychological threshold. This specific price point has historically served as a pivot for broader market sentiment, influencing the behavior of various decentralized finance protocols and secondary layer-two scaling solutions. Currently, the market exhibits a state

ClickLock Malware Coerces macOS Users to Surrender Passwords

Traditional macOS security architectures have long been celebrated for their robust sandboxing and gated execution, yet a new strain of malware is proving that the human element remains the most vulnerable entry point in any digital ecosystem. This threat, known as ClickLock, has emerged as a particularly aggressive evolution in the macOS threat landscape by prioritizing psychological pressure and social

Stalled Windows 11 Migration Poses Growing Security Risks

The global landscape of enterprise computing is currently grappling with a persistent digital divide as a significant segment of users continues to rely on Windows 10 despite the availability of more secure alternatives. The current ecosystem of digital infrastructure remains tethered to legacy architecture, with recent telemetry indicating that approximately one in six workstations worldwide continues to operate on Windows

How Is OpenAI Redefining AI With Precision Engineering?

The shift from experimental conversationalists to precise engineering tools has fundamentally altered the landscape of digital productivity and high-performance computing in 2026. This transition is marked by a move away from the early excitement surrounding generative models toward a rigorous framework centered on deep optimization and granular control. OpenAI has spearheaded this movement with the introduction of the GPT-5.6 Sol