# Threat Analysis: Investigating Suspicious Outbound Connections to cdn.jsdelivrs[.]com (Adware or Supply Chain Foothold?)

# Alert Overview

On May 8, 2025, analysts at the FPT SOC identified a cluster of outbound HTTP requests from several internal endpoints targeting the domain `cdn.jsdelivrs[.]com`. This domain, which resolves to IP `91.195.240.12`, is registered under AS47846 (SEDO GmbH, Germany). Although seemingly benign at first glance, the domain closely resembles the legitimate jsDelivr CDN (`cdn.jsdelivr.net`) and triggered concern due to its typosquatted naming and non-standard usage patterns.

Initial review of DNS and proxy logs revealed browser-driven connections without any indication of direct user interaction with the domain itself, suggesting script-initiated activity embedded within a third-party webpage.

# Investigation Details

### **1\. Initial Analysis**

Firstly, we found that all the affected hosts that accessed the same URL accessed the website `sports[.]ltn[.]com[.]tw`, a Taiwanese sports news website.

![](https://attachments.office.net/owa/GiangPT14%40fpt.com/service.svc/s/GetAttachmentThumbnail?id=AAMkAGI4NTliNTlkLWY5Y2UtNGM5NC04NjU2LTM5NjgyYTE3YmI5OABGAAAAAACofAiImfLJRo2nlMIs0dyoBwDe2w%2BmGYhpTau00hrHikhSAAIdOpNjAADe2w%2BmGYhpTau00hrHikhSAAOdpUVOAAABEgAQAMg3oG1V7VlJm4rmOqbTa5o%3D&thumbnailType=2&token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjFFd3hWN25JVjcvbmhhaUNsc2k3dUpjdlFkZz0iLCJ4NXQiOiIxRXd4VjduSVY3L25oYWlDbHNpN3VKY3ZRZGc9Iiwibm9uY2UiOiJITjAtM0ptVXBiUUpmMFJIOTAxUVFFUFpaN2t5emVlampmVzk4WVlvVjRGYk5sRWRxSXVXc1lsWUx4QW1IN0tBdjJ3Q0wxYVdLVENTVWJBdkZ2Unh6cFlOd2hhZ2xHWDR3WW9GRUVPUF84SmRXWW14V1phQnpvZkFhZGpJOXVoMFNOR1U3aEstdEFWbXg4SXYyWUUxVUQ0eklGbGJMd2d0bkJSUHl1NGhWT2ciLCJpc3Nsb2MiOiJUWVVQUjA2TUI2MDUwIiwic3JzbiI6NjM4ODI3NDc5ODA0ODY4MDczfQ.eyJzYXAtdmVyc2lvbiI6IjMyIiwiYXBwaWQiOiJhZjNlYmJiYS1jMjNmLTQ5MmEtYWE5My04MzQyMTY5NmVjNGIiLCJpc3NyaW5nIjoiV1ciLCJhcHBpZGFjciI6IjIiLCJhcHBfZGlzcGxheW5hbWUiOiIiLCJ1dGkiOiIyNDhlODgwOC0zMDVkLTRiYmUtOGJhYS1mMjc0MmNjNWM5ZGEiLCJpYXQiOjE3NDczMzEwNjgsInZlciI6IlNUSS5Vc2VyLkNhbGxiYWNrVG9rZW4uVjEiLCJ0aWQiOiJmMDFlOTMwYWI1MmU0MmIxYjcwZmE4ODgyYjVkMDQzYiIsInRydXN0ZWRmb3JkZWxlZ2F0aW9uIjoiZmFsc2UiLCJ0b3BvbG9neSI6IntcIlR5cGVcIjpcIk1hY2hpbmVcIixcIlZhbHVlXCI6XCJUWVVQUjA2TUI2MDUwLmFwY3ByZDA2LnByb2Qub3V0bG9vay5jb21cIn0iLCJyZXF1ZXN0b3JfYXBwaWQiOiIxNTdjZGZiZi03Mzk4LTRhNTYtOTZjMy1lOTNlOWFiMzA5YjUiLCJyZXF1ZXN0b3JfYXBwX2Rpc3BsYXluYW1lIjoiT2ZmaWNlIDM2NSBFeGNoYW5nZSBNaWNyb3NlcnZpY2UiLCJzY3AiOiJPd2FBdHRhY2htZW50cy5SZWFkIiwib2lkIjoiMGY5MTMzODctYjlhMi00NGU1LTgzZDItNjgxNzQwODgyZjY0IiwicHVpZCI6IjEwMDMyMDAxNUMyQzQ3NDYiLCJzbXRwIjoiR2lhbmdQVDE0QGZwdC5jb20iLCJ1cG4iOiJHaWFuZ1BUMTRAZnB0LmNvbSIsInVzZXJjYWxsYmFja3VzZXJjb250ZXh0aWQiOiIzMWY5MGY3NGJiODc0NTUwYTUxZjgwY2VlNzIyNmY5NSIsInNpZ25pbl9zdGF0ZSI6Imttc2kiLCJlcGsiOiJ7XCJrdHlcIjpcIlJTQVwiLFwiblwiOlwiMktmLUE5VDZRaUMxQXFyVGJnLXFOYjZhdjVodzJHRU1NZHJFTE94dExjc1VKV19KWDV3VDVxNU1URzE5Ul9uczZtZHRJdzdqR1kyYTEzNUhyTHlCQUJod2N5VXBBYUlkSzRyTFBuV0lBYXpJYUNDM3pqd3VtZmgtWUtjU01nSUJ0dVRQQUtTMHg3R2w5aVhWdGpKeHAyN3pvQ3hBYXlFWEdwN19Ua2ppTEpCNGVRTzlQb2M3NmJXSXJqcmZ3WHdObjBObEFwXzRfTXV3ZHJPcTFSbXFpRUlMNjdWSGhlSWFyZDNFSzlPZ3dyNFc1WC1rcVJENGhZV1Y2LXRaVzFSbHY4TFhaWF9wWmRQSUhKbWRIdEVNZGNiUzNBYWE0dXhSY3czWWIzUGtWUy04MGI2bDh0M2FPMTZrVmhBWDkyaDRUNkd0UnRCcVNSbUZBYklSc09YOFVRXCIsXCJlXCI6XCJBUUFCXCIsXCJhbGdcIjpcIlJTMjU2XCIsXCJleHBcIjpcIjE3NDc0MjAzNTFcIixcImV4cF9kaWZmXCI6XCI4NjQwMFwiLFwia2lkXCI6XCJYWEFjUnJSa1h0cXBycXNCbFF4Yl9FWHNGdzBcIn0ud0dkSTEvVUt0OGliWjNUOHRmNVFLWmVqV0NOaWpFKys4T0VzVTRoL3g0Wkg1dTlZR0l5YWcrSmVoci9FcnZCNitmRlVCY3o1S1BETVl0ZGZVS205R1pLMkRHYWhYVGQ3RVBzQUs4ZEJ5Z25JRW1wVWRtc2RUWHg0dURIZnVXaTgwZzRMRW1YWTNmTDhhWDFPT1p5T1JXa1R6R0NWdnBXUWdCc2xuVy9OMzVhUUFiRlFGRmdMYzFjaUZhcUFHc3ZqOGc0YmZYekJya2d5QnlrbWJMRkVkdnNVbDBJa1NiL25QRWFtMk5CajZyQ0dMeVMrMUpDbFptZ1JobXN3dWlmYndOcHZBaUUvaE91LzZOcnR5RTNtOVVodzhOekY1VXNLR004RFBVazk4bGlEb29NdDBjMG8wR3ZFVzJubGhZcTRhL2lwOGJ6U1NDbHVzczJoQ2xXTjV3PT0iLCJuYmYiOjE3NDczMzEwNjgsImV4cCI6MTc0NzMzMTM2OCwiaXNzIjoiaHR0cHM6Ly9zdWJzdHJhdGUub2ZmaWNlLmNvbS9zdHMvIiwiYXVkIjoiaHR0cHM6Ly9vdXRsb29rLm9mZmljZS5jb20iLCJzc2VjIjoiRTdIUUdBYVNHZHFCeTNLbCJ9.QGvxWiwS0e3wKovtKJI0tK7vXUKNX0gpeyTJ2rtaCoPrSavqCqG39gllUuHeZ34O4Rx5-gQzLOgMWqT631gpAEDhgWef3OwHM1wq5OuNiWLWZic502L3Mo-OHylLtFYEn-Uy3VPa81nGX029PdS8BELf53cfEIl9DdwVBhxCP24xG0KlVKM8rSQVUIFONR2Z2NtHCrrM4d8VXHxxxYgW1wW0yqetzqPS96psVktzoe4ZqvhPYKVXMSnYtZfX2n_qDGhG00R9NrrGrvTFhSu3YlEWtPZJP-Angx8Et2ytoN6OcxGKSjLI2IvjCF5QwgPB91VQRKAo9z91-dKhUiuuwQ&X-OWA-CANARY=wTQ4TS1nXJsAAAAAAAAAADDBVHtRjN0Y42F5h1crn9cOl7L9bDHGazYUXz0vjUfqxqG9QryeArw.&owa=outlook.office.com&scriptVer=20250502003.08&clientId=1329EA541D4C471796EA2AD631882BD3&animation=true align="left")

After checking the embedded JavaScript within the page invoked pop-up ads, one of which triggered the suspicious request to `cdn.jsdelivrs[.]com`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747331888202/fef39b0c-d9fb-4e54-abc7-cca7a7ed97d5.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747331709127/155258de-cab9-4b3f-9219-9fe2759d3bbe.png align="center")

App AnyRun Sandbox Result: [https://app.any.run/tasks/90532748-66f1-4d09-a90e-d1ca27bd3f35](https://app.any.run/tasks/90532748-66f1-4d09-a90e-d1ca27bd3f35)

The flow appeared entirely browser-driven, with the endpoint process tree linking to `chrome.exe`, no CLI usage observed.

## 2\. Domain Intelligence (WHOIS + Passive DNS)

| Attribute | Value |
| --- | --- |
| Queried Domain | cdn.jsdelivrs\[.\]com |
| IP Address | 91.195.240.12 |
| ASN / Org | AS47846 / SEDO GmbH |
| Passive DNS | \&gt;120 subdomain queries in past 180 days |
| WHOIS Created | 2017, tagged as monetized/parked domain |
| SSL Certificate | Self-signed, non-validating |

The domain is a **typosquatted clone** with no legitimate CDN functions. Historical associations tie it to ad redirect platforms, SEO manipulation, and domain parking infrastructure.

## 3\. Payload Characteristics

* HTTP GET requests to `cdn.jsdelivrs[.]com` returned either empty responses or HTML with redirect scripts.
    
* Redirection targets included `sedoparking.com` and similar monetization services.
    
* No evidence of JavaScript obfuscation, encoded payloads, or exploit delivery.
    
* DPI (where available) confirmed redirection to external parked domains, ~200 byte HTML responses, consistent with advertising scripts.
    

## 4\. Correlation with jsDelivr Abuse Campaigns

While this specific domain was not directly tied to past phishing infrastructure, its pattern strongly resembles the attack flow documented in the 2023 Check Point report:

* * Malicious npm package (`reactenz`) was used to dynamically load an encoded HTML phishing page hosted on jsDelivr’s CDN.
        
    * jsDelivr retained the payload even after the source package (`standforusz`) was taken down from npm due to permanent caching policies.
        
    * The phishing flow was only visible at runtime due to obfuscation and dynamic DOM injection.
        

**Assessment:** In our case, no phishing payloads or encoded HTML were observed. However, the infrastructure setup (typosquatted domain, parked redirection) could be reused or repurposed with little effort by a motivated actor.

## 5\. Traffic Flow Visualization

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1747333050882/35367f24-ad02-4ddf-83fb-9b3b5ee1ad33.png align="center")

The diagram above outlines the interaction chain: a user visits a legitimate website, embedded JavaScript spawns an ad popup that connects to a typosquatted CDN-like domain, returning redirector content. A hypothetical branch illustrates the abuse pathway seen in phishing kits using similar delivery infrastructure.

# Actions & Mitigations

| Mitigation Step | Detail |
| --- | --- |
| Network Enforcement | MDE and firewall enforced a deny policy for all connections to the domain/IP |
| Threat Intel Integration | Domain and IP added to the custom CrowdStrike IOC list |
| IOC Hunt | SIEM queried for the past 30 days across DNS/proxy logs for recurrence |
| Endpoint Process Review | No signs of persistence, scheduled tasks, or PowerShell/scripting activity |
| ATT&CK Mapping | Considered T1566.002 (phishing via service), T1204.001 (user-triggered link) |

# 📚 References

* Check Point Research – "[CDN Service Exposes Users to Malicious Packages for Phishing Attacks Invisible to Security Tools](https://blog.checkpoint.com/securing-the-cloud/cdn-service-exposes-users-to-malicious-packages-for-phishing-attacks-invisible-to-security-tools/)"
    
* HackRead – "[Global CDN Service ‘jsdelivr’ Exposed Users to Phishing Attacks](https://hackread.com/global-cdn-service-jsdelivr-phishing-attacks/)"
    
* GitHub – [jsDelivr Design & File Caching Model](https://github.com/jsdelivr/jsdelivr)
