The exploit kit landing page is hosted on atvisti.ro, a forum for ATV enthusiasts that’s also been compromised. “If the Java exploit succeeds the final payload is loaded,” writes Malwarebytes senior security researcher Jerome Segura. “In this particular example, the payload was the Zero Access Trojan which Malwarebytes Anti-Malware detects as Rootkit.0Access.”
According to VirusTotal, the malware is currently detected by only 7 of 46 leading anti-virus solutions.
Kahu Security researchers uncovered a similar compromise on the forum for the Nissan Pathfinder Off Road Association (NPORA) in July 2013. In both cases, JJEncode was used to obfuscate the malicious script.