Turning Antivirus into an offensive weapon

Jigsaw Security has been tracking a series of moves that appear to directly target users of Avast, AVG and McAfee anti-virus products. In addition, we previously reported on some sneaky content distribution activity in which legitimate applications have been attacked via the CDN networks that support a large number of legitimate downloads.

Read more below.

McAfee and Avast Targeting

Upon researching some strange blocking activity on our FirstWatch server, we observed 3 domains associated with this activity. The domains have been triggering heuristic alerts for malware payloads on our sensors.

The domains associated with this activity are mcafee-support-number[.]uk, avg-support[.]uk and avast-support[.]uk; the host serving these domains is also hosting PayPal phishing activity.

VirusTotal reports and Malwarebytes products detect this type of activity, in addition to Jigsaw FirstWatch products. Fortinet also classifies this site as malicious, according to their website.
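The three indicators above are published defanged ("[.]"), and they share one naming scheme: an AV vendor name joined to "support". The following added example (not Jigsaw's code or tooling) shows how a defender would refang those indicators and sweep a DNS query log for both exact hits and lookalikes of the same scheme. The log format, the sample lines and the lookalike regex are constructed assumptions for illustration; the only real indicators are the three domains from the post.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Defanged indicators exactly as published in the post above.
PUBLISHED_IOCS = [
    "mcafee-support-number[.]uk",
    "avg-support[.]uk",
    "avast-support[.]uk",
]

# Hypothetical pattern for the naming scheme those domains share: vendor name,
# "-support", optional "-number", any TLD. It will also match legitimate
# vendor-owned domains, so hits are a triage list, not an automatic block.
VENDOR_SUPPORT_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?:mcafee|avg|avast)-support(?:-number)?\.[a-z]{2,}$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]uk') back into a real hostname."""
    return indicator.replace("[.]", ".").lower()


KNOWN_BAD = {refang(d) for d in PUBLISHED_IOCS}

# Constructed sample lines in a simplified DNS-query log shape
# (timestamp, client IP, query name). Not real telemetry; the ".example"
# domain uses a reserved TLD so it cannot collide with a real host.
SAMPLE_LOG = """\
2017-10-17T09:12:01Z 10.0.4.21 www.avast.com
2017-10-17T09:12:09Z 10.0.4.21 avast-support.uk
2017-10-17T09:14:33Z 10.0.7.8 support.avg.com
2017-10-17T09:15:02Z 10.0.7.8 cdn.mcafee-support-number.uk
2017-10-17T09:16:40Z 10.0.2.2 mcafee-support.example
2017-10-17T09:17:11Z 10.0.2.2 mail.example.org
"""


def classify(qname: str) -> Optional[str]:
    """Return 'known-bad', 'lookalike', or None for a single query name."""
    name = qname.lower().rstrip(".")
    # Exact match, or a subdomain of, a published indicator.
    for bad in KNOWN_BAD:
        if name == bad or name.endswith("." + bad):
            return "known-bad"
    if VENDOR_SUPPORT_RE.match(name):
        return "lookalike"
    return None


def find_suspicious_queries(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (client, query name, verdict) for each hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the sweep
        _ts, client, qname = parts
        verdict = classify(qname)
        if verdict:
            hits.append((client, qname, verdict))
    return hits


if __name__ == "__main__":
    for client, qname, verdict in find_suspicious_queries(SAMPLE_LOG.splitlines()):
        print(f"{verdict:10} {client:12} {qname}")
```

Subdomain matching matters here: the post notes PayPal phishing on the same host, so content on this infrastructure is not limited to the bare registered names. The lookalike pattern is deliberately broad; in production it would be paired with an allowlist of the vendors' real domains.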

The CDN Connection

Looking at responses from the CDN, Jigsaw Security has been able to determine that different binaries are received depending on the network from which the request is made. When the request comes from US-based IP space, the legitimate files are served by the web server. When the same resources are accessed from the EU, Brazil, Canada and some other countries, malicious content is bundled with the legitimate programs by some CDN services (names and sources redacted).
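The practical check that follows from this finding is to fetch the same artifact from several vantage points and compare what each one actually received. The added example below (not Jigsaw's code) does the comparison step offline: it groups per-region download records by artifact, prefers the vendor's published hash as the reference when one is available, and otherwise falls back to the US copy as the baseline, since the post reports that US requests received the legitimate files. The file names, regions, byte strings and hashes are all constructed for the example.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class Download(NamedTuple):
    artifact: str   # path of the file requested
    region: str     # vantage point the request was made from
    sha256: str     # hash of the bytes actually received


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for installer bytes; in practice these are the files
# fetched from each region, hashed after download.
CLEAN_SETUP = b"legitimate installer bytes"
BUNDLED_SETUP = CLEAN_SETUP + b"\x00extra payload appended at the edge"
CLEAN_UPDATE = b"legitimate update bytes"

# Constructed observations: the same URL fetched from several regions.
OBSERVATIONS = [
    Download("/download/setup.exe", "US", sha256_hex(CLEAN_SETUP)),
    Download("/download/setup.exe", "EU", sha256_hex(BUNDLED_SETUP)),
    Download("/download/setup.exe", "BR", sha256_hex(BUNDLED_SETUP)),
    Download("/download/setup.exe", "CA", sha256_hex(BUNDLED_SETUP)),
    Download("/download/update.bin", "US", sha256_hex(CLEAN_UPDATE)),
    Download("/download/update.bin", "EU", sha256_hex(CLEAN_UPDATE)),
]


def find_region_divergence(
    observations: List[Download],
    published: Optional[Dict[str, str]] = None,
    baseline_region: str = "US",
) -> Dict[str, Set[str]]:
    """Return {artifact: regions whose received hash differs from the reference}.

    The reference is the vendor-published hash when `published` has one for the
    artifact; otherwise the single hash seen from `baseline_region`. If there is
    no usable reference at all, every region is reported, because nothing can be
    trusted without one.
    """
    published = published or {}
    by_artifact: Dict[str, List[Download]] = defaultdict(list)
    for obs in observations:
        by_artifact[obs.artifact].append(obs)

    divergent: Dict[str, Set[str]] = {}
    for artifact, obs_list in by_artifact.items():
        ref = published.get(artifact)
        if ref is None:
            baseline = {o.sha256 for o in obs_list if o.region == baseline_region}
            if len(baseline) != 1:
                # No baseline copy, or the baseline itself is inconsistent.
                divergent[artifact] = {o.region for o in obs_list}
                continue
            ref = baseline.pop()
        bad = {o.region for o in obs_list if o.sha256 != ref}
        if bad:
            divergent[artifact] = bad
    return divergent


if __name__ == "__main__":
    for artifact, regions in find_region_divergence(OBSERVATIONS).items():
        print(f"{artifact}: differs in {sorted(regions)}")
```

A vendor-signed hash is the stronger reference: with only a regional baseline, a compromised baseline region would make the tampered copy look correct everywhere, which is why the function reports the baseline region itself when a published hash disagrees with it.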

We have warned about CDN activity in the past. The investigation into this activity is ongoing. The Jigsaw Analytic platform shows that this campaign has been active since 16 Oct, 2017.

© 2017-2018 Jigsaw Security Enterprise Inc.