Lucide Proxy: Turning Student Web Proxies into DDoS Bots

Shavit Satou, JFrog Security Researcher | 13 Jul, 2026

We deobfuscated a massive campaign of 148 npm packages, including ilovefemboys, miguelphonk, and charlie-kirk. Disguised as student web proxies under names like Riverbend Tutoring, these packages hid mutable remote code execution vectors and a high-performance Wisp-compatible WebSocket traffic generator. They were designed to silently enlist visiting browsers into distributed denial-of-service botnets while generating aggressive popunder advertising revenue.

During a recent registry audit, we identified a highly active npm malware campaign consisting of 148 packages published under suspicious names. The first wave was uploaded beginning on May 27, 2026, by the npm account terminal3airport, followed by a newer wave on July 8, 2026, by eerikakirk. Many of these packages were removed from npm, but several remained active, including charlie-kirk version 2.0.0 and version 3.0.1.

The campaign's public-facing presentation is a web proxy application branded as "Lucide," disguised as a tutoring landing page named "Riverbend Tutoring" or "Northstar Tutoring." When a user visits the proxy page, the application functions normally, allowing students to browse restricted websites or play games. However, beneath this functional facade, the application executes a series of malicious scripts that connect visitor browsers to a coordinated, remotely controlled traffic-generation network.

Archived Lucide Proxy website during the malicious campaign

The Lucide Proxy website archived on May 18, 2026, during the period when the remote loader and Wisp traffic generator were present.

This campaign is not a traditional dependency infection. The packages contain no installation lifecycle hooks or native node build scripts. Instead, they abuse the npm registry as a free, high-bandwidth content delivery network to host the static browser application assets. Users are affected when they visit any instance of these web proxies, turning their browser sessions into active denial-of-service nodes.

The early wave of this campaign was covered by SafeDep in a brief advisory, which documented 141 packages published by the terminal3airport account. At the time, prior reporting classified the campaign purely as adware spam and npm registry abuse. SafeDep noted that the packages hosted an ad-supported Scramjet proxy targeting student users to generate click revenue via popunders.

However, static analysis and deobfuscation of the active entry bundles reveal that the campaign carries highly toxic capabilities that were completely undocumented. By tracing the historical evolution of the upstream builds and retrieving archived payloads from the Internet Archive, we recovered the actual operational history of the campaign. During a critical window in late May, the operators actively weaponized the proxy network, turning each visiting student's browser into a high-rate HTTP flood source and a protocol-level WebSocket traffic generator.

We traced the campaign back to a group of closely coordinated GitHub accounts and infrastructure.

The active application assets were compiled and distributed from a public GitHub repository under the organization lucideproxy. Metadata from GitHub reveals a tight registration timeline:

  • The account coinbaselarper was created on April 12, 2026, at 02:34:09 UTC.
  • The account simswaplarper was created exactly 43 seconds later, at 02:34:52 UTC.
  • The lucideproxy organization was created at 02:46:33 UTC, just twelve minutes after coinbaselarper.
  • The build repository lucideproxy/svg was created at 03:54:05 UTC.

Most commits in the build repository were authored by coinbaselarper, who listed the public commit email main@geeked.wtf and the Discord alias @ap5z. A second account, svg-bot, registered with the email stefanvangetson54@gmail.com, was also used to automate publication.

The hosting footprints are highly concentrated. A pivot on the campaign's stable Google Analytics property (G-0VL3ZSBXDH) and monetization domains recovered 93 deployment hostnames. Ninety of these deployments resolved to a single IP address: 92.38.177.17, hosted in AS199524 (G-Core Labs).

The domains used for these deployments were deep, rapidly changing, education-themed subdomains, such as:

  • teamparker.id.au (37 scans)
  • homeless.camdvr.org (21 scans)
  • appleishealthy.duckdns.org (16 scans)

The threat actors also registered a large number of bizarre, highly specific npm package names. Standalone titles include charlie-kirk, testdonotredeemit, acidic, backupgenuine-updated, bismillahitidakimas, bomboclatwallahi, captainindia, crazynut, fflc-updated, howmanygreatbritain, kirkland, lowkeybored, lowkirkuenly, midnightrush, miguelphonk, omglucidesotuff, omgyesyesyes, pasirianspirit, thebigyahu, whatsadmaidk, changiairportpromax, and ilovefemboys.

The rest of the campaign consists of numbered batches. These include the abuden, imillegal, ishowfeet, nottuff, ratelimitsucks, sixseven, speed, backupsitetuff, and timmytuffknuckles families of packages. The actor also used a loosely numbered backup family, with names such as backup1-gg up to backup5-updated.

The entry point of the application is loaded from index.html, which runs assets/73sxysj46r.js. This file was distributed as a 5.4 MB, single-line bundle with heavy string arrays, rotation functions, hex-identifier decoding, and arithmetic expressions used to hide simple constants. Before deobfuscation, the original file was a single, massive line of code. After passing it through static deobfuscation, this single line of code expanded into over 20,600 lines of fully structured, readable JavaScript, exposing the hidden logic.

Upon loading, and before any user interface is rendered, the application tail-executes two hidden modules:

Malicious code runs before React renders

The functions G2() and I2() are responsible for the remote code execution and traffic generation capabilities, respectively.

Before deobfuscation, the jsDelivr URL is assembled from decoder calls and partial strings, while the loader function is buried beneath generated identifiers and numeric lookup tables:

Remote loader before deobfuscation

After running the deobfuscator, the mutable remote URL and the script injection sequence become explicit:

Remote loader after deobfuscation

This loader implements several dangerous design patterns:

  • Mutable Target: The loader targets the mutable main branch of a GitHub repository rather than an immutable commit hash.
  • No Integrity Checks: No Subresource Integrity (SRI) hash is provided, allowing the owner of the GitHub account canyoupleasesaysomething to change the code executed by every visitor at any time.
  • Full Origin Privilege: The loaded script runs with the same origin privileges as the proxy app, giving it full access to cookies, local storage, and same-origin API endpoints.
  • Concealed Source: The referrerPolicy = "no-referrer" attribute reduces the referrer visibility in the request, helping to conceal the originating site.

Although the GitHub repository canyoupleasesaysomething/cdn returned HTTP 404 at our analysis time, we recovered a historical response from May 30, 2026, using Wayback Machine archives. This snapshot captured the actual second-stage payload (cdn.js) that was actively served to visitor browsers.

The recovered script was extremely simple but highly destructive:

Recovered HTTP Flood Payload

This payload is an unthrottled browser-based HTTP flood:

  • It sets an interval that runs every 500 milliseconds.
  • Every half-second, it generates a fresh one-million-character string using "a".repeat(1000000).
  • It serializes this string into a JSON request body and issues a cross-origin POST request to cdn.caan.edu, the public network domain of the CAAN Academy of Nursing in Matteson, Illinois.
  • Because the interval is unthrottled and does not await the response of prior requests, the client browser will continuously pile up outgoing requests, consuming all available system memory and upload bandwidth.
  • At a rate of two 1MB requests per second, each active proxy visitor generates roughly 2 megabytes per second of raw upload traffic. A fleet of only 1,000 active visitors would generate an aggregate flood of 2 gigabytes per second, easily overwhelming a school's public website.
  • The randomized query parameter v defeats caching proxies, and mode: "no-cors" allows the simple cross-origin POST to skip CORS preflight, ensuring the packet is sent immediately.

The same contrast appears in the WebSocket module. Before deobfuscation, the configuration URL and operational constants are reconstructed through decoder calls and arithmetic:

WebSocket module before deobfuscation

The deobfuscated output reveals the mutable websocket.txt endpoint, the 1,024-socket limit, the localhost destination, and the loop that staggers each connection by 120 milliseconds:

WebSocket module after deobfuscation

The application fetches websocket.txt with cache: "no-store" to bypass browser cache and retrieve the configuration in real-time. It parses the text file for two values: a target WebSocket URL (ws:// or wss://) and a numeric connection count constrained between 1 and 1,024.

An archived copy of websocket.txt recovered from the attacker's GitHub repository contained:

Archived websocket.txt configuration targeting lunaron.top

This configuration instructed each visitor's browser to open 30 WebSocket connections to the specified Wisp endpoint. At analysis time, lunaron.top was itself hosting a working web proxy:

Lunar v2 web proxy hosted at lunaron.top

The live Lunar v2 proxy hosted at lunaron.top, captured on July 13, 2026. While the domain is currently used for standard ad-supported proxy hosting and does not actively serve the weaponized Lucide DDoS modules, it remains unsafe as it actively injects malvertising scripts from profitablecpmratenetwork.com into visitor sessions.

Once parsed, the application enters a staggered loop, launching the connection pool with a 120-millisecond delay between sockets.

Once a WebSocket connection is successfully established with the target, the application sets the socket's binaryType to arraybuffer. Every 100 milliseconds, each of the active connections sends a pair of binary packets: a CONNECT packet followed immediately by a CLOSE packet.

These packets are built using little-endian byte orders and match the transport semantics of the Wisp v2 protocol:

Connect Packet Structure (17 bytes):

  • Offset 0: 0x01 (Connect Opcode)
  • Offset 1: Stream ID (4-byte little-endian)
  • Offset 5: 0x01 (Hostname address type)
  • Offset 6: Port 1 (2-byte little-endian)
  • Offset 8: localhost (9-byte ASCII string)

Close Packet Structure (6 bytes):

  • Offset 0: 0x04 (Close Opcode)
  • Offset 1: Same Stream ID (4-byte little-endian)
  • Offset 5: 0x02 (Close reason/status code)

Because the proxy application utilizes a Scramjet and Wisp background bridge to route browser traffic, these packets are syntactically valid Wisp control frames. The target is not the visiting user's local machine, but rather the remote Wisp proxy server.

By sending a rapid stream of CONNECT frames targeting localhost:1 followed by a CLOSE frame for the same stream ID, a single visitor's browser asks the remote Wisp server to establish and destroy up to 10,240 socket connections per second.

In legacy Wisp implementations, such as Mercury Workshop's wisp-server-node, each received CONNECT frame triggers the immediate instantiation of a new net.Socket and launches an asynchronous socket connection without verifying if the target is a loopback or private address. Additionally, the server logs every connection attempt at the INFO level.

At the maximum configuration of 1,024 concurrent WebSockets, a single browser session can force a target Wisp server to process:

  • 10,240 socket allocations and connection attempts per second.
  • 10,240 corresponding socket destructions.
  • Over 20,000 log writes per second.

This control-plane attack easily exhausts the target server's file descriptor limits, floods its log storage, and crashes the proxy service entirely.

To verify these capabilities without risking live network calls, we performed a sandboxed local simulation. Feeding the decompiled variables into a mock browser runtime proved that the remote code easily extracts cookies and local storage tokens, sending them back to the attacker via beaconing. The loopback test also captured the exact binary frames of the Wisp protocol:

Captured Wisp control frames

This confirmed our manual packet-level reconstruction, demonstrating that the Wisp protocol encoder functions exactly as designed to generate coordinated control-plane traffic.

An analysis of 22 public commits in the lucideproxy/svg build repository reveals a rapid evolution of features and threat levels over a very short timeframe:

Date Event Malicious Modules
March 5, 2026 Earliest Lucide page observed utilizing GA property G-0VL3ZSBXDH and reverse DNS geeked.wtf. None (Adware Only)
March 16, 2026 First traffic monetized via woofbeginner.com scripts. None (Adware Only)
May 16, 2026 Commit bcc9868e345b6 adds the remote script loader cdn.js just 33 minutes after the GitHub account canyoupleasesaysomething was created. Remote Loader (RCE)
May 17, 2026 Commit 9b7ca53d6bd8c adds the Wisp WebSocket generator, capped at 64 sockets. Remote Loader + Wisp Flood (64 sockets)
May 17, 2026 Commit ccc7c921bc931 introduces full-bundle obfuscation and increases the maximum socket limit to 1,024. Remote Loader + Wisp Flood (1,024 sockets)
May 30, 2026 Wayback records active HTTP flood attacking cdn.caan.edu from visitor browsers. Active HTTP Flood
May 31, 2026 Commit cf741e982181a removes the remote script loader and Wisp modules, returning the build to standard ad-supported files. None (Adware Only)
July 8, 2026 A second wave brings the campaign total to 148 packages under account eerikakirk, containing the obfuscated, ad-monetized builds. None (Adware Only)

The timeline shows that the aggressive DDoS capabilities were active for a window of roughly two weeks in May 2026. After public reporting began, the operators cleanly stripped the remote loader and Wisp traffic generators from the upstream repository, reverting the build back to standard popunder adware. The wave of packages published in July 2026 contains these later, adware-only builds.

However, because the underlying application structure remains heavily obfuscated and continues to load external third-party scripts from domains like c.vipersfutbol.com, the threat actor preserves the ability to re-introduce malicious capabilities or direct traffic dynamically.

Because this threat is delivered as a client-side web application rather than an installation-phase implant, the remediation steps focus on identifying hosting instances, protecting student workstations, and blocking infrastructure communication.

Network administrators, particularly in educational and corporate environments where student web proxies are frequently accessed, should immediately block the following domains at the DNS level:

  • woofbeginner.com
  • c.vipersfutbol.com
  • realizationnewestfangs.com
  • protrafficinspector.com
  • preferencenail.com
  • skinnycrawlinglax.com
  • cdn.conditionfuneral.com
  • lucideon.top
  • wisp.breadarchive.dpdns.org
  • 21baseballacademy.com

Users who have visited any of the affected proxy websites should clear their browser data to remove registered service workers and cached assets:

  1. Open the browser's settings menu.
  2. Select Clear Browsing Data.
  3. Choose to delete Cached images and files and Cookies and other site data for all time.
  4. For advanced users, navigate to chrome://serviceworker-internals/ or the equivalent path in your browser and unregister any service worker registered by a tutoring or proxy domain.

If your build pipelines or development environments have fetched any package listed in this campaign, remove every matching package from dependency manifests and lockfiles. Rebuild affected environments from clean sources, then verify that none of the package names in the table below remain in direct or transitive dependencies.

Package Name Malicious Versions Xray ID
charlie-kirk 2.0.0, 3.0.1 XRAY-1026483
ilovefemboys 1.1.3, 2.0.0 XRAY-1026418
abuden1 1.1.7, 1.7.7, 2.0.0 XRAY-1026380
abuden2 1.1.7, 1.7.7, 2.0.0 XRAY-1026396
abuden21 1.1.7, 1.7.7, 2.0.0 XRAY-1026474
abuden210 1.1.7, 1.7.7, 2.0.0 XRAY-1026403
abuden211 1.1.7, 1.7.7, 2.0.0 XRAY-1026461
abuden212 1.1.7, 1.7.7, 2.0.0 XRAY-1026478
abuden213 1.1.7, 1.7.7, 2.0.0 XRAY-1026451
abuden214 1.1.7, 1.7.7, 2.0.0 XRAY-1026372
abuden215 1.1.7, 1.7.7, 2.0.0 XRAY-1026376
abuden216 1.1.7, 1.7.7, 2.0.0 XRAY-1026433
abuden217 1.1.7, 1.7.7, 2.0.0 XRAY-1026518
abuden218 1.1.7, 1.7.7, 2.0.0 XRAY-1026472
abuden219 1.1.7, 1.7.7, 2.0.0 XRAY-1026485
abuden22 1.1.7, 1.7.7, 2.0.0 XRAY-1026484
abuden220 1.1.7, 1.7.7, 2.0.0 XRAY-1026498
abuden221 1.1.7, 1.7.7, 2.0.0 XRAY-1026448
abuden222 1.1.7, 1.7.7, 2.0.0 XRAY-1026493
abuden223 1.1.7, 1.7.7, 2.0.0 XRAY-1026425
abuden224 1.1.7, 1.7.7, 2.0.0 XRAY-1026444
abuden225 1.1.7, 1.7.7, 2.0.0 XRAY-1026456
abuden226 1.1.7, 1.7.7, 2.0.0 XRAY-1026440
abuden227 1.1.7, 1.7.7, 2.0.0 XRAY-1026419
abuden228 1.1.7, 1.7.7, 2.0.0 XRAY-1026491
abuden229 1.1.7, 1.7.7, 2.0.0 XRAY-1026502
abuden23 1.1.7, 1.7.7, 2.0.0 XRAY-1026473
abuden230 1.1.7, 1.7.7, 2.0.0 XRAY-1026515
abuden24 1.1.7, 1.7.7, 2.0.0 XRAY-1026452
abuden25 1.1.7, 1.7.7, 2.0.0 XRAY-1026409
abuden26 1.1.7, 1.7.7, 2.0.0 XRAY-1026463
abuden27 1.1.7, 1.7.7, 2.0.0 XRAY-1026400
abuden28 1.1.7, 1.7.7, 2.0.0 XRAY-1026458
abuden29 1.1.7, 1.7.7, 2.0.0 XRAY-1026454
abuden3 1.1.7, 1.7.7, 2.0.0 XRAY-1026519
abuden4 1.1.7, 1.7.7, 2.0.0 XRAY-1026416
abuden5 1.1.7, 1.7.7, 2.0.0 XRAY-1026462
acidic 2.0.0 XRAY-1026252
backup1-gg 1.1.2, 2.0.0 XRAY-1026432
backup2-asd 1.1.2, 2.0.0 XRAY-1026385
backup3-ff 1.1.2, 2.0.0 XRAY-1026508
backup4-gasp 1.1.2, 2.0.0 XRAY-1026445
backup5-updated 1.1.2, 2.0.0 XRAY-1026453
backupgenuine-updated 1.1.2, 2.0.0 XRAY-1026466
backupsitetuff10 1.1.7, 2.0.0 XRAY-1026481
backupsitetuff3 1.1.7, 2.0.0 XRAY-1026407
backupsitetuff6 1.1.7, 2.0.0 XRAY-1026422
backupsitetuff9 1.1.7, 2.0.0 XRAY-1026467
bismillahitidakimas 1.1.2, 2.0.0 XRAY-1026381
bomboclatwallahi 1.1.2, 2.0.0 XRAY-1026497
captainindia 1.1.2, 2.0.0 XRAY-1026388
crazynut 1.1.2, 2.0.0 XRAY-1026374
fflc-updated 1.1.2, 2.0.0 XRAY-1026512
howmanygreatbritain 1.1.2, 2.0.0 XRAY-1026404
imillegal1 1.1.7, 1.7.7, 2.0.0 XRAY-1026475
imillegal2 1.1.7, 1.7.7, 2.0.0 XRAY-1026441
imillegal3 1.1.7, 1.7.7, 2.0.0 XRAY-1026389
imillegal4 1.1.7, 1.7.7, 2.0.0 XRAY-1026511
imillegal5 1.1.7, 1.7.7, 2.0.0 XRAY-1026414
ishowfeet1 1.1.7, 1.7.7, 2.0.0 XRAY-1026428
ishowfeet10 1.1.7, 1.7.7, 2.0.0 XRAY-1026471
ishowfeet11 1.1.7, 1.7.7, 2.0.0 XRAY-1026394
ishowfeet12 1.1.7, 1.7.7, 2.0.0 XRAY-1026490
ishowfeet13 1.1.7, 1.7.7, 2.0.0 XRAY-1026505
ishowfeet14 1.1.7, 1.7.7, 2.0.0 XRAY-1026426
ishowfeet15 1.1.7, 1.7.7, 2.0.0 XRAY-1026501
ishowfeet16 1.1.7, 1.7.7, 2.0.0 XRAY-1026486
ishowfeet17 1.1.7, 1.7.7, 2.0.0 XRAY-1026420
ishowfeet18 1.1.7, 1.7.7, 2.0.0 XRAY-1026417
ishowfeet19 1.1.7, 1.7.7, 2.0.0 XRAY-1026438
ishowfeet2 1.1.7, 1.7.7, 2.0.0 XRAY-1026487
ishowfeet20 1.1.7, 1.7.7, 2.0.0 XRAY-1026410
ishowfeet3 1.1.7, 1.7.7, 2.0.0 XRAY-1026408
ishowfeet4 1.1.7, 1.7.7, 2.0.0 XRAY-1026455
ishowfeet5 1.1.7, 1.7.7, 2.0.0 XRAY-1026436
ishowfeet6 1.1.7, 1.7.7, 2.0.0 XRAY-1026406
ishowfeet7 1.1.7, 1.7.7, 2.0.0 XRAY-1026386
ishowfeet8 1.1.7, 1.7.7, 2.0.0 XRAY-1026401
ishowfeet9 1.1.7, 1.7.7, 2.0.0 XRAY-1026446
kirkland 1.1.2, 2.0.0 XRAY-1026402
lowkeybored 1.1.2, 2.0.0 XRAY-1026378
lowkirkuenly 1.1.2, 2.0.0 XRAY-1026507
midnightrush 1.1.2, 2.0.0 XRAY-1026465
miguelphonk 1.1.2, 2.0.0 XRAY-1026517
nottuff1 1.1.7, 1.7.7, 2.0.0 XRAY-1026464
nottuff10 1.1.7, 1.7.7, 2.0.0 XRAY-1026450
nottuff11 1.1.7, 1.7.7, 2.0.0 XRAY-1026373
nottuff12 1.1.7, 1.7.7, 2.0.0 XRAY-1026379
nottuff13 1.1.7, 1.7.7, 2.0.0 XRAY-1026468
nottuff14 1.1.7, 1.7.7, 2.0.0 XRAY-1026423
nottuff15 1.1.7, 1.7.7, 2.0.0 XRAY-1026391
nottuff16 1.1.7, 1.7.7, 2.0.0 XRAY-1026449
nottuff17 1.1.7, 1.7.7, 2.0.0 XRAY-1026447
nottuff18 1.1.7, 1.7.7, 2.0.0 XRAY-1026499
nottuff19 1.1.7, 1.7.7, 2.0.0 XRAY-1026383
nottuff2 1.1.7, 1.7.7, 2.0.0 XRAY-1026470
nottuff20 1.1.7, 1.7.7, 2.0.0 XRAY-1026421
nottuff21 1.1.7, 1.7.7, 2.0.0 XRAY-1026459
nottuff22 1.1.7, 1.7.7, 2.0.0 XRAY-1026480
nottuff23 1.1.7, 1.7.7, 2.0.0 XRAY-1026479
nottuff24 1.1.7, 1.7.7, 2.0.0 XRAY-1026488
nottuff25 1.1.7, 1.7.7, 2.0.0 XRAY-1026442
nottuff26 1.1.7, 1.7.7, 2.0.0 XRAY-1026399
nottuff27 1.1.7, 1.7.7, 2.0.0 XRAY-1026434
nottuff28 1.1.7, 1.7.7, 2.0.0 XRAY-1026415
nottuff29 1.1.7, 1.7.7, 2.0.0 XRAY-1026382
nottuff3 1.1.7, 1.7.7, 2.0.0 XRAY-1026489
nottuff30 1.1.7, 1.7.7, 2.0.0 XRAY-1026439
nottuff4 1.1.7, 1.7.7, 2.0.0 XRAY-1026443
nottuff5 1.1.7, 1.7.7, 2.0.0 XRAY-1026424
nottuff6 1.1.7, 1.7.7, 2.0.0 XRAY-1026413
nottuff7 1.1.7, 1.7.7, 2.0.0 XRAY-1026390
nottuff8 1.1.7, 1.7.7, 2.0.0 XRAY-1026495
nottuff9 1.1.7, 1.7.7, 2.0.0 XRAY-1026392
omglucidesotuff 1.1.2, 2.0.0 XRAY-1026482
omgyesyesyes 1.1.2, 2.0.0 XRAY-1026504
pasirianspirit 1.1.2, 2.0.0 XRAY-1026405
ratelimitsucks 1.1.2, 1.1.7, 1.7.7, 2.0.0 XRAY-1026494
ratelimitsucks1 1.1.3, 1.1.7, 2.0.0 XRAY-1026503
ratelimitsucks10 1.1.7, 1.7.7, 2.0.0 XRAY-1026516
ratelimitsucks2 1.1.4, 1.1.7, 1.7.7, 2.0.0 XRAY-1026429
ratelimitsucks3 1.1.5, 1.1.7, 2.0.0 XRAY-1026435
ratelimitsucks4 1.1.6, 1.1.7, 2.0.0 XRAY-1026460
ratelimitsucks5 1.1.7, 1.7.7, 2.0.0 XRAY-1026430
ratelimitsucks6 1.1.7, 1.7.7, 2.0.0 XRAY-1026510
ratelimitsucks9 1.1.7, 2.0.0 XRAY-1026398
sixseven1 1.1.7, 1.7.7, 2.0.0 XRAY-1026457
sixseven10 1.7.7 XRAY-1026276
sixseven2 1.1.7, 1.7.7, 2.0.0 XRAY-1026375
sixseven3 1.1.7, 1.7.7, 2.0.0 XRAY-1026393
sixseven4 1.1.7, 1.7.7, 2.0.0 XRAY-1026384
sixseven5 1.1.7, 1.7.7, 2.0.0 XRAY-1026509
sixseven6 1.1.7, 1.7.7, 2.0.0 XRAY-1026395
sixseven7 1.7.7 XRAY-1026279
sixseven8 1.7.7 XRAY-1026269
sixseven9 1.7.7 XRAY-1026250
speed1 1.1.7, 2.0.0 XRAY-1026469
speed2 1.1.7, 2.0.0 XRAY-1026506
speed3 1.1.7, 2.0.0 XRAY-1026427
speed4 1.1.7, 2.0.0 XRAY-1026411
speed5 1.1.7, 2.0.0 XRAY-1026476
thebigyahu 1.1.2, 2.0.0 XRAY-1026492
timmytuffknuckles3 1.1.7, 2.0.0 XRAY-1026496
timmytuffknuckles6 1.1.7, 2.0.0 XRAY-1026387
timmytuffknuckles9 1.1.7, 2.0.0 XRAY-1026377
whatsadmaidk 1.1.2, 2.0.0 XRAY-1026513
changiairportpromax 1.1.3, 2.0.0 XRAY-1026514
testdonotredeemit 1.0.0, 2.0.0, 2.1.1 XRAY-1026313

The Lucide Proxy campaign illustrates the risks of using third-party unblocking applications and proxies. While students and general users perceive these services as convenient bypass utilities, the underlying infrastructure can be, and has been, used as a weaponized browser botnet. By leveraging mutable remote scripts and high-concurrency connection pools, the threat actors demonstrated how easily static web assets can conduct massive, coordinated floods without direct system infection. Security teams must monitor and block the associated infrastructure domains to keep network resources safe from silent background abuse.

  • https[:]//cdn[.]jsdelivr[.]net/gh/canyoupleasesaysomething/cdn@main/cdn[.]js
  • https[:]//cdn[.]jsdelivr[.]net/gh/canyoupleasesaysomething/cdn@main/websocket[.]txt
  • https[:]//cdn[.]caan[.]edu/-/?v=
  • https[:]//woofbeginner[.]com/jivd2xu8
  • https[:]//woofbeginner[.]com/0a/91/35/0a913561831bdf2c26dcf18b852b5cc1[.]js
  • https[:]//wisp[.]breadarchive[.]dpdns[.]org
  • https[:]//21baseballacademy[.]com
  • https[:]//lucideon[.]top
  • https[:]//c[.]vipersfutbol[.]com/script[.]js
  • https[:]//realizationnewestfangs[.]com
  • https[:]//protrafficinspector[.]com/stats
  • https[:]//preferencenail[.]com/sfp[.]js
  • https[:]//skinnycrawlinglax[.]com/dnn2hkn8
  • https[:]//cdn[.]conditionfuneral[.]com

  • 92[.]38[.]177[.]17
  • 92[.]38[.]177[.]10
  • 153[.]75[.]225[.]178
  • 5[.]188[.]124[.]67
  • 92[.]38[.]177[.]16
  • 92[.]38[.]177[.]37

  • Google Analytics: G-0VL3ZSBXDH
  • Publisher Placement: 0a913561831bdf2c26dcf18b852b5cc1
  • Popunder Key: c6851a038da578a80eeb201e0588c84c
  • Developer Email: main@geeked[.]wtf
  • Developer Email: me@geeked[.]wtf
  • Developer Email: stefanvangetson54@gmail[.]com

SHA-256 Description
eb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84 assets/73sxysj46r.js
10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75 assets/script.js
4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd Archived HTTP flood payload