



According to cyber security firm Volexity, four websites of Hong Kong democracy activists have been compromised and are serving malware.





Volexity has observed malicious code being served up from the website of the Alliance for True Democracy (ATD) in Hong Kong (www.atd.hk). ATD is an alliance of people and organizations dedicated to democracy and universal suffrage in Hong Kong.





Steven Adair wrote that the malicious JavaScript file superfish.js is still live on the website. Volexity found that the JavaScript is loaded from java-se.com, which is hosted on the Japanese IP address 210.253.101.105.





Volexity also observed that the website had an "angel webshell" placed on it (a password-protected backdoor webshell). This allows the attackers to upload new webshells or add simple China Chopper style modifications to legitimate existing files in an attempt to maintain persistence on these systems.





Volexity found that both the English and Chinese language websites for the Democratic Party Hong Kong were compromised with the same malicious code found on the ATD website.





Volexity observed that the website of the political coalition and pan-democratic organization People Power in Hong Kong (www.peoplepower.hk) had been compromised as well.









But, unlike the other two websites, the People Power website did not contain JavaScript modifications pointing to java-se.com. Instead, the website appears to have malicious iFrames leveraging the Chinese URL shortener 985.so.









After digging deeper into the Professional Commons (www.procommons.org.hk) website, Volexity found suspicious JavaScript code that writes an iFrame pointing back to a non-existent HTML page on a hotel website in South Korea.









This indicates that the above URL was formerly an active exploit URL. If it is actually malicious, it is possible the code could be re-activated at any time.
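For site owners checking their own pages, the three injection patterns described above (a script loaded from java-se.com, an iFrame pointing at 985.so, and JavaScript that writes an iFrame) can be looked for in saved HTML. The following is an added example, not Volexity's code; the sample page, its URL paths and the host hotel.example are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the article as serving or redirecting to malicious content.
WATCHLIST = {"java-se.com", "985.so"}
# Inline JavaScript that writes an iframe into the page.
IFRAME_WRITE = re.compile(r"document\.write(?:ln)?\s*\([^)]*<\s*iframe", re.I | re.S)

# Constructed sample page; paths and hotel.example are placeholders.
SAMPLE = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://java-se.com/constructed-path.js"></script>
</head><body>
<iframe src="http://985.so/PLACEHOLDER" width="0" height="0"></iframe>
<script>document.write('<iframe src="http://hotel.example/missing.html" width=0 height=0></iframe>');</script>
</body></html>"""

def on_watchlist(url):
    """True if the URL's host is a watch-listed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag in ("script", "iframe") and on_watchlist(src):
            self.findings.append((tag + "-src", src))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text, so the regex sees the JavaScript.
        if self._in_script and IFRAME_WRITE.search(data):
            self.findings.append(("script-writes-iframe", data.strip()[:60]))

def scan(html):
    """Return a list of (kind, detail) findings for one HTML document."""
    scanner = Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A script that writes an iFrame is not malicious by itself, so findings of that kind need manual review of where the iFrame points.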



