Three years after the U.S. Department of Justice shutdown Megaupload, some of the seized sites are being used to distribute malware.
Instead of displaying a banner identifying them as sites seized as part of an investigation, Megaupload.com and Megavideo.comsites are directing users to a Zero-Click advertising feed that contains malicious links and ads.
One ad redirects users to a fake BBC article that offers the iPhone 6 for 1 Euro while another redirects them to malicious links prompting users to update their browser. Researchers at TorrentFreak said the servers still list Megaupload Limited as registrant but the CIRFU.BIZ domain in the nameserver, PLEASEDROPTHISHOST15525.CIRFU.BIZ, is not an official FBI Cyber Initiative and Resource Fusion Unit domain but rather "points to a server in the Netherlands hosted by LeaseWeb."
The CIRFU.NET domain, which the FBI unit once used, now shows “Syndk8 Media Limited” as the registrant,