A while back I received some spam email with the theme of adding new friends of facebook. This is how I became aware of the campaign now known as the "Aqua VPN" campaign.

World renowned and internationally respected anti virus vendor MalwareBytes also blogged about this campaign here (thanks to @paperghost)

After gaining admin rights to the web panel I built a sjdb (silent java driveby) here is what I found.


Build options








More build options







Lets take a look at the available domains:







who.is of all those domains
(no need for aquavpn thats already well known)
osrsbot(.)net > http://who.is/whois/osrsbot.net
twitch (.)pw > http://who.is/whois/twitch.pw (trying to lure gamers thinking this is the real twitch url) << confirmed takedown by @vriesHd now this domain leads to a 502. 
ucam(.)me > http://who.is/whois/ucam.me
videoreaper(.)com > http://who.is/whois/videoreaper.com
live-stream(.)us > http://who.is/whois/live-stream.us
teentalk(.)us > http://who.is/whois/teentalk.us
rapid-miner(.)net > http://who.is/whois/rapid-miner.net

what a surprise! all registered by namecheap

Now for a scan of the .jar
(virustotal was down but I have scanned this file on there before)
in the meantime this will do http://nodistribute.com/result/OCP1Mox9mV02p

Add-on Domains!
If you want you can spend a little extra money and ill be honest, one of these domains is very good for social engineering.






riotpointgenerator(.)com > http://who.is/whois/RiotPointGenerator.com
leageuoflegends(.)com > http://who.is/whois/LeageuOfLegends.com

Both these registrars have had abuse reports sent and im awaiting response