zqvee2re50mr.com: badware

[ExtRIELICi]

Prerequisites

• [X] This is NOT a YouTube, Facebook, Twitch or a shortener/hosting site report. These sites MUST be reported by clicking their respective links.
• [X] I read and understand the policy about what is a valid filter issue.
• [X] I verified that this issue is not a duplicate. (Search here to find out.)
• [X] I did not remove any of the default filter lists, or I have verified that the issue was not caused by removing any of the default lists.
• [X] I did not enable additional filter lists, or I have verified that the issue still occurs without enabling additional filter lists.
• [X] I do not have custom filters/rules, or I have verified that the issue still occurs without custom filters/rules.
• [X] I am not using uBlock Origin along with other content blockers.
• [X] I have verified that the web browser's built-in content blocker/tracking protection, network wide/DNS blocking, or my VPN is not causing the issue.
• [X] I have verified that other extensions are not causing the issue.
• [X] If this is about a breakage or detection, I have verified that it is caused by uBlock Origin and isn't a site issue.
• [ ] I did not answer truthfully to ALL the above checkboxes.

URL(s) where the issue occurs.

https://zqvee2re50mr.com/yu932ns0?key=c8efb1f92002fe49f29900703554cfb6

Description

This is a malicious domain that hides within search bars and other places in some websites. It doesn't seem to be blocked by uBlock Origin.

Other extensions used

none

Screenshot(s)

Screenshot(s)

Configuration

Details

```yaml ```

[JobcenterTycoon]

the redirect is blocked by .com/api/users*^pii=&in=false^$document

Please report the sites which using this crap instead of just reporting the unstable badware domain.

[ExtRIELICi]

I found it in gamatotv.info, which is quite a popular website in Greece and Cyprus.

[JobcenterTycoon]

The javascript popup coming from https://gamatotv.info/fbb53bfb0e7dad3e75ca078edbe1cf98.js but there is also a <a> tag with https://zqvee2re50mr.com/yu932ns0?key=c8efb1f92002fe49f29900703554cfb6 (both popups blocked with generic rules already).

Maybe also the link itself can be blocked if its stable:

simplest filter to hide: ###ads5 (EL contains ###ads50) link target: gamatotv.info##a[rel="noopener"][onclick^="javascript:window.open('https://"][onclick*="?key="]

@Yuki2718 something known here?

[ghajini]

download links on site also has popups

gmtcloud.best###ads5
||gamatotv.info^$script,3p

[Yuki2718]

something known here?

I don't, the best I know is that those Apate web/VexTrio links with key= are also spread via email. If it is globally seen in the web too, maybe worth considering generic cosmetic filters.