Disclaimer: I might be wrong, but …
This is what I discovered after being attacked. Several "Paytriots'" systems were compromised and were/are being used as attack platforms to implant spyware on visitors' systems.
As of this point in time, the evidence that I am aware of is not sufficient to determine whether some of the site owners (the Paytriots) were willfully and actively involved in the attacks, though there are indications that the systems were compromised and used in the attacks by entities other than the site owners (C_A are indicated).
I have already reported all of my findings to the FTC. This is an ongoing inquiry.
The malware being sent cannot be seen by the victim via any software or apps found in the normal app stores (Google Play, Microsoft, etc.).
The malware is aggressive and persistent. It will survive normal disk formatting. It can only be removed from magnetic media via a drive BIOS “low level sectorial formatting” (LLSF). Such system capability is no longer commercially available to the consumer. In order to remove the malware, the sectors on the drive must be destroyed (wiped) by overwriting the sectorial LLSF with a rotational offset (newly created sectors span around existing sectors). Only LLSF systems can accomplish this.
Solid state memory (SSD, mobile device storage, etc.) can be cleared by most authorized repair centers of the major brands. However, as in the case of magnetic storage, all content will be irretrievably destroyed.
Moreover, the malware, once installed (following a system restart), is on “autopilot” 100% and will persist autonomously for an indefinite period.
Deployment is through the Patriots’ host system upon receiving a read request from the visitor’s system (an HTTP GET request). In other words, when a visitor connects to the host server, the malware is delivered with the webpage fetch.
The host’s FQDN is then spoofed by the malware and used as the transport hostname for the data transfer. Note in the graphic “two-domain-formats-with-www-and-without-www.png” that both hostnames, www.[FQDN].com and [FQDN].com, can be detected. All obtained data is transported offshore via the spoofed FQDN, which is the one without “www.”, leading basic observation to conclude that the attack was initiated abroad, so as to implicate foreign actors (such as FVEY) and mask the domestic hosts’ complicity.
This, however, is not the only place I have seen this. I downloaded a graphics package from Corel. I was not happy with it and used their uninstaller. Following this, I found a residual package was transmitting private data from my machine to a Corel IP address via CUH.app, which the uninstaller left behind.
This too is a persistent piece of malware, along with the stuff found coming from Paytriot systems. Others you may find are pixel.watch (an FB tool normally deployed from a 31.13.X.X address) and the Gracenote ratings system, found in iTunes and several streaming apps and sites.