MevaSearch Operation Mirror — Full Description
Author: Ixavence
On October 23, 2025, the Ixavence Support team received user reports concerning advertisements leading to an alleged copy of the MevaSearch search engine.
The suspicious website was located at:
mevasearch[.]zya[.]me
Preliminary analysis indicated that the site mimicked the MevaSearch interface almost identically, using the same layout, color scheme, and name.
msX Guard Analysis
The msX Guard TAD team conducted a full analysis of the fake website on October 24, 2025. It was determined that the site's HTML and CSS code had been almost entirely copied from the official mevasearch.org domain. Authentic references to Ixavence resources were also found, including analytics.ixavence.org, assets.mevasearch.org, and images.mevasearch.org. The fake website used identical SEO metadata, OpenGraph data, and JSON manifest as the original.
Technical Analysis of the Fake Website
After a thorough examination of the source code, a malicious mechanism was identified: the site's code contained JavaScript designed to monitor user interactions with page elements. When the user clicked certain elements, the script generated a random string of characters and saved it into a text file named sh3233.zip.txt.
The file was then automatically downloaded by the user's browser. One second after the download, the user was redirected to mysafpexyhost.hostagerangaco[.]xyz/download.exe. This site is currently unavailable and does not contain any information about the files or content previously hosted there.
Conclusions from the Analysis
The MevaSearch copy was created using publicly available code, suggesting that the attacker did not gain access to any internal Ixavence resources or server data. The presence of references to real MevaSearch resources (e.g., analytics) was an intentional masking tactic aimed at increasing the site’s credibility. The malicious software was likely intended to install additional executable files or potentially capture user data or modify the browser (e.g., search engine hijacking).
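Because the clone loaded resources from the real Ixavence hosts, the access logs of those hosts can surface such copies. The following is an added example, not code from Ixavence or msX Guard: it scans asset-server access logs for requests whose Referer is not an official domain. The Combined Log Format, the sample lines, the paths and the `*.example` hostnames are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Official domains named in the write-up; subdomains of these are allowed.
OFFICIAL_SUFFIXES = ("mevasearch.org", "ixavence.org")
BRAND = "mevasearch"  # brand keyword used to separate impersonation from plain hotlinking

# Combined Log Format (assumed): ip - - [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed sample log lines (documentation IP ranges, placeholder hosts).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Oct/2025:09:12:01 +0000] "GET /css/main.css HTTP/1.1" 200 5120 "https://mevasearch.org/" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Oct/2025:09:12:05 +0000] "GET /css/main.css HTTP/1.1" 200 5120 "https://mevasearch.clone.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Oct/2025:09:12:06 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "https://mevasearch.clone.example/" "Mozilla/5.0"',
    '198.51.100.8 - - [24/Oct/2025:09:13:00 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "https://mevasearch.org.lookalike.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Oct/2025:09:14:00 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "-" "curl/8.0"',
]

def is_official(host):
    """True only for an official domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

def foreign_referrers(lines):
    """Map each non-official Referer host to hit count, first-seen time and requested paths."""
    found = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, path, referer = m.groups()
        try:
            host = urlsplit(referer).hostname
        except ValueError:  # malformed Referer value
            host = None
        if not host or is_official(host):
            continue  # no Referer, or a legitimate embedding page
        entry = found.setdefault(host, {"hits": 0, "first_seen": ts, "paths": set(),
                                        "brand_in_host": BRAND in host.lower()})
        entry["hits"] += 1
        entry["paths"].add(path)
    return found

if __name__ == "__main__":
    for host, info in foreign_referrers(SAMPLE_LOG).items():
        print(host, info)
```

Browsers may trim or omit the Referer depending on the embedding page's referrer policy, so an empty result does not prove that no copy exists.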
Summary
The incident was labeled MevaSearch Operation Mirror. It revealed an attempted scam aimed at impersonating MevaSearch and exploiting user trust to distribute malicious software.