On July 21, after several days of inactivity, the botnet lurched into action once more, replacing the Download Free Video series with new landing pages entitled "Watch Free Movie".

This featured a new malware filename, "codecinst.exe", an invisible iframe which I should investigate before these older servers go dead, and the fascinating comment "no title variant of spy partners & ruler cash landings". What kind of technical botnet mastermind leaves comments in the code telling you what they're trying to pull?

Full content here.

No real analysis; I'm still trying to get through the landing pages from July.