Xtube porn website spreads malware, after being compromised by hackers

The popular Xtube hardcore porn website, visited by approximately 25 million people every month, has been compromised by hackers and is spreading malware onto visiting computers.

According to a report from security firm Malwarebytes, the infection has not come through boobytrapped third-party adverts on the site, but instead through malicious hackers managing to dynamically inject a line of code onto the Xtube website.


The code points to JavaScript on a third-party site that ultimately leads to the execution of the Neutrino Exploit Kit, activating an Adobe Flash exploit in unprotected computers to install malware via a drive-by-download.
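As an added example (not from the original article or from Malwarebytes), a site operator could check the HTML as it is actually served for script and frame sources outside an expected set, which is where an injected line pointing at third-party JavaScript would show up. The host names, allowlist and sample page below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts the operator expects active content to load from (constructed values).
ALLOWED_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

class ActiveContentCollector(HTMLParser):
    """Record the URL of every element that can pull in active content."""
    WATCHED = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.sources = []  # (tag, url, line number in the served HTML)

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.sources.append((tag, url, self.getpos()[0]))

def unexpected_sources(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (tag, url, line) for each source whose host is not allowlisted."""
    collector = ActiveContentCollector()
    collector.feed(html)
    base = f"https://{page_host}/"
    findings = []
    for tag, url, line in collector.sources:
        # urljoin resolves relative and protocol-relative (//host/path) URLs.
        host = urlparse(urljoin(base, url)).hostname
        # Host-less URLs (e.g. data:) resolve to None and are reported too.
        if host not in allowed:
            findings.append((tag, url, line))
    return findings

# Constructed sample of a served page with one off-allowlist script line.
SAMPLE = """<html><head>
<script src="/static/player.js"></script>
<script src="//cdn.example-site.test/lib.js"></script>
<script src="http://injected.example.invalid/x.js"></script>
</head><body><iframe src="https://www.example-site.test/ads"></iframe></body></html>"""

if __name__ == "__main__":
    for tag, url, line in unexpected_sources(SAMPLE, "www.example-site.test"):
        print(f"line {line}: unexpected <{tag}> source {url}")
```

Because the injection described here is dynamic, the check is only meaningful when run against responses fetched the way a visitor's browser would receive them, not against the files on disk.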


In short, you visit Xtube for some cheap thrills, and end up having your computer pwned by hackers.

Something has clearly gone badly wrong at Xtube, if hackers have been able to hijack their website’s HTML code and abuse it in this way.

Malwarebytes says it detects the malware the exploit attempts to run on vulnerable computers as Trojan.MSIL.ED.

As always, be sure to keep Adobe Flash – and other software – fully patched to reduce the chances of attackers successfully infecting your computer.

And remember, it’s not just naughty websites like Xtube and RedTube that can infect your computer with malware.

It’s also more family-friendly websites (like that belonging to celebrity chef Jamie Oliver) which might have fallen foul of hackers, and be silently installing malicious code onto your PC.

Stay safe out there.

For more details of the Xtube attack, check out the Malwarebytes blog post.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Xtube porn website spreads malware, after being compromised by hackers”

  1. Anonymous

    "Something has clearly gone badly wrong at Xtube, if hackers have been able to hijack their website's HTML code and abuse it in this way."

    From reading the Malwarebytes blog, Graham, the malware is served up by "dynamic, on-the-fly injection". There's not much that Xtube can do to prevent this apart from blocking the infringing ads, which, Malwarebytes go on to say, use "rotating domains". Essentially the malware is being injected into the cached version of the webpage as it's being downloaded to the user, i.e. no actual modification is being made to the online/server-side version of the site.

    Preventing such exploits would be near impossible with sites like Xtube because of how they render their videos: HTML5 / Flash.

    Users who haven't got their version of Flash patched should be protected by Microsoft's EMET if it has been properly configured. Malwarebytes note that users of their "Anti-Exploit [software] are protected from this threat."

    1. Coyote · in reply to Anonymous

      Well… to be fair, he did indeed point out that it is dynamic injection. But the bottom line is that they're vulnerable, and one could argue that that is what Graham is getting at. Up to interpretation of course, and how things are worded can change the meaning to different people, drastically, but in that case maybe it is semantics (and maybe not – even that is up to interpretation, I suppose).

  2. Coyote

    Will check their website momentarily (or rather check the information on the trojan horse, hoping that they give an analysis with enough detail, to determine this) but in the meantime… do we know if this malware places them into a botnet? Not that I can do much about it, but it seems more and more, there are more surges in mail relay (and mail to never-existing email addresses at the domains being served) attempts… and that each has far more bots (presumably) involved….
