Tag: malvertising

38 Attack Reports | 0 Vulnerabilities

Attack reports

Parked Domains Become Weapons with Direct Search Advertising

Parked domains are increasingly being weaponized through direct search advertising, posing significant risks to users. The investigation found that over 90% of visits to parked domains led to scams, malware, or unwanted content. Three key actors were identified: one using lookalike domains and mail…
malvertising
typosquatting
traffic distribution systems
dns abuse
2025-12-17
babar
direct search advertising
domain parking
fast flux
parked domains
tedy
Published: December 17, 2025
Downloadable IOCs: 4

Cooking up trouble: How TamperedChef uses signed apps to deliver stealthy payloads

The TamperedChef campaign is a global malvertising and SEO operation that distributes seemingly legitimate software with valid code signing to trick users into executing malicious installers. These fake applications mimic common software and establish persistence through scheduled tasks, delivering…
social engineering
malvertising
persistence
javascript
remote access
scheduled tasks
seo
code-signing
javascript payload
2025-11-20
shell companies
2025-11-26
code-signing certificates
signed applications
Published: November 26, 2025
Downloadable IOCs: 132

Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine

Arctic Wolf Labs identified a U.S.-based company targeted by the Russian-aligned threat group RomCom via SocGholish, operated by TA569. This marks the first observed instance of a RomCom payload being distributed through SocGholish. The attack chain involved compromising legitimate websites, using …
malvertising
ukraine
socgholish
fakeupdate
gru
2025-11-25
ta569
mythic agent
vipertunnel
Published: November 25, 2025
Linked vulnerabilities : CVE-2025-64446 (CVSS 9.8)
Downloadable IOCs: 8

Certified OysterLoader: Tracking Rhysida ransomware gang activity via code-signing certificates

The Rhysida ransomware gang, formerly known as Vice Society, is conducting an ongoing malicious ad campaign to deliver OysterLoader malware. This initial access tool establishes a foothold on devices for dropping a persistent backdoor. The campaign uses Bing search engine advertisements to direct u…
ransomware
malvertising
latrodectus
initial access
code-signing
2025-11-03
microsoft trusted signing
oysterloader
Published: November 3, 2025
Downloadable IOCs: 271

Threat Actors Leverage SEO Poisoning and Malicious Ads to Distribute Backdoored Microsoft Teams Installers

A new campaign is distributing the Oyster (Broomstick) backdoor through trojanized Microsoft Teams installers. Threat actors are using SEO poisoning and malvertising to trick users into downloading fake installers from spoofed websites. The malicious installers deploy a persistent backdoor that ena…
malvertising
seo poisoning
persistence
dll sideloading
microsoft teams
c2 communication
oyster
broomstick
2025-10-02
oyster backdoor
trojanized installer
Published: October 2, 2025
Downloadable IOCs: 15

Potentially Unwanted Applications (PUAs) weaponized for covert delivery

A malware distribution campaign leveraging digitally signed binaries, deceptive packaging, and browser hijackers has been uncovered. The campaign centers around two malicious applications, ImageLooker.exe and Calendaromatic.exe, delivered via self-extracting 7-Zip archives. These artifacts align wi…
malvertising
seo-poisoning
CVE-2025-0411
7-zip
neutralinojs
2025-09-29
pua
imagelooker
digital-signing
trojanized-productivity-tools
code-signing-abuse
calendaromatic
browser-hijacker
Published: September 29, 2025
Linked vulnerabilities : CVE-2025-0411 (CVSS 7.0)
Downloadable IOCs: 6

GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe

A sophisticated malware campaign dubbed 'GPUGate' has been uncovered, targeting Western European IT professionals through malicious Google Ads mimicking GitHub Desktop. The attack leverages GitHub's repository structure and a GPU-gated decryption mechanism to evade analysis. The malware, a 128 MB M…
malvertising
anti-analysis
amos stealer
2025-09-08
gpugate
gpu-gated decryption
opencl
western europe
Published: September 8, 2025
Linked vulnerabilities : CVE-2025-20265 (CVSS 10.0), CVE-2025-7775 (CVSS 9.2)
Downloadable IOCs: 42

Like PuTTY in Admin's Hands

The LevelBlue Managed Detection and Response team handled incidents related to a malvertising campaign distributing trojanized versions of the PuTTY terminal emulator. The malicious software, masquerading as legitimate PuTTY, was downloaded by privileged users and exhibited behaviors such as Kerber…
malvertising
putty
kerberoasting
2025-08-27
oyster
broomstick
trojanized
Published: August 27, 2025
Downloadable IOCs: 0

Think before you Click(Fix): Analyzing the ClickFix social engineering technique

The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate …
obfuscation
screenconnect
phishing
social engineering
malvertising
infostealer
macos
darkgate
lumma stealer
latrodectus
remote access tool
mintsloader
atomic macos stealer (amos)
lampion
2025-08-21
windows run dialog
Published: August 21, 2025
Downloadable IOCs: 10

What happened in Vegas (that you actually want to know about)

This article recaps key highlights from Black Hat USA, including Joe Marshall's live incident-response exercise using the Backdoors & Breaches card game, Amy Chang's research on bypassing AI guardrails through 'decomposition', and Philippe Laulheret's ReVault presentation on vulnerabilities in embe…
malvertising
powershell
c#
CVE-2025-6543
ps1bot
2025-08-14
embedded security
ai guardrails
incident-response
black hat usa
Published: August 14, 2025
Linked vulnerabilities : CVE-2025-6543 (CVSS 9.2)
Downloadable IOCs: 3

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and u…
malvertising
powershell
cryptocurrency
modular
in-memory execution
information stealer
multi-stage
c#
2025-08-12
ahk bot
ps1bot
skitnet
Published: August 12, 2025
Downloadable IOCs: 0

Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

A sophisticated malware campaign called JSCEAL is targeting cryptocurrency users through fake apps impersonating popular trading platforms. The attackers use malicious ads to lure victims into downloading installers that deploy a multi-stage infection chain. This includes PowerShell scripts for pro…
evasion
malvertising
powershell
cryptocurrency
stealer
node.js
multi-stage
fake apps
2025-07-31
jsceal
jsc
Published: July 31, 2025
Downloadable IOCs: 268

New BrowserVenom malware being distributed via fake DeepSeek phishing website

A new malicious campaign is distributing previously unknown malware through a fake DeepSeek-R1 LLM environment installer. The phishing site, promoted via Google Ads, mimics the official DeepSeek homepage. The attack installs BrowserVenom, an implant that forces all browsing traffic through a proxy …
phishing
malvertising
proxy
llm
deepseek
2025-06-11
browser manipulation
browservenom
Published: June 11, 2025
Linked vulnerabilities : CVE-2024-3721
Downloadable IOCs: 7

Crocodilus Mobile Malware: Evolving Fast, Going Global

A new Android banking Trojan, Crocodilus, has rapidly evolved since its discovery in March 2025. Initially targeting Turkey, it has expanded to European countries and South America. The malware is distributed through malicious advertising on social networks, masquerading as banking and e-commerce a…
social engineering
android
malvertising
cryptocurrency
banking trojan
2025-06-03
crocodilus
Published: June 3, 2025
Downloadable IOCs: 4

The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website

A threat actor has orchestrated a sophisticated malvertising campaign impersonating Kling AI, a popular AI-powered image and video synthesis tool. The attackers use counterfeit Facebook pages and paid ads to drive traffic to a convincing fake website. Users are tricked into downloading malicious fi…
malvertising
infostealer
purehvnc
facebook ads
2025-05-21
crypto theft
Published: May 21, 2025
Downloadable IOCs: 42

New Nitrogen Ransomware Targets Financial Firms in the US, UK and Canada

Nitrogen, a new ransomware strain identified in September 2024, has become a significant threat to organizations worldwide, particularly in the financial sector. It encrypts critical data and demands substantial payments for decryption, targeting industries such as finance, construction, manufactur…
ransomware
malvertising
cobalt strike
meterpreter
data exfiltration
nitrogen
2025-05-20
vulnerable driver
Published: May 20, 2025
Downloadable IOCs: 2

Nitrogen Dropping Cobalt Strike – A Combination of 'Chemical Elements'

The Nitrogen ransomware group has expanded its operations from North America to Africa and Europe since September 2024. They utilize malvertising tactics, disguising malicious payloads as legitimate software like WinSCP. The group employs DLL sideloading for initial access, followed by Cobalt Strik…
ransomware
malvertising
cobalt strike
dll sideloading
lateral movement
nitrogen
2025-05-02
nitrogenloader
Published: May 2, 2025
Downloadable IOCs: 2

The "free money" trap: How scammers exploit financial anxiety

This analysis explores how scammers capitalize on financial stress by promising 'free money' through fake subsidy programs, government grants, or relief cards. Common tactics include using urgency, exclusivity, and fabricated social proof to manipulate victims. Scammers employ various techniques su…
phishing
social engineering
malvertising
njrat
identity theft
government impersonation
qr code scams
2025-04-18
financial scams
fake subsidies
Published: April 18, 2025
Downloadable IOCs: 0

Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload

A security incident involving malicious sponsored ads distributing backdoored administrative tools was detected. Users searching for RVTools were served a tampered version containing ThunderShell, a PowerShell-based remote access tool. The malicious ads, appearing in Google search results, led to a…
malvertising
powershell
icedid
google ads
c2
remote access tool
2025-04-03
thundershell
rvtools
trojanized software
Published: April 3, 2025
Downloadable IOCs: 0

Malvertising campaign leads to info stealers hosted on GitHub

A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms.…
malvertising
lumma stealer
github
lumma
netsupport rat
information stealer
multi-stage attack
doenerium
2025-03-06
living-off-the-land
Published: March 6, 2025
Downloadable IOCs: 3

Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems

This analysis explores the use of traffic distribution systems (TDS) by threat actors to redirect network traffic for illicit purposes like phishing and malvertising. TDS act as central hubs, obfuscating final destinations and hindering detection. The study found that malicious TDS exhibit distinct…
phishing
malvertising
2025-03-05
cloaking
darknet
traffic distribution systems
Published: March 5, 2025
Downloadable IOCs: 0

Booking a Threat: Inside LummaStealer's Fake reCAPTCHA

A new malicious campaign targeting booking websites has been discovered, utilizing LummaStealer, an info-stealer operating under a Malware-as-a-Service model. The attack employs fake CAPTCHAs to trick users into executing malicious PowerShell commands. Initially targeting the Philippines, the campa…
obfuscation
social engineering
malvertising
powershell
clickfix
fake captcha
lummastealer
2025-03-04
emotet
info-stealer
binary padding
booking websites
indirect control flow
Published: March 4, 2025
Downloadable IOCs: 12

Lumma Stealer Malware Thrives as Unique Patterns Uncovered in the Infostealer's Domain Clusters

Recent research reveals Lumma Stealer command and control domain clusters share specific technical characteristics, enabling mapping of entire infrastructure clusters. The infostealer's logs are being shared for free on Leaky[.]pro, a new hacking forum, offering billions of stolen credential record…
malvertising
infostealer
lumma stealer
credential theft
youtube
malspam
sectoprat
c2 infrastructure
2025-02-22
domain clusters
Published: February 22, 2025
Downloadable IOCs: 0

The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

Cybercriminals are targeting Google Ads advertisers through phishing campaigns, impersonating Google Ads via fraudulent ads. The scheme involves stealing advertiser accounts by redirecting victims to fake login pages, with the goal of reselling these accounts on blackhat forums. The operation uses …
phishing
malvertising
2025-01-20
advertising fraud
Published: January 20, 2025
Downloadable IOCs: 29

Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising

A large-scale fake captcha campaign has been distributing Lumma info-stealer malware through malvertising techniques. The campaign, relying on a single ad network, delivers over 1 million daily ad impressions, causing thousands of daily victims to lose their accounts and money. The malicious activi…
malvertising
powershell
lumma stealer
fake captcha
2024-12-18
Published: December 18, 2024
Downloadable IOCs: 50

Hello again, FakeBat: popular loader returns after months-long hiatus

FakeBat, a loader previously known as Eugenloader and PaykLoader, has resurfaced after a three-month absence. The malware was distributed through a malicious Google ad impersonating the productivity application Notion. The attack chain involves a tracking template, cloaking domain, and a decoy site…
loader
obfuscation
malvertising
powershell
lummac2
stealer
fakebat
google ads
brand impersonation
2024-11-11
Published: November 11, 2024
Downloadable IOCs: 19

InfoStealer Malware Attacking Meta Business Page To Steal Logins

A sophisticated malvertising campaign is distributing the SYS01 infostealer malware through Meta's advertising platform. The attackers impersonate trusted brands and popular software, targeting primarily senior male demographics. The malware, designed to steal personal data and credentials, is dist…
malvertising
powershell
infostealer
persistence
electron
credential theft
sys01
meta
social media
2024-11-04
Published: November 4, 2024
Downloadable IOCs: 26

LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER, a Russian-speaking financially motivated threat group, has resumed operations following law enforcement disruptions. They've shifted from using IcedID to leveraging Latrodectus and Brute Ratel C4 malware, targeting financial services through SEO poisoning malvertising campaigns. The g…
ransomware
malvertising
seo poisoning
icedid
latrodectus
2024-10-31
brute ratel c4
financial sector
infrastructure sharing
Published: October 31, 2024
Downloadable IOCs: 0

Malicious CAPTCHA delivers Lumma and Amadey Trojans

An adware campaign targets online users by presenting them with fake CAPTCHA or update prompts, tricking them into running malicious PowerShell commands that deploy credential-stealing malware like Lumma and Amadey. The attackers leverage ad networks to redirect victims to compromised sites hosting…
malvertising
adware
remcos
amadey
infostealers
social-engineering
lumma
captcha
2024-10-29
Published: October 29, 2024
Downloadable IOCs: 1

A Measure of Motive: How Attackers Weaponize Digital Analytics Tools

Threat actors are repurposing digital analytics and advertising tools to evade detection and enhance their malicious campaigns. The report explores how link shorteners, IP geolocation utilities, CAPTCHA systems, and advertising intelligence platforms are being weaponized. It provides insights into …
phishing
malvertising
captcha
2024-09-30
azorult
sockrat
adwind
jsocket
jrat
jfrutas
jbifrost
alienspy
trojan.maljava
frutas
unrecom
geolocation
evasion techniques
kraken ransomware
turkeydrop
friendspeak
dancefloor
link shorteners
digital analytics
advertising tools
mixlabel
Published: September 30, 2024
Downloadable IOCs: 10

Atomic macOS Stealer leads sensitive data theft on macOS

The report discusses the Atomic macOS Stealer (AMOS), an infostealer malware targeting macOS systems. It is designed to steal sensitive information like passwords, cookies, cryptocurrency wallets, and other data from infected machines. The malware is distributed through malvertising, SEO poisoning,…
malvertising
infostealer
cryptocurrency
macos
2024-09-09
amos
atomic macos stealer
passwords
Published: September 9, 2024
Downloadable IOCs: 17

Detecting evolving threats: NetSupport RAT campaign

This analysis examines a recent malware campaign that utilizes the NetSupport RAT, a legitimate remote administration tool, for persistent infections. The threat actors behind this campaign employ obfuscation techniques and updates to evade detection. However, by identifying weaknesses in the obfus…
obfuscation
rat
malvertising
powershell
persistence
netsupport rat
2024-08-02
Published: August 2, 2024
Downloadable IOCs: 3

'Evil Twin' Apps Spread for Multiple Fraud Schemes

HUMAN's Satori Threat Intelligence and Research team recently uncovered a massive ad fraud operation dubbed Konfety, involving threat actors operating 'evil twin' versions of 'decoy twin' apps available on major app marketplaces. The decoy twins on official stores behave normally, while the evil tw…
obfuscation
impersonation
malvertising
2024-07-17
mobile
konfety
ad fraud
Published: July 17, 2024
Downloadable IOCs: 0

WorkersDevBackdoor and MadMxShell converge in malvertising campaigns

This report analyzes two recent malware distribution campaigns that leverage malvertising techniques. The campaigns deliver the WorkersDevBackdoor and MadMxShell backdoors, which have data exfiltration capabilities and can facilitate ransomware deployment. The malware's delivery infrastructure, inc…
malvertising
madmxshell
2024-07-15
workersdevbackdoor
Published: July 15, 2024
Downloadable IOCs: 51

Fake Microsoft Teams for Mac delivers Atomic Stealer

A malvertising campaign lures Mac users into downloading a counterfeit Microsoft Teams installer containing Atomic Stealer, a data-stealing malware. The campaign uses advanced filtering techniques, compromised ad accounts, and decoy pages to deliver unique payloads that bypass security measures. Up…
malvertising
data theft
stealer
macos
adware
2024-07-12
atomic stealer
Published: July 12, 2024
Downloadable IOCs: 6

Exposing FakeBat loader: distribution methods and adversary infrastructure

During the first semester of 2024, FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders using the drive-by download technique. Researchers uncovered multiple FakeBat distribution campaigns leveraging malvertising, software impersonation, fake web browser updates, and social …
loader
social engineering
malvertising
fakebat
2024-07-02
drive-by download
paykloader
eugenloader
eugenfest
payk_34
Published: July 2, 2024
Downloadable IOCs: 237

Polyfill supply chain attack hits 100K+ sites

A malicious Chinese entity acquired control over the popular Polyfill JS open-source project and has been injecting malware into over 100,000 websites that embed the polyfill.io content delivery network. The malware redirects mobile users to a fraudulent sports betting site hosted on a domain imper…
malvertising
supply chain
2024-06-27
polyfill.js
redirection
Published: June 27, 2024
Downloadable IOCs: 7

Threat actors ride the hype for newly released Arc browser

The release of the Arc browser for Windows sparked interest among cyber criminals who quickly launched a malvertising campaign impersonating the new software. The scheme uses Google search ads to lure potential victims with fake Arc installers. These installers employ various techniques, including …
malvertising
infostealer
2024-05-28
arc browser
Published: May 28, 2024
Downloadable IOCs: 9
Click here to see more Attack Reports