CISO Brief

All news with #malvertising tag

48 articles

Typosquatting: Runtime Risks in Third-Party Web Scripts

🛡️ Attackers are embedding AI-generated lookalike domains inside legitimate third-party scripts, transforming typosquatting from a user mistake into a browser-runtime threat that traditional controls miss. Firewalls, WAFs, EDR, and CSPs cannot observe what approved scripts do once executed, enabling silent exfiltration as in the Trust Wallet compromise. Effective detection needs runtime behavioral monitoring that traces script actions, network calls, and deviations from established baselines rather than relying on static vetting.

Trapdoor Android Ad-Fraud Chain Fuels Malvertising

🔍 Researchers at HUMAN's Satori Threat Intelligence team disclosed "Trapdoor," a multi-stage Android ad fraud and malvertising operation involving 455 malicious apps and 183 threat actor-owned C2 domains. The campaign used utility-like apps to trick users into installing secondary apps that launch hidden WebViews, load HTML5 cashout domains, and perform automated touch-fraud. At its peak Trapdoor generated about 659 million bid requests per day, drove over 24 million app installs—mostly from U.S. traffic—and Google removed the identified apps after disclosure.

Malvertising: Claude.ai Shared Chats Deliver Mac Malware

⚠️ Attackers are using Google Ads to direct macOS users to malicious instructions hosted inside Claude.ai shared chats. The chats disguise themselves as official installation guides and prompt users to paste Terminal commands that download compressed shell scripts and execute them in memory. Some variants profile victims (including keyboard locale) before running a second-stage payload via osascript, while others immediately steal browser credentials, cookies, and Keychain items. Avoid pasting terminal commands and visit the official site directly.

Singer Loses Life Savings to Fake Ledger Live App Download

🚨 Garrett Dutton (G. Love) says he downloaded a counterfeit Ledger Live app from Apple's App Store while setting up a new computer and was tricked into entering his seed phrase. Thieves used it to steal 5.9 BTC (about $440,000). Apple removed the fraudulent app on April 12 after investigators linked it to roughly $9.5 million stolen from more than 50 victims. Legitimate wallets never ask for your seed phrase; verify developer names and ratings and be especially cautious when installing apps on new devices.

Google updates Play policies to tighten contacts, location

🔒 Google announced Play policy updates to restrict contact and location permissions and to strengthen app ownership protections, while reporting it blocked or removed over 8.3 billion ads and suspended 24.9 million accounts in 2025. The update introduces a standardized Contact Picker and a one‑time precise location button in Android 17, and urges developers to remove broad READ_CONTACTS usage. Google also added a native account transfer feature and said its Gemini AI is detecting and preemptively blocking malvertising at scale.

Google Expands Gemini Use to Combat Malicious Ads at Scale

🛡️ Google says it now relies heavily on Gemini AI to detect and block malicious ads across its advertising platforms, reporting 8.3 billion ads blocked or removed and 24.9 million advertiser account suspensions in 2025, including 602 million scam-related ads. Gemini analyzes billions of signals—beyond simple keywords—such as advertiser behavior, account history, campaign patterns, and intent to identify threats. The company reports faster processing of user reports and an 80% reduction in incorrect advertiser suspensions, and it plans to extend Gemini-driven, submission-time reviews to more ad formats.

Over 100 Chrome Extensions Steal Accounts and Data

🔒 Researchers at Socket have discovered more than 100 malicious Chrome extensions in the official Web Store that harvest Google OAuth2 bearer tokens, hijack sessions, deploy backdoors, and conduct ad fraud. The extensions were published under multiple publisher identities and span categories such as Telegram sidebars, games, video enhancers, translation tools, and utilities. Socket links the campaign to a centralized command-and-control backend hosted on a Contabo VPS and notes code comments that suggest a Russian malware-as-a-service operation. Users are urged to check installed extensions against the IDs Socket published and remove any matches immediately.

AI-Powered Pushpaganda Scam Hijacks Google Discover

🔔 Researchers uncovered 'Pushpaganda', an ad fraud campaign that uses search engine poisoning and AI-generated content to surface deceptive stories in Google Discover and trick Android and Chrome users into enabling persistent browser notifications. Once enabled, the alerts deliver scareware-style legal threats and redirect victims through actor-controlled domains that generate illicit ad revenue and funnel users to financial scams. HUMAN's findings link the operation to hundreds of domains and hundreds of millions of bid requests, and Google has deployed a fix.

Tax Search Ads Deliver ScreenConnect EDR Killer Campaign

⚠️ A large-scale malvertising campaign since January 2026 uses Google Ads to deliver rogue installers for ConnectWise ScreenConnect, ultimately installing a BYOVD EDR killer named HwAudKiller that disables security tools. The actor stacks commercial cloaking services (Adspect and JustCloakIt) and abuses a legitimately signed Huawei audio driver to terminate AV processes from kernel mode. Huntress observed over 60 malicious ScreenConnect sessions and multiple RMM backdoors, indicating pre-ransomware or initial access broker behavior.

Musician Pleads Guilty in $10M AI-Powered Streaming Fraud

🎵 North Carolina musician Michael Smith pleaded guilty to running a multi-year streaming fraud that generated over $10 million in illicit royalties. Smith purchased hundreds of thousands of AI-generated songs and uploaded them to Spotify, Apple Music, Amazon Music, and YouTube Music, then used automated bots routed through VPNs to create billions of fake streams between 2017 and 2024. Prosecutors say he ran more than 1,000 bot accounts, agreed to $8,091,843.64 in forfeiture, and faces up to five years in prison after pleading to one count of conspiracy to commit wire fraud.

Fake AI Agent Ads Deliver AMOS and Amatera Infostealers

🔒 Kaspersky researchers uncovered malicious Google Search ads that mimic documentation for popular AI assistants (for example, Claude Code, OpenClaw and Doubao) to trick users into running installer commands. The fake guides prompt victims to execute commands that deploy AMOS on macOS (via curl) or the Amatera infostealer on Windows (via mshta.exe), which exfiltrates browser data, crypto-wallets and files to a remote server. Organizations should warn staff, centrally manage access to AI tools and maintain endpoint protections.

Targeted Online Ads Emerging as Primary Malware Vector

🛡️ The Media Trust reports that online advertisements are increasingly exploited to deliver malware, and malvertising now surpasses email and direct hacks as the leading global delivery vector. Millions of infected creatives or scripts can propagate across publishers in seconds, and attackers are leveraging AI to produce adaptive malware that changes by location, browser, or device. Notable examples include Ghost Cat, Click Fix and SocGholish, while the company warns of emerging AI-assisted evasion and the abuse of adtech infrastructure.

1Campaign Cloaking Service Enables Malicious Google Ads

🛡️ 1Campaign is a cloaking service that helps threat actors run malicious Google Ads by passing automated screening and serving benign pages to security researchers while exposing real users to phishing and crypto-drainer content. According to Varonis, the platform offers a dashboard for targeting by geography, ISP, and device, and assigns fraud risk scores to filter out cloud-based and researcher traffic. It also includes a Google Ads launcher that aids operators in bypassing policy checks and impersonating brands, allowing malicious ads to remain online until manually reported.

Social Media Earns Billions from Malicious Ads in Europe

⚠️ Juniper Research says social media platforms collected nearly £3.8bn ($5.2bn) from malicious or scam adverts across 11 European markets in 2025, based on roughly 993 billion ad impressions. The Revolut-sponsored analysis found about 10% of impressions were linked to scams and estimates platforms took in £38bn overall from social advertising. The report warns impressions could reach 1.4 trillion by 2030, potentially increasing scam-linked revenue to about £8.4bn unless detection, enforcement and user education are strengthened. It urges greater transparency, manual advertiser checks and faster adaptability to evolving scams to protect user trust.

Microsoft: Python-based infostealers targeting macOS

⚠️ Microsoft warns that information-stealing campaigns are expanding beyond Windows to target Apple macOS by leveraging cross-platform languages like Python and abusing trusted distribution platforms. Since late 2025, attackers have used malvertising and Google Ads to redirect users to fake sites that employ ClickFix lures and DMG installers to deploy families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. Campaigns use fileless execution, native macOS utilities, and AppleScript to harvest browser credentials, session cookies, iCloud Keychain items, and developer secrets. Organizations are urged to train users on malvertising and fake installers, monitor Terminal and iCloud Keychain access, and inspect network egress for POSTs to newly registered or suspicious domains.

Threatsday Bulletin: Supply, Ads, Zero-Click, Scans

🔐 Most of this week's threats exploited trusted systems and routine workflows rather than new techniques, achieving access with low friction and high persistence. Incidents ranged from targeted spear‑phishing that delivered the FALSECUB backdoor to widespread malvertising campaigns distributing .NET RATs and the TamperedChef infostealer. Google Project Zero detailed a multi‑stage Pixel zero‑click chain, vendors disclosed DLL side‑loading and WSL abuse, and supply‑chain exposures and large reconnaissance sweeps were widely observed. Administrators should prioritize patching, plugin hygiene, and tightening automated support and supply‑chain controls.

CrashFix Fake Extension Delivers ModelRAT via Browser Crash

🚨 Security researchers have uncovered the CrashFix campaign, which uses a deceptive Chrome extension to intentionally crash browsers and trick victims into executing attacker-supplied commands. The malicious add-on, identified as NexShield-Advanced Web Protection and branded to resemble uBlock Origin Lite, remains dormant for about an hour before exhausting resources and forcing repeated crashes. On restart, users see a fake repair prompt instructing them to paste a command into the Windows Run dialog; executing it launches a multistage infection that ultimately deploys a previously undocumented Python-based remote access trojan named ModelRAT. Huntress ties the activity to a threat cluster it calls KongTuke and warns administrators to remove look-alike extensions, avoid running unsolicited fix commands, and use published IOCs to detect related activity.

Fake NexShield Extension Crashes Browsers for ClickFix

🛑 A malvertising campaign deployed a fake ad-blocker extension named NexShield that intentionally crashes Chrome and Edge to stage ClickFix attacks. Researchers at Huntress found the extension creates infinite chrome.runtime port loops that exhaust memory, freezing or crashing browsers. After restart, a deceptive pop-up instructs users to run a clipboard-pasted command that launches an obfuscated PowerShell chain. On domain-joined systems this delivers the Python-based ModeloRAT; home users receive a test payload.

TamperedChef malvertising drops trojanised PDFs globally

🔒 Sophos researchers warn that the TamperedChef malvertising campaign is delivering trojanised PDF manuals and fake downloads to organisations worldwide. Attackers use malicious adverts and promoted search results to trick users searching for technical manuals into installing an infostealer that harvests browser-stored credentials and contacts a C2 server. A second-stage payload, ManualFinderApp.exe, is a trojanised application that acts as both an infostealer and a persistent backdoor. The campaign employs delayed activation, staged payload delivery and code-signing abuse to evade detection; organisations should avoid clicking advert links and obtain software only from official vendor sites.

pkr_mtsi Loader Used in Malvertising to Deploy Payloads

🛡️ ReversingLabs has identified a versatile Windows packer, pkr_mtsi, used since April 2025 in large-scale malvertising and SEO-poisoning campaigns to deliver trojanized installers pretending to be utilities like PuTTY, Rufus and Microsoft Teams. The infections arise from fake download sites promoted via paid search ads rather than vendor compromise. The loader drops varied follow-on payloads (Oyster, Vidar, Vanguard Stealer, Supper), increasingly employs obfuscation and anti‑analysis techniques, and RL has released an expanded YARA rule to improve detection.