< ciso
brief />
Tag Banner

All news with #malvertising tag

54 articles

OnlyFans DMCA Requests Reveal Compromised Domains

🔎 Armed with copyright law and internet scanning, OnlyFans creators and specialized vendors have been using DMCA takedowns to identify and remove unauthorized adult-content listings that appear on high-authority government and education websites. By tracking requests in Google’s Transparency Report and the Lumen database, researchers mapped thousands of compromised .gov and .edu domains used by traffic distribution systems (TDS) and parasite SEO. This trend has grown rapidly since 2020 as decentralized content ownership increased detection coverage and vendor capabilities.
read more →

Malicious Steam Workshop wallpapers used to deliver malware

🛡️ Researchers at Kaspersky report threat actors abusing Steam Workshop to distribute malware via the Wallpaper Engine app. Attackers upload malicious application-type wallpapers that execute payloads when installed, leading to account theft, backdoors, miners, and information stealers. Valve removed the identified items, but users are advised to only download from trusted creators and scan Workshop content with up-to-date antivirus.
read more →

Sniper Dz phishing scam targets MENA users

🛡️ Group-IB disclosed a large-scale fraud campaign using fake Facebook accounts to lure Middle East and North Africa users with offers like free mobile internet and government subsidies. Victims were routed via link-aggregation services to pages that abused browser notifications, back-button hijacks, and tab-under redirects to enroll users in a push-notification ecosystem. The operation monetized victims through premium SMS, premium-rate calls, investment scams, and ad fraud tied to a Sniper Dz PhaaS infrastructure.
read more →

Attackers Use Short-Form Videos to Spread Vidar Stealer

🎯 New research from ReversingLabs reveals threat actors are using TikTok and Instagram Reels to distribute the Vidar infostealer by posing as tutorials for unlocking premium software. Campaigns manipulate platform algorithms to boost saves and shares, driving viewers to lookalike domains that deliver Vidar via PowerShell or gateware-filled download sites. ReversingLabs recommends auditing install privileges and expanding phishing training to include social feeds.
read more →

Threat actors exploit AI branding in social engineering

🛡️ Microsoft Threat Intelligence describes campaigns that impersonate popular AI platforms such as ChatGPT, Copilot, and Claude to lure victims via phishing, malvertising, and SEO abuse. These operations use trusted branding, redirect chains, and urgency-driven messaging to steal credentials, commit fraud, or deliver malware. The blog emphasizes abuse of brand names rather than service compromise and recommends leveraging AI-powered security for detection and response.
read more →

FlutterShell macOS backdoor spreads via malvertising

🛡️ Palo Alto Networks Unit 42 uncovered Operation FlutterBridge, a macOS malvertising campaign distributing a Flutter-built backdoor called FlutterShell. The campaign links to a cluster known as JSCoreRunner/FileRipple and an actor tracked as CL-CRI-1089, active since at least 2023. FlutterShell uses WebView and a JavaScript-to-native bridge to load malicious logic from attacker-controlled sites, supports command execution, file manipulation, and exfiltration, and has multiple evolving variants that passed Apple notarization.
read more →

Typosquatting: Runtime Risks in Third-Party Web Scripts

🛡️ Attackers are embedding AI-generated lookalike domains inside legitimate third-party scripts, transforming typosquatting from a user mistake into a browser-runtime threat that traditional controls miss. Firewalls, WAFs, EDR, and CSPs cannot observe what approved scripts do once executed, enabling silent exfiltration as in the Trust Wallet compromise. Effective detection needs runtime behavioral monitoring that traces script actions, network calls, and deviations from established baselines rather than relying on static vetting.
read more →

Trapdoor Android Ad-Fraud Chain Fuels Malvertising

🔍 Researchers at HUMAN's Satori Threat Intelligence team disclosed "Trapdoor," a multi-stage Android ad fraud and malvertising operation involving 455 malicious apps and 183 threat actor-owned C2 domains. The campaign used utility-like apps to trick users into installing secondary apps that launch hidden WebViews, load HTML5 cashout domains, and perform automated touch-fraud. At its peak Trapdoor generated about 659 million bid requests per day, drove over 24 million app installs—mostly from U.S. traffic—and Google removed the identified apps after disclosure.
read more →

Malvertising: Claude.ai Shared Chats Deliver Mac Malware

⚠️ Attackers are using Google Ads to direct macOS users to malicious instructions hosted inside Claude.ai shared chats. The chats disguise themselves as official installation guides and prompt users to paste Terminal commands that download compressed shell scripts and execute them in memory. Some variants profile victims (including keyboard locale) before running a second-stage payload via osascript, while others immediately steal browser credentials, cookies, and Keychain items. Avoid pasting terminal commands and visit the official site directly.
read more →

Singer Loses Life Savings to Fake Ledger Live App Download

🚨 Garrett Dutton (G. Love) says he downloaded a counterfeit Ledger Live app from Apple's App Store while setting up a new computer and was tricked into entering his seed phrase. Thieves used it to steal 5.9 BTC (about $440,000). Apple removed the fraudulent app on April 12 after investigators linked it to roughly $9.5 million stolen from more than 50 victims. Legitimate wallets never ask for your seed phrase; verify developer names and ratings and be especially cautious when installing apps on new devices.
read more →

Google updates Play policies to tighten contacts, location

🔒 Google announced Play policy updates to restrict contact and location permissions and to strengthen app ownership protections, while reporting it blocked or removed over 8.3 billion ads and suspended 24.9 million accounts in 2025. The update introduces a standardized Contact Picker and a one‑time precise location button in Android 17, and urges developers to remove broad READ_CONTACTS usage. Google also added a native account transfer feature and said its Gemini AI is detecting and preemptively blocking malvertising at scale.
read more →

Google Expands Gemini Use to Combat Malicious Ads at Scale

🛡️ Google says it now relies heavily on Gemini AI to detect and block malicious ads across its advertising platforms, reporting 8.3 billion ads blocked or removed and 24.9 million advertiser account suspensions in 2025, including 602 million scam-related ads. Gemini analyzes billions of signals—beyond simple keywords—such as advertiser behavior, account history, campaign patterns, and intent to identify threats. The company reports faster processing of user reports and an 80% reduction in incorrect advertiser suspensions, and it plans to extend Gemini-driven, submission-time reviews to more ad formats.
read more →

Over 100 Chrome Extensions Steal Accounts and Data

🔒 Researchers at Socket have discovered more than 100 malicious Chrome extensions in the official Web Store that harvest Google OAuth2 bearer tokens, hijack sessions, deploy backdoors, and conduct ad fraud. The extensions were published under multiple publisher identities and span categories such as Telegram sidebars, games, video enhancers, translation tools, and utilities. Socket links the campaign to a centralized command-and-control backend hosted on a Contabo VPS and notes code comments that suggest a Russian malware-as-a-service operation. Users are urged to check installed extensions against the IDs Socket published and remove any matches immediately.
read more →

AI-Powered Pushpaganda Scam Hijacks Google Discover

🔔 Researchers uncovered 'Pushpaganda', an ad fraud campaign that uses search engine poisoning and AI-generated content to surface deceptive stories in Google Discover and trick Android and Chrome users into enabling persistent browser notifications. Once enabled, the alerts deliver scareware-style legal threats and redirect victims through actor-controlled domains that generate illicit ad revenue and funnel users to financial scams. HUMAN's findings link the operation to hundreds of domains and hundreds of millions of bid requests, and Google has deployed a fix.
read more →

Tax Search Ads Deliver ScreenConnect EDR Killer Campaign

⚠️ A large-scale malvertising campaign since January 2026 uses Google Ads to deliver rogue installers for ConnectWise ScreenConnect, ultimately installing a BYOVD EDR killer named HwAudKiller that disables security tools. The actor stacks commercial cloaking services (Adspect and JustCloakIt) and abuses a legitimately signed Huawei audio driver to terminate AV processes from kernel mode. Huntress observed over 60 malicious ScreenConnect sessions and multiple RMM backdoors, indicating pre-ransomware or initial access broker behavior.
read more →

Musician Pleads Guilty in $10M AI-Powered Streaming Fraud

🎵 North Carolina musician Michael Smith pleaded guilty to running a multi-year streaming fraud that generated over $10 million in illicit royalties. Smith purchased hundreds of thousands of AI-generated songs and uploaded them to Spotify, Apple Music, Amazon Music, and YouTube Music, then used automated bots routed through VPNs to create billions of fake streams between 2017 and 2024. Prosecutors say he ran more than 1,000 bot accounts, agreed to $8,091,843.64 in forfeiture, and faces up to five years in prison after pleading to one count of conspiracy to commit wire fraud.
read more →

Fake AI Agent Ads Deliver AMOS and Amatera Infostealers

🔒 Kaspersky researchers uncovered malicious Google Search ads that mimic documentation for popular AI assistants (for example, Claude Code, OpenClaw and Doubao) to trick users into running installer commands. The fake guides prompt victims to execute commands that deploy AMOS on macOS (via curl) or the Amatera infostealer on Windows (via mshta.exe), which exfiltrates browser data, crypto-wallets and files to a remote server. Organizations should warn staff, centrally manage access to AI tools and maintain endpoint protections.
read more →

Targeted Online Ads Emerging as Primary Malware Vector

🛡️ The Media Trust reports that online advertisements are increasingly exploited to deliver malware, and malvertising now surpasses email and direct hacks as the leading global delivery vector. Millions of infected creatives or scripts can propagate across publishers in seconds, and attackers are leveraging AI to produce adaptive malware that changes by location, browser, or device. Notable examples include Ghost Cat, Click Fix and SocGholish, while the company warns of emerging AI-assisted evasion and the abuse of adtech infrastructure.
read more →

1Campaign Cloaking Service Enables Malicious Google Ads

🛡️ 1Campaign is a cloaking service that helps threat actors run malicious Google Ads by passing automated screening and serving benign pages to security researchers while exposing real users to phishing and crypto-drainer content. According to Varonis, the platform offers a dashboard for targeting by geography, ISP, and device, and assigns fraud risk scores to filter out cloud-based and researcher traffic. It also includes a Google Ads launcher that aids operators in bypassing policy checks and impersonating brands, allowing malicious ads to remain online until manually reported.
read more →

Social Media Earns Billions from Malicious Ads in Europe

⚠️ Juniper Research says social media platforms collected nearly £3.8bn ($5.2bn) from malicious or scam adverts across 11 European markets in 2025, based on roughly 993 billion ad impressions. The Revolut-sponsored analysis found about 10% of impressions were linked to scams and estimates platforms took in £38bn overall from social advertising. The report warns impressions could reach 1.4 trillion by 2030, potentially increasing scam-linked revenue to about £8.4bn unless detection, enforcement and user education are strengthened. It urges greater transparency, manual advertiser checks and faster adaptability to evolving scams to protect user trust.
read more →