< ciso
brief />
Tag Banner

All news with #malvertising tag

54 articles · page 2 of 3

Microsoft: Python-based infostealers targeting macOS

⚠ Microsoft warns that information-stealing campaigns are expanding beyond Windows to target Apple macOS by leveraging cross-platform languages like Python and abusing trusted distribution platforms. Since late 2025, attackers have used malvertising and Google Ads to redirect users to fake sites that employ ClickFix lures and DMG installers to deploy families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. Campaigns use fileless execution, native macOS utilities, and AppleScript to harvest browser credentials, session cookies, iCloud Keychain items, and developer secrets. Organizations are urged to train users on malvertising and fake installers, monitor Terminal and iCloud Keychain access, and inspect network egress for POSTs to newly registered or suspicious domains.
read more →

Threatsday Bulletin: Supply, Ads, Zero-Click, Scans

🔐 Most of this week's threats exploited trusted systems and routine workflows rather than new techniques, achieving access with low friction and high persistence. Incidents ranged from targeted spear‑phishing that delivered the FALSECUB backdoor to widespread malvertising campaigns distributing .NET RATs and the TamperedChef infostealer. Google Project Zero detailed a multi‑stage Pixel zero‑click chain, vendors disclosed DLL side‑loading and WSL abuse, and supply‑chain exposures and large reconnaissance sweeps were widely observed. Administrators should prioritize patching, plugin hygiene, and tightening automated support and supply‑chain controls.
read more →

CrashFix Fake Extension Delivers ModelRAT via Browser Crash

🚨 Security researchers have uncovered the CrashFix campaign, which uses a deceptive Chrome extension to intentionally crash browsers and trick victims into executing attacker-supplied commands. The malicious add-on, identified as NexShield-Advanced Web Protection and branded to resemble uBlock Origin Lite, remains dormant for about an hour before exhausting resources and forcing repeated crashes. On restart, users see a fake repair prompt instructing them to paste a command into the Windows Run dialog; executing it launches a multistage infection that ultimately deploys a previously undocumented Python-based remote access trojan named ModelRAT. Huntress ties the activity to a threat cluster it calls KongTuke and warns administrators to remove look-alike extensions, avoid running unsolicited fix commands, and use published IOCs to detect related activity.
read more →

Fake NexShield Extension Crashes Browsers for ClickFix

🛑 A malvertising campaign deployed a fake ad-blocker extension named NexShield that intentionally crashes Chrome and Edge to stage ClickFix attacks. Researchers at Huntress found the extension creates infinite chrome.runtime port loops that exhaust memory, freezing or crashing browsers. After restart, a deceptive pop-up instructs users to run a clipboard-pasted command that launches an obfuscated PowerShell chain. On domain-joined systems this delivers the Python-based ModeloRAT; home users receive a test payload.
read more →

TamperedChef malvertising drops trojanised PDFs globally

🔒 Sophos researchers warn that the TamperedChef malvertising campaign is delivering trojanised PDF manuals and fake downloads to organisations worldwide. Attackers use malicious adverts and promoted search results to trick users searching for technical manuals into installing an infostealer that harvests browser-stored credentials and contacts a C2 server. A second-stage payload, ManualFinderApp.exe, is a trojanised application that acts as both an infostealer and a persistent backdoor. The campaign employs delayed activation, staged payload delivery and code-signing abuse to evade detection; organisations should avoid clicking advert links and obtain software only from official vendor sites.
read more →

pkr_mtsi Loader Used in Malvertising to Deploy Payloads

🛡️ ReversingLabs has identified a versatile Windows packer, pkr_mtsi, used since April 2025 in large-scale malvertising and SEO-poisoning campaigns to deliver trojanized installers pretending to be utilities like PuTTY, Rufus and Microsoft Teams. The infections arise from fake download sites promoted via paid search ads rather than vendor compromise. The loader drops varied follow-on payloads (Oyster, Vidar, Vanguard Stealer, Supper), increasingly employs obfuscation and anti‑analysis techniques, and RL has released an expanded YARA rule to improve detection.
read more →

DarkSpectre Browser Extension Campaigns Hit Millions

🔍 Koi Security links three coordinated browser-extension campaigns — ShadyPanda, GhostPoster, and DarkSpectre — to a Chinese threat actor that collectively compromised millions of users across Chrome, Edge, Opera, and Firefox. The attacks combine affiliate-link hijacking, ad and click fraud, time-delayed logic bombs, and a targeted Zoom Stealer component that exfiltrates meeting links, credentials, and participant data. Many add-ons behaved legitimately for years before being weaponized via malicious updates.
read more →

Nomani Investment Scam Surges 62% Using AI Deepfake Ads

🔍 ESET says the Nomani investment scam rose 62% in 2025 as actors expanded beyond Facebook to platforms such as YouTube and deployed AI-generated deepfake video testimonials to lure victims. The firm blocked over 64,000 unique malicious URLs, with most detections in Czechia, Japan, Slovakia, Spain, and Poland. Attackers improved deepfake quality, shortened ad runs, used cloaking and native ad tools like forms to harvest credentials and payments, and even followed up with fake Europol/INTERPOL recovery schemes to extract more funds.
read more →

Google Ads Lead to ChatGPT/Grok Guides Installing AMOS

⚠️ Security researchers warn of a macOS infostealer campaign that uses Google search ads to push users toward publicly shared ChatGPT and Grok conversations containing malicious installation instructions. According to Kaspersky and Huntress, the ClickFix attack spoofs troubleshooting guides and decodes a base64 payload into a bash script that prompts for a password, then uses it to install the AMOS infostealer with root privileges. Users are urged not to execute commands copied from online chats and to verify safety first.
read more →

German fraud ring used fake celebrity ads for investments

🔍 Investigators say an alleged international fraud ring used fake celebrity advertising to market a purported 'secret financial product,' duping at least 120 people across Germany out of more than €1.3 million. Authorities carried out coordinated searches in Germany and Israel, focusing on Tel Aviv and Düsseldorf, and targeted publishers accused of running misleading campaigns. The scheme promoted AI-optimized investment strategies and automated crypto trading via large social-media campaigns and fake news sites, and victims were typically left with total loss of invested capital while seized evidence is analyzed.
read more →

Predator Spyware Uses Ad-Based Zero-Click Infection

📢 Researchers report that the Predator spyware operator Intellexa developed a zero-click delivery mechanism called Aladdin that can infect targets simply by serving a weaponized advertisement. The technique abuses commercial mobile advertising systems and Demand Side Platforms to force malicious ads to specific IPs and devices, with viewing alone triggering redirections to exploit servers. First deployed in 2024 and routed through shell companies across multiple countries, the campaign is corroborated by leaked Intellexa documents and technical analysis from Amnesty, Google, and Recorded Future. Analysts recommend blocking ads, hiding public IPs, and using platform protections, though leaked materials suggest operators can obtain subscriber IP/location data from local mobile operators.
read more →

Avast Makes AI-Driven Scam Defense Free for Users Worldwide

🛡️ Avast has integrated its new AI-powered Scam Guardian into Avast Free Antivirus, offering free, continuous protection against increasingly sophisticated, AI-enhanced scams worldwide. The feature analyzes website content, code, links, SMS and email context to flag deceptive intent and neutralize hidden threats. A premium Scam Guardian Pro in Avast Premium Security adds an Email Guard for contextual email scanning across devices. The rollout aims to democratize AI-based scam defense and give users clear, actionable guidance.
read more →

TamperedChef Malware Uses Fake Installers in Global Campaign

⚠️ Acronis Threat Research Unit (TRU) reports an ongoing global malvertising campaign, dubbed TamperedChef, that employs counterfeit installers masquerading as popular utilities and product manuals to deploy an information-stealer and obfuscated JavaScript backdoors. Operators use SEO poisoning, malicious ads, and abused code-signing certificates from shell companies in the U.S., Panama, and Malaysia to increase trust and evade detection. Installers drop an XML file to create a scheduled task that launches the JavaScript backdoor, which exfiltrates encrypted, Base64-encoded JSON over HTTPS. Infections concentrate in the U.S. and have also been observed in Israel, Spain, Germany, India, and Ireland, with healthcare, construction, and manufacturing among the most affected sectors.
read more →

Payroll Pirates Malvertising Hijacks Hundreds of Sites

🏴‍☠️ Since mid‑2023, researchers tracked a financially motivated malvertising network named Payroll Pirates that impersonated payroll portals to harvest credentials and facilitate fraud. The operation used sponsored ads to funnel more than 500,000 visitors to cloned login pages and targeted over 200 interfaces, including payroll systems, credit unions, and trading platforms across the U.S. Its tactics evolved with refined ad placement, credential-harvesting pages, and coordinated infrastructure to maximize theft and evade detection.
read more →

ClickFix attacks add multi-OS support, videos, timers

🔒 ClickFix campaigns have evolved to include embedded video tutorials, an automated OS detector, and a countdown timer to pressure victims into executing pasted commands. Researchers at Push Security observed fake Cloudflare CAPTCHA pages that auto-copy malicious commands to the clipboard and adapt instructions for Windows, macOS, or Linux. Attackers promote these pages via malvertising, SEO poisoning, and compromised sites, then deliver varying payloads such as MSHTA executables and PowerShell scripts. Users are strongly advised never to paste and run terminal commands from unknown web prompts.
read more →

Rhysida Ransomware Abuses Microsoft Code-Signing Trust

🔒Rhysida, a known enterprise-focused ransomware gang, is distributing malware via malvertising on Microsoft's Bing that redirects users to fake download pages for common tools such as Microsoft Teams, PuTTY, and Zoom. Victims who download receive an initial access trojan called OysterLoader, which establishes a persistent backdoor and is signed with Microsoft-like certificates to appear legitimate. The campaign pairs obfuscation/packing to lower static detection with trusted code signing to bypass allow-lists and AV. Experts urge behavior-based EDR, certificate pinning, DNS filtering, and tighter certificate oversight.
read more →

Rhysida Ransomware Uses Microsoft Signing to Evade Defenses

🛡️ Rhysida ransomware operators have shifted to malvertising and the abuse of Microsoft Trusted Signing certificates to slip malware past defenses. By buying Bing search ads that point to convincing fake download pages for Microsoft Teams, PuTTY and Zoom, they deliver initial access tools such as OysterLoader (formerly Broomstick/CleanUpLoader) and Latrodectus. Signed, packaged binaries evade static detection and often run without scrutiny on Windows endpoints.
read more →

Google Ads Promote Fake Homebrew, LogMeIn, TradingView Sites

🚨 Researchers uncovered a malvertising campaign that uses Google Ads to surface convincing fake Homebrew, LogMeIn, and TradingView download sites targeting macOS developers. The pages prompt victims to copy a curl command into Terminal, but the clipboard often contains a base64-encoded installer that decodes and runs an install.sh payload. That script removes quarantine flags, bypasses Gatekeeper, and delivers infostealers that check for analysis environments before executing. Operators deploy AMOS and Odyssey, which harvest browsers, wallets, and credentials; users are urged not to paste unknown commands into Terminal.
read more →

Email-bombing Abuse Exploits Lax Zendesk Authentication

📧 Cybercriminals abused a lack of authentication in the customer-service platform Zendesk to trigger mass ticket-creation notifications that appeared to come from hundreds of legitimate customer domains. KrebsOnSecurity received thousands of messages in rapid succession from brands including The Washington Post, Discord, NordVPN and more, with subjects ranging from alleged law-enforcement warnings to insults. Because some customers allow anonymous ticket creation and enable auto-responder triggers, replies and notifications were sent from those customers' domains, amplifying brand and inbox impact. Zendesk says it is investigating and recommends customers require verified ticket submission.
read more →

AI-aided malvertising: Chatbot prompt-injection scams

🔍 Cybercriminals have abused X's AI assistant Grok to amplify phishing links hidden in paid video posts, a tactic researchers have dubbed 'Grokking.' Attackers embed malicious URLs in video metadata and then prompt the bot to identify the video's source, causing it to repost the link from a trusted account. The technique bypasses ad platform link restrictions and can reach massive audiences, boosting SEO and domain reputation. Treat outputs from public AI tools as untrusted and verify links before clicking.
read more →