All news with #malvertising tag

🔒 Cybersecurity researchers have disclosed a sophisticated malvertising campaign that leverages paid search ads and manipulated GitHub commit URLs to redirect victims to attacker-controlled infrastructure. The first-stage dropper is a bloated 128 MB MSI that evades many online sandboxes and employs a GPU-gated decryption routine dubbed GPUGate, which aborts on systems lacking a real GPU or proper drivers. The campaign uses a lookalike domain (gitpage[.]app) and a VBScript-to-PowerShell chain that gains admin privileges, adds Microsoft Defender exclusions, establishes persistence, and stages secondary payloads for data theft.

🔍 Cybersecurity researchers have flagged a technique dubbed Grokking that attackers use to bypass X's promoted-ads restrictions by abusing the platform AI assistant Grok. Malvertisers embed a hidden link in a video's "From:" metadata on promoted video-card posts and then tag Grok in replies asking for the video's source, prompting the assistant to display the link publicly. The revealed URLs route through a Traffic Distribution System to drive users to fake CAPTCHA scams, malware, and deceptive monetization networks. Guardio Labs observed hundreds of accounts posting at scale before suspension.

🔍 Threat actors used Google ads to promote a fraudulent AppSuite PDF Editor that silently delivered the TamperedChef infostealer. Multiple domains hosted signed installers with revoked certificates; the malicious payload was activated after a delay and is launched with the "-fullupdate" argument, checking for security agents and extracting browser secrets via DPAPI. Operators also pushed related apps such as OneStart, ManualFinder and Epibrowser, and in some cases converted hosts into residential proxies; Truesec and Expel published IoCs for detection.

🛡️ Cybersecurity researchers report a malvertising campaign that lures users to counterfeit sites offering a trojanized PDF installer for AppSuite PDF Editor, which drops an information stealer named TamperedChef. The installer presents a license prompt while covertly downloading the editor, setting persistence via Windows Registry autorun entries and scheduled tasks that pass --cm arguments. Analysts at Truesec and G DATA found the backdoor harvests credentials and cookies and can download additional payloads.

🔒 CrowdStrike disrupted a malvertising campaign that redirected users to counterfeit macOS help pages and urged them to run a malicious one-line installation command. Observed between June and August 2025, the operation sought to deliver the SHAMOS variant of the Atomic macOS Stealer (AMOS), a Mach-O binary distributed by MaaS operator Cookie Spider. The installer decoded a Base64 string, executed a Bash script that captured credentials and fetched the payload from icloudservers[.]com.

🔍 Cisco Talos describes a widespread malvertising campaign delivering a modular malware framework called PS1Bot. The multi-stage operation uses in-memory PowerShell and C# components to steal browser credentials, target cryptocurrency wallets, capture screenshots and keylogs, and maintain persistent access through modular updates. Active and evolving through 2025, PS1Bot minimizes its footprint to evade detection. Talos urges caution when downloading files, keeping security software current, and using dedicated password managers instead of browser-stored credentials.

🔍 Cisco Talos reports an active malvertising campaign delivering a multi-stage PowerShell/C# malware framework dubbed PS1Bot. The modular framework executes modules in-memory to minimize artifacts and supports information theft, keylogging, screenshot capture and cryptocurrency wallet exfiltration. Delivery begins with SEO-poisoning archives containing a downloader that writes a polling PowerShell script to C:\ProgramData and executes received code with Invoke-Expression.

🔍 Fraudsters are promoting hundreds of polished fake gaming sites across Discord and other social platforms, falsely claiming partnerships with influencers and offering a $2,500 'promo code' to lure users. Visitors create free accounts to play sleek casino-style games (for example gamblerbeast[.]com's B-Ball Blitz), but cashouts are blocked and victims are prompted for a cryptocurrency 'verification deposit' and repeated payments. Investigators, including a Discord researcher and the threat-hunting firm Silent Push, linked a shared chat API key to at least 1,270 active domains and found centralized wallets, AI-assisted support, and network-wide tracking that make these scaled scams efficient and hard to report.