malvertising
-
Trapdoor Android ad fraud scheme hit millions of devices, researchers say
Researchers said Trapdoor used Android utility apps, hidden WebViews and HTML5 cashout domains to drive ad fraud at scale. Google removed the identified apps after disclosure, and the campaign had reached millions of downloads.
-
Microsoft warns Python-based infostealers are targeting macOS via malvertising and fake installers
Microsoft warned in a technical analysis that Python-based infostealers have expanded to macOS since late 2025. Campaigns use malvertising, fake DMG installers, and fileless techniques to steal credentials and iCloud Keychain data.
-
Recorded Future identifies four threat clusters using CastleLoader
Recorded Future’s Insikt Group identified four clusters using the CastleLoader malware loader, assigned the operator the name GrayBravo, and detailed distinct tactics, payloads and a multi-tiered infrastructure while noting the loader’s proliferation among other threat actors.
-
Calendly-themed phishing campaign spoofs top brands to hijack ad manager accounts
Security researchers found a targeted phishing campaign using fake Calendly invites and brand impersonation to steal Google Workspace and Facebook business credentials and seize advertising manager accounts for malvertising and other attacks.
-
Acronis warns of ongoing ‘TamperedChef’ malvertising campaign using signed fake installers
Acronis Threat Research Unit says operators are using signed counterfeit installers in a global malvertising campaign dubbed TamperedChef to deploy a JavaScript backdoor, with infections concentrated in the U.S. and several industries affected; some variants have been used for advertising fraud while broader motives remain unclear.
-
Fake Microsoft Teams installers promoted in search ads deliver Oyster backdoor, researchers say
Search ads and SEO poisoning have been used to promote fake Microsoft Teams installers that deliver the Oyster backdoor to Windows machines, researchers said; the trojanized installer drops a DLL and creates a scheduled task for persistence.
-
Vane Viper identified as a major malvertising operator, DNS-driven adtech network linked to trillions of queries
A deep-dive by Infoblox, with Guardio and Confiant, accuses the threat actor Vane Viper of running a vast malvertising and adtech operation that generated about 1 trillion DNS queries across thousands of compromised sites. The network leverages push notifications and service workers to stay persistent, links to major adtech players like PropellerAds, and has expanded…
-
Mac ad campaign impersonating brands pushes macOS credential stealer, LastPass warns
Security researchers warn of a malvertising campaign that uses search ads to impersonate LastPass and other services, delivering the Atomic Stealer/Amos Stealer on macOS via fraudulent GitHub pages; LastPass says takedowns are underway and IoCs are shared.
-
Two campaigns push fake Meta Verified extensions to steal Facebook data, researchers say
Cybersecurity researchers uncovered two malvertising campaigns distributing fake Meta Verified browser extensions and rogue Chrome tools aimed at Meta advertisers, stealing Facebook cookies and account data with the goal of selling compromised assets and fueling further malvertising.
-
TamperedChef information stealer emerges in malvertising campaign promoting AppSuite PDF Editor
Cybersecurity researchers have identified a malvertising campaign delivering a backdoored PDF editor, AppSuite PDF Editor, that drops a new information stealer dubbed TamperedChef. The operation leverages Windows Registry persistence, a C2-enabled backdoor, and widespread Google ad campaigns to maximize downloads.
