malvertising Archives

Tech Optimizer

December 12, 2025

The digital impersonators: How cybercriminals hijack your brand to launch malvertising attacks

Brand trust is highly valued by consumers, leading cybercriminals to exploit it through malvertising, which embeds malicious code in legitimate ads. Malvertising can redirect users to phishing sites or download malware. Cybercriminals create fake ads that mimic trusted brands, targeting high-traffic moments and using real-time bidding to distribute these ads on reputable sites. The process involves setting up fake accounts, creating convincing ads, purchasing ad space, and delivering malware through exploit kits. The consequences include identity theft and financial loss for consumers, and reputational damage for brands. To protect against these threats, organizations should implement regular software updates, continuous employee training, protective tools, and consider partnering with managed service providers for enhanced security measures.

Winsage

November 25, 2025

JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.

Winsage

November 14, 2025

All Microsoft Windows Users Warned As New Bot Attacks Confirmed

A t-shirt states, "It gets worse before it gets worse," reflecting the current situation for Microsoft users facing a zero-day vulnerability in Windows. Cybersecurity researchers report a resurgence of DanaBot, a trojan previously thought diminished after Operation Endgame, which resulted in the arrest of 16 individuals and the seizure of millions in stolen cryptocurrency. DanaBot is now operating under version 669, utilizing a new infrastructure and employing malicious emails and malvertising campaigns for attacks. Experts advise Microsoft Windows users to enhance security measures with advanced monitoring and detection systems while remaining vigilant against phishing and malvertising threats.

Tech Optimizer

October 31, 2025

PC Matic Pricing and Review 2025

PC Matic features a whitelisting security model and robust protection against fileless malware, which embeds in legitimate programs to evade detection. It offers various scanning options: full scan, quick scan, selective scan, and scheduled scans, with competitive scan durations. The software is compatible with multiple operating systems, including Windows, Mac, iOS, and Android, although the free version is limited to Windows. Automated updates monitor and install updates for all applications and drivers to enhance security. PC Matic includes a VPN service with AES-256 encryption and a no-logs policy, supporting up to 10 devices. Dark web monitoring alerts users to potential identity theft by scanning for personally identifiable information. It features ad blocking to filter intrusive ads and includes optimization tools like registry cleaning, junk file removal, and performance benchmarks, though these tools are only available for Windows devices.

Tech Optimizer

September 12, 2025

Shamos malware tricks Mac users with fake fixes

A new malware campaign targeting Mac users has been identified, featuring a variant called Shamos, part of the Atomic macOS Stealer (AMOS) family, created by the cybercriminal group COOKIE SPIDER. The malware spreads through deceptive tactics that lure victims to counterfeit websites or GitHub repositories, where they are tricked into executing a command in Terminal that downloads Shamos, bypassing macOS Gatekeeper protections. Once installed, Shamos seeks sensitive information such as Apple Notes, Keychain items, browser passwords, and cryptocurrency wallets, sending the stolen data to attackers along with additional malware. The fraudulent distribution of these "fixes" is facilitated through malvertising campaigns and imitation tech support sites. Victims are encouraged to execute commands that download malicious scripts, which can capture passwords and disable file protections, allowing Shamos to maintain control even after system restarts. To protect against Shamos, users are advised to avoid running unfamiliar commands, steer clear of sponsored search results, be cautious with GitHub projects, use strong antivirus protection, consider personal data removal services, and keep macOS updated to close vulnerabilities.

AppWizard

September 2, 2025

Crooks exploit Meta malvertising to target Android users with Brokewell

Cybercriminals are using Meta's advertising platform to spread the Brokewell malware, targeting Android users through deceptive promotions, particularly fake TradingView Premium ads since July 2024. Over 75 counterfeit ads have been identified, leading users to download a trojanized .apk file from cloned websites. Once installed, the app requests accessibility permissions and disguises itself with fake update notifications, ultimately deploying Brokewell, a spyware and Remote Access Trojan (RAT) that conducts extensive surveillance and data theft, primarily targeting users in the European Union. Brokewell employs obfuscation techniques and native libraries to hide its code, featuring a JSON configuration for overlaying legitimate applications and a decrypted .dex file for its main payload. It communicates with command and control servers via Tor and WebSocket, enabling various espionage activities, including crypto theft, 2FA bypass, account takeover, surveillance, SMS interception, and remote control of the device. Experts recommend that users only install apps from official app stores, avoid suspicious ads, verify URLs before downloading software, and review app permissions carefully. The risks associated with compromised devices are significant, especially as mobile banking and cryptocurrency wallets become more common.

AppWizard

September 1, 2025

Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans

Recent research indicates a shift in the Android malware ecosystem, with dropper apps now being used to distribute simpler malware like SMS stealers and basic spyware, particularly in regions such as India and Asia. This change is attributed to enhanced security measures by Google, which aim to prevent the sideloading of harmful applications that request sensitive permissions. Attackers are adapting by designing droppers that avoid high-risk permissions and present users with innocuous update screens to bypass security scans. Notable dropper apps identified include RewardDropMiner, which has been linked to spyware and a Monero miner, and other variants like SecuriDropper and Zombinder. Google has stated that it has not found any applications using these techniques in the Play Store and continues to enhance its security measures. Additionally, Bitdefender Labs has warned of a campaign using malicious ads on Facebook to promote a fake premium version of the TradingView app, which deploys the Brokewell banking trojan to extract sensitive information from users' devices.

AppWizard

August 30, 2025

Threat Actors Use Facebook Ads to Deliver Android Malware

Cybercriminals are increasingly targeting mobile devices with a sophisticated Android banking trojan disguised as a free TradingView Premium app, as reported by Bitdefender Labs. Since July 22, 2025, at least 75 Facebook ads have promoted this fake application, reaching tens of thousands of users in the European Union by August 22. The ads use official TradingView branding and redirect desktop users to benign content while leading mobile users to a cloned website to download an infected APK file. The trojan, which is an evolved version of the Brokewell spyware, requests extensive permissions under the guise of a fake update and can perform various malicious activities, including crypto theft, 2FA bypass, account takeover, surveillance, SMS interception, and remote control. The application employs obfuscation techniques and communicates via Tor and secure WebSocket channels. This campaign is part of a broader malvertising operation that previously targeted desktop users and is localized in multiple languages. Bitdefender Mobile Security identifies the dropper as Android.Trojan.Dropper.AVV and the payload as Android.Trojan.Banker.AVM. Users are advised to only install apps from official stores, scrutinize ads, review app permissions, and use trusted security solutions to mitigate risks.

Tech Optimizer

August 30, 2025

New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks

Cybersecurity experts have identified a new malware framework called PS1Bot, which features a modular architecture allowing it to perform various malicious actions, including information theft, keylogging, reconnaissance, and establishing persistent access. PS1Bot employs stealth techniques, such as in-memory execution, to minimize its digital footprint and complicate forensic investigations. Active since early 2025, it uses malvertising as a primary infection vector, delivering a compressed archive containing a JavaScript payload that downloads and executes a PowerShell script. This script connects to a command-and-control server to retrieve additional commands and can perform actions like antivirus detection, screen capture, data extraction from cryptocurrency wallets, and maintaining persistence on the infected system. The information stealer module is particularly concerning due to its ability to locate sensitive files related to cryptocurrency. PS1Bot shares technical similarities with AHK Bot and is linked to previous ransomware campaigns using Skitnet. In response to these threats, Google has implemented advanced AI systems to combat invalid traffic, achieving a 40% reduction in deceptive ad practices.

AppWizard

August 29, 2025

Threat Actors Weaponizing Facebook Ads with Free TradingView Premium App Lures That Delivers Android Malware

Cybersecurity researchers have identified a sophisticated malvertising campaign targeting Android users on Meta’s Facebook platform, promoting a fake TradingView Premium application through deceptive ads. Clicking these ads leads users to download a malicious APK that installs a crypto-stealing trojan, which exploits accessibility features to harvest user credentials and bypass two-factor authentication. The campaign, discovered on July 22, 2025, has spread across Europe, utilizing cloned webpages and localized messages in multiple languages to enhance credibility. The malware employs a multi-stage infection process, dynamically loading its payload to evade detection and maintaining persistence by re-enabling accessibility services and hiding its icon. By August 22, at least 75 unique ads had been identified, reaching tens of thousands of users in the EU.