malvertising

Winsage
May 20, 2026
Bitdefender's research highlights the use of Microsoft's MSHTA utility in malware attacks, noting that it is enabled by default on Windows systems. Cybercriminals exploit MSHTA to execute malicious scripts under the guise of legitimate processes, linking it to various malware families like LummaStealer and PurpleFox. The study reports a rise in MSHTA-related detections, indicating a shift towards "living-off-the-land" tactics that use legitimate tools to evade security alerts. Social engineering is identified as a common entry point for attacks, employing deceptive methods such as fake software downloads and phishing links. MSHTA can retrieve and execute additional payloads through multi-stage chains, complicating detection efforts. The attacks target sensitive information, including credentials and financial data, and the continued presence of MSHTA poses risks because it allows threat actors to conceal malicious actions behind a trusted binary. To mitigate these threats, organizations are advised to restrict or disable legacy scripting tools and exercise caution with untrusted downloads. The report emphasizes the challenge of detecting unusual behavior associated with legitimate utilities in the context of cyber threats.
AppWizard
May 20, 2026
Cybersecurity researchers have identified an ad fraud and malvertising operation called Trapdoor, targeting Android users with 455 malicious applications and 183 command-and-control domains. Users often download these disguised apps, which initiate malvertising campaigns and lead to further downloads of malicious applications. At its peak, Trapdoor generated 659 million bid requests daily, with over 24 million downloads of the associated apps, primarily from the United States. The operation exploits install attribution tools to activate malicious activities only for users acquired through fraudulent ad campaigns, while suppressing such behavior for organic downloads. Trapdoor employs advanced evasion techniques, including obfuscation and impersonation of legitimate software, to avoid detection. Google has removed the identified malicious apps from the Play Store in response to the threat.
Tech Optimizer
March 24, 2026
Cybercriminals are targeting taxpayers with phishing schemes and malware attacks as the April 15 tax deadline approaches. They create fake tax form websites that appear in Google Ads, leading users to download malicious software like ScreenConnect, which can disable device security. These tactics aim to steal sensitive information and potentially facilitate ransomware attacks. Counterfeit Chrome updates are also being used in similar schemes. Taxpayers are advised to verify the authenticity of websites and rely on trusted sources to protect their personal information.
Winsage
November 25, 2025
Cybersecurity experts have identified a new campaign that combines ClickFix tactics with counterfeit adult websites to trick users into executing harmful commands under the guise of a "critical" Windows security update. This campaign uses fake adult sites, including clones of popular platforms, as phishing mechanisms, increasing psychological pressure on victims. ClickFix-style attacks have risen significantly, accounting for 47% of all attacks, according to Microsoft data. The campaign features convincing fake Windows update screens that take over the user's screen and instruct them to execute commands that initiate malware infections. The attack begins when users are redirected to a fake adult site, where they encounter an "urgent security update." The counterfeit Windows Update screen is created using HTML and JavaScript, and it attempts to prevent users from escaping the alert. The initial command executed is an MSHTA payload that retrieves a PowerShell script from a remote server, which is designed to deliver multiple payloads, including various types of malware. The downloaded PowerShell script employs obfuscation techniques and seeks to elevate privileges, potentially allowing attackers to deploy remote access trojans (RATs) that connect to command-and-control servers. The campaign has been linked to other malware execution chains that also utilize ClickFix lures. Security researchers recommend enhancing defenses through employee training and disabling the Windows Run box to mitigate risks associated with these attacks.
Winsage
November 14, 2025
A t-shirt states, "It gets worse before it gets worse," reflecting the current situation for Microsoft users facing a zero-day vulnerability in Windows. Cybersecurity researchers report a resurgence of DanaBot, a trojan previously thought diminished after Operation Endgame, which resulted in the arrest of 16 individuals and the seizure of millions in stolen cryptocurrency. DanaBot is now operating under version 669, utilizing a new infrastructure and employing malicious emails and malvertising campaigns for attacks. Experts advise Microsoft Windows users to enhance security measures with advanced monitoring and detection systems while remaining vigilant against phishing and malvertising threats.
Tech Optimizer
October 31, 2025
PC Matic features a whitelisting security model and robust protection against fileless malware, which embeds in legitimate programs to evade detection. It offers various scanning options: full scan, quick scan, selective scan, and scheduled scans, with competitive scan durations. The software is compatible with multiple operating systems, including Windows, Mac, iOS, and Android, although the free version is limited to Windows. Automated updates monitor and install updates for all applications and drivers to enhance security. PC Matic includes a VPN service with AES-256 encryption and a no-logs policy, supporting up to 10 devices. Dark web monitoring alerts users to potential identity theft by scanning for personally identifiable information. It features ad blocking to filter intrusive ads and includes optimization tools like registry cleaning, junk file removal, and performance benchmarks, though these tools are only available for Windows devices.
AppWizard
September 1, 2025
Recent research indicates a shift in the Android malware ecosystem, with dropper apps now being used to distribute simpler malware like SMS stealers and basic spyware, particularly in regions such as India and Asia. This change is attributed to enhanced security measures by Google, which aim to prevent the sideloading of harmful applications that request sensitive permissions. Attackers are adapting by designing droppers that avoid high-risk permissions and present users with innocuous update screens to bypass security scans. Notable dropper apps identified include RewardDropMiner, which has been linked to spyware and a Monero miner, and other variants like SecuriDropper and Zombinder. Google has stated that it has not found any applications using these techniques in the Play Store and continues to enhance its security measures. Additionally, Bitdefender Labs has warned of a campaign using malicious ads on Facebook to promote a fake premium version of the TradingView app, which deploys the Brokewell banking trojan to extract sensitive information from users' devices.