You do not have to click anything. You do not have to download a file. In a malvertising attack, simply loading a web page that displays a malicious advertisement can be enough to compromise your system. The malicious code is delivered through the same advertising infrastructure that serves billions of legitimate ads every day — and that infrastructure is extraordinarily difficult to police at scale.
Malvertising is not new, but it has grown significantly more sophisticated in 2024–2026, with campaigns targeting users of popular software brands through search engine advertising, a technique that bypasses browser exploit mitigations entirely by relying on user deception rather than technical vulnerabilities.
The Anatomy of a Malvertising Attack
Drive-By Downloads
The classic malvertising attack uses a drive-by download: an exploit embedded in an ad that runs automatically when the ad is rendered, targeting vulnerabilities in the browser, browser plugins (historically Flash and Java), or the operating system’s media parsing libraries.
The attack chain typically looks like this:
- Attacker creates an ad account with a legitimate ad network using a stolen or fake identity
- The ad creative appears benign — a banner for antivirus software, a deal on electronics
- The ad contains obfuscated JavaScript that fingerprints the visitor’s browser, OS, and installed plugins
- If the victim matches the target profile (specific browser version, OS, locale), the script redirects to an exploit kit landing page
- The exploit kit tries multiple exploits in sequence; a successful one silently installs malware
- The ad server and the ad network see only normal ad traffic
Modern browsers with sandboxing, automatic updates, and built-in exploit mitigations have made pure drive-by downloads less reliable than they were in the Flash era. Attackers have adapted.
Redirect Chains
Rather than executing code directly, many modern malvertising campaigns use multi-hop redirect chains to reach a malicious destination while obscuring the trail:
Legitimate news site
→ Ad network A (trusted)
→ Ad exchange B
→ Malicious intermediary domain
→ Exploit kit or phishing page
Each redirect happens in milliseconds, often in hidden iframes. The ad network’s click fraud detection sees normal traffic patterns. The news site’s security team sees no direct connection to malicious content. The full chain is only visible to an analyst who captures every network request.
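The drive-by chain above and the redirect chain it rides on are only visible once every request is captured. The following is an added example (not from the original article) that rebuilds redirect chains from a captured request list and flags hops that are neither the publisher nor a known ad-tech host; the domains, the allowlist and the capture format are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed capture of one page load, in the shape an analyst would export from
# a proxy or browser devtools: (url, status, Location header, initiator url).
# All domains are hypothetical placeholders.
CAPTURED = [
    ("https://news.example/article", 200, None, None),
    ("https://static.news.example/app.js", 200, None, "https://news.example/article"),
    ("https://ads.network-a.example/serve?slot=top", 302,
     "https://exchange-b.example/bid?id=77", "https://news.example/article"),
    ("https://exchange-b.example/bid?id=77", 302,
     "https://cdn-track.example/r", "https://ads.network-a.example/serve?slot=top"),
    ("https://cdn-track.example/r", 302,
     "https://landing-kit.example/index.php", "https://exchange-b.example/bid?id=77"),
    ("https://landing-kit.example/index.php", 200, None, "https://cdn-track.example/r"),
]

# Ad-tech hosts the publisher knowingly integrates (hypothetical allowlist).
KNOWN_AD_HOSTS = {"ads.network-a.example", "exchange-b.example"}

def host(url):
    return (urlparse(url).hostname or "").lower()

def redirect_chains(captured):
    """Rebuild every redirect chain by following 3xx Location headers."""
    location = {url: loc for url, status, loc, _ in captured if 300 <= status < 400 and loc}
    initiator = {url: init for url, _, _, init in captured}
    redirect_targets = set(location.values())
    chains = []
    for url in location:
        if url in redirect_targets:
            continue                      # not the head of a chain
        chain = [initiator[url]] if initiator.get(url) else []   # page that loaded the ad
        nxt = url
        while nxt and nxt not in chain:   # stop on redirect loops
            chain.append(nxt)
            nxt = location.get(nxt)
        chains.append(chain)
    return chains

def unexpected_hops(chain, known_hosts):
    """Hops that are neither the originating page nor a known ad-tech host."""
    origin = host(chain[0])
    return [u for u in chain if host(u) not in known_hosts and host(u) != origin]
```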
Search Engine Ad Hijacking (2024–2026 Trend)
The most prevalent malvertising technique in 2025 requires no browser exploits at all. Attackers purchase Google Ads or Bing Ads for searches like “download Notepad++”, “7-Zip download”, “VLC media player”, or “WinSCP”. Their ad appears above the legitimate search result.
The ad links to a typosquat domain — for example, notepad-plus-plus-download.com — which serves a convincing clone of the legitimate software site. The downloaded installer is real software bundled with an infostealer or RAT.
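As an added example (not part of the original article), here is a small classifier that checks an ad's landing URL against the official download domains of the vendors named above and flags lookalikes that embed a brand token or are a near-miss spelling of the real domain. The official domains are real; the brand-token lists, the similarity threshold and the simplified registrable-domain logic are my own choices for this example.

```python
import difflib
from urllib.parse import urlparse

# Official download domains for the vendors the article names, with brand tokens
# that a lookalike hostname is likely to embed. Domains are real; the token lists
# are an assumption made for this example.
OFFICIAL = {
    "notepad-plus-plus.org": ("notepad", "notepad-plus-plus"),
    "7-zip.org": ("7-zip", "7zip"),
    "videolan.org": ("vlc", "videolan"),
    "winscp.net": ("winscp",),
}

def registrable(hostname):
    """Simplified registrable domain: last two labels (enough for .org/.net/.com)."""
    parts = hostname.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def classify(url, official=OFFICIAL, threshold=0.6):
    """Return ('official'|'lookalike'|'unrelated', matched official domain or None)."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    if reg in official:
        return ("official", reg)
    for domain, tokens in official.items():
        # brand token embedded in the hostname, e.g. notepad-plus-plus-download.com
        if any(tok in host for tok in tokens):
            return ("lookalike", domain)
        # or a near-miss spelling of the official domain itself, e.g. wimscp.net
        if difflib.SequenceMatcher(None, reg, domain).ratio() >= threshold:
            return ("lookalike", domain)
    return ("unrelated", None)
```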
Real campaigns documented in 2024–2025:
- FakeBat (EugenLoader) campaign: Google Ads impersonating Notion, Zoom, and Slack drove users to trojanized installers delivering Lumma Stealer
- MadMxShell backdoor campaign: Ads impersonating IT tools (Advanced IP Scanner, Angry IP Scanner) delivered a novel backdoor via DLL sideloading — documented by Zscaler ThreatLabz in April 2024
- Atomic Stealer (macOS): Malvertising via Google Ads targeted macOS users searching for Slack, TradingView, and Arc Browser with .dmg files containing the Atomic infostealer
- NightOwl/DeerStealer: Campaigns impersonating Google Translate and Google Meet in mid-2024, spotted by Malwarebytes Threat Intelligence
How Ad Networks Get Abused
The ad ecosystem’s complexity is its greatest vulnerability. A major publisher’s page may involve:
| Layer | Examples |
|---|---|
| Publisher | CNN.com, news site |
| Ad server | DoubleClick, Xandr |
| Supply-Side Platform (SSP) | PubMatic, Magnite |
| Ad Exchange | Google Ad Exchange |
| Demand-Side Platform (DSP) | The Trade Desk |
| Advertiser | Attacker |
The attacker operates at the advertiser layer, purchasing inventory through an automated bidding system. Many of these relationships are programmatic — no human reviews every ad creative. Obfuscated JavaScript payloads in ad creatives are difficult to distinguish from legitimate analytics and tracking code.
Ad networks do have malware scanning. Attackers counter with:
- Cloaking: serving benign content to ad network scanners (which come from known IP ranges) and malicious content to regular users
- Time-bombing: the ad is benign for the first 48 hours until it passes review, then activates its malicious payload
- Geofencing: malicious payload only activates for specific countries, avoiding scanners in the US or UK
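All three evasions share one property: the creative does not serve the same content to everyone. An added example (not from the original article) of the differential check an ad-network scanner can run over creatives fetched from several vantage points; the observations, vantage labels and 48-hour review window are constructed for this example.

```python
from collections import defaultdict
from hashlib import sha256

# Constructed observations of ad creatives fetched from different vantage points
# (hypothetical data): (creative id, vantage, country, hours since submission, body).
# "scanner" = the ad network's review IP range, "user" = a residential connection.
OBS = [
    ("cr-1", "scanner", "US", 1,  "<img src=banner.png>"),
    ("cr-1", "user",    "US", 1,  "<img src=banner.png>"),
    ("cr-1", "user",    "US", 72, "<script>/* obfuscated */</script>"),
    ("cr-1", "user",    "DE", 72, "<script>/* obfuscated */</script>"),
    ("cr-2", "scanner", "US", 72, "<img src=a.png>"),
    ("cr-2", "user",    "US", 72, "<script>/* obfuscated */</script>"),
    ("cr-3", "user",    "US", 72, "<img src=b.png>"),
    ("cr-3", "user",    "BR", 72, "<script>/* obfuscated */</script>"),
]

def fingerprint(body):
    return sha256(body.encode()).hexdigest()[:16]

def evasion_flags(observations, review_window_h=48):
    """Flag creatives whose served content differs by vantage, time or country."""
    by_creative = defaultdict(list)
    for cid, vantage, country, hours, body in observations:
        after_review = hours > review_window_h
        by_creative[cid].append((vantage, country, after_review, fingerprint(body)))
    flags = defaultdict(set)
    for cid, rows in by_creative.items():
        for v1, c1, t1, f1 in rows:
            for v2, c2, t2, f2 in rows:
                if f1 == f2:
                    continue              # identical content, nothing to compare
                if v1 == "scanner" and v2 == "user" and c1 == c2 and t1 == t2:
                    flags[cid].add("cloaking")      # scanner and users see different content
                if v1 == v2 == "user" and c1 == c2 and not t1 and t2:
                    flags[cid].add("time-bombing")  # benign during review, changed afterwards
                if v1 == v2 == "user" and c1 != c2 and t1 == t2:
                    flags[cid].add("geofencing")    # same moment, differs by country
    return {cid: sorted(f) for cid, f in flags.items()}
```

A creative that serves identical bytes to every vantage point produces no flags, so the check is silent on honest advertisers.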
Browser Hardening Defenses
1. Use an ad blocker. This is the single most impactful defense. uBlock Origin (Firefox and Chromium browsers) blocks requests to known malvertising domains and ad networks entirely. The privacy and security benefit of blocking ads outweighs concerns about supporting publishers for most users. In 2025, Chrome’s Manifest V3 restrictions have reduced the effectiveness of some ad blockers in Chrome — Firefox remains the more capable platform for blocking.
2. Keep your browser and OS fully updated. Drive-by exploits target known vulnerabilities. Current browser versions have extensive mitigations (ASLR, sandboxing, JIT compiler hardening) that make exploitation significantly harder. Enable automatic updates.
3. Enable Enhanced Safe Browsing in Chrome / SmartScreen in Edge. These services check URLs against databases of known malicious sites. They do not catch zero-day campaigns but provide meaningful protection against known infrastructure.
4. Use DNS filtering. Services like Cloudflare 1.1.1.1 for Families or NextDNS block connections to known malicious domains at the DNS level, before any content loads. This works across all apps on your system, not just the browser.
5. Treat sponsored search results with suspicion. For software downloads, navigate directly to the official domain rather than clicking any search result — organic or sponsored. Bookmark software vendor pages you use regularly.
6. Enable script blocking for untrusted sites. uBlock Origin in medium or hard mode, or dedicated extensions like NoScript, prevent JavaScript from third-party domains from executing at all. This breaks some site functionality but essentially eliminates drive-by download risk.
7. Use a non-admin account for daily browsing. Even if a drive-by download succeeds, an exploit running in a limited user context faces significantly more barriers to system-wide compromise.
Malvertising represents the uncomfortable truth that the internet’s economic model — free content funded by advertising — creates an inherent security tension. Every ad loaded on a page is code from a third party you did not choose to trust. Until the ad ecosystem develops significantly stronger security controls, an ad blocker and a healthy skepticism toward sponsored search results are essential personal security hygiene.