Cybersecurity experts have exposed a major malvertising campaign called DeceptionAds, which delivers over 1 million ad impressions daily. This campaign targets thousands of victims each day, using more than 3,000 websites to spread malicious content.
The attack relies on a single ad network to redirect users from pirated content sites to fake CAPTCHA pages. These pages trick users into running Base64-encoded PowerShell commands, which install information-stealing malware like Lumma. Multiple threat groups now use this technique to deliver trojans, stealers, and post-exploitation tools such as Brute Ratel C4.
Attackers use ad management platforms to hide their intent. By submitting safe-looking URLs, they bypass moderation and redirect users to harmful CAPTCHA pages hosted on cloud services. Although platforms have removed hundreds of malicious accounts, attackers continue their activities. New instances of this campaign appeared in December 2024.
This campaign reveals how attackers abuse legitimate ad networks for malicious purposes. They exploit clickbait sites and use advanced cloaking techniques to evade detection. The lack of responsibility among ad networks, publishers, and hosting providers complicates prevention.
Collaborative efforts between ad networks, hosting providers, and cybersecurity teams are essential to combat such threats. By sharing threat intelligence and enforcing stricter content moderation policies, these platforms can make it harder for attackers to misuse their services. Additionally, raising user awareness about safe browsing practices can further reduce the impact of such campaigns.
To defend against campaigns like DeceptionAds, avoid visiting untrustworthy websites, especially those offering pirated content. Always verify CAPTCHA requests and never execute unknown commands, even if they appear legitimate. Organizations should strengthen ad network moderation processes and implement robust account verification to reduce malicious activity. Keeping your software updated and enabling anti-malware tools can further help protect against these attacks.
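The Base64-encoded PowerShell commands these fake CAPTCHA pages rely on leave a recognizable trace in process-creation logs. The following is an added example, not code from the original report: a Python check that finds encoded-command invocations and decodes them for triage. The host names, sample events, and function names are constructed for illustration.

```python
import base64
import re

# "<flag> <base64-looking argument>" anywhere on a command line.
_FLAG_ARG = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+['\"]?([A-Za-z0-9+/]{8,}={0,2})")
_POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)

def is_encoded_flag(flag):
    """True for prefixes of -EncodedCommand (-e, -enc, ...) and the alias -ec."""
    f = flag.lower()
    return f == "ec" or "encodedcommand".startswith(f)

def decode_encoded_command(cmdline):
    """Return the decoded script, "" if undecodable, or None if not applicable."""
    if not _POWERSHELL.search(cmdline):
        return None
    for flag, blob in _FLAG_ARG.findall(cmdline):
        if is_encoded_flag(flag):
            try:
                # -EncodedCommand takes Base64 over UTF-16LE text.
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except ValueError:  # bad Base64 or bad UTF-16; still report the event
                return ""
    return None

def scan(events):
    """(host, command_line) pairs -> [(host, decoded_script)] for encoded runs."""
    decoded = ((host, decode_encoded_command(cmd)) for host, cmd in events)
    return [(host, script) for host, script in decoded if script is not None]

def encode_sample(script):
    """Build a constructed sample in the encoding PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (hypothetical hosts, harmless payloads).
SAMPLE_EVENTS = [
    ("ws-01", "powershell.exe -NoProfile -WindowStyle Hidden -enc "
              + encode_sample("Write-Output 'constructed sample'")),
    ("ws-02", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ("ws-03", "pwsh -e " + encode_sample("Get-Date")),
    ("ws-04", "notepad.exe report.txt"),
]

if __name__ == "__main__":
    for host, script in scan(SAMPLE_EVENTS):
        print(f"{host}: encoded PowerShell -> {script!r}")
```

Encoded commands also appear in legitimate administration, so treat a hit as a lead for review of the decoded script rather than a verdict.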