
Malvertising emerges as growing access point for cybercriminals

Written by:

Farid Mustafayev, Software Developer – Windows Services

Malvertising: How malicious ads are compromising security

Malicious online ads, or malvertising, have become one of the easiest ways for cybercriminals to break into systems, no hacking required. By exploiting legitimate advertising networks, attackers can deliver malware to unsuspecting users, often without any direct interaction.

Microsoft Threat Intelligence uncovered a large-scale malvertising campaign in 2025 that compromised nearly one million devices globally. The attackers used malicious advertisements to redirect users from illegal streaming sites to GitHub-hosted malware, demonstrating how malvertising can exploit trusted platforms to deliver malicious payloads without direct user interaction.

What is malvertising?

Malvertising (malicious advertising) is a cyberattack technique where attackers use online ads to distribute malware or redirect users to malicious websites. Instead of hacking a site directly, attackers inject or purchase ads through legitimate networks, meaning they can appear on trusted websites.

While many of these attacks are aimed at consumers, the consequences often spill into corporate environments.

Employees may encounter malicious ads while using work devices for personal browsing or while performing work-related duties. Once malware reaches a company endpoint, it can hijack browser sessions, steal credentials, or deploy payloads that move laterally through the network.

For businesses, the entry point may look like a harmless ad—but the fallout can be anything but.

How malvertising works

Malvertising embeds malicious code in online advertisements, which are then distributed through legitimate ad networks. These ads may appear on trusted, high-traffic websites, giving them the appearance of legitimacy.

Once loaded, the ad may silently redirect the user to a malicious site or initiate code execution in the browser. In some cases, no click is necessary—malware is delivered based solely on how the ad loads and fingerprints the user’s device.

Malvertising techniques used in recent campaigns

Recent campaigns show how threat actors continue to refine their methods, and how damaging the results can be, not just for consumers but for businesses.

Fake game cheat software

In March 2026, ThreatLocker Threat Intelligence observed a malware campaign called Powercat that delivers malware disguised as cheat software for popular PC games. The campaign originates from a domain previously flagged for staging malicious binaries. Users who run the download unknowingly trigger a multi-stage infection chain that deploys an infostealer targeting crypto wallets, Discord accounts, and browser activity.

Fake AI video generators

In May 2025, Mandiant reported that a threat group tracked as UNC6032 launched a malvertising campaign impersonating popular AI video tools like Luma AI and Canva Dream Lab. The attackers created counterfeit websites promoted through Facebook and LinkedIn ads, enticing users to download malware disguised as AI-powered video editors. These malicious downloads deployed Python-based infostealers and backdoors, compromising users' systems and exfiltrating sensitive data.  

Hijacked social accounts

At the beginning of 2025, Check Point Research reported that cybercriminals hijacked verified Facebook pages, rebranded them as AI photo apps like Kling AI, a popular AI-powered image and video synthesis tool, and ran paid ad campaigns that lured users to malware downloads disguised as image editors.

Fake software installers

In 2024, attackers placed malicious ads posing as downloads for popular tools like WinSCP, PuTTY, and OBS Studio. Victims who clicked were led to counterfeit sites that served ransomware or info-stealers such as RedLine and IcedID.

The brands cybercriminals hid behind in these attacks (Meta, Luma AI, Canva Dream Lab, Kling AI, WinSCP, PuTTY, and OBS Studio) were not directly compromised, but the fallout still affects them.

When attackers use brand names to distribute malware, it can erode public trust, damage reputations, and burden legitimate developers with support issues and misinformation. Platforms like Google, Facebook, and LinkedIn may also face criticism for enabling malicious ads that appear alongside or even above legitimate listings.  

As these campaigns become more sophisticated, the reputational and financial risks extend well beyond individual victims to the brands being impersonated, and the platforms that unknowingly help deliver the bait.

Why traditional defenses fail against malvertising

Common endpoint security tools often miss these attacks due to how they operate. Many malvertising payloads are fileless, running in memory using PowerShell or JavaScript, and evading antivirus software that only scans files at rest.

Other failures include:

  • DNS filters that allow traffic from trusted services like Firebase or Cloudflare
  • MFA bypass via session hijacking—no login is triggered, so no secondary challenge is presented
  • Ad platform review systems that fail to detect redirect swaps after campaign approval

How to strengthen endpoint defense against malvertising

The best approach is a proactive, execution-focused defense model that stops malvertising payloads at the endpoint, at the moment they try to run.

For organizations, the real risk isn’t just that employees might click on a bad ad. It’s that a single lapse in execution control can open the door to credential theft, ransomware, or network compromise. Malvertising bypasses perimeter defenses by preying on human behavior and abusing trusted infrastructure, leaving endpoint security as the last, and most critical, line of defense.

Implementing a default-deny posture at the endpoint level ensures that even if users are exposed to malicious ads, payloads can’t run, privileges can’t escalate, and lateral movement is stopped in its tracks.  

In today’s threat landscape, businesses can no longer afford to rely on reactive tools alone. Proactive, policy-driven controls are essential to shutting down threats before they ever gain a foothold.

Key tactics include:

  • Ringfencing and script control to limit what apps and scripts can do or access
  • PowerShell restrictions to prevent clipboard-executed attacks like ClickFix
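As an added illustration for the three controls listed above, and for the earlier point that file-scanning antivirus misses fileless PowerShell payloads, the following Python models a default-deny execution policy with ringfencing and PowerShell restrictions. It is constructed for this article and is not ThreatLocker's engine or code from the original post. It judges process launches rather than files at rest, so an in-memory PowerShell payload is caught by the same rule as an unsigned installer. Every path, signer name, hash, and the "ExampleAgent" management parent is an assumption, and the launch events are constructed sample data.

```python
"""Toy default-deny execution policy with ringfencing and PowerShell rules.

Added illustration only: NOT ThreatLocker's engine. Models the three
controls the article names (default deny, ringfencing, PowerShell
restrictions). All paths, signers, hashes and events are constructed.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass
class LaunchEvent:
    image: str          # path of the executable being launched
    parent: str         # path of the process that launched it
    cmdline: str        # full command line of the new process
    signer: str = ""    # Authenticode publisher, "" if unsigned
    sha256: str = ""    # hash of the file on disk, "" if unknown


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; compare them in one canonical form.
    return path.replace("/", "\\").lower()


# Allowlist: an image runs only if its signer OR its hash is approved.
ALLOWED_SIGNERS = {"microsoft windows", "microsoft corporation"}
# Hypothetical in-house tool approved by hash (constructed value, not a real binary).
INTERNAL_TOOL_HASH = hashlib.sha256(b"constructed-internal-tool-bytes").hexdigest()
ALLOWED_HASHES = {INTERNAL_TOOL_HASH}

POWERSHELL_IMAGES = {
    _norm(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    _norm(r"C:\Program Files\PowerShell\7\pwsh.exe"),
}
# Only this (hypothetical) management agent may start PowerShell at all.
POWERSHELL_PARENTS = {_norm(r"C:\Program Files\ExampleAgent\agent.exe")}
# -e / -ec / -enc / -encodedcommand: the abbreviated flags PowerShell accepts.
ENCODED_CMD = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")

# Ringfencing: for a fenced parent, the only children it may spawn.
RINGFENCE = {
    _norm(r"C:\Program Files\Mozilla Firefox\firefox.exe"): set(),  # browser spawns nothing
    _norm(r"C:\Windows\explorer.exe"): {
        _norm(r"C:\Windows\System32\notepad.exe"),
        _norm(r"C:\Program Files\ExampleAgent\agent.exe"),
    },
}


def evaluate(ev: LaunchEvent) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). Anything not explicitly allowed is denied."""
    image, parent = _norm(ev.image), _norm(ev.parent)

    # 1. Default deny: an unknown binary never runs, wherever it was downloaded from.
    if ev.signer.lower() not in ALLOWED_SIGNERS and ev.sha256 not in ALLOWED_HASHES:
        return "deny", "not on allowlist"

    # 2. PowerShell restrictions: no encoded commands, and approved parents only.
    #    This decision is made on the launch, so a fileless payload has no file to scan.
    if image in POWERSHELL_IMAGES:
        if ENCODED_CMD.search(ev.cmdline):
            return "deny", "powershell: encoded command blocked"
        if parent not in POWERSHELL_PARENTS:
            return "deny", f"powershell: parent {ev.parent} not approved"

    # 3. Ringfencing: a fenced parent may only launch the children in its fence.
    if parent in RINGFENCE and image not in RINGFENCE[parent]:
        return "deny", f"ringfence: {ev.parent} may not launch {ev.image}"

    return "allow", "permitted"


# Constructed sample launch events (not real telemetry).
SAMPLE_EVENTS = [
    # Fake installer fetched from an ad-linked download page: unsigned, hash unknown.
    LaunchEvent(r"C:\Users\alice\Downloads\OBS-Studio-Setup.exe",
                r"C:\Program Files\Mozilla Firefox\firefox.exe",
                r'"C:\Users\alice\Downloads\OBS-Studio-Setup.exe"'),
    # Clipboard-pasted command run from the Run dialog (explorer.exe is the parent).
    LaunchEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                r"C:\Windows\explorer.exe",
                "powershell -w hidden -enc QQBCAEMA", signer="Microsoft Windows"),
    # Ordinary signed application the user opened from the desktop.
    LaunchEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                "notepad.exe", signer="Microsoft Windows"),
    # Approved management agent running a plain, file-based maintenance script.
    LaunchEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
                r"C:\Program Files\ExampleAgent\agent.exe",
                r'pwsh -File "C:\Program Files\ExampleAgent\cleanup.ps1"',
                signer="Microsoft Corporation"),
    # In-house tool approved by hash rather than signer, launched by the agent.
    LaunchEvent(r"C:\Program Files\ExampleAgent\inventory.exe",
                r"C:\Program Files\ExampleAgent\agent.exe",
                "inventory.exe --scan", sha256=INTERNAL_TOOL_HASH),
]


def decisions(events=SAMPLE_EVENTS) -> list[str]:
    """Verdict for each event, in order; the sample yields deny, deny, allow, allow, allow."""
    return [evaluate(e)[0] for e in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, why = evaluate(ev)
        print(f"{verdict:5} {ev.image}  ({why})")
```

The order of the checks matters: the allowlist runs first so an unknown download is refused before any finer rule is consulted, and the PowerShell rule is evaluated before the ringfence so the log records the specific reason (an encoded command, or an unapproved parent) rather than the generic fence violation. A real policy would also cover script hosts beyond PowerShell, but the shape of the decision is the same: deny by default, then narrow what approved applications may do.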

Training users to avoid suspicious ads and to verify the legitimacy of download sources is also a critical component of a defense-in-depth strategy.

Malvertising is a growing threat that shouldn’t be ignored

Malvertising has evolved into a highly effective and scalable attack vector that affects individuals and enterprises alike. The fact that these attacks can deliver malware without direct interaction makes them particularly dangerous.

A successful malvertising campaign can lead to credential theft, session hijacking, ransomware deployment, and data exposure, and because such campaigns leverage trusted infrastructure, they are uniquely positioned to evade detection-based security tools.

Adopting a Zero Trust, default-deny security model is essential to preventing unauthorized executions and protecting your organization from data breaches, operational disruptions, financial loss, and reputational damage.
