Threats Tagged 'malvertising'
View all threats tagged with 'malvertising'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'malvertising'
Click on any threat for detailed analysis and mitigation recommendations
Vidar Stealer Unmasked: Code Signing Abuse, Go Loaders and File Inflation 0 A financially motivated campaign identified in April 2026 distributes Vidar stealer and XMRig cryptocurrency miner globally via malvertising. The attackers use password-protected archives impersonating cracked software and Go-based loaders built with the Factory-v3 framework. The malware employs evasion techniques such as rogue Authenticode certificates, file inflation with null bytes, and AMSI bypass. Vidar stealer exfiltrates browser credentials, cookies, and cryptocurrency wallets, while XMRig mines Monero. Persistence is achieved through registry changes, scheduled tasks, and startup scripts. The threat actor, known as X3D MINER, targets victims primarily in the U.S. and European Union, combining credential theft and cryptojacking for dual monetization. Join the discussion | AlienVault OTX General | 07/07/2026, 23:19:29 UTC Added: 07/09/2026, 11:32:31 UTC |
OXLOADER: new loader evading detection to drop infostealer 0 A previously undocumented Windows loader designated as OXLOADER delivers the CASTLESTEALER infostealer through malicious Google Ads campaigns, achieving remarkably low detection rates. The loader employs multiple obfuscation layers including control-flow flattening, opaque predicates, and mixed Boolean-Arithmetic techniques, along with self-modifying decryption stubs and abuse of the Windows .reloc section for shellcode staging. Distribution occurs via malvertising impersonating Node.js installations, redirecting victims through intermediary domains to Storj-hosted batch scripts. The loader implements five anti-VM and language checks, including CIS-region and Russian-language exclusions, suggesting a financially motivated Russian-speaking threat actor. OXLOADER uses DonutLoader to deliver the .NET-based CASTLESTEALER payload in memory, evading traditional detection mechanisms through deliberate engineering choices. Join the discussion | AlienVault OTX General | 06/19/2026, 00:03:22 UTC Added: 06/19/2026, 08:35:48 UTC |
Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign 0 Cybercriminals orchestrated a sophisticated malvertising operation leveraging Google Ads to impersonate popular AI developer tools including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Over seven weeks spanning April to June 2026, attackers deployed 106 unique malicious hostnames across six distinct waves, initially hosting ClickFix social engineering pages on GitLab infrastructure before pivoting to weaponize claude.ai's legitimate shared chat feature. The campaign targeted technically proficient users searching for AI development tools, tricking them into executing terminal commands that deployed the MacSync infostealer. This credential-harvesting malware collected browser data, SSH keys, and cryptocurrency wallets. The Asia-Pacific region sustained the heaviest impact with 67.2% of over 2,000 victims, particularly concentrated in Taiwan. Anthropic responded by banning malicious accounts and implementing additional abuse mitigations. MediumMalware Join the discussion | AlienVault OTX General | 06/18/2026, 10:09:50 UTC Added: 06/18/2026, 20:20:24 UTC |
Showing 1 to 3 of 3 results