
Ad Cloaking: When Fraudsters Show Moderators One Page and Users Another

A reader reaches the end of an article and scrolls into the recommendation widget below it. One card offers a free tool to speed up a sluggish laptop. They tap it, and land on a page insisting their browser is dangerously out of date, pushing a “Chrome update” that turns out to be a banking trojan. On another site, a card promising a video player sends the visitor to what looks like the official installer, and a few minutes later, ransomware is running on the machine.

In both cases, the reviewer who approved the campaign saw none of this. They saw a clean landing page that matched the ad and broke no rules.

That gap between what the reviewer saw and what the user got is ad cloaking. A cloaked campaign shows one version of an ad or landing page to the people and systems checking it, and a different version to the real audience. 

Google treats it as a serious offense under its circumventing systems policy, and accounts caught doing it are suspended on detection without warning.

To pull this off, the campaign has to answer one question about every single visitor before it serves anything: is this a reviewer, a scanner, or a real user? 

Cloaking is a sorting machine. It profiles each visitor in real time and routes them to one of two destinations. In that sense, it is the mirror image of what an anti-fraud platform does. A fraud filter sorts traffic to keep bad visitors out. A cloaker sorts traffic to keep reviewers out and let victims in.

This piece walks through that sorting decision the way the cloaker builds it: the signals it reads to tell a reviewer from a victim, and how detection answers each one. The framing matters, because once you see cloaking as a classification problem run backwards, the defense stops being “scan the ad once” and starts being “assume the page you reviewed is not the page the user will get.”


Key Takeaways

  • Cloaking serves a clean page to reviewers and scanners and a malicious one to real users, which is why a campaign can pass moderation and still harm people.
  • The mechanism is visitor classification: the campaign reads IP, device, behavior, and timing to decide who sees what. Each of those signals is also where detection pushes back.
  • Post-click cloaking, where the swap happens only after a real click, is the hard case because the creative under review is genuinely clean.
  • Showing different content by language, geography, or device is allowed when the product stays the same for everyone. Cloaking abuses that allowance to hide a rule-breaking destination, while the variation by itself is fine.
  • Because most reviews happen at approval and cloakers switch on afterward, the defensible posture is continuous re-checking, redirect-chain analysis, and zero trust applied even to high-reputation domains.

The Sorting Decision Behind Every Cloaked Campaign

Before any content is served, a cloaked campaign decides which visitor it is dealing with. The clean version, often called the “white page,” goes to anything that looks like a reviewer: an ad platform’s crawler, a security scanner, an automated quality check. 

The real version, the phishing form or the malware download, goes to visitors who pass as genuine. Get the sorting right, and the campaign passes inspection while still reaching its targets.

HUMAN Security splits the technique along two lines that are useful to keep separate. Cloaking can happen at the creative level, where the image shown above the ad unit is swapped, or at the landing-page level, where the destination URL is swapped. And it can be static or dynamic. 

  • Static cloaking means the fraudster submits a compliant ad, waits for approval, then manually changes the creative or URL to the malicious one. 
  • Dynamic cloaking means the ad carries logic that decides in real time, on every load, whether to show the clean version or the live payload based on who is visiting.

One distinction is worth holding onto. An ad that simply deceives users without ever changing its content or intent is not cloaked, even if the harm is similar. 

Cloaking specifically involves the swap or the conditional logic that hides the real behavior from review. 

HUMAN notes that dynamically cloaked attacks are comparatively rare and highly targeted, and they are the hardest to catch, because the malicious content only appears after the ad has loaded under the right conditions.

The four checks below are the conditions. They are the questions a dynamic cloaker asks about each visitor.


Reading the Visitor’s Network Address

The first thing a cloaker looks at is where the visitor is connecting from. IP address, the network operator behind it (the ASN), whether the connection comes from a data center or a residential line, and the country all feed into the decision.

Security scanners and ad-platform crawlers tend to run from cloud infrastructure, so their addresses cluster in recognizable ranges. 

Varonis Threat Labs documented this in detail when it analyzed 1Campaign, a commercial cloaking platform built specifically to get malicious ads past Google’s review. 

The platform assigns every visitor a fraud score and automatically blocks traffic from known cloud and security providers by their network operator: Microsoft, Google, Tencent, OVH, and others. One campaign it inspected had processed 1,676 visitors and approved only 10 of them, a 0.6% pass rate. Tellingly, traffic identified as coming from Microsoft’s cloud in Amsterdam was blocked even when it scored a clean zero, because the platform recognized the network itself as a scanner regardless of the score.

This is why a scanner that always connects from the same data-center IP range learns nothing. The cloaker has already filed that range under “not a real user.” Detection responds by varying the vantage point: rotating through diverse IP pools, including residential ones, so the request looks like it came from an ordinary user rather than a known security operator. 

It is also where the legitimate variation rule gets tested, since Google explicitly allows adjusting a landing page for geography. The line is that the product has to stay the same. Geography can change the currency or the language while the offer behind it stays identical.


The Device and Browser Check

If the network address looks clean, the cloaker inspects what the visitor’s device claims to be, and whether that claim holds up. The user-agent string says “iPhone, Safari,” but a real iPhone has a touch screen, a battery that is rarely at exactly 100%, and a browser that renders graphics in a particular way. Automated scanners frequently run headless browsers that fail these small tests.

GeoEdge describes the fingerprinting in concrete terms. If a visitor claims to be on a mobile device, the cloaking script checks for a touch screen; if there is none, it concludes it is dealing with a security platform and serves the clean page. It tracks battery charge, on the logic that a machine reporting a constant 100% is probably not a phone in someone’s hand. It uses the HTML5 Canvas element, which renders slightly differently across real devices, to identify and exclude testing environments. 

Varonis saw the same pattern: 1Campaign flags headless browsers and automation frameworks, and treats inconsistent user-agent strings as a giveaway.

The detection answer is to stop looking like a scanner. That means presenting a realistic device fingerprint and a full browser that executes JavaScript and renders pages the way a person’s phone or laptop would. 

The arms race here is granular because every property the cloaker checks is a property the analyst’s environment has to convincingly fake.


Behavior: What the Visitor Does on the Page

Network and device checks can be passed by a well-built testing environment, so sophisticated cloakers add a third layer: behavior. 

Does the visitor execute the page’s JavaScript? Does the page load suspiciously fast, the way an automated fetch does, rather than a human who waits for content to render? Does anything resemble a real interaction?

Varonis lists behavioral analysis as one of the filtering layers in 1Campaign: rapid page loads, missing JavaScript execution, and other patterns that separate a crawler from a person. This is the layer that defeats shallow scanning. A tool that simply requests the ad tag and reads what comes back never behaves like a user, so it never sees the malicious version.

Beating it requires following the visitor’s path the whole way through, the way a real person would: past the first page, through any intermediate redirects, all the way to the final destination. A scan that stops at the ad tag, before the impression renders, is exactly the scan a cloaker is built to satisfy. The behavioral check is also why post-click cloaking is so difficult, which is worth taking on its own.

The Cloaker’s Sorting Decision (figure)

One visitor in – two possible destinations out. At each gate, a visitor who looks like a reviewer is sent to the clean white page; only a visitor who passes as a real user moves on to the next check.

  1. Network address: data-center IP or a known security ASN? Looks like a reviewer: clean white page. Otherwise, passes as a real user.
  2. Device: headless, or failing fingerprint checks – no touch screen, battery at 100%, Canvas mismatch? Looks like a reviewer: clean white page. Otherwise, passes as a real user.
  3. Behavior: no JS execution, instant load, no interaction on the page? Looks like a reviewer: clean white page. Otherwise, passes as a real user.
  4. Timing: is the campaign still under review? Looks like a reviewer: clean white page. Otherwise, the visitor has passed all four checks.

Real user gets this: the live malicious page.

How detection beats it

Detection works by making the reviewer’s request pass all four gates exactly as a real user would – so the page the victim sees is the page that gets scanned.


Timing the Switch

The fourth check is the simplest and, in many cases, the most effective. It turns on timing: when the visitor arrives relative to the review.

GeoEdge describes the standard sequence. Because the campaign has to be approved before it can run, the fraudster launches it with the cloaker turned off and pointed at minimal traffic. The clean version passes review. 

Where a network concentrates its checks at submission and does not re-examine campaigns afterward, that gap is the whole opening: once approval comes through, the operator switches the cloaker on, counting on the fact that no later scan will look at the redirect logic again. Static cloaking is the blunt version of the same idea: submit a clean creative or URL, get approved, then swap in the malicious one afterward.

This timing is the reason scanning at a single point fails. A cloaked ad reveals its real nature only after the last review it expects to face. The defensive answer is to refuse to treat approval as the end of scrutiny. 

The Adex investigation into the Triada malware showed what that looks like in practice: after attackers began hijacking long-standing, fully verified advertiser accounts to push cloaked redirect chains, the response was to apply checks to every campaign continuously, including ones pointing at trusted destinations, rather than trusting the state at approval time.


Why the Post-Click Version Is So Hard to Catch

The checks above describe pre-click cloaking, where different visitors are served different creatives before anyone clicks. There is a second mode that is harder, and it is the one that gives moderators the most trouble.

In post-click, or page-level, cloaking, everyone sees the same ad. The creative is genuinely clean, and a creative review will pass it every time because there is nothing wrong with it. The decision about where to send the visitor is made only after the click, at the landing-page level. 

GeoEdge notes that this is more common than pre-click cloaking and much harder to detect, because catching it requires actually clicking the ad and meeting the cloaker’s criteria for a real user. A review that inspects the creative and stops there has no way to see the split.

This is the point that separates a useful detection program from a checkbox one. It is easy to overestimate how much the visible creative reveals: the ad you can see says almost nothing about a post-click cloaked campaign, because the part that matters sits downstream of the click, in the redirect chain and the conditional logic that the creative never exposes. Detection has to go where the decision is actually made.


What the Split Looks Like to Publishers and Advertisers

Cloaking does not announce itself. Nothing flags that a campaign is serving one page to reviewers and another to users; the split is invisible from the dashboard. What shows up instead are second-order effects, and learning to read those is part of the defense.

A publisher whose inventory has been hit by a cloaked campaign often sees the symptoms in performance metrics before anyone identifies the cause. 

GeoEdge points to a few: 

  • An unexplained spike in click-through rate on display ads, which normally sit at a fraction of a percent
  • A drop in time on site, session depth, and revenue as users bounce off pages that misbehave
  • Declines in viewability and CPM when a campaign quietly diverts value elsewhere

None of these confirms cloaking on its own, but a cluster of them is a reason to ask demand partners hard questions.
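The “cluster of symptoms” rule above, as an added example that is not GeoEdge’s or Adex’s code: each day is compared with a trailing baseline, and a finding is raised only when several of the listed symptoms land on the same day. The daily metrics are constructed and the thresholds are assumptions.

```python
"""Flag the second-order symptoms of a cloaked campaign in publisher metrics.

Added example, not GeoEdge's or Adex's code. Daily metrics are constructed
and the thresholds are assumptions. Each day is compared with a trailing
baseline, and a finding is raised only when several of the symptoms the
article lists land on the same day, since no single one confirms cloaking.
"""
from statistics import mean

# metric -> (direction of the symptom, ratio to baseline that counts as a hit)
SYMPTOMS = {
    "ctr": ("up", 2.0),                 # display CTR sits at a fraction of a percent
    "time_on_site": ("down", 0.7),
    "session_depth": ("down", 0.7),
    "revenue_per_session": ("down", 0.7),
    "viewability": ("down", 0.85),
    "cpm": ("down", 0.85),
}
MIN_CLUSTER = 3   # assumption: three or more symptoms on one day is a "cluster"


def symptoms_for(day: dict, history: list) -> list:
    """Symptoms present in `day` relative to the mean of `history`."""
    hits = []
    for metric, (direction, factor) in SYMPTOMS.items():
        base = mean(d[metric] for d in history)
        ratio = day[metric] / base if base else 1.0
        if (direction == "up" and ratio >= factor) or (direction == "down" and ratio <= factor):
            hits.append(f"{metric} at {ratio:.2f}x baseline")
    return hits


def scan(days: list, window: int = 7) -> list:
    """Return [(day_label, [symptom, ...])] for days where a cluster appears."""
    findings = []
    for i in range(window, len(days)):
        hits = symptoms_for(days[i], days[i - window:i])
        if len(hits) >= MIN_CLUSTER:
            findings.append((days[i]["day"], hits))
    return findings


def day(label, ctr, tos, depth, rps, view, cpm):
    return {"day": label, "ctr": ctr, "time_on_site": tos, "session_depth": depth,
            "revenue_per_session": rps, "viewability": view, "cpm": cpm}


# Constructed sample: a week of steady numbers, then a cloaked campaign goes live.
SAMPLE = [day(f"d{n:02d}", 0.30, 180, 2.5, 0.040, 0.65, 1.20) for n in range(1, 8)]
SAMPLE.append(day("d08", 1.10, 90, 1.4, 0.020, 0.50, 0.90))   # CTR up, everything else down
SAMPLE.append(day("d09", 0.90, 185, 2.6, 0.041, 0.66, 1.25))  # CTR spike alone, e.g. a viral article

if __name__ == "__main__":
    for label, hits in scan(SAMPLE):
        print(label, hits)
```

The lone CTR spike on the last sample day is deliberately left unflagged: it is the single-symptom case the text says is not enough on its own.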

For an advertiser buying media, the more relevant exposure is the reverse: a cloaked campaign riding on a hijacked account, or counterfeit inventory that mimics a real site, can route spend toward placements that no genuine user ever sees. The buyer rarely catches this by eye. The realistic defense sits at the platform and verification layer, where the redirect chain and the destination can be inspected continuously rather than trusted once.

That is also where a holding-level anti-fraud posture earns its place. Adex, the anti-fraud platform within AdTech Holding (which also includes PropellerAds, Notix, and Zeydoo), treats even high-trust sources such as GitHub and Discord as high-risk precisely because attackers use them as “clean” intermediaries inside cloaked redirect chains. 

Its approach leans on redirect-chain analysis, business metrics, and a broader set of detection patterns rather than a single verdict on the creative. In its review of 2025’s malvertising cases, the team noted that fake browser extensions were a favorite vehicle for cloakers that year, and that the campaigns were caught at the moderation stage through that combination of signals. PropellerAds, drawing on the same family of defenses, reported in its 2025 Ads Safety Report that infrastructure-heavy cloaking, multi-layer setups that route users through intermediaries and vary content by geography or device, was one of the dominant patterns its moderation flagged across the year.

Four Faces of Cloaking and Where Each One Breaks

Static creative cloaking
  • What gets swapped: the ad image, after approval
  • What the reviewer sees: a compliant creative
  • Why it passes review: the swap happens post-approval
  • Where detection catches it: re-scanning creatives after they go live

Static page cloaking
  • What gets swapped: the destination URL, after approval
  • What the reviewer sees: a compliant landing page
  • Why it passes review: the swap happens post-approval
  • Where detection catches it: continuous redirect-chain checks

Dynamic pre-click cloaking
  • What gets swapped: the creative, chosen per visitor in real time
  • What the reviewer sees: the clean creative
  • Why it passes review: the reviewer fails the visitor checks and is profiled as a non-user
  • Where detection catches it: realistic fingerprints, IP rotation, behavioral analysis

Dynamic post-click cloaking
  • What gets swapped: the landing page, chosen per visitor after the click
  • What the reviewer sees: a genuinely clean creative
  • Why it passes review: nothing is wrong with the creative
  • Where detection catches it: following the click through to the final page

The Line Between Cloaking and Legitimate Variation

Not every difference in what users see is cloaking, and treating it that way leads to false positives that punish ordinary advertising. The boundary is specific.

Google’s policy spells out what is allowed: showing a landing page in different languages, running different special offers, or adjusting for geographic location or slower internet connections. 

The condition is that the promoted product or service stays the same for everyone. A retailer that shows euro pricing in Germany and dollar pricing in the United States is varying the wrapper around an identical product, which the policy allows. 

Cloaking is when the variation exists to hide that the real destination breaks the rules: for example, showing the review system a clothing store while sending users to something the policy prohibits.

The same boundary appears in how security teams define the term. HUMAN draws a line between a cloaked ad and an ad that merely deceives without changing its content. 

If there is no swap and no conditional logic hiding the real intent from review, it may still be a bad ad, but it is not cloaking. Keeping that distinction sharp matters for detection, because the two problems are caught in different ways. 

Deceptive-but-static ads are caught by reviewing what is there. Cloaked ads are caught by detecting the machinery that decides who sees what.


How Responsible Networks Defend Against It

No single check stops cloaking, because the technique is built to pass whichever check it expects. 

The defenses that hold up share a common shape: they assume the reviewed version is not the served version, and they keep looking after approval.

  • Stop scanning like a scanner

The first move is to stop scanning like a scanner. Detection that rotates IP addresses, presents realistic device fingerprints, executes JavaScript, and behaves like a person denies the cloaker the network and device tells it relies on. 

  • Fingerprinting

A useful second move is to look for the fingerprinting itself. When a page is running scripts that check for a touch screen, battery charge, or Canvas behavior, that machinery is a signal in its own right, and its presence can flag a likely cloak even when the payload stays hidden. 

GeoEdge built its real-time approach around exactly this idea: detect the cloaking apparatus, then block the bad ad before it renders.
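Detecting the apparatus rather than the payload, as an added example (not GeoEdge’s or Adex’s code): a static check over a landing page’s JavaScript for the probes described above, scored together with a conditional redirect. The regexes and weights are assumptions, and both sample scripts are constructed.

```python
"""Static check for cloaker-style fingerprinting in a landing page's JavaScript.

Added example, not GeoEdge's or Adex's code. It looks for the probes this
article describes (touch screen, battery level, Canvas rendering, automation
tells) plus a branch to a different URL, and scores the combination. The
regexes and weights are assumptions; both sample scripts are constructed.
"""
import re

# (name, pattern over the script source, weight). One API alone is weak
# evidence; several of them next to a conditional redirect is the apparatus.
RULES = [
    ("touch_check", re.compile(r"ontouchstart|maxTouchPoints"), 2),
    ("battery_check", re.compile(r"navigator\.getBattery|\.level\s*===?\s*1\b"), 2),
    ("canvas_probe", re.compile(r"getContext\(['\"]2d['\"]\)[\s\S]{0,300}?toDataURL"), 2),
    ("automation_tell", re.compile(r"navigator\.webdriver|HeadlessChrome|_phantom"), 3),
    ("ua_platform_crosscheck", re.compile(r"navigator\.platform"), 1),
    ("conditional_redirect", re.compile(r"location\.(href|replace)\s*[=(]"), 1),
]


def scan_script(source: str) -> dict:
    """Return which probes a script contains, a weighted score and a verdict."""
    matched = [name for name, pattern, _ in RULES if pattern.search(source)]
    score = sum(w for name, _, w in RULES if name in matched)
    if score >= 6 and "conditional_redirect" in matched:
        verdict = "likely cloaking apparatus"   # fingerprints AND routes on the result
    elif score >= 3:
        verdict = "fingerprinting present, review"
    else:
        verdict = "no fingerprinting tells"
    return {"matched": matched, "score": score, "verdict": verdict}


# Constructed: the kind of gate script a dynamic cloaker embeds in its page.
CLOAKER_JS = r"""
(function () {
  var real = true;
  if (/iPhone|Android/.test(navigator.userAgent) && !('ontouchstart' in window)) real = false;
  if (navigator.webdriver) real = false;
  navigator.getBattery().then(function (b) {
    if (b.level === 1 && !b.charging) real = false;
    var c = document.createElement('canvas');
    c.getContext('2d').fillText('probe', 2, 2);
    if (SANDBOX_FINGERPRINTS.indexOf(c.toDataURL()) !== -1) real = false;
    location.href = real ? 'https://example.invalid/offer' : 'https://example.invalid/white';
  });
})();
"""

# Constructed: an ordinary click-tracking snippet that also redirects.
BENIGN_JS = r"""
document.getElementById('cta').addEventListener('click', function () {
  navigator.sendBeacon('/collect', JSON.stringify({ua: navigator.userAgent}));
  location.href = 'https://example.invalid/product?src=widget';
});
"""

if __name__ == "__main__":
    for label, src in (("cloaker", CLOAKER_JS), ("benign", BENIGN_JS)):
        print(label, scan_script(src))
```

A redirect on its own scores low by design, since click tracking through redirects is routine; the verdict turns on the probes sitting next to it.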

  • Continuity

The third move is continuity. Because cloakers switch on after approval, re-scanning live campaigns and re-walking redirect chains closes the timing gap that one-time review leaves open. 

The Triada investigation pushed this to a zero-trust stance, where every redirect, landing page, and target URL is checked, even when it points at a reputable domain, because reputable domains are exactly what attackers borrow to look clean. And because cloaked campaigns frequently ride on hijacked advertiser accounts, login-anomaly monitoring, two-factor authentication, and strict identity verification at signup all cut off a common path to getting a campaign approved under someone else’s good name. Several of these campaigns use a trusted domain as the front of the chain, which is why a clean-looking destination cannot be the end of the inquiry.
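The three moves above (vary the vantage point, follow the chain to the end, re-check after approval) combine into one differential comparison. Added example, not Adex’s or any platform’s code: it takes crawl observations of the same campaign from a reviewer-like and a user-like vantage, at approval and later, and reports where the destination splits. Observations, URLs and page hashes are constructed placeholders.

```python
"""Differential re-check of a campaign's redirect chain.

Added example, not Adex's or any platform's code. It compares where one
campaign sent a reviewer-like visitor (data-center IP, headless browser) and a
user-like one (residential IP, full browser), both at approval and on a later
re-walk. Observations, URLs and page hashes are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts the article names as "clean" intermediaries attackers borrow (illustrative list).
TRUSTED_INTERMEDIARIES = {"github.com", "discord.com"}

@dataclass(frozen=True)
class Observation:
    campaign: str
    phase: str      # "review" = crawled at approval, "live" = re-walked later
    vantage: str    # "datacenter-headless" (reads as a scanner) or "residential-browser"
    chain: tuple    # every hop the visitor was sent through, first to last
    page_hash: str  # hash of the final rendered page (constructed value)
    def destination(self):
        return (self.chain[-1], self.page_hash)

def analyze(observations):
    """Return {campaign: [finding, ...]}; a campaign with no split gets no entry."""
    by_campaign = defaultdict(list)
    for o in observations:
        by_campaign[o.campaign].append(o)
    findings = defaultdict(list)
    for camp, rows in by_campaign.items():
        # Dynamic cloaking: at one moment, the destination depends on who is asking.
        for phase in ("review", "live"):
            if len({o.destination() for o in rows if o.phase == phase}) > 1:
                findings[camp].append(f"{phase}: destination differs by vantage (dynamic cloaking)")
        # Static cloaking: same vantage, but the destination changed after approval.
        for vantage in sorted({o.vantage for o in rows}):
            seen = {o.phase: o.destination() for o in rows if o.vantage == vantage}
            if "review" in seen and "live" in seen and seen["review"] != seen["live"]:
                findings[camp].append(f"{vantage}: destination changed after approval (static swap)")
        # Trusted-domain fronting: a reputable host used as an intermediate hop.
        hosts = {urlparse(hop).hostname for o in rows for hop in o.chain[1:-1]}
        for host in sorted(hosts & TRUSTED_INTERMEDIARIES):
            findings[camp].append(f"chain passes through trusted intermediary {host}")
    return dict(findings)

AD = "https://ads.example.invalid/click/"          # constructed ad-server click URL
WHITE = "https://lp.example.invalid/white"         # the compliant "white page"
GATE = "https://lp.example.invalid/go"             # hop where the visitor check runs
PAYLOAD = "https://dl.example.invalid/update.exe"  # the fake "browser update"
SHOP = "https://shop.example.invalid/"
FRONT = "https://github.com/PLACEHOLDER-ORG/redirect"  # placeholder path on a trusted host
SAMPLE = [
    # Campaign A: dynamic post-click cloaking; the scanner profile never sees the payload.
    Observation("A", "review", "datacenter-headless", (AD + "A", WHITE), "h-white"),
    Observation("A", "review", "residential-browser", (AD + "A", GATE, PAYLOAD), "h-bad"),
    Observation("A", "live", "datacenter-headless", (AD + "A", WHITE), "h-white"),
    Observation("A", "live", "residential-browser", (AD + "A", GATE, PAYLOAD), "h-bad"),
    # Campaign B: static page cloaking switched on after approval, fronted by a trusted host.
    Observation("B", "review", "datacenter-headless", (AD + "B", WHITE), "h-white"),
    Observation("B", "review", "residential-browser", (AD + "B", WHITE), "h-white"),
    Observation("B", "live", "datacenter-headless", (AD + "B", FRONT, PAYLOAD), "h-bad"),
    Observation("B", "live", "residential-browser", (AD + "B", FRONT, PAYLOAD), "h-bad"),
    # Campaign C: clean; the same destination for every vantage.
    Observation("C", "review", "datacenter-headless", (AD + "C", SHOP), "h-shop"),
    Observation("C", "review", "residential-browser", (AD + "C", SHOP), "h-shop"),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Legitimate geography or currency variation would also change the final URL and hash, so a split found here is a reason to inspect the destination, not a verdict on its own.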

None of this delivers zero incidents. Cloaking is an arms race, and a determined operator can build a new evasion faster than any single rule adapts. What the layered approach does is raise the cost and shorten the window: it makes the clean-version trick harder to set up, and it catches the switch sooner after it happens.


FAQ

Is ad cloaking illegal, or just against platform policy?

It is firmly against the policies of every major ad platform and is treated as one of the most serious violations. Google suspends accounts for it on detection without warning. Beyond policy, cloaking is usually the delivery mechanism for activity that is itself illegal, such as malware distribution or phishing, and platform operators have pursued cloaking-tool vendors in court.


How is cloaking different from a normal redirect?

Redirects are a routine, allowed part of advertising, including for click tracking. The difference is intent and concealment. A redirect becomes cloaking when it sends the review system to a compliant page while routing real users to one that breaks the rules, and hides that split from the platform.


Why can a campaign pass moderation and still be malicious?

Because moderation mostly happens at approval, and cloaking is designed to behave at that moment. The campaign shows its clean face during review, then either swaps content afterward or uses live visitor checks to keep showing reviewers the clean version. The malicious page only appears to visitors who pass as real users.


What is the hardest type of cloaking to catch?

Dynamic post-click cloaking. The ad creative is genuinely clean, so the creative review passes it, and the decision about where to send the visitor is made only after the click and behind device and behavior checks. Catching it requires following the click through to the real destination under conditions that look human.


Can advertisers or publishers detect cloaking themselves?

Rarely in real time, and rarely by looking at the creative. What they can watch for are second-order symptoms, such as abnormal click-through spikes, drops in time on site, or unexplained declines in viewability and CPM, and then escalate to partners. The detection itself sits at the platform and verification layer, where the redirect chain can be inspected continuously.


Where This Leaves Advertisers and Publishers

The instinct when fighting cloaking is to scan harder at the gate. That instinct is only half right. A cloaked campaign is built to look perfect at the gate, because the gate is the one moment it knows it will be watched. Reviewing the creative more carefully does little against a post-click cloak where the creative is clean by design.

The more durable stance treats approval as the beginning of scrutiny rather than the end of it. 

Assume the page a reviewer saw is not the page a user will get. Walk the redirect chain the way a real visitor would, from a vantage point that does not announce itself as a scanner. Re-check live campaigns instead of trusting the verdict from launch day. Extend the same suspicion to domains with good reputations, since those are the ones attackers borrow. Cloaking is a sorting machine pointed at your reviewers; the defense is to keep arriving as someone it cannot afford to sort out.

Adex tracks cloaking and the redirect-chain techniques behind it as part of its anti-fraud and traffic-quality work across AdTech Holding. Teams that want to compare notes on emerging evasion patterns can reach the Adex anti-fraud team directly.