Phrases such as ‘attackers are becoming more sophisticated’ and ‘fraud keeps evolving’ have become almost default language in the cybersecurity industry. Often, people assume it means more advanced exploits and complex malware.
However, the biggest malvertising incidents of 2025 highlight a different – and probably more disturbing – picture. In many of the most high-impact cases, attackers relied on something far more effective than technical innovation: trust. Rather than directly breaking into systems, they blended into legitimate user journeys, abusing well-known platforms and everyday workflows.
Let’s take a closer look at some of the largest malvertising campaigns of 2025 and hear how security experts explain the way modern threats really work.
What’s Overall Happening With Malware?
Before we move on to specific case studies, let’s outline several key trends that define how malware spreads today.
- Infostealer epidemic. Infostealers are malicious programs designed to silently steal the most sensitive user data, including passwords, cookies, and session tokens. This data is extremely valuable to fraudsters, as it allows them to quickly and easily take control of accounts, often without brute-forcing credentials.
Once an infostealer has collected the required data, the next steps may include selling stolen credential databases, hijacking advertising accounts or corporate services, or using the access as an entry point for a ransomware attack.
- Legitimate user journeys. 2025 has shown that malware attacks look less and less suspicious. Malicious software is increasingly distributed not through blunt, direct system break-ins but by exploiting users’ trust in familiar and popular tools and platforms such as YouTube, GitHub, Dropbox, browser extension stores, and more. As a result, these attacks often go unnoticed until the moment they cause real damage.
- Professionals as the new target. It seems we are witnessing a shift in attackers’ focus from a mass audience to professionals. More and more campaigns are targeting marketers, designers, developers, and office workers. Malware is disguised as professional tools, extensions, and files that look entirely legitimate and fit the standard workflows.
It means malware is no longer a problem of careless users, but a risk for businesses and digital ecosystems.
Top 4 Malvertising Campaigns of 2025: From Video Sites to YouTube
Modern malware campaigns no longer depend on technical complexity: their strengths are scale, trust, and familiar user behavior. Here are four case studies that illustrate the trend.
Storm-0408
The Storm-0408 campaign targeted users of unauthorized content sites: unofficial video streaming platforms, sites distributing unlicensed movies and TV shows, and sometimes websites offering modified software. Malicious ads on these sites led users to fake pages claiming that a particular video player or update was required to watch the video. After clicking the download button, the user received an infostealer hosted on a trusted platform such as GitHub, Dropbox, or Discord.
At first, antivirus software did not detect the attack because the payloads were new and had no signatures, the unique fingerprints that usually identify malware. Later, security products began to detect them by behavior: attempts to read browser data, expand access to the system, and send information to external servers. Researchers also noted that the malware was mainly downloaded from GitHub, Dropbox, and Discord, and that the files were hosted on newly created accounts and repositories.
Microsoft updated its protection to better spot these threats and shared the findings with the other platforms. GitHub, Dropbox, and Discord removed the harmful files and accounts and improved their checks, but they cannot block executable files outright without undermining the core purpose of their services.
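The pattern above (an ad on a streaming site, a few redirect hops, a fake "player update" page, and an executable fetched from a code-hosting or file-sharing service) can be scored mechanically. The following is an added example written for this article, not Microsoft's or any platform's detection code; the file-host list, the weights, and the sample chains (hosts on the reserved .test TLD) are constructed for illustration.

```python
"""Redirect-chain triage for ad-delivered executable downloads.

Added example, not Microsoft's or any platform's detection code. It scores the
pattern described for Storm-0408: an ad on a streaming site bounces through
intermediaries to a fake "player update" page whose download button fetches
an executable from a code-hosting or file-sharing service. The host list, the
weights and the sample chains are constructed for illustration.
"""
from urllib.parse import urlparse

# Services that legitimately host arbitrary files and were abused in 2025.
# A download from them is not malicious on its own; reached through an
# ad-driven redirect chain and ending in an executable it is a strong signal.
FILE_HOSTS = {
    "github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
    "dropbox.com", "dl.dropboxusercontent.com",
    "cdn.discordapp.com", "discord.com",
}

EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".scr", ".bat", ".cmd", ".hta",
                         ".zip", ".rar", ".7z")


def host_of(url):
    """Lower-cased hostname of a URL ('' if the URL has none)."""
    return (urlparse(url).hostname or "").lower()


def is_file_host(host):
    """True if host is one of the file-hosting services or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in FILE_HOSTS)


def score_chain(chain):
    """Score a list of URLs in redirect order; returns (score, reasons)."""
    if not chain:
        return 0, ["empty chain"]
    score, reasons = 0, []
    hops = len(chain) - 1
    if hops >= 3:
        score += 1
        reasons.append(f"{hops} redirect hops")
    if len({host_of(u) for u in chain}) >= 3:
        score += 1
        reasons.append("three or more distinct hosts")
    final_host = host_of(chain[-1])
    final_path = urlparse(chain[-1]).path.lower()
    if is_file_host(final_host):
        score += 1
        reasons.append(f"payload served from file host {final_host}")
        # The user never navigated to the file host: the ad chain took them there.
        if not is_file_host(host_of(chain[0])):
            score += 2
            reasons.append("file host reached only via redirect from an ad")
    if final_path.endswith(EXECUTABLE_EXTENSIONS):
        score += 1
        reasons.append(f"executable download {final_path.rsplit('/', 1)[-1]}")
    return score, reasons


def verdict(chain):
    """Map a score to an action: 'block', 'review' or 'allow'."""
    score, _ = score_chain(chain)
    if score >= 4:
        return "block"
    if score >= 2:
        return "review"
    return "allow"


# Constructed sample chains (hosts use the reserved .test TLD).
SAMPLE_CHAINS = {
    "storm_like": [
        "https://ads.example-net.test/click?id=1",
        "https://tds.example-redirector.test/go",
        "https://player-update.example.test/update.html",
        "https://github.com/new-account-2025/player/releases/download/v1/player_update.exe",
    ],
    "direct_release": [
        "https://github.com/owner/project/releases/download/v2.1/tool.exe",
    ],
    "ordinary_ad": [
        "https://ads.example-net.test/click?id=2",
        "https://www.example-shop.test/landing",
    ],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        score, reasons = score_chain(chain)
        print(f"{name}: {verdict(chain)} (score {score}) {'; '.join(reasons)}")
```

The key design choice is the asymmetric weight: a user who opens a GitHub release page directly and downloads an .exe only lands in "review", while the same file reached through an ad redirect chain from an unrelated site is blocked, because the redirect, not the file host, is what distinguishes the campaign from ordinary software distribution.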
Adex Expert: The use of platforms such as GitHub and Discord for distributing malware is not a new scenario for the market. As part of our anti-cloaking efforts, these sources are already treated as high-risk. We rely on redirect chain analysis, business metrics, and a broader set of detection patterns – and it enables us to identify and block malware campaigns at an early stage. Based on our observations, this case did not have a large-scale impact on our clients. The potential risks were contained early on, before they could result in any material damage.
Farukh Rakhimov, Information Security Manager at PropellerAds: In my view, visiting unauthorized websites always involves certain risks, as the files available on such sites are often of unknown or questionable origin. The fact that malicious files may be hosted on seemingly trusted platforms does not change this general risk, which is why we reject them as a source of traffic. This shows why it is important for users to improve their own cybersecurity awareness, and for companies to regularly educate their employees on basic security practices.
Fake Meta Ads Tools
While there was no single named campaign, marketers, media buyers, and ad teams suffered from multiple large-scale attacks using fake Meta Ads tools and browser extensions in 2024-2025.
Attackers disguised malware as useful work tools such as ad helpers, policy checkers, and browser extensions. These tools looked legitimate and, in some cases, even performed the basic advertised functions, for example opening Ads Manager pages.
Once installed, the tools gained access to the browser environment and active session data. This allowed attackers to steal cookies and session tokens and hijack advertising accounts without knowing the password and without having to defeat two-factor authentication: a stolen session cookie represents a login that has already passed both checks. As a result, they could use the accounts as if they were the legitimate owners.
Note: Similar attacks targeting professionals are not limited to the advertising industry. In 2025, researchers also identified campaigns that distributed malware through professional file formats. For example, malicious Blender files containing hidden Python scripts were used to install the StealC infostealer on the systems of designers and 3D artists.
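What makes an "ad helper" extension capable of the session theft described above is visible in its manifest before a single line of its code runs: the cookies permission plus host access to the ad platform (or to every site) is exactly the capability set needed to read and replay a logged-in session. The audit below is an added example written for this article, not a store policy or a real extension; both manifests and the extension names are constructed, and the risk weights are my own.

```python
"""Capability audit of a browser-extension manifest.

Added example, not a store policy or a real extension. The two manifests are
constructed to contrast an "ad helper" that can read session cookies from an
ad platform with one that only opens Ads Manager pages; the permission
weights are my own.
"""
import json

# Hosts whose sessions are worth stealing for ad-account hijacking (constructed list).
AD_PLATFORM_HOSTS = ("facebook.com", "business.facebook.com",
                     "adsmanager.facebook.com", "ads.google.com")

# Match patterns that grant access to every site.
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "https://*/*", "http://*/*")


def host_patterns(manifest):
    """Match patterns from MV3 host_permissions, MV2 permissions and content scripts."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def audit_manifest(manifest):
    """Return {'name', 'risk', 'findings'} for a parsed manifest dict."""
    perms = set(manifest.get("permissions", []))
    patterns = host_patterns(manifest)
    broad = any(p in BROAD_PATTERNS for p in patterns)
    ad_platform = any(h in p for p in patterns for h in AD_PLATFORM_HOSTS)
    findings = []
    if "cookies" in perms:
        findings.append("cookies: can read session tokens via chrome.cookies")
    if "cookies" in perms and (broad or ad_platform):
        findings.append("cookie access covers ad-platform or all hosts: session hijack capable")
    if ("scripting" in perms or manifest.get("content_scripts")) and (broad or ad_platform):
        findings.append("can inject scripts into authenticated ad-platform pages")
    if perms & {"webRequest", "webRequestBlocking"} and broad:
        findings.append("can observe or modify requests on all sites")
    if broad:
        findings.append("host access not scoped to the advertised function")
    # Cookies plus reach into the ad platform is the session-theft combination.
    if "cookies" in perms and (broad or ad_platform):
        risk = "high"
    elif len(findings) >= 2:
        risk = "medium"
    elif findings:
        risk = "low"
    else:
        risk = "none"
    return {"name": manifest.get("name", "?"), "risk": risk, "findings": findings}


def audit_json(text):
    """Audit a manifest.json given as text."""
    return audit_manifest(json.loads(text))


# Constructed manifests (names invented).
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Ads Policy Checker Pro",
    "permissions": ["cookies", "scripting", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})

BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Ads Manager Shortcut",
    "permissions": ["tabs"],
    "host_permissions": ["https://adsmanager.facebook.com/*"],
    "action": {"default_popup": "popup.html"},
})

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = audit_json(text)
        print(f"{report['name']}: {report['risk']}")
        for finding in report["findings"]:
            print("  -", finding)
```

A real review would still read the code, because an extension can also exfiltrate page content through a content script without the cookies permission; the manifest check is the cheap first filter that catches the combination every cookie-stealing "helper" needs.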
Adex Expert: Disguising malware as productivity tools or browser extensions is a well-known attack vector for us. In 2025, fake browser extensions were especially popular among cloakers. We regularly detect attempts to launch advertising campaigns that promote such solutions under the guise of legitimate tools. Such campaigns are blocked at the moderation stage, and the advertisers are banned.
Farukh Rakhimov: The YouTube Ghost Network showed that malware can be spread through regular content on fully legitimate platforms, and that’s why such attacks are almost inevitable in cases where cybersecurity awareness is lacking.
Rhysida Campaign
The Rhysida campaign targeted corporate users looking to install Microsoft Teams through ads and search results. Malicious advertisements led users to fake Microsoft Teams download pages that closely resembled the official website. Users downloaded what seemed to be a legitimate Teams installer, often signed with valid-looking certificates.
Once the file was executed, the second stage of the attack began: a hidden loader was installed first, then a backdoor that gave the attackers remote access to the system, and finally the Rhysida ransomware itself was deployed. It encrypted files and demanded payment to restore access.
Note: Security researchers later linked the same delivery method to other activity, for example to the threat actor that Microsoft tracks as Vanilla Tempest.
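Two checks would have stopped the Teams case at the user's desk: does the download page's domain actually belong to the vendor it imitates, and is the installer signed by the expected publisher rather than merely signed at all? A "valid-looking" certificate can be perfectly valid and still belong to someone else. The code below is an added example written for this article, not Microsoft's guidance or the tooling of the researchers who reported the campaign; the domain allowlist, brand tokens, expected publisher and sample records are constructed.

```python
"""Two checks for a 'download Teams' landing page and its installer.

Added example, not Microsoft's guidance or the reporting researchers' tooling.
The allowlist, the brand tokens and the sample records are constructed.
Check 1 asks whether the page's domain belongs to the vendor it imitates;
check 2 asks whether the installer's signer is the expected publisher,
because a signature can be valid and still belong to someone else.
"""
from urllib.parse import urlparse

# Hypothetical allowlist of registrable domains the vendor actually uses.
OFFICIAL_DOMAINS = {"microsoft.com", "office.com"}
BRAND_TOKENS = ("teams", "microsoft", "msteams")
EXPECTED_PUBLISHERS = {"Microsoft Corporation"}

# Characters commonly swapped into look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Last two labels of the host (naive; a real check would use the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalized_host(host):
    """Decode punycode and fold confusable characters before brand matching.
    The 'rn' -> 'm' and 'vv' -> 'w' folds deliberately over-match; this is a
    lookalike filter, not a parser."""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    return host.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def page_impersonates_brand(url):
    """True if the host carries a brand token but is not a vendor domain."""
    host = urlparse(url).hostname or ""
    folded = normalized_host(host)
    return (any(t in folded for t in BRAND_TOKENS)
            and registrable_domain(host) not in OFFICIAL_DOMAINS)


def signer_common_name(subject):
    """Extract CN= from an X.509 subject string like 'CN=Foo, O=Foo Ltd'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return ""


def assess_download(url, signature):
    """signature: dict with 'valid' (bool) and 'subject' (str) of the signer,
    as a signature-verification tool would report them. Returns (verdict, reasons)."""
    reasons = []
    if page_impersonates_brand(url):
        reasons.append(f"{urlparse(url).hostname} uses the brand name but is not a vendor domain")
    if not signature.get("valid"):
        reasons.append("installer signature missing or invalid")
    else:
        cn = signer_common_name(signature.get("subject", ""))
        if cn not in EXPECTED_PUBLISHERS:
            reasons.append(f"valid signature but publisher is '{cn}', not the vendor")
    return ("reject" if reasons else "accept"), reasons


# Constructed sample records (hosts on the reserved .test TLD, signer names invented).
SAMPLES = {
    "fake_page_rogue_signer": (
        "https://teams-download.example.test/MSTeamsSetup.exe",
        {"valid": True, "subject": "CN=Contoso Software Ltd, O=Contoso Software Ltd, C=GB"},
    ),
    "homoglyph_domain": (
        "https://micr0soft-tearns.example.test/Setup.exe",
        {"valid": False, "subject": ""},
    ),
    "official": (
        "https://www.microsoft.com/en-us/microsoft-teams/download-app",
        {"valid": True, "subject": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"},
    ),
}

if __name__ == "__main__":
    for name, (url, sig) in SAMPLES.items():
        print(name, *assess_download(url, sig))
```

The second check is the one most users skip: Windows shows "verified publisher" for any valid Authenticode signature, so the question to ask is who the publisher is, not whether the dialog is green.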
Adex Expert: Enhanced checks at the moderation stage, along with anomaly monitoring, helped prevent such campaigns from going live and protected our clients from potential risks.
YouTube Ghost Network
In 2025, researchers uncovered a network of YouTube channels used to distribute malicious software. The campaign worked this way: users watched videos that looked completely legitimate – typical tutorials or guides about free software, productivity tools, or AI services.
As with most YouTube videos that contain native advertising, viewers were invited to follow links in the video description and download the tools shown in the video. Instead of the advertised software, however, users downloaded infostealers that harvested browser data, passwords, and cryptocurrency wallet information.
As in previous cases, this campaign did not rely on software vulnerabilities; user trust remained the key factor. What makes this case even more disturbing is the entry point itself: a highly trusted platform. Unlike unauthorized websites, which are often associated with malware and already carry a certain level of risk in users’ minds, YouTube is a mainstream service where most users do not expect anything malicious to happen.
Adex Expert: Attackers are increasingly using highly trusted platforms to distribute malware. We take this into account in our risk models and during the evaluation of advertising campaigns. For us, a combination of signals is critical: redirect structures, detections triggered during redirects, and activity anomalies. This allows us to identify such schemes even in cases where the content appears fully legitimate. This attack vector did not have a significant impact on our company’s clients.
Farukh Rakhimov: Many of these cases appear to exploit user trust. Addressing this requires action from both sides: improving cybersecurity awareness among users and greater responsibility from platforms. Companies like Meta and Google should play a stronger role in ensuring the safety of the ecosystems built around their advertising products.
Does It Mean Anti-Fraud Tools Don’t Make Sense Anymore?
At first glance, it may seem that if fraud schemes have become this subtle and trust-based, advanced protection tools no longer make sense. But that’s not the case.
First, even in 2025, a large share of attacks still relies on crude, mass-scale techniques: bot traffic, primitive redirects, fake engagement, and obvious behavioral anomalies. Modern anti-fraud solutions filter out these threats automatically, so using them removes a large layer of basic risk.
Second, today’s ad anti-fraud tools work not only by blocking known threats, but by detecting behavioral anomalies early. When something unusual – sudden spikes in suspicious traffic, strange behavior patterns, or changes in audience quality – starts happening, it can be identified before the damage becomes critical. Even with a complex attack, speed of response becomes the key factor.
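The "sudden spike" and "change in audience quality" signals mentioned above are easy to compute once the baseline is robust to the anomaly itself. The following is an added example written for this article, not ADEX's detection logic: a median/MAD z-score over a rolling window of hourly clicks, plus a conversion-rate drop check, run over a constructed hourly series with one burst hour.

```python
"""Early-warning anomaly checks on hourly ad-traffic metrics.

Added example, not ADEX's detection logic. A robust (median/MAD) z-score over
a rolling window flags click spikes without letting the spike itself pull the
baseline up, and a conversion-rate check flags hours where traffic grows but
stops converting. The hourly series are constructed.
"""
from statistics import median


def robust_z(value, window):
    """Modified z-score of value against a window of past observations."""
    med = median(window)
    mad = median(abs(x - med) for x in window)
    mad = max(mad, 1.0)  # guard against a flat window (MAD == 0)
    return 0.6745 * (value - med) / mad


def detect_spikes(series, window=24, threshold=3.5, min_ratio=1.5):
    """Indices of hours whose value is an upward spike versus the preceding window.
    min_ratio keeps tiny absolute rises on a very stable baseline from alerting."""
    flagged = []
    for i in range(window, len(series)):
        past = series[i - window:i]
        if robust_z(series[i], past) >= threshold and series[i] >= min_ratio * median(past):
            flagged.append(i)
    return flagged


def conversion_rate_drops(clicks, conversions, window=24, max_drop=0.5):
    """Indices where the hourly conversion rate falls below max_drop of the
    windowed baseline rate: a burst of clicks that converts nothing is a classic
    sign of bot traffic or a shift in audience quality."""
    flagged = []
    for i in range(window, len(clicks)):
        base_clicks = sum(clicks[i - window:i])
        base_conv = sum(conversions[i - window:i])
        if base_clicks == 0 or clicks[i] == 0:
            continue
        baseline = base_conv / base_clicks
        rate = conversions[i] / clicks[i]
        if baseline > 0 and rate < max_drop * baseline:
            flagged.append(i)
    return flagged


# Constructed hourly data: a steady day, then a click burst in hour 25 that
# brings almost no conversions.
SAMPLE_CLICKS = [100, 104] * 12 + [105, 420, 108, 98]
SAMPLE_CONVERSIONS = [5, 5] * 12 + [5, 3, 6, 5]

if __name__ == "__main__":
    print("click spikes at hours:", detect_spikes(SAMPLE_CLICKS))
    print("conversion drops at hours:",
          conversion_rate_drops(SAMPLE_CLICKS, SAMPLE_CONVERSIONS))
```

Both checks fire on the same hour, which is the point: a single noisy metric produces false alarms, but a traffic spike coinciding with a collapse in conversion rate is the kind of combined signal worth acting on while the campaign is still running.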
This is exactly how modern anti-fraud platforms like ADEX operate: they don’t just record fraud after it has already happened, but help identify early warning signs in traffic and enable action at an early stage, when the problem is still manageable.