ad fraud | Breaking Cybersecurity News | The Hacker News

The first ThreatsDay Bulletin of 2026 lands on a day that already feels symbolic — new year, new breaches, new tricks. If the past twelve months taught defenders anything, it's that threat actors don't pause for holidays or resolutions. They just evolve faster. This week's round-up shows how subtle shifts in behavior, from code tweaks to job scams, are rewriting what "cybercrime" looks like in practice. Across the landscape, big players are being tested, familiar threats are mutating, and smaller stories are quietly signaling bigger patterns ahead. The trend isn't about one big breach anymore; it's about many small openings that attackers exploit with precision. The pace of exploitation, deception, and persistence hasn't slowed; it's only become more calculated. Each update in this edition highlights how the line between normal operations and compromise is getting thinner by the week. Here's a sharp look at what's moving beneath the surface of the cybersecurity world as 2026 begin...

The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster , has been attributed to a third attack campaign codenamed DarkSpectre that has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox. The activity is assessed to be the work of a Chinese threat actor that Koi Security is tracking under the moniker DarkSpectre . In all, the campaigns have collectively affected over 8.8 million users spanning a period of more than seven years. ShadyPanda was first unmasked by the cybersecurity company earlier this month as targeting all three browser users to facilitate data theft, search query hijacking, and affiliate fraud. It has been found to affect 5.6 million users, including 1.3 newly identified victims stemming from over 100 extensions flagged as connected to the same cluster. This also includes an Edge add-on named "New Tab - Customized Dashboard" that features a logic bomb that waits for three days prior to t...

A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available. These browser programs were advertised as VPNs, screenshot utilities, ad blockers, and unofficial versions of Google Translate. The oldest add-on, Dark Mode, was published on October 25, 2024, offering the ability to enable a dark theme for all websites. The full list of the browser add-ons is below - Free VPN Screenshot Weather (weather-best-forecast) Mouse Gesture (crxMouse) Cache - Fast site loader Free MP3 Downloader Google Translate (google-translate-right-clicks) Traductor de Google Global VPN - Free Forever Dark Reader Dark Mode Translator - Google Bing Baidu DeepL Weather...

The threat actor known as Vane Viper has been outed as a purveyor of malicious ad technology (adtech), while relying on a tangled web of shell companies and opaque ownership structures to deliberately evade responsibility. "Vane Viper has provided core infrastructure in widespread malvertising, ad fraud, and cyberthreat proliferation for at least a decade," Infoblox said in a technical report published last week in collaboration with Guardio and Confiant. "Vane Viper not only brokers traffic for malware droppers and phishers, but appears to run their own campaigns, consistent with previously documented ad-fraud techniques." Vane Viper, also called Omnatuor , was previously documented by the DNS threat intelligence firm in August 2022, describing it as a malvertising network akin to VexTrio Viper that takes advantage of vulnerable WordPress sites to build a massive network of compromised domains and use them to spread riskware, spyware, and adware. One of t...

A massive ad fraud and click fraud operation dubbed SlopAds ran a cluster of 224 apps , collectively attracting 38 million downloads across 228 countries and territories. "These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks," HUMAN's Satori Threat Intelligence and Research Team said in a report shared with The Hacker News. The name "SlopAds" is a nod to the likely mass-produced nature of the apps and the use of artificial intelligence (AI)-themed services like StableDiffusion, AIGuide, and ChatGLM hosted by the threat actor on the command-and-control (C2) server. The company said the campaign accounted for 2.3 billion bid requests a day at its peak, with traffic from SlopAds apps mainly originating from the U.S. (30%), India (10%), and Brazil (7%). Google has since removed all the offending apps from the Play Store, effectively di...

Google on Thursday revealed it's pursuing legal action in New York federal court against 25 unnamed individuals or entities in China for allegedly operating BADBOX 2.0 botnet and residential proxy infrastructure. "The BADBOX 2.0 botnet compromised over 10 million uncertified devices running Android's open-source software (Android Open Source Project), which lacks Google's security protections," the tech giant said . "Cybercriminals infected these devices with pre-installed malware and exploited them to conduct large-scale ad fraud and other digital crimes." The company said it immediately took steps to update Google Play Protect, a malware and unwanted software protection mechanism built into Android, to automatically thwart BADBOX-related apps. The development comes a little over a month after the U.S. Federal Bureau of Investigation (FBI) issued a warning about the BADBOX 2.0 botnet. BADBOX, first detected in late 2022, is known to spread via ...

Cybersecurity researchers have discovered a new, sophisticated variant of a known Android malware referred to as Konfety that leverages the evil twin technique to enable ad fraud. The sneaky approach essentially involves a scenario wherein two variants of an application share the same package name: A benign "decoy" app that's hosted on the Google Play Store and its evil twin, which is distributed via third-party sources. It's worth pointing out that the decoy apps don't have to be necessarily published by threat actors themselves and could be legitimate. The only caveat is that the malicious apps share the exact same package names as their real counterparts already available on the Play Store.  "The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection," Zimperium zLabs researcher Fernando Ortega said . "This latest variant demonstrates their sophisticat...

A newly released report by cybersecurity firm CTM360 reveals a large-scale scam operation utilizing fake news websites—known as Baiting News Sites (BNS)—to deceive users into online investment fraud across 50 countries. These BNS pages are made to look like real news outlets: CNN, BBC, CNBC, or regional media. They publish fake stories that feature public figures, central banks, or financial brands, all claiming to back new ways to earn passive income. The goal? Build trust quickly and steer readers toward professional-looking scam platforms like Trap10, Solara Vynex, or Eclipse Earn. Scammers use sponsored ads on Google, Meta, and blog networks to push traffic to these sites. Ads often carry clickbait headlines—"You won't believe what a prominent public figure just revealed"—paired with official photos or national flags to make them feel legit. Clicking the ad directs users to a fake article, which then redirects them to a fraudulent trading platform. Many of these scams follow a...

A mobile ad fraud operation dubbed IconAds that consisted of 352 Android apps has been disrupted, according to a new report from HUMAN. The identified apps were designed to load out-of-context ads on a user's screen and hide their icons from the device home screen launcher, making it harder for victims to remove them, per the company's Satori Threat Intelligence and Research Team. The apps have since been removed from the Play Store by Google. The ad fraud scheme accounted for 1.2 billion bid requests a day, at the height of its activity. The vast majority of IconAds-associated traffic originated from Brazil, Mexico, and the United States. It's worth noting that IconAds is a variant of a threat that's also tracked by other cybersecurity vendors under the names HiddenAds and Vapor , with the malicious apps repeatedly slipping past the Google Play Store since at least 2019 . Some of the common characteristics of these apps include the use of obfuscation to conceal...

Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin. The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code. "Pinging functionality that can report back to a command-and-control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads," Wordfence's Marco Wotschka said in a report. First discovered during a site cleanup effort in late January 2025, the malware has since been detected in the wild with new variants. Some of the other names used for the plugin are listed below - addons.php wpconsole.php wp-performance-booster.php scr.php Once installed and activated, it provides threat actors administrator access to the dashboard and makes use of the REST API...

Google on Wednesday revealed that it suspended over 39.2 million advertiser accounts in 2024, with a majority of them identified and blocked by its systems before it could serve harmful ads to users. In all, the tech giant said it stopped 5.1 billion bad ads, restricted 9.1 billion ads, and blocked or restricted ads on 1.3 billion pages last year. It also suspended over 5 million accounts for scam-related violations. In comparison, Google suspended over 12.7 million advertiser accounts, stopped 5.5 billion bad ads, restricted 6.9 billion ads, and blocked or restricted ads on 2.1 billion pages in 2023. The top six ad policy violations included ad network abuse (793.1 million), trademark misuse (503.1 million), personalized ads (491.3 million), legal requirements (280.3 million), financial services (193.7 million), and misrepresentation (146.9 million), among others. Most of the pages on which its ads were blocked or restricted include sexual content, dangerous or derogatory con...

A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn't the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad fraud at scale behind innocent-looking icons. Meanwhile, ransomware gangs are getting smarter—using stolen drivers to shut down defenses—and threat groups are quietly shifting from activism to profit. Even browser extensions are changing hands, turning trusted tools into silent threats. AI is adding fuel to the fire—used by both attackers and defenders—while critical bugs, cloud loopholes, and privacy shakeups are keeping teams on edge. Let's dive into the threats making noise behind the scenes. ⚡ Threat of the Week Coinbase the Initial Target of GitHub Action Supply Chain Breach — The supply chain compromise...

Cybersecurity researchers have warned about a large-scale ad fraud campaign that has leveraged hundreds of malicious apps published on the Google Play Store to serve full-screen ads and conduct phishing attacks. "The apps display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks," Bitdefender said in a report shared with The Hacker News. Details of the activity were first disclosed by Integral Ad Science (IAS) earlier this month, documenting the discovery of over 180 apps that were engineered to deploy endless and intrusive full-screen interstitial video ads. The ad fraud scheme was codenamed Vapor. These apps, which have since been taken down by Google, masqueraded as legitimate apps and collectively amassed more than 56 million downloads between them, generating over 200 million bid requests daily. "Fraudsters behind the Vapor operation have created multiple developer accounts, each host...

At least four different threat actors have been identified as involved in an updated version of a massive ad fraud and residential proxy scheme called BADBOX , painting a picture of an interconnected cybercrime ecosystem. This includes SalesTracker Group, MoYu Group, Lemon Group, and LongTV, according to new findings from the HUMAN Satori Threat Intelligence and Research team, published in collaboration with Google, Trend Micro, Shadowserver, and other partners. The "complex and expansive fraud operation" has been codenamed BADBOX 2.0. It has been described as the largest botnet of infected connected TV (CTV) devices ever uncovered. "BADBOX 2.0, like its predecessor, begins with backdoors on low-cost consumer devices that enable threat actors to load fraud modules remotely," the company said . "These devices communicate with command-and-control (C2) servers owned and operated by a series of distinct but cooperative threat actors." The threat actors ar...

Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country. In a statement published earlier this week, authorities said they severed the communications between the devices and their command-and-control (C2) servers by sinkholing the domains in question. Impacted devices include digital picture frames, media players, and streamers, and likely phones and tablets. "What all of these devices have in common is that they have outdated Android versions and were delivered with pre-installed malware," the BSI said in a press release. BADBOX was first documented by HUMAN's Satori Threat Intelligence and Research team in October 2023, describing it as a "complex threat actor scheme" that involves deploying the Triada Android malware on low-cost, off-brand Android devices by exploiting weak supply chain links...

Details have emerged about a "massive ad fraud operation" that leverages hundreds of apps on the Google Play Store to perform a host of nefarious activities. The campaign has been codenamed Konfety – the Russian word for Candy – owing to its abuse of a mobile advertising software development kit (SDK) associated with a Russia-based ad network called CaramelAds . "Konfety represents a new form of fraud and obfuscation, in which threat actors operate 'evil twin' versions of 'decoy twin' apps available on major marketplaces," HUMAN's Satori Threat Intelligence Team said in a technical report shared with The Hacker News. While the decoy apps, totaling more than 250 in number, are harmless and distributed via the Google Play Store, their respective "evil twins" are disseminated through a malvertising campaign designed to facilitate ad fraud, monitor web searches, install browser extensions, and sideload APK files code onto users' d...