Saturday, June 14, 2025
HomeAdwareNew Malware Framework Generated More Than one Billion Fraudulent ad Impression Via...

New Malware Framework Generated More Than one Billion Fraudulent ad Impression Via Browser Extension

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new malware framework that developed to perform fraudulent Google AdSense impressions by installing a malicious browser extension.

In the past 3 months, This Malware framework gained more than one billion fraudulent ad impressions and generated a significant Google AdSense revenue every month.

Threat actors behind this malvertising campaign abusing the content and advertising platforms by deploying the malware and generating a huge amount of revenue.

- Advertisement - Google News

Malware framework is designed to pad statistics on social sites and ad impressions by including Google Chrome, Mozilla Firefox, and Yandex’s browser and install a malicious browser extension.

Malicious browser extension not only designed to gain ad impression but also generate likes on YouTube videos and watch hidden Twitch streams. 

“Flashpoint researchers found the malicious code that searches for YouTube referrers and then injects a new script tag to load code for YouTube. In this case, the injected JavaScript has an extensive amount of code that is designed to like videos, most of which are related to political topics in Russia.”

Stages to Install Browser Extension

Threat actors are using three separate stages such as Installer, Finder and Patcher to install the malicious browser extension.

Once malware framework infecting the victim’s browsers, the Installer component set up a new browsers extension and it make sure the extension was successfully installed.

Next component Dubbed Finder is ultimately designed to steal browser logins and cookies which is later package in .zip files and send it to the attacker via command and control server.

It also retrieves update binaries instructing from separate C2 panel that check-in with compromised bots and send back stolen credentials and cookie data.

Final Module Patcher component is responsible for installing the browser extension.

Malicious Extension Behaviour

After the successful installation in the browser, the extension begins injecting ads and generating the hidden traffic.

Most of the code written in this framework intended to commit ad fraud and the scripts also used to search and replace the ad-related code on web pages and eventually report the ad clicks to the C2 server.

According to Flashpoint report, the scripts do not inject every website, and most carry large blacklists of domains that are mostly Google domains and Russian websites. In addition, the scripts also attempt to avoid injects into pornographic sites, as these may throw off the impressions. The malware is concentrated in a few geographic locations, led by Russia, Ukraine, and Kazakhstan.

You can download the complete Indicators of Compromise in both CSV and MISP JSON format

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

Malwarebytes New Browser Extension That Protects you From Visiting Malicious Websites

PythonBot- Dangerous Adware Install on Browser Extension & Bypass Security System

Malicious Chrome and Edge Browser Extension Deliver Powerful Backdoor & RAT to Spy Victims PC

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

6 Best Ad Blockers for Android Devices in 2024 to Stop Annoying Ads

Ad-blocking software is one of the most convenient types of software available, helping users...

How does an ad blocker apk work & How does it protect your information?

Did you know that the average Internet user sees about 7,000 advertisements per day?...

Beware!! New Ad-Blocking Chrome Extension That Injects Malicious Ads

A new malicious browser extension, known as AllBlock has been detected to be injecting...