Concise Cyber

MasquerAds Campaign: Fake Google & Bing Ads Lure 500,000+ into Malware Trap

Security researchers have uncovered a massive malvertising campaign that successfully victimized over 500,000 people. The operation, dubbed MasquerAds by the Guardio Labs team that discovered it, leveraged fraudulent advertisements on major search engines, including Google and Microsoft Bing, to distribute information-stealing malware.

The threat actors behind the campaign targeted users searching for popular software tools. Victims were tricked into downloading malicious installers that ultimately compromised their personal and financial data.

How the Malvertising Scheme Operated

The MasquerAds campaign relied on placing malicious ads at the top of search engine results for popular software queries. Brands impersonated in the scheme included Grammarly, Afterburner, Slack, OBS, Notion, Dashlane, and Malwarebytes. When a user clicked on one of these fraudulent ads, they were redirected to a meticulously crafted lookalike phishing website designed to appear legitimate.

Believing they were on the official download page, victims would then download a file disguised as a software installer. This file was actually a malicious loader. The campaign was reported to have a high click-through rate of 10-20% on its malicious ads during one particularly active weekend.

Deployment of Info-Stealing Malware

Once the user executed the fake installer, the loader would deploy info-stealer malware onto the victim’s computer. This type of malware is designed to exfiltrate sensitive information directly from web browsers. The primary goal of the info-stealer was to harvest stored login credentials, financial details, and other personal data from the compromised device. Following the report from Guardio Labs, the malicious infrastructure associated with the campaign was taken down.