Top adult site xhamster victim of large malvertising campaign

Top adult site xhamster victim of large malvertising campaign

We are observing a particular large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month.

In the past two days we have noted a 1500% increase in infections starting from xHamster.

Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and exploit within an apparent ad network.


Let’s take a closer look:

The main adult site links to where the malicious advertising (malvertising) happens thanks to an iframe:


hxxp:// loads the malicious Flash file (1 detection on VT) from: hxxp:// which exploits  the recent 0 day.


Upon successful exploitation, a malicious payload (Bedep) VT 2/57,  is downloaded from:



This attack looks similar than the one mentioned by Kafeine. What we see post exploitation is ad fraud as described here.

Malwarebytes Anti-Exploit protects you from this attack:


While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge.