SSL Malvertising Campaign Continues (UPDATED)

Update 08/14: The campaign has moved to another advertiser (AOL) and a new Azure domain:


Malvertising URL:{redacted}pmcpmprice=0.545/{redacted}dref=
First redirection (Azure website)

Second redirection

Angler exploit kit


Our telemetry captured this malvertising on and the cost per thousand impressions (CPM) for this ad was $0.545. Visitors who were served that ad were redirected to the Angler exploit kit, known for dropping ransomware and ad fraud malware.

-- Original story --

The actors behind the recent Yahoo! malvertising attack are still very much active and able to infect people who browse popular websites.

We have been tracking this campaign and noticed that it has recently moved to a new ad network used by many top publishers.

  • 121M visits per month
  • 61.8M visits per month
  • 49.9M visits per month
  • 6M visits per month
  • 3.6M visits per month
  • 3.2M visits per month
  • 1.8M visits per month

Stats according to

The malvertising is loaded via and includes a redirection to an Azure website. Note how both URLs are using HTTPS encryption, making it harder to detect the malicious traffic at the network layer.


Redirection chain

  1. Publisher’s website
  5. Angler Exploit Kit

Malwarebytes Anti-Exploit users were protected against this attack.

We informed the ad network and although they did not immediately get back to us, the rogue advert was taken down.


Jérôme Segura

Principal Threat Researcher