{
	"id": "c13d1452-6e78-46a5-be04-26c2d2553677",
	"created_at": "2026-04-10T03:20:33.31826Z",
	"updated_at": "2026-04-10T13:11:31.198716Z",
	"deleted_at": null,
	"sha1_hash": "337fb5aee0f4a636b85c1224a4705f48a832f671",
	"title": "“DeceptionAds” — Fake Captcha Driving Infostealer Infections and a Glimpse to the Dark Side of Internet Advertising",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8653900,
	"plain_text": "“DeceptionAds” — Fake Captcha Driving Infostealer Infections\r\nand a Glimpse to the Dark Side of Internet Advertising\r\nBy Nati TalDecember 16, 2024•17min read\r\nPublished: 2024-12-16 · Archived: 2026-04-10 03:03:42 UTC\r\nThe Fake-Captcha Lumma Stealer Campaign\r\nFor several weeks, a large-scale deceptive campaign has leveraged a cunning technique: tricking users into\r\ninstalling dangerous stealer malware via a captcha verification page. This seemingly legitimate captcha page\r\nappears unexpectedly as you browse a content site, perfectly mimicking a real verification process. It asks you to\r\nconfirm you’re human through a series of keyboard clicks, which ultimately trigger the Run dialog on your\r\nWindows system. Unknowingly, you paste and execute a cleverly crafted PowerShell command, instantly\r\ninstalling stealer malware that targets your social accounts, banking credentials, passwords, and personal files.\r\nVicious, effective, and dangerously evasive!\r\nDespite recent news coverage, the question remains: How does a fake captcha suddenly appear, tricking\r\nunsuspecting users into executing a malicious PowerShell command under the guise of verifying their human\r\nhttps://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6\r\nPage 1 of 22\n\nidentity? What keeps this campaign not only active but thriving?\r\nThe fake captcha flow — forcing site visitors to unknowingly execute a PowerShell command\r\nWhat are we overlooking? It’s not solely the clever disguise of captcha imitation that marks the success of this\r\ncampaign. The real concern lies in how this perilous page makes its way onto our screens. The answer is\r\nmalvertising — malvertising on steroids. 
This initial deceit is just the surface; the ad network’s underlying\r\nmechanics reveal a darker, more complex web of digital threats.\r\nAd-Networks As Enablers\r\nSince the early days of the internet, advertising has been a cornerstone, growing increasingly vital over the years.\r\nFor instance, in 2023, almost 70% of Google’s revenue stemmed from advertisements, highlighting the lucrative\r\nnature of this industry.\r\nHowever, the ad tech industry has also taken a darker turn, becoming a prominent channel for malicious activities.\r\nExamples abound, from fake e-commerce sites advertised on Facebook to deceptive “Download” buttons that\r\ndeliver unexpected software and even rogue sponsored results in Google.\r\nThe responsibility often falls on Ad Networks. These services form the link between advertisers seeking to sell\r\nproducts or services and website publishers looking to monetize available space. Ad networks handle the coding,\r\nanalytics, and management necessary for both parties.\r\nThe Ad-Network ecosystem — Publishers monetizing on ad zones and Advertisers seeking\r\nimpressions\r\nThe process is straightforward: website owners register with an ad network and receive code snippets to integrate into\r\ntheir sites, creating “Advertisement Zones.” These zones, when activated, direct traffic to the network’s Traffic\r\nDistribution System (TDS), which houses numerous domains and redirectors. The system then selects the most\r\noptimized advertisement to display based on visitor analysis, campaign budgets, and settings — all in\r\nmilliseconds. 
The advertisers focus on optimizing landing pages for conversion, while website owners collect their\r\nearnings.\r\nEvolving From Advertising to Malvertising Captchas\r\nAd networks have proven exceptionally successful; they are fine-tuned machines built from the ground up to\r\ndistribute traffic on a massive scale, from advertisers to internet users across a vast ecosystem of websites. But\r\nwhat happens when advertisers are replaced with threat actors? Yeah, you’re right—we get Malvertising.\r\nMany active ad networks are raising alarms with the content they distribute today. Although they don’t have sole\r\ncontrol or responsibility for this content, the overtly malicious intent and scale of the activities exploiting their\r\nnetworks are too significant to ignore or absolve them of all responsibility.\r\nA visitor activating an ad-placement process and the ad network selecting the target creative (good\r\nor bad)\r\nThe scenario above is a real-life example of how just three simple clicks on an ostensibly benign website can lead\r\nyou down an unexpected path—perhaps when you only want to watch a movie. But will you actually get to see\r\nthat movie? Unfortunately, that’s far from guaranteed…\r\nFake-Captcha’s Malvertising: End-2-End Analysis\r\nThis Fake Captcha campaign might be the holy grail case study of how ad networks fuel the mass distribution of\r\ntoday’s malicious activity. Analysis shows that all the traffic directed to fake captcha pages came from ad clicks—\r\nthus, this entire campaign is based on malvertising! But who is behind this ad network abuse?\r\nUpon examining the ad-related scripts embedded on these sites, it became clear that they originate from a single\r\nad network service. 
These scripts lead to thousands of domains that have odd names but share common parameters.\r\nThrough a detailed examination of DNS fingerprints, server IPs, and locations, we linked these domains to\r\n“Omnatuor/Vane Viper” — a threat actor previously discovered and since tracked by our friends at Infoblox.\r\nNotably, this isn’t the first instance of this ad network being associated with the distribution of malicious content.\r\nSurprised?\r\nExample of a full fake captcha malvertising attack flow including all services in use\r\nIn collaboration with Infoblox and through meticulous deobfuscation of JavaScript snippets responsible for\r\ntriggering ad events, we identified the ad network service responsible—Monetag. Monetag is a subsidiary of\r\nPropellerAds, a large ad network company based in Cyprus. As with Infoblox’s analysis, PropellerAds activity had\r\nalready come up on the radar of the cyber security community in the past.\r\nAnother crucial clue further in the flow is a redirect chain from a Monetag TDS domain to another unique URL\r\npattern. This is yet another TDS from a specific service called BeMob, an advertisement tracking service, as we\r\nrealized quite quickly from the DNS’s A-Records pattern ( xxxx.bmtrck.com ) that is shared by all those domains:\r\nRevealing the TDS behind the fake captcha cloaking mechanism via DNS records\r\nAd tracking, like BeMob provides, is quite a common service for ad campaigns. Although one might think the threat\r\nactor would like to track and optimize their “advertisement” campaign via a service like this — this is not the case\r\nhere. It is used solely for cloaking. 
By supplying a benign BeMob URL to Monetag’s ad management system\r\ninstead of the direct fake captcha page, the attackers leveraged BeMob’s reputation, complicating Monetag's\r\ncontent moderation efforts. We’ve seen this practice many times in the past and in various variants, just like\r\nMasquerAd-ing on Google.\r\nCloaking in action — Moderator sees a benign creative seemingly changed to malicious upon\r\nactivation\r\nThis BeMob TDS finally redirects to the malicious captcha page, hosted on services like Oracle Cloud, Scaleway,\r\nBunny CDN, EXOScale, and even Cloudflare’s R2 itself! What would Alanis Morissette say about that?!\r\nA Cloudflare-themed fake captcha page hosted on… Cloudflare R2 storage!\r\nThe ability to propagate at scale using an ad network and cloaking their intent using yet another ad service allows\r\nthis campaign to gain traction and keep on going. Moreover, the malicious pages are frequently updated with new\r\nvariants to evade detection. These use different PowerShell one-liners, different script obfuscation to copy the\r\nPowerShell script to the clipboard, as well as changes in visual design:\r\nThe JS snippet on fake captcha page copying the malicious PowerShell one-liner to clipboard\r\nAnother JS snippet variant introduced later on, trying (unsuccessfully) to hide its real intent\r\nThe numbers are quite astonishing. Over just the past ten days, our analysis estimated up to 1M “ad impressions”\r\nper day, arriving from around 3000+ publisher sites. 
Some use the popup script that creates new tabs on any click,\r\nand some are designed from the ground up to redirect users to “direct links” — a special URL provided by\r\nMonetag to trigger an ad event.\r\nAs we delve deeper into the distribution method known as malvertising, it becomes clear how intricate\r\nand complicated the fake captcha campaign truly is. Yet, the core operations heavily rely on the ad\r\nnetwork — essentially, their standard business practice is transformed for malicious use.\r\nThis investigation sets the stage for a deeper exploration of the ad network’s ecosystem. How have they cultivated\r\nsuch a robust, active network of publishers in the first place? Let’s start with analyzing what stands behind the\r\nscenes of this distribution ecosystem…\r\nThe Publishers: Pirated Content and Click-Baits\r\nAn ad network is only as effective as its funnel of users. With Monetag’s vast catalog of publishers, the “infection\r\nchain” begins with a plethora of websites. Yet, most of them share some characteristics that raise questions about\r\ntheir nature and origin.\r\nIn our analysis, we identified approximately 3,000 publisher sites actively using Monetag ad-zone scripts in the\r\nlast ten days. These scripts track visitors and trigger intrusive actions such as push notifications and new tab pop-ups. For instance, the anime site “hianime[.]to” alone garnered over 100k+ unique visits last month. Looking at\r\nthe overall list shows interesting classifications that can teach us a lot about this activity:\r\nMonetag’s Publisher sites in the past 10 days by categories perc. of total combined traffic\r\nVisitors seeking anything from streaming videos to downloading academic documents inadvertently land on these\r\nsites. 
A simple search like “ stream anime ” can lead directly to these cloned sites, prominently positioned in\r\nGoogle search results due to aggressive SEO (Search Engine Optimization):\r\nA real example of powerful SEO - First Google Search results pointing to a Monetag-enabled site\r\nBut the machinations don’t stop there. Monetag also promotes the use of direct links, which circumvent the need\r\nfor a website entirely. Imagine the myriad ways to deploy these links: social media posts, instant messages,\r\ndeceptive website buttons, or even ad-ware attacks that forcibly open browser windows on your system without\r\nyour acceptance.\r\nSocial click-baits on Facebook and X pointing to Monetag’s direct links\r\nVirusTotal: Monetag’s TDS domains direct link to Android/Desktop adware as well as Propeller-Ads infra\r\nSo, who operates these sites? Are they legitimate businesses or mere facades for illicit earnings? While no\r\ndefinitive evidence proves the latter, the uniformity across many sites suggests a coordinated effort. Many\r\nwebsites, appearing unique at first glance, share identical content and layouts, either translated or slightly\r\ntweaked:\r\nCopy-Paste Content Site Kits for Streaming\r\nPublic repositories on GitHub even offer ready-to-deploy website templates that require only the insertion of ad\r\nscript codes:\r\nExample of a repo providing several streaming site kits with ready-to-go Monetag integrations\r\nThere are so many streaming websites offering the latest movies — some of which have not even been released\r\nyet! 
And all this clickbaity content is offered to you free of charge.\r\nIf you want to get even more conspiratorial, you can argue that this entire ecosystem of publisher sites is fueled by\r\nthe ad network itself, providing site templates, SEO optimizations, and maybe even the content itself, like pirated\r\nmovies and live sports game streams. We are not saying this is the case, but one should judge for themselves:\r\nLook at this “service” offering a ready-to-use video player loaded with unlimited movies that integrate seamlessly\r\ninto any site. Under the hood, this video player iframe uses Monetag ad scripts to monetize this traffic directly\r\nfrom the ad network:\r\nOnline service providing unlimited video libraries in an iframe —with integral Monetag\r\nmonetization\r\nThis service’s ubiquity across multiple web pages (and site templates ready to deploy as mentioned above)\r\nsuggests a systematic strategy to amplify traffic and, consequently, ad revenue.\r\nDouble the fun — both video service as well as the content site monetize on Monetag\r\nHa, and what about sites that never intended to monetize their content, not to say, to infect their visitors with\r\nstealers? A branch of the publishers’ ecosystem is just compromising WordPress sites (and others, of course) to\r\ninject their Monetag scripts directly in there. Talking about passing the buck….\r\nReflecting on the broader scope, the scale of potential manipulation and malvertising becomes even more daunting\r\nif we consider all other active ad networks combined. 
The statistics are so against us — if you look for content,\r\nyou will probably land on a shady ad network-enabled website quite instantly…\r\nA Mind Game of Plausible Deniability\r\nIn such campaigns, responsibility is fragmented among numerous parties — each playing a role yet avoiding full\r\naccountability. From the threat actor (the ad network customer) to everyday internet users (the victims), a single\r\nad click sets off a chain reaction involving multiple service providers, domains, servers, and stakeholders — all\r\nwithin milliseconds:\r\nThe chain of responsibility — how a malvertising campaign abuses the entire ads eco-system\r\nSo, who is to blame? Who is turning a blind eye, acting irresponsibly, or perhaps even complicit? The reality is\r\nthat responsibility is widely shared, but each player in this ecosystem has a convenient excuse:\r\nThe Ad Network claims it cannot moderate the creative content because it’s cloaked behind an ad statistics\r\nservice. Yet, moderation post-approval, not just during initial configuration, is entirely possible.\r\nThe Ad Tracking Service argues it’s merely an analytics tool, leaving the advertiser and ad network\r\nresponsible for the creative. 
With cloaking techniques, the advertiser can swap the creative after approval,\r\navoiding detection.\r\nThe Publishers insist they’re simply monetizing their websites via third-party services like ad networks,\r\ndistancing themselves from the malicious creatives delivered to their visitors.\r\nThe Hosting Services that provide the infrastructure for these malicious pages largely claim ignorance.\r\nBut are they also part of the willful negligence that perpetuates this ecosystem?\r\nThis fragmented chain of ownership creates a perfect storm of plausible deniability, making it\r\nexceptionally difficult to pinpoint and enforce accountability. It’s a system designed to shift blame\r\nwhile allowing malicious campaigns to thrive.\r\nResponsible Disclosure\r\nWe reached out to Monetag and BeMob, disclosing all IOCs associated with their TDSs, and both acted to stop the\r\ncampaign’s propagation. Monetag, the primary propagation channel abused for this campaign, responded on\r\nNovember 28th, 2024, removing over 200 accounts linked to the threat actor. While this action effectively halted\r\nthe campaign on their platform, it took eight days from our initial disclosure to implementation. Similarly, BeMob\r\nresponded within four days, removing accounts used for cloaking. These swift actions highlight how quickly a\r\nmajor malvertising campaign can be dismantled when taken seriously.\r\nApprox. Fake Captcha page views in the past 2 weeks: Disclosure Milestones\r\nWe appreciate Monetag and BeMob’s prompt responses and willingness to act decisively. However, this campaign\r\nunderscores the need for stronger proactive measures. Ad networks must prioritize ongoing content moderation,\r\nrobust account validation to prevent fake registrations, and more accessible reporting mechanisms for the\r\ncybersecurity community. 
Waiting for external reports to address such abuses is not enough. These systems\r\nrequire continuous oversight to protect not just their clients but all internet users.\r\nMonetag shared valuable insights about the threat actor’s abuse of their network, including the use of falsified\r\ndocuments and hundreds of fraudulent accounts. Their official response is included below:\r\n“At Monetag, we take the security of our network, publishers, and users extremely seriously. Upon\r\nidentifying malicious activities, we acted swiftly to ban over 200 accounts linked to the abuse. We\r\nremain committed to strengthening our defenses, working collaboratively with researchers like Guardio,\r\nand refining our processes to minimize abuse on our platform. The safety and integrity of our\r\necosystem are paramount, and we will continue investing in measures to mitigate threats effectively.”\r\n(Monetag)\r\nLastly, if you noticed something curious in the activity graph above - you’re not mistaken. The campaign may\r\nhave paused for a few days, but its value to the threat actors proved too enticing to abandon. They’re back — this\r\ntime leveraging both Monetag once again as well as other ad networks. Rest assured, we’ll continue monitoring\r\nand addressing this evolving threat:\r\nApprox. Fake Captcha page views in the past 2 weeks: downtime and resurrection\r\nFinal Thoughts\r\nFrom deceptive publisher sites offering pirated or clickbait content to complex redirect chains and cloaking\r\ntechniques, this campaign underscores how ad networks, designed for legitimate purposes, can be weaponized for\r\nmalicious activities. 
The result is a fragmented chain of responsibilities, with ad networks, publishers, ad statistics\r\nservices, and hosting providers each playing a role yet often avoiding accountability.\r\nThis fake captcha campaign is just one example that exposes the darker side of the internet’s advertising\r\necosystem. While advertising is a cornerstone of the modern internet, the same ecosystem now faces a significant\r\nconflict of interest — creating a security gap that leaves users vulnerable.\r\nAt Guardio, we continuously reveal, track, and analyze attack vectors exploiting foundational internet traffic\r\nsystems, with ad networks being a prominent example. The takeaway is simple: be cautious of websites offering\r\nFREE content you would otherwise pay for. As we always say — there’s no such thing as a free gift on the\r\ninternet.\r\nIOCs\r\nFake Captcha Pages:\r\nBeMob campaign URLs used for Cloaking:\r\n50 Most Active Publisher Domains Monetizing via Monetag:\r\nSource: https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.guard.io/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6"
	],
	"report_names": [
		"deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6"
	],
	"threat_actors": [],
	"ts_created_at": 1775791233,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/337fb5aee0f4a636b85c1224a4705f48a832f671.pdf",
		"text": "https://archive.orkl.eu/337fb5aee0f4a636b85c1224a4705f48a832f671.txt",
		"img": "https://archive.orkl.eu/337fb5aee0f4a636b85c1224a4705f48a832f671.jpg"
	}
}