{
	"id": "1f05f2a3-c159-41d7-9e7b-dd526c39d62e",
	"created_at": "2026-04-06T00:16:31.382086Z",
	"updated_at": "2026-04-10T13:12:20.012588Z",
	"deleted_at": null,
	"sha1_hash": "67c1614bbe85930f547363e7a432135c780166c4",
	"title": "The Magala Trojan Clicker: A Hidden Advertising Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 262644,
	"plain_text": "The Magala Trojan Clicker: A Hidden Advertising Threat\r\nBy Sergey Yunakovsky\r\nPublished: 2017-07-12 · Archived: 2026-04-05 14:21:16 UTC\r\nOne large group will slowly conquer another large group, reduce its numbers, and thus lessen its chance\r\nof further variation and improvement. \u003c…\u003e Small and broken groups and sub-groups will finally tend\r\nto disappear.\r\nCharles Darwin. ‘On the Origin of Species’\r\nThe golden age of Trojans and viruses has long gone. Malicious programs created by enthusiasts for research\r\npurposes and for fun are now largely confined to history books and dusty computer incident reports. They have\r\nbeen replaced by programs that put a heavy emphasis on making money.\r\nIf we ignore targeted attacks prepared by professionals for very specific purposes, what sort of malware do we\r\nmost often hear about today? Encryption malware and DDoS botnets made up of IoT devices. Both types are\r\nprofitable for cybercriminals and relatively easy to implement. However, they are not the only types of malware\r\ncapable of generating cash; we mustn’t overlook a third particularly numerous borderline malware family that\r\nincludes advertising bots and modules, and partnership programs – all of which is typically referred to as\r\npotentially unwanted adware/potentially unwanted programs (PUA/PUP). They are borderline because there is a\r\nfine line between classifying a program as adware and defining the same program as an outright Trojan. In this\r\npaper, we will deal with one such renegade that has gone well beyond the limits of ‘fair play’ when it comes to\r\nadvertising.\r\nThe malware in question is detected by Kaspersky Lab products as Trojan-Clicker.Win32.Magala.\r\nOperating algorithm\r\nMagala falls into the category of Trojan Clickers that imitate a user click on a particular webpage, thus boosting\r\nadvertisement click counts. 
It’s worth pointing out that Magala doesn’t actually affect the user, other than\r\nconsuming some of the infected computer’s resources. The main victims are those paying for the advertising;\r\ntypically they are small business owners doing business with unscrupulous advertisers.\r\nThe first stage of infection involves the Trojan checking which version of Internet Explorer is installed and\r\nlocating it in the system. If it’s version 8 or earlier, the Trojan won’t run. So, if you still have this version on your\r\ncomputer, there’s nothing to worry about.\r\nhttps://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/\r\nPage 1 of 8\n\nChecking the version of Internet Explorer, virtual desktop initialization.\r\nIf the desired version of Internet Explorer is found, then, unbeknown to the user, a virtual desktop is initialized.\r\nAll further activities are performed here. After that a sequence of utility operations is run (something that is typical\r\nfor this malware family): autorun is set up, a report is sent to a hardcoded URL, and the required adware is\r\ninstalled. To interact with the content of an open page, Magala uses IHTMLDocument2, the standard Windows\r\ninterface that makes it easy to work with the DOM tree. 
The Trojan uses it to load the MapsGalaxy Toolbar, install it on the\r\nsystem and add the site hxxp://hp.myway.com to the system registry (also associated with MapsGalaxy) so that it\r\nbecomes the browser’s home page.\r\nA simple check is incorporated into the Trojan to find out if the search bar has already been installed – this is done\r\nwith the help of the appropriate registry branch.\r\nMagala then contacts the remote server and requests a list of search queries for the click counts that need to be\r\nboosted.\r\nReceiving the list of search queries\r\nThis list is sent ‘as is’, in a plain text file with lots of strings.\r\nList of search queries\r\nUsing this list, the program begins to send the requested search queries and click on each of the first 10 links in\r\nthe search results, with an interval of 10 seconds between each click.\r\nProfit margin\r\nAs far as we know, an average cost per click (CPC) in a campaign like this is 0.07 USD. The cost per thousand\r\n(CPM) comes to 2.2 USD. 
It should be noted that Trojan Clickers are certainly not the most popular way of selling\r\nadvertising: the method most in demand is the displaying of a set homepage, where each installation also costs\r\n0.07 USD.\r\nA botnet consisting of 1000 infected computers clicking 10 website addresses from each search result and\r\nperforming some 500 search requests with no overlaps in the search results could ideally mean the virus writer\r\nearns up to 350 USD from each infected computer. However, these cost estimates are only approximations, and\r\ndon’t typically occur in the real world. The costs of different requests may vary greatly, and the price of 0.07 USD\r\nper click is also an average value.\r\nPropagation statistics\r\nAs can be seen in the diagram below, Trojan-Clicker.Win32.Magala infections occur most often in Germany and\r\nthe US. This finding is corroborated by an analysis of the search requests for which the click numbers need to be\r\nboosted. These statistics were collected from March to early June 2017.\r\nConclusion\r\nPrograms belonging to the potentially unwanted adware class do not typically pose as much of a threat to the end\r\nuser as, say, encryption or banking malware does. However, there are two characteristic features to this malware\r\nclass which make it difficult to deal with. Firstly, there is the borderline functionality that blurs the lines between\r\nlegitimate and malicious software. It has to be clarified whether a specific program is part of a secure and legal\r\nadvertising campaign or if it is illegitimate software performing similar functions. 
A second important aspect of\r\nthis class – its sheer quantity – also means a fundamentally different approach to any analysis is required.\r\nMD5\r\nSource: https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/"
	],
	"report_names": [
		"78920"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434591,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67c1614bbe85930f547363e7a432135c780166c4.pdf",
		"text": "https://archive.orkl.eu/67c1614bbe85930f547363e7a432135c780166c4.txt",
		"img": "https://archive.orkl.eu/67c1614bbe85930f547363e7a432135c780166c4.jpg"
	}
}