{
	"id": "5c643f59-925d-4742-9e5f-23374553b255",
	"created_at": "2026-04-06T00:08:10.873832Z",
	"updated_at": "2026-04-10T03:20:57.340585Z",
	"deleted_at": null,
	"sha1_hash": "6b9ec60c1e26f40948f1a801f666103d8c71ba52",
	"title": "Major malvertising campaign spreads Kovter Ad Fraud malware | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3205742,
	"plain_text": "Major malvertising campaign spreads Kovter Ad Fraud malware |\r\nMalwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2015-01-07 · Archived: 2026-04-05 13:33:28 UTC\r\nLast year was a busy year for malvertising with top rank ad networks such as Google’s DoubleClick caught in\r\nlarge scale attacks, and popular sites unwillingly infecting their visitors because of malicious advertisements.\r\nAnd 2015 is getting off to a rough start as well.\r\nAs Nick Bilogorskiy from Cyphort reported earlier this week, a campaign has been wreaking havoc on sites\r\ngenerating much Internet traffic.\r\nThese attacks are the work of the Kovter gang which has been busy hitting major other players (ie. YouTube)\r\nduring the past year. We tracked this particular campaign as well and have observed several high level domains\r\nbeing victim of malvertising with a combined monthly traffic of 1.5 billion visitors.\r\nPeople surfing with outdated plugins or browser get infected through a ‘drive-by download’ attack that turns their\r\nPCs into bots participating in Ad Fraud.\r\nAffected sites\r\nDomain name Alexa rank* Monthly traffic**\r\nnews.yahoo.com 65 527\r\nhuffingtonpost.com 88 248\r\naol.com 156 218\r\nweather.com 159 138\r\nsports.yahoo.com 187 188\r\ntmz.com 454 43\r\nnydailynews.com 609 46\r\ntagged.com 611 58\r\nchron.com 736 31\r\nmatch.com 826 35\r\nlegacy.com 1537 22\r\nhttps://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/\r\nPage 1 of 5\n\nstartribune.com 3648 5\r\n123greetings.com 3854 12\r\ngaiaonline.com 4462 2\r\nbeforeitsnews.com 4553 7\r\nintellicast.com 4681 13\r\nmom.me 6515 4\r\ncenturylink.net 6580 8\r\nrent.com 12582 2\r\nentertainment.verizon.com 12667 3\r\nwindstream.net 12802 3\r\ntwincities.com 17457 2\r\nwebmail.comcast.net N/A N/A\r\nwebmaila.juno.com N/A 3\r\n* Alexa rank based on Alexa.com data. 
Subdomains’ rank checked against SimilarWeb.com. ** Estimated monthly traffic in millions, according to SimilarWeb.com data.\r\nAd networks\r\nadvertising.com\r\nadtech.de\r\ngooglesyndication.com\r\nIntermediate site\r\nfoxbusness.com (note the missing letter: a lookalike of the legitimate foxbusiness.com, not the real site)\r\n\"domain\"=\u003e\"foxbusness.com\", \"resolv\"=\u003e[\"176.9.251.252\"], \"port\"=\u003e\"443\", \"uri\"=\u003e\"/?serve\u0026id=1347\u0026log=2\r\nReferrers\r\nExamples of direct referrers (IP address: 162.247.13.70 – Canada)\r\nuhupa.econsumerproductexposed.swidnica.pl/1141843503/c5893070b1e9a472d191ceb6b65e2d472bfc0e4c choim.v\r\nExploit Kit (Sweet Orange)\r\nExamples of Exploit Kit landing pages (IP address: 195.138.246.17 – Germany)\r\nforex.dsantanderbillpayment.pruszkow.pl/download/page.php?vendor=228376\u0026products=105122\u0026smiles=18\u0026bac\r\nSweet Orange landing page source code\r\nThe vulnerability exploited was CVE-2014-6332, the Windows OLE Automation array remote code execution bug that Microsoft patched in MS14-064 (November 2014); Internet Explorer was the target, so only visitors running an unpatched browser were infected.\r\nMalwarebytes Anti-Exploit blocks this attack:\r\nPayload\r\nThe payload, Kovter, gets dropped in the Temp folder:\r\n“C:\\Users\\{username}\\AppData\\Local\\Temp\\repfix.exe”\r\nThe payload is VM-aware and also checks for debuggers and other security tools. 
One way to tell whether the sample ran properly is whether it deletes itself after execution. In other words, a sample that is still on disk after running in a sandbox indicates that the sandbox was detected, not that the run failed.\r\nVM, or security tools present on a real PC:\r\nthe sample does not delete itself\r\nPOST request in this format (domain may change): a16-kite.pw/form2.php\r\nReal machine, no security tools:\r\nthe sample deletes itself\r\nPOST request in this format (domain may change): a16.car.biz/11/form.php\r\nWe analyzed this on a real machine, capturing the traffic with Wireshark on a separate laptop rather than on the infected host, so the monitoring was completely transparent to the malware. That allowed us to see what it really is: ad fraud, and not ransomware as reported earlier by other sites.\r\nShortly after, the flood of ad fraud requests begins:\r\nVideo: http://youtu.be/LlOZyyEumg4\r\nAd fraud, also called click fraud, accounts for a large part of the billion-dollar ad industry. Ad fraud malware essentially simulates a user visiting pages that carry adverts, so that the impressions pass as legitimate views. All these requests are made in the background and game the system while the victim is none the wiser.\r\nMalwarebytes Anti-Malware already detects and blocks this threat:\r\nMalvertising to remain one of the top threats in 2015\r\nAs we said in our end-of-year report, malvertising is a huge issue that affects a wide range of people. 
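The two behaviours described in the Payload section above (the check-in POST to a form2.php or form.php URI, whose domain may change, and the background flood of ad requests on a clean machine) turned into triage logic over a proxy log, together with a check for the drop path, as an added example that is not part of the original post. The ad-network hosts, the two check-in URIs and the repfix.exe location are the ones named above; the five-field log format, the sample log lines, the 60-second window and the 20-request threshold are assumptions made here.

```python
# Added example (not from the Malwarebytes post): triage of a proxy log for
# the two Kovter behaviours the analysis above describes, plus a check for
# the drop path. Thresholds and the log lines are assumptions made here.
from collections import defaultdict
from pathlib import PureWindowsPath

# Check-in URIs from the analysis: /form2.php when the sample sees a VM or
# security tools, /11/form.php on a clean machine. The post says the domain
# may change, so matching on the URI suffix instead is an assumption here.
BEACON_SUFFIXES = ('/form.php', '/form2.php')

# Ad networks named in the post. Treating a burst of requests to them as
# the background ad-fraud flood is a heuristic added here, not the post's.
AD_HOSTS = {'advertising.com', 'adtech.de', 'googlesyndication.com'}

# Constructed proxy log: epoch seconds, client, method, host, path.
# 10.0.0.5 is an ordinary visitor; 10.0.0.7 ran the sample in a sandbox
# (form2.php variant); 10.0.0.9 is a real victim whose sample then floods.
SAMPLE_LOG = '''
1420588800 10.0.0.5 GET news.yahoo.com /
1420588801 10.0.0.5 GET googlesyndication.com /pagead/show_ads.js
1420588802 10.0.0.5 GET advertising.com /banner.js
1420588830 10.0.0.7 GET news.yahoo.com /
1420588831 10.0.0.7 POST a16-kite.pw /form2.php
1420588900 10.0.0.9 POST a16.car.biz /11/form.php
'''


def parse_log(text):
    # One record per line; hosts are lower-cased so matching is case-insensitive.
    records = []
    for line in text.strip().splitlines():
        ts, client, method, host, path = line.split()
        records.append({'ts': int(ts), 'client': client, 'method': method,
                        'host': host.lower(), 'path': path})
    return records


# Thirty ad-network hits in thirty seconds from the real victim: constructed
# to mimic the request flood seen in the capture described above.
FLOOD = [{'ts': 1420588901 + i, 'client': '10.0.0.9', 'method': 'GET',
          'host': sorted(AD_HOSTS)[i % 3], 'path': '/serve?slot={}'.format(i)}
         for i in range(30)]

SAMPLE_RECORDS = parse_log(SAMPLE_LOG) + FLOOD


def find_beacons(records):
    # Kovter check-in: a POST whose URI ends in form.php or form2.php.
    return [(r['client'], r['host'], r['path']) for r in records
            if r['method'] == 'POST' and r['path'].endswith(BEACON_SUFFIXES)]


def find_ad_floods(records, window=60, threshold=20):
    # Per client, the largest number of ad-network GETs inside any sliding
    # window of the given length; clients at or above threshold are returned.
    stamps_by_client = defaultdict(list)
    for r in records:
        if r['method'] == 'GET' and r['host'] in AD_HOSTS:
            stamps_by_client[r['client']].append(r['ts'])
    floods = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        peak = start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[client] = peak
    return floods


def is_kovter_drop_path(path):
    # Drop location from the post: {user profile}/AppData/Local/Temp/repfix.exe.
    # PureWindowsPath accepts either slash style, so callers can pass a path
    # exactly as a Windows tool reports it.
    p = PureWindowsPath(path)
    tail = tuple(part.lower() for part in p.parent.parts[-3:])
    return p.name.lower() == 'repfix.exe' and tail == ('appdata', 'local', 'temp')


def triage(records):
    return {'beacons': find_beacons(records), 'floods': find_ad_floods(records)}


if __name__ == '__main__':
    result = triage(SAMPLE_RECORDS)
    for client, host, path in result['beacons']:
        print(f'check-in from {client} to {host}{path}')
    for client, count in result['floods'].items():
        print(f'ad flood from {client}: {count} ad-network requests in 60s')
    print(is_kovter_drop_path('C:/Users/alice/AppData/Local/Temp/repfix.exe'))
```

Run it directly to print the findings for the constructed log, or import it and call triage() on records parsed from a real proxy log in the same five-field shape. A sandbox whose egress shows the form2.php variant has been fingerprinted by the sample, which is the network-side counterpart of the file not deleting itself. The beacon match is deliberately domain-agnostic because the post notes the domain changes; the flood threshold is a starting point to tune against your own baseline of ad-network traffic per client.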
End users are affected, of course, but so are advertisers and publishers, who have to fight to defend their legitimacy.\r\nCybercriminals will likely continue to hijack ad networks with malicious code and pocket the dividends from hundreds of thousands of successful infections.\r\nThis particular campaign is likely to migrate to other controllers or evolve into something else now that it is public and the affected parties are cleaning up and securing their systems.\r\nMalwarebytes Labs will continue to monitor the situation and update you on any new developments.\r\nSpecial thanks to JP Taggart for providing the external recording system.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/"
	],
	"report_names": [
		"major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors"
	],
	"threat_actors": [],
	"ts_created_at": 1775434090,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b9ec60c1e26f40948f1a801f666103d8c71ba52.pdf",
		"text": "https://archive.orkl.eu/6b9ec60c1e26f40948f1a801f666103d8c71ba52.txt",
		"img": "https://archive.orkl.eu/6b9ec60c1e26f40948f1a801f666103d8c71ba52.jpg"
	}
}