{ "id": "3a394291-bef8-4e6c-819c-5143004e3d43", "created_at": "2026-04-06T00:17:26.651722Z", "updated_at": "2026-04-10T13:12:02.637981Z", "deleted_at": null, "sha1_hash": "c5f2a6cbd58c66e1455ceedc1e74b83167e0bdee", "title": "HookAds Malvertising Installing Malware via the Fallout Exploit Kit", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2236705, "plain_text": "HookAds Malvertising Installing Malware via the Fallout Exploit Kit\r\nBy Lawrence Abrams\r\nPublished: 2018-11-13 · Archived: 2026-04-05 18:58:32 UTC\r\nThe HookAds malvertising campaign has been active lately and redirecting visitors to the Fallout Exploit Kit. Once the kit is\r\nactivated, it will attempt to exploit known vulnerabilities in Windows to install different malware such as the DanaBot\r\nbanking Trojan, the Nocturnal information stealer, and GlobeImposter ransomware.\r\nHookAds is a malvertising campaign that purchases cheap ad space on low quality ad networks commonly used by adult\r\nweb sites, online games, or blackhat seo sites. These ads will include JavaScript that redirects a visitor through a serious of\r\ndecoy sites that look like pages filled with native advertisements, online games, or other low quality pages. Under the right\r\ncircumstances, a visitor will silently load the Fallout exploit kit, which will try and install its malware payload.\r\nYou can see an example of one of the decoy sites discovered last week by exploit kit expert nao_sec below.\r\nhttps://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nExample HookAds Decoy Site\r\nAccording to nao_sec, these two campaigns were discovered last week with one campaign being on November 8th that was\r\ndistributing the DanaBot password stealing Trojan and another campaign on November 10th that was installing the\r\nNocturnal stealer and the GlobeImposter ransomware.\r\nFiddler Traffic showing Redirects from HookAds campaign\r\nIf the redirected user is running Internet Explorer, the Fallout Exploit Kit will attempt to exploit the Windows CVE-2018-\r\n8174 VBScript vulnerability to install the payload.\r\nTherefore, it is very important that users make sure to have all available Windows security updates installed in order to\r\nprotect themselves from known vulnerabilities.\r\nhttps://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/\r\nhttps://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/" ], "report_names": [ "hookads-malvertising-installing-malware-via-the-fallout-exploit-kit" ], "threat_actors": [ { "id": "4f39c998-5861-4f35-ac24-095653a8b615", "created_at": "2023-01-06T13:46:38.836253Z", "updated_at": "2026-04-10T02:00:03.116935Z", "deleted_at": null, "main_name": "HookAds", "aliases": [], "source_name": "MISPGALAXY:HookAds", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434646, "ts_updated_at": 1775826722, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c5f2a6cbd58c66e1455ceedc1e74b83167e0bdee.pdf", "text": "https://archive.orkl.eu/c5f2a6cbd58c66e1455ceedc1e74b83167e0bdee.txt", "img": "https://archive.orkl.eu/c5f2a6cbd58c66e1455ceedc1e74b83167e0bdee.jpg" } }