Malvertising hijacks legitimate adverts and converts them into delivery vehicles for malware agents. Compromised ads are hard to detect and appear in large quantities, making it tough to contain malicious ads before widespread infection results.

This article will explain what malvertising is. We will explore how malvertising attacks work, discuss some informative case studies, and suggest practical prevention strategies for web users and companies serving ads to customers.

Malvertising definition

Malvertising (or malicious advertising) injects malicious code into legitimate online ads. Ads delivered by digital ad networks appear safe. However, malicious code redirects users to attack websites that deliver malware or steal sensitive information.

Malvertising is virtually impossible for ordinary web users to detect. Ad networks and website owners also struggle to track infected ads and remove them from view. It is also highly profitable as many people view malicious ads, and detection risks are low.

What is the difference between malvertising and adware?

Let's start by clarifying an important difference. Malvertising is not the same as adware, and confusing the two cybersecurity concepts can compromise prevention efforts.

Malvertising involves adding malicious code to legitimate ads, while adware involves persuading victims to download and install software tools.

In malvertising, ads run normally on search engines, ad networks, or social media platforms. Users and the original advertiser do not know that the ad is malicious, at least from the surface appearance.

With adware, software sends ads to applications, gathers data about user activity, or directs users to vendor websites.

Typically, attackers distribute adware with legitimate tools. This may not be malicious. Software vendors often bundle adware with applications to deliver ads for partners or other products. However, adware is almost always deceptive and can be linked to malware attacks.

Another way to look at the difference is this: adware targets individuals and runs continuously on infected systems. Malvertising hides in ad creatives and infects visiting browsers or devices.

How malvertising works

Malvertising works by hijacking legitimate adverts and using them to distribute malicious code. In the process, messages from trusted brands become malicious ads.

Malvertising attacks exploit vulnerabilities in the digital environment. The digital economy relies on adverts to monetize user bases and traffic. However, ad exchanges often fail to secure servers or protect website visitors. With so many ads delivered yearly, small failures create significant security risks.

Cyber-attackers realize that ads are a critical vulnerability, using malicious advertising to capitalize on security flaws.

Many attacks begin when threat actors purchase or inject malicious ads via legitimate networks, without breaching servers.

Users clicking these ads are not directed to the brand's website. Instead, redirects send victims to a malicious website where hackers can implant malware or harvest user credentials.

If the redirect succeeds, attackers may persuade users to download infected files, or they can automate delivery via drive-by-download techniques.

Ads can also automatically deliver exploit kits. These kits scan user devices and networks to find ways to exploit vulnerabilities, opening the way to further attacks.

Examples of malvertising

Malvertising is an urgent real-world threat. A few quick examples of malvertising show that many high-profile companies have discovered this to their cost.

Yahoo

For example, in 2014, Yahoo experienced a malvertising campaign. Attackers injected malicious code into banner ads on the company's search and email services, delivering potentially harmful content to hundreds of millions of website visitors. Ad malware redirected users to fake web pages, which used the Neutrino exploit kit to deliver additional threats.

Storm-0408

More recently, Microsoft disclosed in 2025 that it was tracking a malvertising campaign known as Storm-0408.

According to Microsoft, Storm-0408 uses redirects embedded in streaming websites. These redirects send viewers to intermediary malicious websites, which forward them to GitHub. GitHub serves as the hub for delivering infostealer malware (not the legitimate software victims think they are downloading).

Sites like GitHub are increasingly popular with malvertising attackers due to their trustworthy reputations and openness. GitHub repositories pass security tests that other domains may fail, allowing redirects to work around security filters.

BatLoader

Malvertising attacks have also exploited the demand for AI-generation tools. In 2023, a collective called BatLoader ran ads on Google searches impersonating ChatGPT and Midjourney. Instead of directing to AI tools, malicious code injected the Redline Stealer onto target devices, enabling data theft attacks.

Attacks like BatLoader and Storm-0408 show that malvertising is on the rise, adaptable, and capable of exploiting changing customer trends. As long as we depend on digital ads, malicious ads will thrive, and companies will need prevention measures.

How to prevent malvertising

The size and dynamic nature of the online advertising sector make preventing malvertising attacks extremely challenging. However, drive-by malware downloads can lead to network breaches, ransomware attacks, and data theft. Companies must do whatever they can to minimize malvertising risks.

Strategies for preventing malvertising

Preventing ad malware has two aspects: avoiding malvertising while using the web, and safeguarding web content against malicious ads.

From a user perspective, preventing malvertising relies on malware detection, content blocking, and secure browsing. Here are some tips to achieve those aims.

Using ad blockers to block unwanted content

Use reputable ad blockers to reduce exposure to malicious ads, recognizing that they cannot guarantee complete prevention. Some sites (such as YouTube) prevent the use of ad blockers. However, most business-oriented sites will allow you to stop ads without compromising access.

Using updated antivirus software

You may not be able to block all ads on all devices. In that case, antivirus software provides an insurance policy. Reliable antivirus tools prevent malware by detecting malicious code and blocking downloads. Scanning applies to web browsing, in-app ad delivery, and email clients.

However, remember that updating anti-malware tools is critical. Malvertising threats evolve continuously. Infrequently updated antivirus tools may fail to identify ad malware that they previously detected successfully.

Secure your web browser

Malvertising exploits weaknesses in browsers like Chrome or Firefox. Updating browsers and critical extensions regularly is essential.

Additionally, browsers should only enable click-to-play plugins that request user consent before execution. Disable pop-ups where possible, enable native ad-blocking tools, and disable third-party tracking cookies where this is practical.

Browser extensions also help prevent malvertising. For example, script blockers detect and neutralize malicious code. However, a good rule of thumb is to minimize the number of installed extensions as this reduces the attack surface.

Use Web Protection to strengthen your defenses

Web Protection works alongside secure browsers, creating a layered defense against malvertising attacks. For example, NordLayer's Threatblock tools automatically block malicious content, including pop-ups or self-executing files.

Threat Protection also draws on global threat intelligence databases, detecting websites listed as known threats. Security teams can implement threat protection centrally, extending security policies to all network devices.

With these security technologies, companies can block malvertising threats even if users click on unsafe ads or initiate malware downloads.

Train staff to understand how malvertising works

Malvertising is a deceptive threat, but many incidents are avoidable if your workforce understands the risks. Integrating malvertising into routine cybersecurity training is critically important. Moreover, it does not need to be complicated. For example, anti-malvertising training could include:

  • Teaching users to avoid pop-up and banner ads.
  • Hovering over links in ads to verify the redirect is legitimate.
  • Following acceptable web content policies and avoiding unapproved websites when using company devices.
  • Exercising caution when redirected to third-party websites and rejecting unwanted downloads.
  • Reporting suspicious redirects to security teams.

Protecting web assets against malvertising attacks

The second dimension of preventing malvertising involves the websites or ad exchanges that publish infected ads. Companies that deliver ads to users need robust measures to protect online ads against corruption. Here are some best practices to achieve this critical goal.

Assess third-party ad providers before accepting their services

Never accept advertising without screening ad networks first. Check that ad providers have content screening systems to detect tampering and server intrusions. Prioritize providers that use ad tagging and threat intelligence to proactively counter malvertising. Avoid ad providers that don't have a robust policy to protect their assets.

Scan online ads before serving them

Companies can also scan ads served to their websites before providing them to site visitors. Use scanning tools to detect malicious scripts, unauthorized redirects, or malware signatures from known threat databases.

Employ sandboxing to quarantine suspicious ads for further testing. This helps you contain malvertising threats before malware spreads to hundreds or thousands of customers.

Sanitize ads by removing vulnerable code

If you create advertising content for syndication or use on your web assets, employ secure coding practices and security controls to protect ad code. Avoid self-executing elements, use updated libraries without known exploit vulnerabilities, and automate ad testing to ensure consistency.
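The pre-serve scan and the "no self-executing elements" rule described above can be combined into one static check on a creative's HTML. The sketch below is an added example, not code from the original article or from any vendor it mentions; the allowlisted hosts, the finding names, and the sample creatives are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts this creative may load from or link to.
APPROVED_HOSTS = {"cdn.example-adnet.test", "www.example-brand.test"}
URL_ATTRS = {"src", "href", "action", "data", "formaction"}

class CreativeScanner(HTMLParser):
    """Collects (kind, detail) findings for one ad creative's HTML."""

    def __init__(self, approved):
        super().__init__()
        self.approved = approved
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Walk the raw attribute list so duplicated attributes are all checked.
        pairs = [(name, (value or "").strip()) for name, value in attrs]
        if tag == "script" and "src" not in {name for name, _ in pairs}:
            self.findings.append(("inline-script", tag))
        for name, value in pairs:
            if name.startswith("on"):  # inline event handlers run script from markup
                self.findings.append(("inline-handler", f"{tag}[{name}]"))
            elif name == "http-equiv" and value.lower() == "refresh":
                self.findings.append(("meta-refresh", tag))
            elif name in URL_ATTRS:
                url = urlparse(value)
                if url.scheme.lower() in ("javascript", "data"):
                    self.findings.append(("inline-url", f"{tag}[{name}]"))
                elif (url.hostname or "").lower() not in self.approved:
                    # Relative URLs have no host and are flagged too (fail closed).
                    self.findings.append(("unapproved-host", value))

def scan_creative(html, approved=APPROVED_HOSTS):
    scanner = CreativeScanner(approved)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def verdict(html):
    # Any finding sends the creative to quarantine for sandboxed review.
    return "quarantine" if scan_creative(html) else "serve"

# Constructed sample creatives (not taken from any real campaign).
CLEAN = ('<a href="https://www.example-brand.test/offer">'
         '<img src="https://cdn.example-adnet.test/banner.png"></a>')
TAMPERED = (CLEAN.replace('.png">', '.png" onload="go()">')
            + '<script src="https://static.unknown-host.test/t.js"></script>'
            + '<meta http-equiv="refresh" content="0;url=https://landing.unknown-host.test/">')
```

A static pass like this only sees what is in the markup at scan time, so it complements sandboxed testing of the rendered ad and does not replace it.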

Protect your online assets against malvertising threats

Malvertising attacks turn harmless ads into dangerous criminal threats. And they often do so with little warning. As the Yahoo example shows, companies can serve malware-infected ads to thousands of customers before detecting a problem. Prevention strategies are essential.

As we have seen, companies serving ads should verify the security measures ad providers use and scan for malware regularly. Companies should also protect employees browsing the web via antivirus software, ad blockers, and other threat protection tools. That way, even if you click on compromised ads, protective measures should prevent security incidents.