Guardio Labs tracked and analyzed a large-scale fake captcha campaign distributing a disastrous Lumma info-stealer malware that circumvents general security measures like Safe Browsing. Entirely reliant on a single ad network for propagation, this campaign showcases the core mechanisms of malvertising — delivering over 1 million daily “ad impressions” and causing thousands of daily victims to lose their accounts and money through a network of 3,000+ content sites funneling traffic. Our research dissects this campaign and provides insights into the malvertising industry’s infrastructure, tactics, and key players.

Through a detailed analysis of redirect chains, obfuscated scripts, and Traffic Distribution Systems (TDS) — in collaboration with our friends at Infoblox — we traced the campaign’s origins to Monetag, a part of ProepllerAds’ network previously tracked by Infoblox under the name “Vane Viper.” Further investigation reveals how threat actors leveraged services like BeMob ad-tracking to cloak their malicious intent, showcasing the fragmented accountability in the ad ecosystem. This lack of oversight leaves internet users vulnerable and enables malvertising campaigns to flourish at scale.