Fake JQuery Campaign On the Rise For Ad Fraud And Malvertising


Some malware campaigns seemingly never stop; instead, they keep coming back again and again to prey on users. One such campaign, involving fake jQuery, has returned, and it now runs ad fraud schemes and malvertising.

Fake JQuery Campaign For Ad Fraud

Researchers from Malwarebytes have spotted another fake jQuery campaign in the wild. The fake jQuery campaign, which dates back to 2016, has once again gained momentum. This time, the campaign aims at malvertising and ad fraud.

Elaborating on their findings in a blog post, the researchers stated that the payload here focuses on monetizing through ads.

The matter caught the attention of Malwarebytes after another researcher, who goes by the alias ‘Placebo’, highlighted it in his tweet.


By searching the domains mentioned in this tweet on PublicWWW, the researchers could find thousands of domains infected with the malicious script. When LHN attempted to cross-check this claim, we could also see over 1000 domains running the scripts for each domain listed by Placebo. The only exception was “lib0[.]org”, which returned the fewest results, a few hundred.

Digging further into the matter, Malwarebytes established that the fake jQuery domains basically redirect to other websites. They could see “12js.org” redirecting to financeleader[.]co, to which other fake domains also redirect.


However, anyone who tries to visit the malicious website “financeleader[.]co” directly will not succeed. The link redirects to Google.com, as Malwarebytes explained and LHN can verify.

Even if a visitor reaches the malicious domain with special identifiers via desktop, the user would only see a bogus website when on a US IP address. With a non-US IP address, the link would redirect to a site advertising VPNs. This indicates some kind of geotargeting behind this campaign.

Upon further research, they could also see another domain, “afflink[.]org”, besides “financeleader[.]org”, as a redirect link.
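
For site owners who want to check whether their own pages carry such a script, the following is an added example (not code from Malwarebytes or LHN) that audits a page's script tags for the two script-serving domains named above and for jQuery-named files loaded from unexpected hosts. The trusted-host list, the sample page and all function names are assumptions made for illustration.

```python
# Added example: flag <script> tags that load from the fake jQuery hosts named
# in the article, or that load a jQuery-named file from a host you do not trust.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script-serving domains named in the article (written defanged there).
KNOWN_FAKE_HOSTS = {"12js.org", "lib0.org"}
# Assumption: hosts this site intentionally loads jQuery from; adjust to yours.
TRUSTED_JQUERY_HOSTS = {"code.jquery.com", "ajax.googleapis.com",
                        "cdnjs.cloudflare.com", "cdn.jsdelivr.net"}
JQUERY_FILE = re.compile(r"jquery[^/]*\.js$", re.IGNORECASE)

# Constructed sample page; every path and the example.net host are made up.
SAMPLE_PAGE = """<html><head>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="//12js.org/example.js"></script>
<script src="https://cdn.lib0.org/x.js"></script>
<script src="https://static.example.net/js/jquery.min.js"></script>
<script src="/assets/app.js"></script>
</head></html>"""

def _matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (reason, src) tuples in document order

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if not src:
            return  # not a script tag, or an inline script
        parsed = urlparse(src.strip())  # also handles //host/path URLs
        host = (parsed.hostname or "").lower()
        if not host:
            return  # relative path served from the site itself
        if _matches(host, KNOWN_FAKE_HOSTS):
            self.findings.append(("known-fake-host", src))
        elif JQUERY_FILE.search(parsed.path) and not _matches(host, TRUSTED_JQUERY_HOSTS):
            self.findings.append(("untrusted-jquery-host", src))

def audit_html(html):
    """Return the list of suspicious script sources found in an HTML string."""
    parser = ScriptAudit()
    parser.feed(html)
    return parser.findings
```

A finding of either kind is a prompt to review how that tag got into the page source, since the article describes the script as present on compromised sites.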

Mobile Phone Users Are Main Targets

According to Malwarebytes, the main targets of this campaign seem to be mobile phone users, on whose devices the payload displays full-screen ads at regular intervals.

Explaining this behavior, the researchers stated,


Once we switch to a mobile User-Agent and Android in particular, we can see a lot more activity and a variety of redirects.

In one case, when visiting the site on an Android phone, the researchers could see a malicious adult app being offered for download. Upon analysis, this malicious app was found to generate full-screen ads at intervals.

While the researchers could not precisely determine the scale of this malware campaign for now, they fear that it will trigger massive ad fraud.


We weren’t able to get an idea of the scale at play, especially considering that the domain initiating the redirects really only became active in late May. However, given the number of websites that have been compromised, this campaign is quite likely funneling a significant amount of traffic leading to ad fraud.

Mobile phone users must stay vigilant when browsing different sites and downloading apps. Moreover, they will benefit from using a robust antimalware app running on their devices.

Let us know your thoughts in the comments.
