A newly identified cloaking-as-a-service platform called 1Campaign enables threat actors to persistently run malicious Google Ads by filtering out security researchers and automated scanners, serving them benign pages while directing only targeted, real users to phishing or crypto-drainer sites. The service uses a sophisticated real-time filtering system that blocks visitors based on infrastructure details like cloud providers, VPNs, and geographic location, allowing malicious ads to evade Google's screening and remain active for extended periods. This represents a significant evolution in malvertising tactics, directly exploiting the digital advertising ecosystem's trust and scale.
1Campaign platform helps malicious Google ads evade detection By Bill Toulas February 24, 2026 04:45 PM 0 A newly identified cybercrime service known as 1Campaign is enabling threat actors to run malicious Google Ads that remain online for extended periods while evading scrutiny from security researchers. 1Campaign is a cloaking service that passes Google’s screening process and shows malicious content only to real potential victims. Security researchers and automated scanners are served benign white pages. The operation has been active for at least three years and is managed by a developer using the name ‘DuppyMeister,’ according to a report from data security company Varonis. “The tool passes Google's screening, filters out security researchers, and keeps phishing and crypto drainer pages online for as long as possible, funneling real users to attacker-controlled sites,” the researchers say. 1Campaign provides “customers” with a user-friendly dashboard where they can get an overview of their operations and set the parameters for their campaigns. 1Campaign dashboard Source: Varonis The platform can filter visitors in real time, directing traffic to landing pages based on predefined criteria, including geography, internet service provider (ISP), and device characteristics. The researchers say that this targeted approach allows attackers to concentrate on users in regions where the phishing lure is relevant, while filtering out traffic from countries with a higher likelihood of security scrutiny or scanning activity. In one instance, Varonis observed aggressive filtering that blocked 99.4% of 1,676 visitors accessing the malicious ads. This translates into a success rate of just 0.6%, or 10 visitors. Fraud scores assigned to visitors Source: Varonis The system evaluates each visitor and assigns a fraud risk score between 0 and 100. This reflects the likelihood of non-genuine visitors, and is derived from checking infrastructure details such as cloud providers, data centers, VPNs, and security vendors. "Visitors from Microsoft Corporation, Google, Tencent Cloud Computing, OVH Hosting, and other cloud providers are automatically flagged with high fraud scores and blocked," Varonis says in a report today. Based on IP address ranges, ISP, and behavioral patterns, the system can also determine if the malicious ads are accessed by security scanners. Varonis has observed traffic linked to 1Campaign being distributed in the United States, Canada, the Netherlands, China, Germany, France, Japan, Hungary, and Albania. The cybercrime platform also offers a Google Ads launcher tool that helps operators launch both malicious and benign campaigns. The developer claims that this tool enables bypassing Google’s policy limitations and impersonating legitimate brands in ads. Source: Varonis Despite Google introducing multiple safeguards, its ad platform is still used to promote fraud, malware, and crypto-drainers. 1Campaign stands out, though, as it is designed specifically to launch malicious ads that pass Google's automatic inspection and likely survive until victims report them or the campaign is reported manually. Such a cloaking system makes static URL scanning less effective. Varonis says that using realistic browser fingerprints and patterns that mimic human interaction would render better analysis and detection results. For automated detection, Varonis recommends rotating through a diverse IP pool and user-agent configurations to avoid consistent fingerprinting. Users are advised to avoid promoted search results, or at least treat them with suspicion, and bookmark official software distribution channels. Double-checking the URL in the address bar is also recommended before entering account credentials or other sensitive information. The future of IT infrastructure is here Modern IT infrastructure moves faster than manual workflows can handle. In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use. Get the guide Related Articles: Police arrests 651 suspects in African cybercrime crackdown Police arrests 300 suspects linked to African cybercrime rings Telegram channels expose rapid weaponization of SmarterMail flaws Google says hackers are abusing Gemini AI for all attacks stages Hugging Face abused to spread thousands of Android malware variants