Skip to main content

Millions exposed to ads that use images infected by malicious scripts

Antivirus provider ESET released a report on Tuesday stating that its researchers have discovered malicious code residing within advertisements that are currently in rotation on many “reputable” news websites. Since the beginning of October, these malicious ads have been exposed to millions of web surfers who still use Microsoft’s Internet Explorer browser.

According to the report, the ads promote applications called “Browser Defense” and “Broxu.” What’s scary is that the actual graphic used in these ads contains malicious code buried within the parameters of their alpha channel, which is used to define the transparency of each pixel in images. By way of explanation, an alpha channel is what makes the background color of an image transparent so that the focused object can reside as an overlay against any backdrop image or color.

Recommended Videos

Adding the malicious script to an image’s alpha channel is only a minor modification. The resulting image has a slightly different tone than the original, but if web surfers have no idea what the originating image looks like, then they have no clue the altered, malicious version is on their screen. The sample provided by the ESET researchers is barely indistinguishable from the “clean” original.

Once the advertisement is displayed on the visitor’s screen, the embedded code uses the CVE-2016-0162 vulnerability in Internet Explorer to scan the target PC to see if it’s running on a malware analyst’s machine. If the coast is clear, it will then load a landing page that includes a Flash file built for exploiting three vulnerabilities in Flash Player: CVE-2015-8651, CVE-2016-1019, and CVE-2016-4117.

“Upon successful exploitation, the executed shell code collects information on installed security products and performs — [in a manner] as paranoid as the cybercriminals behind this attack — yet another check to verify that it is not being monitored,” the antivirus firm reports. “If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a GIF image.”

When the encrypted payload is downloaded to the target PC, it is then decrypted and launched through regsvr32.exe or rundll32.exe in Microsoft Windows. The payloads detected thus far have included various trojan downloaders, banking trojans, backdoors, spyware, and “file stealers.”

The attack is based on the Stegano exploit kit, which uses steganography to hide malware out in plain sight. The term is typically used when hiding messages or information within public text and data. However, in this case, the method throws a malicious script within the alpha channel information of an image. The kit was first used in 2014 to target Dutch customers, and moved on to residents in the Czech Republic. New attacks are targeting web surfers in Australia, Britain, Canada, Italy, and Spain.

ESET senior malware researcher Robert Lipovsky pointed out in an interview that web surfers aren’t required to do anything to trigger the malicious script: all they have to do is visit a website displaying the infected ad. The payloads aren’t random either: attackers choose what to download to the target PCs.

Lipovsky added that the firm didn’t release a list of websites affected by the malicious ads because the information didn’t add any value to the warning. Even more, the firm didn’t want to inflict reputational harm to the websites given that they had no clue or control over displaying the ads. Naturally, web surfers can stay safe by keeping their browser, Flash Player, and security software updated regularly.

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
The new Reachy Mini robot can let kids turn play into innovation
The Reachy Mini robot.

The Reachy Mini is an exciting new desktop robot aimed primarily at developers, educators, students, and enthusiasts, or basically anyone interested in creative coding.

There are actually two of them -- Reachy Mini Lite ($299) and Reachy Mini Wireless ($449) -- and both were developed by the prominent AI platform Hugging Face following its recent acquisition of Pollen Robotics. 

Read more
If you’re itching for an HP OMEN MAX gaming laptop, this deal will save you $500
The HP Omen Max gaming laptop with Valorant on the screen.

We've recently published a stunningly positive review of the HP OMEN Max 16. It's got a list of "Pros" a mile long. The single, obligatory con is "Thick and heavy." Considering that it's a gaming laptop, that's practically the equivalent of saying a flashlight is too bright to look at. Thick, and a bit heavy, just comes with the territory. All of this is to say that the review was great and we're fans of the HP OMEN Max 16. As a deal hunter it made me want to go and see if I could find a deal on the HP OMEN Max 16 and I did, sort of. Right now you can get a customizable HP OMEN Max 16t — a laptop that, if it didn't have a separate store page, I would think is identical to the one we reviewed — with a $500 discount, no matter what settings you choose. With the base settings of the laptop, that discount brings it from $2,100 to just $1,600, but you're free to upgrade to your heart's content. Tap the button below to start customizing to your whimsy or keep reading for some advice on how to do so and what to expect from the 16t.

Buy Now

Read more
Google’s AI agent ‘Big Sleep’ just stopped a cyberattack before it started
Sundar Pichai

Google's AI agent, dubbed Big Sleep, has achieved a cybersecurity milestone by detecting and blocking an imminent exploit in the wild—marking the first time an AI has proactively foiled a cyber threat. Developed by Google DeepMind and Project Zero, Big Sleep identified a critical vulnerability in SQLite (CVE-2025-6965), an open-source database engine, that was on the verge of being exploited by malicious actors, allowing Google to patch it before damage occurred. “We believe this is the first time an AI agent has been used to directly foil efforts to exploit a vulnerability in the wild,” the company said.

Why it matters: As cyberattacks surge—costing businesses trillions annually—this breakthrough shifts defense from reactive patching to AI-driven prediction and prevention. It gives security teams a powerful new tool to stay ahead of hackers, potentially saving devices and data worldwide. CEO Sundar Pichai called it "a first for an AI agent—definitely not the last" according to Live Mint.

Read more