In what researchers are calling a first, a massive malvertising campaign that infected thousands of people per day was relying on steganography – the art of hiding code in images – to conceal malware that was delivered to the victims in drive-by fashion. 

Discovered in 2015 by Proofpoint, the campaign – dubbed AdGholas – was recruiting as many as one million client machines on a daily basis to conduct its operations until ceasing operations this month after the cybersecurity firm alerted affected advertising network operators.

Not all users who clicked on an AdGholas-delivered malicious ads were redirected to a malicious webpage and infected, according to a Proofpoint blog post. Indeed, AdGholas was cleverly designed to be highly discriminating, weeding out any machines on which it might be discovered, especially by a researcher, explained Patrick Wheeler, director of threat intelligence at ProofPoint, in an interview with

To go after the average, less tech-savvy user, the perpetrators behind AdGholas used highly sophisticated filtering technologies to either eliminate or select prospective victims based on language settings, time zones, and browser configuration. The filtering mechanisms also sought out machines that contained specific software or drivers typically associated with certain computer brands that the attackers wanted to specifically target.

Those who fit the profile received a cookie programmed to redirect them to fraudulent websites containing JavaScript-based ad banners with malicious code hidden within the images to avoid forensic detection. Trend Micro assisted Proofpoint in the dissection of the steganography technique.

Of the 1-5 million hits AdGholas generated on a daily basis, 10-20 percent were redirected to these fake webpages, which closely impersonated legitimate sites, including one belonging to a French hotel. These pages delivered exploit kits – first Angler, then Neutrino – that automatically infected users with malware.

Specifically, Proofpoint observed exploit kits dropping location-specific banking Trojans, including Gozi ISFB in Canada, Godzilla-loaded Terdot.A in Australia and Gootkit in Spain.

Wheeler said that the online advertisement networks that delivered the malicious advertisements “did nothing wrong,” and were merely taken advantage of by a highly sophisticated actor.

Christopher Budd, global threat communications manager at Trend Micro, told that partnerships like the one formed with Proofpoint on this investigation “are a key thing in this industry…Working together is critical. This latest [partnership] is a great example of that.”