Malwarebytes said in a Thursday blog post that the xHamster attack leveraged free cloud-based platforms – Microsoft Azure, Red Hat and IBM's Bluemix – and that ads were served via TrafficHaus. Users were ultimately pushed to the Angler Exploit Kit, which infected their systems with malware.
The Angler Exploit Kit has previously been observed exploiting vulnerabilities in Adobe Flash, Internet Explorer, and other software. Checks performed at the exploit kit's landing page verify that the user is genuine and running Internet Explorer, to ensure "only real users will get to see the exploit kit landing page," the post said. This helps exclude honeypots and security researchers.
TrafficHaus stopped the initial attack, but days later the team observed more malvertising on xHamster, this time distributing browlock, a browser-based ransomware.