1Campaign: A New Cloaking Platform Helping Attackers Abuse Google Ads

1Campaign is a full-service cloaking platform that helps threat actors run malicious Google Ads at scale by showing benign content to reviewers and scanners while funneling real users to phishing and crypto-drainer pages. The platform, maintained by developer DuppyMeister, combines real-time visitor filtering, fraud scoring, geographic/device targeting, and ad-launching tools to keep malicious ads online longer. #1Campaign #DuppyMeister

Keypoints

  • 1Campaign is a cloaking platform designed to help malicious Google Ads evade review by showing harmless pages to reviewers and scanners while delivering phishing content to real users.
  • The developer, using the handle DuppyMeister, has maintained the platform for over three years and provides support via Telegram channels.
  • The dashboard provides real-time visitor filtering, per-visitor fraud scoring, and detailed logs that include IP, location, ISP/company, device type, fraud score, and actions taken.
  • Operators can block traffic from known cloud providers, security vendors, VPNs, and specific countries or device types to evade detection and prioritize victim traffic.
  • The platform includes a Google Ads assistant enabling operators to launch malicious “black” campaigns and impersonate legitimate brands to increase ad fraud at scale.
  • 1Campaign enables malvertising-driven distribution of phishing, fake downloads, and crypto drainers, undermining traditional URL scanning and automated crawlers.
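The filtering described above means a URL scanner that fetches from a cloud or security-vendor network is shown the "white page" while residential and mobile visitors get the real content. One defensive check that follows from this is to fetch the same ad landing URL from several client profiles and compare what each receives. The code below is an added example for this summary, not code from Varonis or from the 1Campaign platform; the profile names, hostnames and response bodies are constructed for illustration.

```python
"""Flag ad-landing-page cloaking by comparing the content served to
scanner-like vantage points with the content served to victim-like ones."""
import hashlib
import re
from collections import defaultdict

# Constructed profile labels: which vantage points look like a scanner
# (cloud egress, headless/cURL user agent) and which look like a real user.
SCANNER_PROFILES = {"gcp-headless", "aws-curl", "vendor-crawler"}
VICTIM_PROFILES = {"residential-chrome", "mobile-safari"}


def normalize(html: str) -> str:
    """Strip tags, collapse whitespace and lowercase so cosmetic noise
    (nonces, timestamps) does not mask or fake a content switch."""
    text = re.sub(r"<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(html: str) -> str:
    """Short stable digest of the normalized page text."""
    return hashlib.sha256(normalize(html).encode()).hexdigest()[:16]


def detect_cloaking(fetches):
    """fetches: iterable of (profile, final_url, body) from independent
    vantage points. A page is considered cloaked when scanner profiles and
    victim profiles never see the same (final host, content) pair."""
    views = defaultdict(set)
    for profile, final_url, body in fetches:
        group = "scanner" if profile in SCANNER_PROFILES else "victim"
        host = final_url.split("/")[2]  # final host after redirects
        views[group].add((host, fingerprint(body)))
    scanner, victim = views["scanner"], views["victim"]
    cloaked = bool(scanner and victim) and scanner.isdisjoint(victim)
    return {"cloaked": cloaked, "scanner": sorted(scanner), "victim": sorted(victim)}


# Constructed sample: scanners get a benign brand page on the ad domain,
# real users are redirected to a wallet-connect drainer on another host.
WHITE = "<html><body><h1>Horizon Wallet</h1><p>Secure self-custody.</p></body></html>"
BLACK = "<html><body><h1>Connect your wallet to claim</h1><p>Approve now.</p></body></html>"
SAMPLE_FETCHES = [
    ("gcp-headless", "https://ads-landing.example/", WHITE),
    ("aws-curl", "https://ads-landing.example/", WHITE),
    ("residential-chrome", "https://drainer.example/claim", BLACK),
    ("mobile-safari", "https://drainer.example/claim", BLACK),
]

if __name__ == "__main__":
    print(detect_cloaking(SAMPLE_FETCHES))
```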

MITRE Techniques

  • [T1566.004] Search Engine Ads – Used to deliver malicious phishing content through paid search ads: ‘1Campaign … built to help threat actors run malicious Google Ads at scale.’
  • [T1566] Phishing – Platform funnels real users to attacker-controlled phishing and crypto drainer pages: ‘keeps phishing and crypto drainer pages online for as long as possible, funneling real users to attacker-controlled sites.’
  • [T1036] Masquerading – Operators impersonate legitimate brands and services in ad copy to evade policy enforcement: ‘impersonate legitimate brands and services in their Google Ads campaigns while evading automated policy enforcement.’
  • [T1497] Virtualization/Sandbox Evasion – Cloaking detects and serves benign content to scanners and automated reviewers to avoid sandbox analysis: ‘Security researchers, ad platform reviewers, and automated scanners see a harmless “white page,” while real victims see the actual phishing or scam content.’

Indicators of Compromise

  • [Domain] Phishing domain observed in campaign – bitcoinhorizon.pro
  • [Username] Developer/operator handle tied to the platform – DuppyMeister
  • [ASN/Provider] Blocked or flagged visitors in campaign logs – Microsoft Corporation (Amsterdam), Tencent Cloud Computing, and other providers (OVH Hosting, Level 3 Communications)

Read more: https://www.varonis.com/blog/1campaign