Booby trapped! Malvertising campaign hit Adult Site xHamster Again

A new malvertising campaign hit the adult website xHamster by abusing ad provider TrafficHaus and exploiting Google’s URL shortener service.

Malvertising campaigns are becoming a serious problem for web users. Cyber criminals are exploiting this practice to infect the wide audience of users that visit the most popular websites. In January, security experts at the firm Cyphort discovered a malvertising campaign that hit numerous websites, including the Huffington Post and LA Weekly; the attackers exploited the AOL ad network to run the attack.

This time cyber criminals served the malicious advertisement through the ad provider TrafficHaus. The attack was discovered by Malwarebytes last Friday and promptly taken down in more or less 24 hours.

“We identified a malvertising campaign taking place on adult site xHamster (Alexa rank #68, est. 514 million visitors/month according to SimilarWeb) that abused ad provider TrafficHaus and Google’s URL shortener service” states a blog post published by Malwarebytes.

The attack chain starts with a malicious advertisement using a shortened Google URL that redirects victims to a domain serving the popular Angler Exploit Kit. The following image shows the source code behind a legitimate advertisement (in blue) and the malicious code (in red).


The threat actors exploited the URL shortener to generate new links and evade blacklists; they used Google's URL shortener because of its reputation. The page hosts the malicious Bedep malware.

“The Trojan may arrive through a website hosting the Angler exploit kit. The exploit kit takes advantage of Flash vulnerabilities and loads the Trojan into memory. As a result, the Trojan may not create files or registry entries on the computer.” as explained by the experts at Symantec.

Bedep acts as a backdoor on the infected machine that is used to download further malicious payloads, including the Magnitude Exploit Kit.

“With most [exploit kits] the user browses to a site and gets exploited via a drive by download,” said Jerome Segura, senior security researcher at Malwarebytes. “In this case, Bedep is generating traffic only visible via network traffic tools like Fiddler or Wireshark (no browser is open or visible to the end user). Despite that there is no visible GUI, Bedep loads malicious URLs that trigger the [exploit kit] exploitation.”

There is no official news regarding the number of xHamster visitors affected by the malvertising campaign.

Pierluigi Paganini
