• 1Campaign platform helps malicious Google ads evade detection February 24, 2026 04:45 PM 0 A newly identified cybercrime service known as 1Campaign is enabling threat actors to run malicious Google Ads that remain online for extended periods while evading scrutiny from security researchers. • 1Campaign is a cloaking service that passes Google’s screening process and shows malicious content only to real potential victims. • Security researchers and automated scanners are served benign white pages. • The operation has been active for at least three years and is managed by a developer using the name ‘DuppyMeister,’ according to a report from data security company Varonis. • “The tool passes Google’s screening, filters out security researchers, and keeps phishing and crypto drainer pages online for as long as possible, funneling real users to attacker-controlled sites,” the researchers say. • 1Campaign provides “customers” with a user-friendly dashboard where they can get an overview of their operations and set the parameters for their campaigns.

Article Summaries:

  • A new cyber‑crime service called 1Campaign lets threat actors run malicious Google Ads that slip past Google’s automated screening and remain online for extended periods. According to a Varonis report, the platform cloaks phishing and crypto‑drainer pages from security researchers while delivering them to real users. Operators use a dashboard to set targeting rules-geography, ISP, device-and the system assigns fraud‑risk scores to filter out traffic from cloud providers and known scanners. The service has been active for at least three years and is used in the U.S., Canada, Europe, China, and Japan. Varonis warns that the cloaking makes static URL scanning ineffective and recommends diverse IP pools and user‑agent rotation for detection.

Sources: