Malicious Ads Bypass Google Ads Screening via New Campaign Platform Exploit


1Campaign is a sophisticated cloaking platform designed to help attackers run malicious Google Ads campaigns while evading detection.

The service acts as a full‑service infrastructure for malvertising, filtering out researchers and automated scanners to keep phishing and cryptocurrency drainer sites online for extended periods.

Operated by a developer using the alias DuppyMeister, 1Campaign has been active for over three years and provides Telegram-based customer support.

The platform offers attackers an integrated dashboard with real-time visitor filtering, fraud scoring, geographic and device targeting, and a bot guard script generator, making it a one-stop tool for large-scale ad abuse.

1Campaign’s login page with admin & guest access options (Source : VARONIS).

At its core, 1Campaign functions as a cloaking engine: a method that serves different web content to different visitors depending on who they are.

Google review systems, brand-protection bots, and security scanners encounter harmless “white” webpages, while real users are served malicious or phishing content.

This technique allows fraudulent Google Ads campaigns to pass initial screenings and stay active longer before takedowns occur.

But 1Campaign goes further than typical cloakers. The platform provides advanced analytics, visitor tracking, and dynamic blocking of known cloud IPs, VPN traffic, and cybersecurity vendor infrastructure.

Varonis researchers observed that operators can use this integrated tool to craft advertisements using any text or keywords, effectively bypassing Google Ads policy enforcement.

Operators can fine-tune access rules to ensure only real human victims reach the phishing destination.

A screenshot analyzed by researchers showed a campaign named “Blockbyblockchain”, which processed 1,676 visitors but allowed only 10 to reach the malicious site, a blocking rate of 99.4%.

Visitor logs showing IP addresses, locations, fraud scores, & block status (Source : VARONIS).

Each visitor is assigned a fraud score (0–100) based on IP reputation, ISP ownership, geographic location, and behavioral signals. Traffic from Microsoft, Google, OVH, and Tencent was automatically flagged and excluded.

Targeting and Traffic Control

1Campaign enables operators to target users geographically and by device type. Campaign analytics observed traffic from the U.S., Netherlands, Canada, China, Germany, and France, with attackers able to prioritize specific regions relevant to their phishing content.

This geo‑filtering also helps avoid areas where researchers frequently operate, increasing campaign longevity.

Geographic distribution & device breakdown of campaign visitors (Source : VARONIS).

The system’s device breakdown allows selective delivery to mobile or desktop users, aligning with the increasing number of phishing attacks delivered via smartphone advertisements.

A separate module within 1Campaign assists attackers in launching both “white” (benign) and “black” (malicious) Google Ads campaigns.

This feature directly enables brand impersonation and large‑scale ad fraud, letting attackers mimic trusted organizations while directing users to fake sites designed for credential theft or crypto drainers.

The official advertisement listing 1Campaign's capabilities  (Source : VARONIS).

1Campaign reflects a growing evolution in phishing‑as‑a‑service ecosystems. Similar tools identified by Varonis like Spiderman and FishXProxy use IP allowlisting, geo‑blocking, and CDNs to evade detection, but 1Campaign distinguishes itself by focusing specifically on Google Ads abuse.

Merging phishing protection and ad fraud automation represents a significant escalation in attack sophistication.

Implications

Platforms like 1Campaign expose a core weakness in traditional phishing detection systems. Automated URL scanners and brand monitoring tools are now routinely detected and filtered before seeing any malicious code.

The platform’s 99% block rate demonstrates how effectively attackers can isolate genuine users from defender visibility.

To counter this, analysts require more advanced detection systems capable of mimicking real human behavior. Varonis highlights its Interceptor tool, which tracks user interaction through forms, CAPTCHAs, and redirects, revealing what traditional scanners miss.

This behavioral analysis approach is key to exposing cloaked pages and uncovering the malicious infrastructure behind 1Campaign-powered threats.
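
On the defender side, the white/black split described above can be surfaced by comparing two captures of the same landing URL, one taken by a scanner-like client and one by a user-like client. The sketch below is an added example, not code from Varonis or from the platform; the function names, the 0.6 threshold and the sample HTML are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed captures of one landing URL; example.net is a placeholder host.
WHITE = "<html><body><h1>Garden tips</h1><p>Ten ways to grow tomatoes at home.</p></body></html>"
BLACK = ('<html><body><h1>Wallet login</h1><form><input type="text" name="u">'
         '<input type="password" name="p"></form>'
         '<script src="https://cdn.example.net/d.js"></script></body></html>')

class PageFeatures(HTMLParser):
    """Collects visible text, password inputs and external script hosts."""
    def __init__(self):
        super().__init__()
        self.text, self.password_inputs, self.script_hosts = [], 0, set()
        self._skip = 0  # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "script":  # hostname is None for inline or relative scripts
            self.script_hosts.add(urlparse(a.get("src") or "").hostname)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())

def extract(html):
    p = PageFeatures()
    p.feed(html)
    return " ".join(p.text), p.password_inputs, p.script_hosts - {None}

def compare_views(scanner_html, user_html, min_similarity=0.6):
    """Compare the same URL as seen by a scanner-like and a user-like client."""
    s_text, s_pw, s_hosts = extract(scanner_html)
    u_text, u_pw, u_hosts = extract(user_html)
    similarity = SequenceMatcher(None, s_text, u_text).ratio()
    checks = [(similarity < min_similarity, "visible text diverges"),
              (u_pw > s_pw, "password field only in user view"),
              (bool(u_hosts - s_hosts), "extra script hosts in user view")]
    reasons = [why for hit, why in checks if hit]
    return {"similarity": round(similarity, 2), "cloaked": bool(reasons), "reasons": reasons}
```

The comparison is only as good as the user-like capture: if that client is itself filtered, both views are the white page and the result is a clean verdict.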
