Adex, the anti-fraud and traffic-quality platform operating under AdTech Holding, has successfully identified and neutralized a sophisticated, multi-year malware operation linked to the infamous Triada Trojan.
This campaign, which has persistently targeted the mobile advertising ecosystem, underscores the evolving dangers of supply-chain attacks in the digital ad space.
According to industry data released alongside the findings, Triada remains a potent threat, accounting for 15.78% of all detected Android malware infections in the third quarter of 2025.
The investigation by Adex analysts uncovered a disturbing trend: over the past five years, threat actors behind Triada have systematically attempted to infiltrate legitimate advertising networks.
Rather than relying solely on traditional infection vectors, these attackers have pivoted to abusing high-trust infrastructure.
By compromising advertiser accounts and leveraging reputable platforms such as GitHub and Discord Content Delivery Networks (CDNs), hackers have distributed malicious APK files through cloaked redirects, making detection increasingly difficult for standard security protocols.
Ad Networks Exploited by Hackers
Adex documented three distinct waves of activity that illustrate the rapid adaptation of modern fraud tactics.
During the initial phase between 2020 and 2021, attackers focused on bypassing Know Your Customer (KYC) protocols using low-quality forged identity documents.
These accounts were funded through repeated top-ups matching known carding patterns. The malware was subsequently distributed via Discord CDNs and URL shorteners, with landing pages masked to resemble official online service platforms to feign legitimacy.
The tactics shifted significantly from 2022 to 2024, moving toward direct account takeovers. Attackers aggressively targeted advertiser accounts that lacked two-factor authentication (2FA).
Once access was secured, these compromised profiles were used to launch cloaked campaigns redirecting users to payloads hosted on GitHub.
This method effectively weaponized the trust users and security systems place in established code repositories.
By 2025, the campaign evolved into a third wave characterized by high complexity. This latest iteration utilized phishing pre-landers designed to mimic urgent Chrome browser updates, employing intricate multi-step redirect chains to obfuscate the final malicious destination.
VirusTotal data correlated this activity with suspicious login patterns originating from Turkey and India, suggesting a coordinated effort to harvest and groom compromised accounts for large-scale malware distribution.
In total, Adex identified and permanently banned over 500 accounts linked to this operation.
The investigation underscores a critical reality for the ad tech industry: a “clean” domain is no longer a guarantee of clean intent.
Security Implications
Triada’s evolution from using stolen identities to hijacking legitimate accounts and cloaking payloads behind trusted platforms demonstrates how easily ad networks can become unintended vectors for distribution.
In response to these findings, Adex specialists developed a comprehensive business-protection strategy, which has since been implemented by the PropellerAds team.
This strengthened, zero-trust security model mandates stricter KYC procedures via Sumsub to prevent identity fraud and enforces mandatory two-factor authentication and login anomaly monitoring for all advertiser accounts by default.
Furthermore, the new protocol requires full redirect and domain verification, even for campaigns pointing to trusted services like GitHub and Discord.
These measures have significantly raised the barrier to entry, hardening the ecosystem against future distribution attempts through compromised infrastructure.
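A defender-side check of the kind the verification requirement above calls for, added here as an example and not code from Adex or PropellerAds: it walks a campaign link's redirect chain offline against a constructed response table and flags a final destination that does not match the advertiser's declared domain, serves an Android package, or lands on a shared file host such as the GitHub and Discord CDN hosts named in the article. The host list, the hop threshold and the sample URLs are assumptions.

```python
from urllib.parse import urljoin, urlparse

# Shared file hosts reported as abused for APK payloads (assumed list; extend per policy).
SHARED_PAYLOAD_HOSTS = {
    "github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
    "cdn.discordapp.com", "media.discordapp.net",
}
REDIRECT_CODES = {301, 302, 303, 307, 308}
ANDROID_PACKAGE_SUFFIXES = (".apk", ".xapk", ".apks")
MAX_EXPECTED_HOPS = 2  # assumed policy: tracker -> landing page is normal, longer chains get reviewed

def follow_redirects(start_url, fetch, max_hops=10):
    """Walk the redirect chain; fetch(url) must return (status, headers). Returns every hop."""
    chain = [start_url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES or "Location" not in headers:
            return chain
        chain.append(urljoin(chain[-1], headers["Location"]))  # resolve relative Location values
    raise ValueError("redirect chain longer than %d hops" % max_hops)

def audit_campaign(declared_domain, start_url, fetch, max_hops=10):
    """Return the reasons a campaign fails redirect/domain verification (empty list = pass)."""
    chain = follow_redirects(start_url, fetch, max_hops)
    final = urlparse(chain[-1])
    host, path = (final.hostname or "").lower(), final.path.lower()
    findings = []
    if host != declared_domain and not host.endswith("." + declared_domain):
        findings.append("final host %s does not match declared domain %s" % (host, declared_domain))
    if path.endswith(ANDROID_PACKAGE_SUFFIXES):
        findings.append("final URL serves an Android package")
    if host in SHARED_PAYLOAD_HOSTS:
        findings.append("final hop is a shared file host, manual review required")
    if len(chain) - 1 > MAX_EXPECTED_HOPS:
        findings.append("%d-hop redirect chain" % (len(chain) - 1))
    return findings

# Constructed responses modelled on the third wave: tracker -> "Chrome update" pre-lander -> APK on Discord CDN.
SAMPLE_RESPONSES = {
    "https://click.tracker.example/c?id=42": (302, {"Location": "https://browser-update.example/chrome"}),
    "https://browser-update.example/chrome": (302, {"Location": "/download"}),
    "https://browser-update.example/download": (302, {"Location": "https://cdn.discordapp.com/attachments/1/2/Chrome_Update.apk"}),
    "https://cdn.discordapp.com/attachments/1/2/Chrome_Update.apk": (200, {"Content-Type": "application/vnd.android.package-archive"}),
    "https://shop.example/landing": (200, {"Content-Type": "text/html"}),  # a clean campaign for comparison
}

def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, {}))

if __name__ == "__main__":
    for reason in audit_campaign("browser-update.example", "https://click.tracker.example/c?id=42", sample_fetch):
        print("FAIL:", reason)
```

In production, `fetch` would be a real HTTP client that does not auto-follow redirects, so that every hop is recorded and the chain is re-verified periodically, since cloaked campaigns can change destination after approval.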