T1583.008: Malvertising
Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.[1] Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites.
Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad, which could then send them to a malicious domain that may be a clone of an official website containing trojanized versions of the advertised software.[2][3] Adversaries' efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.[4]
Malvertising may be used to support Drive-by Target and Drive-by Compromise, potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.[5]
Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks, sending automated crawler/policy-enforcer traffic to benign sites while validating potential targets, and then sending victims referred from real ad clicks to malicious pages. This infection vector may therefore remain hidden from the ad network as well as from any visitor who does not reach the malicious sites with a valid identifier obtained by clicking on the advertisement.[2] Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.[1]
Analyst context for executives and security teams
Malvertising matters because it moves attacker preparation into places users already trust: search results, popular websites, and online ad networks. A victim may believe they are clicking a legitimate software or brand advertisement while being routed to a malicious domain or cloned site. For leaders, the key issue is not only endpoint malware risk, but whether the organization can recognize brand impersonation, suspicious ad-driven traffic, and early-stage infrastructure before it becomes an incident.
Executive priority
Treat this as a pre-compromise and initial-access risk indicator tied to resource development. It should influence budget and control decisions around brand/search monitoring, web and DNS visibility, safe software acquisition practices, and incident response readiness for ad-driven infection paths. Because ATT&CK links this behavior to Drive-by Target and Drive-by Compromise, executives should ask whether the organization can prove how users reach software downloads and whether SOC teams can investigate suspicious redirects that originate from ads or search results.
Technical view
This is a PRE-platform resource-development sub-technique under Acquire Infrastructure. The official ATT&CK object provides no detection text, but a related detection strategy, DET0836 Detection of Malvertising, is mapped to it. SOC and IR teams should validate visibility into ad referrals, search-result clicks, redirect chains, DNS lookups, newly observed domains, browser downloads, and endpoint execution following web activity. Detection engineering should account for evasion described by ATT&CK: benign routing for crawlers or policy enforcers, victim-only routing based on valid ad-click identifiers, brand spoofing, and typo-based impersonation.
Likely telemetry
- Web proxy or secure web gateway logs showing search/ad referrals and redirect chains
- DNS resolution logs for newly observed, lookalike, or suspicious domains reached after ad clicks
- Browser and endpoint telemetry for downloads, script activity, and execution following web navigation
- Network logs connecting ad-click referrers to malicious or cloned domains
- Brand, domain, and search-result monitoring for spoofed advertisements or typo-based impersonation
Detection direction
- Confirm whether DET0836 or an equivalent local analytic exists and what telemetry it depends on; ATT&CK does not provide detailed detection logic for this object.
- Tune for sequences rather than single events: search/ad referral, redirect, suspicious domain, download, and endpoint execution.
- Include false-positive handling for legitimate advertising, affiliate redirects, software download mirrors, and marketing campaigns.
- Test blind spots where ad networks, privacy controls, or encrypted traffic obscure referrers and redirect chains.
- Use relationship context to prioritize investigations that resemble Drive-by Target or Drive-by Compromise paths, without assuming exploitation unless local evidence supports it.
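The sequence-based tuning described above (ad referral, redirect to a suspicious or lookalike domain, installer download, with allow-listing for approved download hosts) can be prototyped over proxy logs. The following is an added example written for this page, not code from MITRE, Glexia or DET0836; the log format, the brand list, the approved-host list and the ad-click URL markers are all constructed assumptions that a team would replace with its own proxy schema and ad-network telemetry.

```python
"""Sequence-based malvertising triage over constructed web-proxy log lines.

Added example (not part of the ATT&CK object or any vendor tooling).
Assumed log format, one event per line:  <ts> <user> <referrer> <url> <GET|DOWNLOAD>
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hypothetical monitored brands (registrable domains) and approved download hosts.
BRANDS = {"examplesoft.com", "acme-vpn.com"}
APPROVED_DOWNLOAD_HOSTS = {"www.examplesoft.com", "dl.examplesoft.com", "downloads.acme-vpn.com"}
# Constructed referrer fragments that suggest an ad click; validate against your own ad-network traffic.
AD_CLICK_MARKERS = ("/aclk", "gclid=", "msclkid=", "/adclick")
INSTALLER_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".zip")
CHAIN_WINDOW = timedelta(minutes=10)   # ad click -> download must complete within this window

# Constructed sample log: alice follows an ad to a cloned site and downloads an installer,
# bob follows an ad to the real brand and an approved mirror, carol only visits a typo domain.
LOGS = """\
2024-03-01T10:00:01Z alice https://www.example-search.com/aclk?gclid=abc https://examplesoft-dl.net/ GET
2024-03-01T10:00:03Z alice https://examplesoft-dl.net/ https://examplesoft-dl.net/download GET
2024-03-01T10:00:09Z alice https://examplesoft-dl.net/download https://examplesoft-dl.net/ExampleSoft-Setup.exe DOWNLOAD
2024-03-01T10:05:00Z bob https://www.example-search.com/aclk?gclid=def https://www.examplesoft.com/ GET
2024-03-01T10:05:04Z bob https://www.examplesoft.com/ https://dl.examplesoft.com/ExampleSoft-Setup.exe DOWNLOAD
2024-03-01T11:00:00Z carol https://news.example.org/ https://exanplesoft.com/ GET
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (GET|DOWNLOAD)$")


def registrable(host):
    """Crude registrable-domain extraction (last two labels); a real deployment uses a public-suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch intentional typos of a monitored brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """Return the monitored brand a host imitates, or None.

    Two heuristics: the brand's name label appears inside a host whose registrable
    domain is not the brand (examplesoft-dl.net), or the registrable domain is within
    edit distance 2 of the brand (exanplesoft.com). Approved hosts are never flagged.
    """
    host = host.lower()
    reg = registrable(host)
    if host in APPROVED_DOWNLOAD_HOSTS or reg in BRANDS:
        return None
    for brand in BRANDS:
        name = brand.split(".")[0]
        if name in host or 0 < levenshtein(reg, brand) <= 2:
            return brand
    return None


def parse(line):
    """Parse one constructed log line into an event dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, user, ref, url, action = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "referrer": ref, "url": url, "host": urlparse(url).hostname or "", "action": action}


def triage(lines):
    """Correlate ad click -> lookalike host -> installer download per user.

    Returns {user: stage record}. A single stage (one typo-domain visit, one ad click)
    is recorded but is not an alert; only the full chain inside CHAIN_WINDOW alerts.
    """
    by_user = {}
    for ev in sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"]):
        st = by_user.setdefault(ev["user"], {"ad_click": False, "ad_ts": None,
                                             "lookalike": None, "download": None, "alert": False})
        if any(mark in ev["referrer"] for mark in AD_CLICK_MARKERS):
            st["ad_click"], st["ad_ts"] = True, ev["ts"]
        brand = lookalike_brand(ev["host"])
        if brand:
            st["lookalike"] = brand
        # Installer fetched from a host that is not an approved mirror (false-positive handling).
        if (ev["action"] == "DOWNLOAD" and ev["url"].lower().endswith(INSTALLER_SUFFIXES)
                and ev["host"] not in APPROVED_DOWNLOAD_HOSTS):
            st["download"] = ev["url"]
        in_window = st["ad_ts"] is not None and ev["ts"] - st["ad_ts"] <= CHAIN_WINDOW
        if in_window and st["lookalike"] and st["download"]:
            st["alert"] = True
    return by_user


if __name__ == "__main__":
    for user, st in triage(LOGS).items():
        print(user, "ALERT" if st["alert"] else "ok", st["lookalike"], st["download"])
```

Running the block flags only alice, whose chain is complete; bob's ad-driven download from an approved mirror and carol's lone typo-domain visit stay below the alert threshold, which is the kind of false-positive handling the list above asks for. Encrypted traffic or privacy controls that strip the referrer would blank the ad-click stage entirely, so the same chain should also be tested against DNS and endpoint download telemetry that does not depend on referrers.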
Mitigation priorities
- Prioritize M1056 Pre-compromise measures: reduce exposure before adversaries can use acquired advertising and related infrastructure effectively.
- Establish monitoring for brand impersonation, spoofed ads, typo domains, and cloned software download pages where business-critical brands or software are involved.
- Make approved software acquisition paths clear and auditable so users and responders can distinguish legitimate downloads from ad-driven lookalikes.
- Ensure web, DNS, and endpoint logs are retained long enough to reconstruct ad-click-to-download chains during incident response.
- Coordinate security, legal, communications, and fraud/brand teams for takedown and evidence collection when spoofed advertisements are found.
Analyst notes and limits
MITRE associates this technique with Mustard Tempest and Raspberry Robin through use relationships, and with DET0836 as a detection strategy. Those relationships justify prioritizing detection and response validation, but they do not by themselves prove current exposure or activity in any environment.
The official ATT&CK object has no detection narrative and the supplied mitigation description is general pre-compromise guidance. Local telemetry, user reports, brand monitoring results, and incident evidence are required to determine actual risk, coverage, and response actions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1583 | Acquire Infrastructure | This object is a subtechnique of Acquire Infrastructure. |
Groups, software, and campaigns
G1020: Mustard Tempest
Mustard Tempest is an initial access broker that has operated the SocGholish distribution network since at least 2017. Mustard Tempest has partnered with Indrik Spider to provide access for the download of additional malware including LockBit, WastedLocker, and remote access tools.[1][2][3][4]
S1130: Raspberry Robin
Raspberry Robin is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remotely hosted payloads for installation. Raspberry Robin has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as SocGholish, Cobalt Strike, IcedID, and Bumblebee.[1][2][3] The DLL component in the Raspberry Robin infection chain is also referred to as "Roshtyak."[4] The name "Raspberry Robin" is used to refer to both the malware as well as the threat actor associated with its use, although the Raspberry Robin operators are also tracked as Storm-0856 by some vendors.[5]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 630a439f47b0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] spamhaus-malvertising: Miller, Sarah. (2023, February 2). A surge of malvertising across Google Ads is distributing dangerous malware. Retrieved February 21, 2023.
[2] Masquerads-Guardio: Tal, Nati. (2022, December 28). "MasquerAds" — Google's Ad-Words Massively Abused by Threat Actors, Targeting Organizations, GPUs and Crypto Wallets. Retrieved February 21, 2023.
[3] FBI-search: FBI. (2022, December 21). Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users. Retrieved February 21, 2023.
[4] sentinelone-malvertising: Hegel, Tom. (2023, January 19). Breaking Down the SEO Poisoning Attack | How Attackers Are Hijacking Search Results. Retrieved February 21, 2023.
[5] BBC-malvertising: BBC. (2011, March 29). Spotify ads hit by malware attack. Retrieved February 21, 2023.
[6] mitre-attack: T1583.008
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.