- NordVPN Discovered Adware Campaign Operating on 50,000 Websites
- Malware collects data from very specific devices to profile and track you
- Adware can detect and avoid ad blockers with domains that change daily.
Who doesn’t love a free movie? Unfortunately, a recently discovered cyber threat is proving the old saying to be true: if the product is free, you are the product. NordVPN’s Threat Intelligence team has exposed a highly sophisticated adware campaign that has successfully infected at least 50,000 active websites, turning the search for free content into a cybersecurity minefield.
The campaign specifically targets high-risk corners of the internet, including illegal streaming platforms, torrent portals, underground forums, and adult websites.
Once a user lands on an infected page, the adware (a type of malware that hides behind online ads) deploys invasive tracking scripts to create a persistent profile of the user’s device, collecting data ranging from their hardware specifications to whether they use a crypto wallet.
“If you’re not paying for a product, you are often the product,” says Marijus Briedis, CTO at NordVPN, explaining that what seems like a free stream or download can quickly become a gateway to tracking, scams, and malware.
According to NordVPN, the magnitude of the threat is immense. Every month, hundreds of thousands of enterprise users encounter infection attempts directly related to this specific adware kit.
How the adware campaign works
The operation works by loading a hidden JavaScript tag the moment a real person visits an infected website. To ensure maximum benefit, the adware uses a fingerprint module to create a persistent visitor ID stored directly on your device, allowing operators to track you even without using traditional cookies.
The sheer volume of data collected by this script is astonishing. Analyzes your CPU cores, RAM, operating system and installed plugins.
But it goes beyond standard tracking. The adware actively looks for browser-injected crypto wallet tools such as MetaMask, checks for motion signals such as accelerometer and gyroscope availability, and even uses favicon checks to determine if you are logged into YouTube.
This very specific profile is likely to be sold to third parties or used to target you with personalized scams.
“This campaign shows how cybercriminals turn user attention, personal data and risky browsing habits into revenue on an industrial scale,” Briedis said.
Perhaps the most alarming aspect of this adware is the aggressiveness with which it hijacks your browsing experience.
You don’t even have to click on a visible ad to be a victim. Simply clicking on a common, non-advertising part of the infected web page can trigger a redirect, immediately sending you to phishing campaigns, malware download sites, or auto-subscription traps.
If you think your current ad blocker is enough to keep you safe, think again. The adware actively detects when filtering protections are running on your browser. If it detects an ad blocker, it switches to a proxy bypass mechanism, called “adblock-proxy-super-secret” by its creators, which generates at least three new domains every 24 hours.
This constant change allows malware to effortlessly bypass standard security block lists. It even hides its malicious behavior if it detects a search engine bot, ensuring that infected pirate sites appear completely harmless to Google.
How to stay safe
To protect your digital life, NordVPN CTO Marijus Briedis recommends taking the following precautions:
- Avoid “free” premium content: Stay away from piracy and illegal streaming sites, as these environments are hotbeds for advertising and phishing.
- Use tracking protections: Using reputable tracker and ad blockers limits the execution of malicious scripts in your browser.
- Reject push notifications: If a dubious website requests permission to send you notifications, reject the request immediately.
- Update your software: Keep your browser and security tools updated to ensure they can detect the latest malicious scripts and deceptive redirects.
