New 3 Step Malvertising Chain Abusing Facebook Paid Ads to Push

Marcus Rodriguez
February 5, 2026

A sophisticated new cyber threat has emerged within the digital advertising ecosystem, specifically targeting users through Facebook’s paid advertising platform.

Malicious actors are increasingly weaponizing social media ads to bypass traditional security filters and deliver harmful content to unsuspecting victims.

This latest campaign orchestrates a complex, three-step malvertising chain designed to deceive users and funnel them into a technical support scam (TSS) kit, posing a significant risk to individual cybersecurity.

The attack vector initiates innocuously when a user interacts with a paid advertisement while browsing their social feed. Rather than directing traffic to a legitimate business, the ad triggers a redirection sequence.

The victim is first routed to a decoy website—specifically designed to look like an Italian restaurant page—which serves as a crucial buffer.

This intermediate step is calculated to evade automated detection scanners that might otherwise flag a direct link to a malicious site.

Once the filter is passed, the user is forwarded to the final destination: a fraudulent landing page designed to panic the user.

We’re tracking a 3-step #malvertising chain abusing paid @Facebook ads to push a tech support #scam kit:

FB ad → Italian-restaurant decoy site that redirects to an Azure-hosted TSS landing page (*.web.core.windows.net).

🇺🇸US-targeted: attacker rotated >100 domains in 7 days… pic.twitter.com/zY5F7BLSSs

— Gen Threat Labs (@GenThreatLabs) February 4, 2026

Gen Threat Labs analysts identified this specific activity, highlighting its highly targeted nature and the attackers’ rapid infrastructure rotation.

The researchers noted that the campaign is exclusively targeting users in the United States and operates with a distinct temporal pattern.

To maintain persistence and avoid blacklisting, the threat actors rotated through more than 100 unique domains in just seven days.

Notably, this activity was observed primarily on weekdays, suggesting the attackers are operating on a professional schedule to maximize their reach during peak usage hours.

The final stage of this chain deposits the victim onto a landing page hosted on Microsoft Azure’s cloud infrastructure.

By leveraging legitimate subdomains such as web.core.windows.net, the scammers lend a veneer of authenticity to their fraudulent alerts.

These pages typically mimic official system warnings, falsely claiming the device is compromised to coerce victims into calling a fake support hotline.

Evasion Through Legitimate Infrastructure

The most defining characteristic of this campaign is its abuse of trusted cloud services to mask malicious intent.

By hosting the TSS landing pages on Azure, the attackers complicate mitigation efforts, because blocking the shared web.core.windows.net domain outright would also disrupt the legitimate services hosted there.

The use of the simplydeliciouspairing[.]com decoy site further obfuscates the attack flow, ensuring that only real browser interactions reach the scam kit.

This “living off the land” strategy, combined with the high volume of domain rotation, allows the campaign to slip past static blocklists and signature-based detection effectively.

Users are strongly advised to exercise caution when clicking on social media advertisements. Verify URL destinations before interacting with content and be wary of unexpected redirects.

Security teams should implement blocks for the identified indicators of compromise (IOCs) and monitor for similar anomalous traffic patterns involving Azure subdomains.
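
One way to monitor for the chain described above, as an added example that is not from the article or from Gen Threat Labs: it correlates proxy log records per client and flags a Facebook-referred visit to any site that is followed, within a short window, by a request to a *.web.core.windows.net host. The log layout, the 60-second window and every host in the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

AZURE_STATIC_SUFFIX = ".web.core.windows.net"  # hosting suffix named in the article
WINDOW = timedelta(seconds=60)                 # assumed correlation window

# Constructed proxy log records: (timestamp, client, requested URL, Referer header)
SAMPLE_LOG = [
    ("2026-02-04T14:00:01", "10.0.0.5", "https://decoy-restaurant.example/menu", "https://l.facebook.com/"),
    ("2026-02-04T14:00:03", "10.0.0.5", "https://constructedacct.z13.web.core.windows.net/index.html", ""),
    ("2026-02-04T14:05:00", "10.0.0.7", "https://news.example/story", "https://www.facebook.com/"),
    ("2026-02-04T14:30:00", "10.0.0.7", "https://intranetdocs.z6.web.core.windows.net/", ""),
    ("2026-02-04T15:00:00", "10.0.0.9", "https://othersite.z13.web.core.windows.net/", ""),
]

def host_of(url):
    """Lower-cased hostname of a URL, or '' when the field is empty."""
    return (urlsplit(url).hostname or "").lower()

def is_facebook(url):
    h = host_of(url)
    return h == "facebook.com" or h.endswith(".facebook.com")

def find_chains(records, window=WINDOW):
    """Return (client, intermediate_host, azure_host) for each
    Facebook -> intermediate site -> Azure static page sequence."""
    pending = {}  # client -> (time, host) of the latest Facebook-referred landing
    hits = []
    for ts, client, url, referer in sorted(records):  # ISO timestamps sort correctly
        when = datetime.fromisoformat(ts)
        host = host_of(url)
        if host.endswith(AZURE_STATIC_SUFFIX):
            seen = pending.pop(client, None)
            # Only flag when the Azure hit closely follows the ad click-through.
            if seen and when - seen[0] <= window:
                hits.append((client, seen[1], host))
        elif is_facebook(referer) and not is_facebook(url):
            pending[client] = (when, host)
    return hits

if __name__ == "__main__":
    for client, middle, azure in find_chains(SAMPLE_LOG):
        print(f"{client}: facebook -> {middle} -> {azure}")
```

Because the correlation keys on the sequence rather than on a specific hostname, it keeps working as the intermediate and Azure hostnames rotate; hits are leads for review, since legitimate sites also link to Azure-hosted pages.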

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
