Hackers use AI-generated content to push malicious notifications via Google Discover

Sarah Simpson
April 16, 2026

Key Takeaways

  • A new threat operation, dubbed “Pushpaganda,” exploited Google Discover feeds to push malicious browser notifications.
  • The attackers utilized AI-generated content, including sensational headlines and imagery, across 113 controlled domains to lure users.
  • Once clicked, users were prompted to enable browser notifications, leading to a persistent stream of deceptive, fear-inducing alerts that bypassed ad blockers.
  • HUMAN’s Satori Threat Intelligence and Research Team uncovered the campaign, which initially targeted India before expanding globally.
  • Google has since deployed a fix to prevent such manipulative content from appearing in Discover feeds.

Sophisticated Campaign Leverages AI and Google Discover for Malicious Notifications

A sophisticated new threat operation, identified as “Pushpaganda” by security researchers, has been actively manipulating Google Discover feeds to trick users into subscribing to harmful browser notifications. This campaign combines artificial intelligence-generated content, aggressive social engineering tactics, and deceptive browser behaviors to achieve its objectives, as detailed by analysts at HUMAN’s Satori Threat Intelligence and Research Team.

The Pushpaganda operation infiltrated users’ personalized Google Discover feeds, which are visible on Android home screens and new Chrome browser tabs. Threat actors established a network of 113 domains, leveraging AI to produce sensationalist headlines and compelling imagery. These fabricated news articles were designed to instantly capture attention, often focusing on emotionally charged topics such as fake government deposit announcements, alarming tax notices, or implausibly cheap smartphone deals, exemplified by headlines like “$1390 IRS Deposit Approved” or “$100 phones with 300MP cameras.”

The malicious content appeared in Discover feeds through a combination of paid placements and advanced search engine optimization (SEO) techniques. This made it challenging for users to differentiate the deceptive articles from legitimate news sources, contributing to the campaign’s effectiveness.

The Deceptive User Journey

Upon clicking one of these misleading articles, users were redirected to an actor-controlled domain. Immediately, a browser notification subscription prompt appeared. Many users inadvertently clicked “Allow,” either to dismiss the pop-up or under the mistaken belief that it was necessary to view the article they had selected. This single click initiated a persistent, operating system-level notification stream that bypassed conventional ad blockers.

The subsequent notifications bore no relation to the original article. Instead, they delivered a barrage of fear-mongering alerts, including fabricated police arrest warrants, fake missed calls from family members, and spurious bank alerts. Each notification was meticulously crafted to provoke alarm and coerce users into further clicks, perpetuating the malicious cycle.

The Satori Threat Intelligence and Research Team, led by researchers Louisa Abel, Vikas Parthasarathy, João Santos, and Adam Sell, identified this extensive operation. At its peak, Pushpaganda generated approximately 240 million bid requests across its associated domains within a single week. The campaign initially focused on users in India but later expanded its reach to Australia, the United States, and other regions.

Following the discovery, the research team shared all 113 identified Pushpaganda-associated domains with Google. Google subsequently confirmed that a fix has been implemented to prevent this type of low-quality, manipulative content from appearing in Discover feeds. The scale of this operation underscores a growing trend where threat actors exploit trusted content distribution platforms.

Given that Google’s Discover feed is an integrated system feature rather than a downloadable application, users have limited control over its content, making it a particularly effective vector for social engineering attacks of this nature.

How the Deceptive UI and JavaScript Rotation Worked

A notable technical aspect of Pushpaganda involved its use of deceptive interface buttons and a sophisticated JavaScript-based tab rotation mechanism. When users landed on an actor-controlled domain, they encountered buttons labeled with enticing calls to action such as “Apply Now,” “Claim Now,” or “Join WhatsApp.” These labels were designed to imply legitimate functionality.

Instead of performing the advertised action, these buttons executed JavaScript to open new browser tabs, redirecting users to additional Pushpaganda-linked domains. Simultaneously, a separate JavaScript algorithm in the original background tab began rotating the inactive tab through a predetermined sequence of actor-owned pages. This mechanism quietly loaded advertisements and extended session durations on those pages, artificially inflating their perceived quality to advertising networks. This generated substantial ad revenue for the threat actors from users who never intended to interact with these pages.

Satori researchers also observed the use of deepfake videos and images embedded in ads on these domains. Some of these deepfakes falsely depicted well-known celebrities and medical professionals, further exploiting user trust on a large scale.

What You Should Do

  • Review Browser Notification Permissions: Users who suspect they may have subscribed to Pushpaganda-linked notifications should immediately review their browser notification permissions. Revoke access for any unfamiliar or suspicious domains. For Chrome on Android, this can be done via Settings → Site Settings → Notifications.
  • Exercise Caution with Prompts: Avoid clicking “Allow” on notification prompts from websites you do not recognize or trust, especially those accessed through news feed links.
  • Organizational Monitoring: Security teams should monitor for unusual push notification subscription activity on managed devices. Treat any operating system-level alerts mimicking legal or financial authorities as strong indicators of a social engineering attempt.
  • Maintain Ad Fraud Detection: Keep ad fraud and click fraud detection measures active across all web-facing environments, as threat actors continue to adapt their tactics.
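
For the permission review and organizational monitoring steps above, the following added example (not from HUMAN's report or this article's sources) audits a Chrome profile `Preferences` file for sites that hold notification permission outside an approved list. It assumes the commonly observed layout `profile.content_settings.exceptions.notifications` with `setting` 1 meaning allow; the sample data, domains and approved-host list are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample of a Chrome profile "Preferences" file, reduced to the
# notification content-settings section. All domains are placeholders.
SAMPLE_PREFERENCES = json.dumps({"profile": {"content_settings": {"exceptions": {
    "notifications": {
        "https://mail.corp.example:443,*":
            {"setting": 1, "last_modified": "13390000000000000"},
        "https://breaking-deposit-news.example:443,*":
            {"setting": 1, "last_modified": "13420000000000000"},
        "https://ads.tracker.example:443,*":
            {"setting": 2, "last_modified": "13410000000000000"},
    }}}}})

ALLOW = 1  # assumption: 1 = allow, 2 = block in Chrome content settings
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time(value):
    """Convert microseconds since 1601-01-01 UTC; None if absent or malformed."""
    try:
        return CHROME_EPOCH + timedelta(microseconds=int(value))
    except (TypeError, ValueError, OverflowError):
        return None


def audit_notifications(preferences_text, approved_hosts):
    """Return hosts with granted notification permission not on the approved list."""
    prefs = json.loads(preferences_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
               .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, value in entries.items():
        if not isinstance(value, dict) or value.get("setting") != ALLOW:
            continue  # blocked or malformed entries are not a subscription
        origin = pattern.split(",", 1)[0]  # key is "primary,secondary" pattern
        host = urlsplit(origin).hostname or origin  # keep wildcard patterns as-is
        if host not in approved_hosts:
            findings.append({"host": host,
                             "granted": chrome_time(value.get("last_modified"))})
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for f in audit_notifications(SAMPLE_PREFERENCES, {"mail.corp.example"}):
        print(f["host"], f["granted"])
```

The grant timestamp lets a responder line up a subscription with the time a user reports first seeing the alerts.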
