Security & Infrastructure Tools
1Campaign platform helps malicious Google ads evade detection
A new cybercrime tool called 1Campaign lets attackers run malicious Google ads that pass the platform’s automated checks and stay online for long periods while hiding from security scanners. The cloaking service filters visitors in real time—only showing phishing or crypto‑drainer pages to genuine users, blocking traffic from cloud providers, VPNs, and other suspicious sources—and allows operators to target specific regions, ISPs, and device types. By manipulating browser fingerprints and routing through a diverse IP pool, the platform evades static URL scanning and can impersonate legitimate brands in ads, making it difficult for security researchers to detect and stop these malicious campaigns.

The cyber‑crime community has uncovered a new tool called 1Campaign that allows attackers to launch malicious Google ads and keep them running for months without detection by security researchers or automated scanners.
This cloaking service passes Google’s automated screening process and serves benign white pages to bots, while showing phishing and crypto‑drainer content only to real potential victims. The platform is operated by a developer who uses the pseudonym “DuppyMeister” according to data‑security firm Varonis. 1Campaign has been active for at least three years.
A key feature of 1Campaign is its real‑time visitor filtering. It can redirect traffic to specific landing pages based on geographic location, ISP, device characteristics, and other criteria. In one observation, the system blocked 99.4% of visitors from a sample set of 1,676 users, leaving only about ten genuine victims.
The platform assigns each visitor a fraud risk score between 0 and 100 by evaluating infrastructure details such as cloud providers, VPNs, and security vendors. Visitors coming from major cloud services—Microsoft, Google, Tencent Cloud, OVH Hosting, among others—receive high fraud scores and are automatically blocked.
Varonis reports that traffic associated with 1Campaign originates from the United States, Canada, the Netherlands, China, Germany, France, Japan, Hungary, and Albania. The tool also includes a Google Ads launcher that helps operators bypass Google’s policy limitations and impersonate legitimate brands in ads.
Despite Google’s numerous safeguards, its ad platform remains vulnerable to fraud, malware, and crypto‑drainer campaigns. 1Campaign stands out because it is specifically designed to launch malicious ads that pass automated inspection and can survive until victims report them or the campaign is manually flagged.
The cloaking system makes static URL scanning ineffective; better detection requires scanners that present realistic browser fingerprints and human‑like interaction patterns. For scanning infrastructure, Varonis recommends rotating IP pools and user‑agent configurations to avoid consistent fingerprinting.
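One way a defender can act on this is a differential check: fetch the same ad URL from a scanner-like and a consumer-like vantage point and compare what comes back. The sketch below is an added example, not code from Varonis or the original article; the two HTML samples, the hostnames and the 0.5 threshold are constructed assumptions, and fetching the two views is left out.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: what a scanner-like and a consumer-like fetch might return.
WHITE_PAGE = "<html><body><h1>Garden tips</h1><p>How to water tomato plants in summer.</p></body></html>"
LURE_PAGE = ('<html><body><h1>Sign in to your wallet</h1>'
             '<form action="https://collect.example.net/submit"><input type="password" name="p"></form>'
             '<script src="https://cdn.example.org/app.js"></script></body></html>')

class PageFeatures(HTMLParser):
    """Collects the features that tend to differ between a white page and a lure."""
    def __init__(self):
        super().__init__()
        self.words, self.hosts = set(), set()
        self.password_inputs = 0
        self._skip = 0  # depth inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        target = a.get("src") if tag == "script" else a.get("action") if tag == "form" else None
        host = urlparse(target).hostname if target else None
        if host:
            self.hosts.add(host)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.update(w.lower() for w in data.split())

def cloaking_report(scanner_html, consumer_html, min_similarity=0.5):  # assumed threshold
    s, c = PageFeatures(), PageFeatures()
    for parser, html in ((s, scanner_html), (c, consumer_html)):
        parser.feed(html); parser.close()
    union = s.words | c.words
    similarity = len(s.words & c.words) / len(union) if union else 1.0  # Jaccard on visible words
    reasons = []
    if similarity < min_similarity:
        reasons.append("visible text diverges")
    if c.password_inputs > s.password_inputs:
        reasons.append("credential field only in consumer view")
    if c.hosts - s.hosts:
        reasons.append("hosts only in consumer view: " + ", ".join(sorted(c.hosts - s.hosts)))
    return {"similarity": round(similarity, 2), "suspicious": bool(reasons), "reasons": reasons}
```

A URL whose two views disagree on visible text, credential fields or external hosts is a candidate for manual review rather than proof of cloaking, since legitimate sites also vary content by region or device.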
Users should remain cautious of promoted search results, double‑check URLs before entering sensitive information, and prefer official distribution channels when accessing software or services.