Android Users Hit as Hackers Push Triada via Ad Networks

Adex, an anti-fraud platform under AdTech Holding, has uncovered and shut down a long-running malware scheme tied to the Triada Trojan. The operation had been active for several years and was quietly abusing the digital advertising ecosystem to infect Android users.

Triada is still one of the most common Android threats. Data from Q3 2025 shows it accounts for nearly 16% of all detected Android malware — proving it’s far from fading.

Adex’s investigation revealed that the Triada group spent the last five years trying to slip into legitimate ad networks. Instead of using typical malware delivery methods, the attackers went after trusted systems and platforms. They hijacked advertiser accounts, uploaded malicious APKs to places like GitHub and Discord CDNs, and used hidden redirects to avoid detection.

How the attackers operated

The campaign evolved in three major stages:

2020–2021:
Attackers created fake advertiser accounts using poorly forged IDs and ran ads pointing to malware hosted on Discord CDNs and short links. Their landing pages imitated real service websites to look legitimate.

2022–2024:
The strategy shifted to taking over real advertiser accounts that did not have two-factor authentication enabled. Once inside, the attackers launched hidden ad campaigns that redirected users to malicious files hosted on trusted sources like GitHub.

2025:
The latest wave became even more advanced. Hackers used phishing pages pretending to be urgent Chrome updates and layered multiple redirects to hide the final malicious download. VirusTotal logs linked suspicious account activity to Turkey and India, pointing to a coordinated operation. In total, Adex discovered and banned more than 500 accounts tied to the scheme.

The case shows that even reputable domains and platforms can be misused for malware delivery. A clean domain no longer guarantees clean behavior.

How Adex responded

To protect ad networks moving forward, Adex and PropellerAds rolled out stronger security measures. These include stricter KYC checks through Sumsub, mandatory 2FA for all advertiser accounts, login monitoring to catch anomalies, and full verification of redirects and domains — even when campaigns use well-known services like GitHub or Discord.

These steps have made it much harder for attackers to exploit ad infrastructure and helped secure the ecosystem against similar threats in the future.
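The redirect layering described in the 2022–2025 stages and the "full verification of redirects and domains" control described above both come down to one review step: follow every hop of a campaign's click URL and judge the final destination, rather than trusting the first domain or the reputation of the host that serves the file. The script below is an added example written for this page, not Adex's or PropellerAds' code. It works entirely offline: the hop table stands in for HTTP 3xx responses and script redirects, and the shortener list, the advertiser and lure domains, and the three sample campaigns are all constructed for the example. The list of file-hosting domains is an assumption about which reputable hosts let anyone publish arbitrary files, which is the point the article makes about GitHub and Discord.

```python
"""Offline redirect-chain resolver for ad landing-page review.

Added example (not Adex's or PropellerAds' code). It models the check the
article describes: resolve every hop of a campaign click URL and judge the
final destination. SAMPLE_HOPS, SHORTENER_HOSTS and the *.test domains are
constructed for the example; FILE_HOSTING_HOSTS is an assumption about which
reputable hosts serve user-uploaded files.
"""
from urllib.parse import urlparse

# Constructed hop table standing in for HTTP redirects / JS redirects.
# Key: URL reached; value: URL it forwards to (None = final page).
SAMPLE_HOPS = {
    # Campaign 1001: shortener -> fake Chrome-update page -> APK on a CDN
    "https://ads.example-network.test/click?c=1001": "https://short.example.test/x9",
    "https://short.example.test/x9": "https://update-chrome.example-lure.test/",
    "https://update-chrome.example-lure.test/": "https://cdn.discordapp.com/attachments/1/2/chrome_update.apk",
    "https://cdn.discordapp.com/attachments/1/2/chrome_update.apk": None,
    # Campaign 1002: ordinary advertiser landing page
    "https://ads.example-network.test/click?c=1002": "https://shop.example-advertiser.test/landing",
    "https://shop.example-advertiser.test/landing": None,
    # Campaign 1003: redirect loop (never reaches a page)
    "https://ads.example-network.test/click?c=1003": "https://loop-a.example.test/",
    "https://loop-a.example.test/": "https://loop-b.example.test/",
    "https://loop-b.example.test/": "https://loop-a.example.test/",
}

# Reputable hosts that serve arbitrary user-uploaded files (assumption for the
# example). An APK served from here gets reviewed, not waved through because
# the domain is well known.
FILE_HOSTING_HOSTS = {
    "cdn.discordapp.com",
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
}
SHORTENER_HOSTS = {"short.example.test"}  # constructed shortener list
MAX_HOPS = 10


def resolve_chain(start, hops=SAMPLE_HOPS, max_hops=MAX_HOPS):
    """Follow redirects from `start`; return (chain, status).

    status is "final" (reached a page), "loop" (revisited a URL) or
    "too_many_hops" (exceeded max_hops). An unknown URL counts as final.
    """
    chain = [start]
    seen = {start}
    url = start
    for _ in range(max_hops):
        nxt = hops.get(url)
        if nxt is None:
            return chain, "final"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        url = nxt
    return chain, "too_many_hops"


def review_campaign_url(start, hops=SAMPLE_HOPS):
    """Resolve the chain and return a review record with findings and a verdict."""
    chain, status = resolve_chain(start, hops)
    final = urlparse(chain[-1])
    host = (final.hostname or "").lower()
    findings = []
    if status != "final":
        findings.append(f"redirect chain did not terminate ({status})")
    if final.path.lower().endswith(".apk"):
        findings.append("final destination is a direct APK download")
    if host in FILE_HOSTING_HOSTS:
        findings.append(f"final file served from user-upload host {host}")
    if any((urlparse(u).hostname or "").lower() in SHORTENER_HOSTS for u in chain):
        findings.append("chain passes through a URL shortener")
    # Heuristic for the browser-update lure the article describes: any hop
    # whose URL carries both words. A real reviewer would also inspect page content.
    if any("chrome" in u.lower() and "update" in u.lower() for u in chain):
        findings.append("hop impersonates a browser update page")
    verdict = "reject" if findings else "allow"
    return {"chain": chain, "status": status, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for cid in (1001, 1002, 1003):
        rec = review_campaign_url(f"https://ads.example-network.test/click?c={cid}")
        print(cid, rec["verdict"], "->", " | ".join(rec["findings"]) or "clean")
```

The design point is that the verdict is driven by the resolved chain as a whole: a clean first-hop domain, or a final host as reputable as GitHub or Discord, does not by itself produce "allow". In a live deployment `SAMPLE_HOPS` would be replaced by a fetcher that records `Location` headers and script redirects, and the loop and hop-count statuses matter because an attacker-controlled chain can be made to behave differently for the reviewer than for a user.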

About the Author: FirstHackersNews - Identifies Security