Adex Uncover and Block Large-Scale Triada Malware Campaign Spanning Multiple Ad Networks

LIMASSOL, Cyprus, Dec. 4, 2025 /PRNewswire/ -- Adex, the anti-fraud and traffic-quality platform within AdTech Holding, has identified and blocked a multi-year malware operation linked to the Triada Trojan – one of the most persistent mobile threats of the last decade.

According to industry data, Triada accounted for 15.78% of all detected Android malware infections in Q3 2025. Over the past five years, attackers behind Triada have repeatedly attempted to infiltrate ad networks and distribute malicious APK files through compromised advertiser accounts, cloaked redirects, and trusted platforms such as GitHub and Discord CDN.

Adex analysts documented three major waves of Triada activity since 2020:

• 2020–2021: Attempts to bypass KYC with low-quality forged identity documents and repeated top-ups that matched known carding patterns, distributing malware through Discord CDN and URL-shorteners, masking their pages to resemble official online-service platforms in an effort to appear legitimate.
  
  
• 2022–2024: A shift toward account takeovers. Attackers attempted to break into advertiser accounts lacking 2FA protection and used the compromised profiles to launch cloaked campaigns that redirected users through GitHub-hosted payloads.
  
  
• 2025: A new wave built on phishing pre-landers styled as Chrome updates and complex multi-step redirect chains, with VirusTotal data indicating suspicious login activity pointing to Turkey and India, suggesting that compromised accounts were being prepared to push malware at scale.

In total, over 500 compromised accounts were identified and permanently banned.

The investigation shows that malware groups increasingly abuse reputable domains and high-trust infrastructure – meaning a "clean" domain no longer guarantees clean intent. Triada's evolution from stolen IDs to hijacked accounts and trusted-platform cloaking highlights how quickly modern fraud tactics adapt and how easily ad networks across the industry can become unintended distribution vectors.

Following the investigation, Adex specialists developed a comprehensive business-protection strategy, which the PropellerAds team then implemented, resulting in a strengthened, zero-trust security model:

• Stricter KYC procedures via Sumsub to prevent identity fraud.
  
  
• Mandatory two-factor authentication and login anomaly monitoring by default for all advertiser accounts.
  
  
• Full redirect and domain verification, including campaigns that lead to trusted services such as GitHub and Discord.

These measures significantly increase the barrier for attackers and reduce the risk of malware distribution through compromised accounts.

Media Contact:
Michael Gor
97767568
[email protected]

SOURCE AdTech Holding