Cybersecurity, MXDR

Preventing malvertising attacks with CloudGuard Managed XDR [real-world examples]

Table of Contents

You’re at work, rushing to edit a PDF. You Google “PDF editor”, click the first link, and download what looks like the perfect tool.

But what if that simple search just opened the door to a cyberattack?

A screenshot of a Google search for a PDF editor, one is real one is malvertising in the search results.

That’s exactly what happened here. A user thought they were downloading a harmless PDF editor.

Instead, they unknowingly installed malware, and just like that, attackers had remote access to their machine.

This is called malvertising (malware, advertising).

What is malvertising?

Malvertising is a technique used by cybercriminals to embed malicious content, such as code or programs, within online advertisements. These ads often appear on well-known websites, making them seem trustworthy. Once a user interacts with the ad, it can trigger the download of malware, spyware, or ransomware without their knowledge.

Let’s break it down attack and how you can prevent malvertising:

Step 1: The setup – A malicious Google ad

Cybercriminals don’t need to send phishing emails anymore, they just buy ads on Google and wait for you to come to them.

That’s what happened in this case.

  1. The user searched for “PDF editor”
  2. Clicked on a malvertising link
  3. Downloaded an EXE file posing as a legit PDF tool
  4. Ran the installer, unknowingly executing a trojanized program
A screenshot of a Google search for a PDF editor, one is real one is malvertising in the search results. The malicious ad is highlighted in red and the real ad in green.
An example of a malicious sponsored advert and legitimate sponsored advert

At first, everything looked fine. No red flags. No warnings. Just a seemingly normal PDF editor. But behind the scenes? The malware had already made itself at home.

Step 2: The silent infection – What the malware did

Once executed, the EXE did exactly what the attackers designed it to do:

  1. Created a scheduled task that launched the malware on every startup
  2. Ran in hidden mode, so the user never noticed it running
  3. Maintained persistence, surviving reboots
  4. Established a backdoor, giving attackers remote access

Because the malware didn’t require admin privileges to install, even restricted users were vulnerable. It slipped past basic security measures without a hitch.

Traditional antiviruses can’t catch these types of attacks. Why? Because AV relies on known threats, and this EXE had never been flagged before.

A screen shot of the back end of CloudGuard MXDR showing 24/7 SOC team view of malvertising attack.
How CloudGuard’s SOC team is able to prevent malvertising in your environment

Step 3: The attack meets a 24/7 SOC

This is where things took a turn…for the attackers.

When this file executed, it triggered a behavioural detection in our MXDR (Managed Extended Detection & Response) platform. Unlike traditional antivirus, MXDR looks at behaviour, not just known malware signatures, and something about this EXE didn’t add up.

How fast did we shut it down?

✅ 0 min → Indicators of Compromise (IOCs) are automatically analysed, enriched, and triaged using Threat Intelligence sources like Recorded Future
✅ 5 min → Identified the EXE launching command prompt activity
✅ 3 min → Traced the infection back to a malvertising download
✅ 10 sec → Isolated the machine, cutting off attacker access instantly

Total time to neutralise? Less than 10 minutes.

If this attack had gone unnoticed, it could have escalated quickly spreading across the network, stealing credentials, or deploying ransomware.

But our 24/7 SOC was on it, stopping the attack before it could do real damage.

Why this attack matters (and why you should care)

Attacks like this aren’t rare, they’re the new norm. Cybercriminals don’t rely on hacking in anymore. They’re using SEO poisoning, Google Ads, and social engineering to let users download the malware themselves.

And if you’re only relying on antivirus or don’t have a dedicated SOC team, these threats will slip through.

Here’s how you can prevent malvertising attacks:

  1. Be cautious with Google Ads: malvertising is on the rise.
  2. Monitor scheduled tasks: unexpected ones could be a red flag.
  3. Restrict software installation permissions to prevent unauthorised installs.
  4. Deploy MDR or MXDR (not just antivirus!) to catch behavioural threats.

But most importantly? You need a team that can catch and stop these attacks before they escalate.

Screenshot of how the malvertising attack on Homebrew was conducted.
The malicious Homebrew attack: A normal looking Google ad leads to a malicious website, which then prompts the user to enter their admin password to install harmful software.

Real-world examples of malvertising

This isn’t just a one-off incident. 1 in every 100 ads comes with malicious content . Here are some recent examples:

  • January 2025 – Cybercriminals used fake Google ads mimicking the Homebrew website to target Mac users. Clicking the ad led to an infostealer malware that harvested credentials, browser data, and even cryptocurrency wallets. (Bleeping Computer)
  • December 2024 – A large-scale malvertising campaign spread the Lumma Stealer malware through fake CAPTCHA verification pages. Users were tricked into running PowerShell commands, unknowingly installing malware. (Bleeping Computer)

These attacks prove that traditional antivirus alone isn’t enough.

Attackers are changing up their tactics, and businesses need real-time detection, behavioural analysis, and round-the-clock monitoring to ensure they’re preventing malvertising attacks.

Frequently Asked Questions

Where does malvertising typically appear?

Malvertising typically appears on well-known websites, social media platforms, and search engines. Cybercriminals purchase ad space on these trusted platforms, making the malicious ads seem legitimate. Once clicked, these ads can trigger malware downloads or redirect users to harmful sites.

What’s the difference between malvertising and ad malware?

Malvertising is the use of online advertisements to distribute malicious content, often through trusted ad networks. Ad malware, on the other hand, is a broader term referring to any type of malware that specifically targets advertising platforms, potentially manipulating ads or ad networks themselves to deliver harmful content.

Is malvertising a form of phishing?

Malvertising and phishing are related, but they’re not the same. While phishing involves tricking users into revealing personal information through deceptive emails or websites, malvertising uses online ads to deliver malware or direct users to fake sites. Both techniques are forms of social engineering, but malvertising primarily involves spreading malware rather than stealing sensitive data directly.

Stay Ahead of Cyber Threats with 24/7 Managed XDR

Don’t wait until an attack happens, stop threats in real time with proactive monitoring, behavioural detection, and expert SOC analysts. Learn more about CloudGuard Managed XDR here.

Author: Atif Chaudry
Share:
Author: Atif Chaudry
Share:

Related Resources

two men talking on a podcast posted on linkedin with a red arrow pointing towards a deepfake
Why Social Engineering Always Works: How Hackers Use Phishing & Deepfakes
We’ve all done the training, so why are attackers still getting through? Attackers no longer rely on bad spelling or suspicious links, they use AI-generated deepfakes and psychological profiling to manipulate people with astonishing precision. By exploiting the brain’s emergency response system, they trigger fear, urgency, or authority to override...
Dark purple background with claude logo and words pro, team and enterprise.
Claude Business Security: Choosing the Right Account for SMBs
When I shared my last article, a few people got in touch asking for a more practical follow-up, specifically around how small teams can use Claude Pro without putting business data at risk. This piece goes step by step through exactly that. Understand what you’re actually adopting Claude Pro is...
Two analysts looking surprised. Purple cyber background with phishing hook.
What Happens After a Phishing Attack? A Real Microsoft 365 Incident Walkthrough
If your organisation thinks a password reset or MFA alone are enough, think again. In this phishing attack breakdown by CloudGuard’s SOC team, Conor and Jon reveal the reality behind an actual breach involving a UK law firm, exposing how hackers use four methods to regain access long after initial...
purple background with computer that says threat from the field in cartoon like design
Cyber Threat Trends Q1 2026: Data Theft, AI Attacks and Emerging Risks
Executive Summary Every 90 days, we review the latest cyber threat trends to identify what IT leaders should learn, where resilience gaps are widening, and what practical actions organisations should take next.  The first quarter of 2026 has been intense. The UK threat picture is not defined by one single...
Microsoft Defender for Cloud
Microsoft Defender for Cloud Cloud environments change fast. New workloads, new services and new risks appear daily, often without full visibility or clear ownership. Microsoft Defender for Cloud provides continuous assessment across Azure, hybrid and multi-cloud environments to help organisations understand and reduce cloud security risk. CloudGuard ensures your cloud...
Woman looking at tablet with cyber imagery across the top.
The Limitations of External Penetration Testing (And What to Do About Them)
Core argument  Traditional internal penetration tests gives executives false confidence because it’s typically scope-limited, scheduled, doesn’t reflect real attacker behaviour and ignores the AI threats with user access. Would you feel comfortable boarding a plane if the pilot had practised emergency landings but had never actually simulated an engine failure?  So, why do businesses specifically exclude their...
CloudGuard logo and Stonewater Housing logo on a pastel purple background
Stonewater Housing Achieves 24/7 Security Monitoring Without Expanding Its IT Team
Image of man with half blue face on left and half red face on right. ÂŁ20 notes falling in the background.
Date | Time: 24/03/2026 | 12:00 pm
[On Demand] The AI-Enabled Insider Threat: When Trusted Access Becomes Competitive Advantage
Your most trusted employees can now distil years of institutional knowledge in days, sometimes without realising the risk they’re creating. Insider risk has fundamentally changed. We’re past the days of someone copying files onto a USB stick. Today, trusted employees are using AI tools to summarise reports, analyse strategy documents,...
Continuous Security Validation: How to Prove Your Cybersecurity Controls Actually Work
Core argument CISOs are increasingly measured not by the security they implement, but by the breaches they fail to prevent. Most cybersecurity investments create a false sense of protection because they’re never truly tested under realistic conditions.  Zero trust applied new controls but the new wave of Agentic AI solutions will fundamentally...
Get In Touch

Our Cybersecurity Services Can Instantly Improve Your Business’ Security Posture

Complete the form to find out more about any of our one-off or managed cybersecurity services. Not seeing what you’re looking for? Our cybersecurity consultants and MXDR experts are always on-hand to provide the guidance and support you need.