UrsaClimb Logo

1Campaign platform helps malicious Google ads evade detection

Bleeping Computer
by Bill Toulas
February 24, 2026
AI-Generated Deep Dive Summary
A newly identified cybercrime service called 1Campaign is enabling threat actors to run malicious Google Ads that evade detection and remain online for extended periods. This platform uses cloaking techniques to display benign content to security researchers and automated scanners while redirecting real users to attacker-controlled sites. Operated by a developer known as "DuppyMeister," 1Campaign has been active for at least three years and is designed to bypass Google's ad screening process, allowing phishing and crypto-drainer campaigns to persist undetected until reported manually. The platform offers a user-friendly dashboard where operators can manage their campaigns, filter traffic based on geography, ISP, device characteristics, and even assign fraud risk scores to visitors. This targeted approach ensures that malicious ads are delivered to users in regions where the content is most relevant while blocking traffic from areas with higher security scrutiny. For example, Varonis researchers observed that 99.4% of visitors accessing malicious ads were blocked due to aggressive filtering, resulting in a low success rate of just 0.6%. 1Campaign's ability to mimic legitimate campaigns and bypass Google's safeguards makes it particularly dangerous. By using realistic browser fingerprints and patterns that emulate human interaction, the platform can avoid detection by static URL scanning tools. Varonis recommends rotating through diverse IP pools and user-agent configurations for better automated detection. Users are advised to exercise caution when clicking on promoted search results, double-checking URLs before entering sensitive information, and bookmarking official software distribution channels. This cybercrime service highlights a significant flaw in Google's ad platform, which continues to be exploited despite multiple security measures. The use of cloaking techniques makes it difficult for security researchers to identify and mitigate malicious campaigns promptly. As cybercriminals become
Verticals
securitytech
Originally published on Bleeping Computer on 2/24/2026