1Campaign-DuppyMeister ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
1Campaign is a long-running cloaking service that helps operators keep malicious Google Ads online while evading researcher scrutiny and automated inspection. The service matters because it supports phishing and crypto-drainer delivery at scale, extending the life of fraudulent ads. Its filtering model lets customers target real users while suppressing scanners, cloud infrastructure, and other non-genuine traffic. That shifts the underground ad-fraud ecosystem toward more durable, harder-to-analyze abuse infrastructure.
Related Happenings
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Google civil lawsuit against Outsider Enterprise
Regulatory/Legal Action
H score55
First: 14.06.2026 17:36
Last: 14.06.2026 17:36
Sources 1
About this happening:
**Google** filed a **civil lawsuit** against **Outsider Enterprise**, adding legal pressure to a major **phishing infrastructure** operation that sent fraudulent texts at scale. T...
Google civil lawsuit against Outsider Enterprise
Regulatory/Legal ActionAbout this happening: **Google** filed a **civil lawsuit** against **Outsider Enterprise**, adding legal pressure to a major **phishing infrastructure** operation that sent fraudulent texts at scale. T...
Magecart Stripe and Google Tag Manager card-skimming campaign
Campaign
H score36
First: 04.06.2026 23:47
Last: 04.06.2026 23:47
Sources 1
About this happening:
The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Magecart Stripe and Google Tag Manager card-skimming campaign
CampaignAbout this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Underground DDoS sellers commoditize attack services with panels, API access, and reseller plans
Threat Actor Meta
H score20
First: 29.05.2026 17:32
Last: 29.05.2026 17:32
Sources 1
About this happening:
Underground DDoS sellers are shifting from scattered tools to **packaged, resellable services**, lowering the barrier for disruptive attacks and widening the buyer pool. Listings...
Underground DDoS sellers commoditize attack services with panels, API access, and reseller plans
Threat Actor MetaAbout this happening: Underground DDoS sellers are shifting from scattered tools to **packaged, resellable services**, lowering the barrier for disruptive attacks and widening the buyer pool. Listings...
Google expands Gemini AI for malicious ad blocking on Google Ads
Security Tool/Service
H score56
First: 16.04.2026 18:24
Last: 16.04.2026 18:24
Sources 1
About this happening:
**Google** expanded **Gemini AI** use across its ad platforms to detect and block **malicious ads** in real time, reducing scam and malvertising exposure at scale. The move matter...
Google expands Gemini AI for malicious ad blocking on Google Ads
Security Tool/ServiceAbout this happening: **Google** expanded **Gemini AI** use across its ad platforms to detect and block **malicious ads** in real time, reducing scam and malvertising exposure at scale. The move matter...
Timeline
-
24.02.2026 23:45 2 articles · 4mo ago
1Campaign cloaking service exposed as a malicious Google Ads enabler
Initial Disclosure1Campaign is a cloaking service used to keep malicious Google Ads online by filtering visitors in real time by geography, ISP, and device characteristics, showing benign white pages to security researchers and automated scanners while routing real users to attacker-controlled sites. The operation has been active for at least three years, is managed by a developer using the name DuppyMeister, provides a customer dashboard and Google Ads launcher tool, and can assign fraud-risk scores that block infrastructure associated with cloud providers such as Microsoft Corporation, Google, Tencent Cloud Computing, and OVH Hosting.
Show sources
- 1Campaign platform helps malicious Google ads evade detection — www.bleepingcomputer.com — 24.02.2026 23:45
- 1Campaign platform helps malicious Google ads evade detection — www.bleepingcomputer.com — 24.02.2026 23:45