1Campaign-DuppyMeister ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
1Campaign is a long-running cloaking service that helps operators keep malicious Google Ads online while evading researcher scrutiny and automated inspection. The service matters because it supports phishing and crypto-drainer delivery at scale, extending the life of fraudulent ads. Its filtering model lets customers target real users while suppressing scanners, cloud infrastructure, and other non-genuine traffic. That shifts the underground ad-fraud ecosystem toward more durable, harder-to-analyze abuse infrastructure.
Related Happenings
Google expands Gemini AI for malicious ad blocking on Google Ads
Security Tool/Service
First: 16.04.2026 18:24
Last: 16.04.2026 18:24
Sources 1
About this happening:
**Google** expanded **Gemini AI** use across its ad platforms to detect and block **malicious ads** in real time, reducing scam and malvertising exposure at scale. The move matter...
CrowdStrike Microsoft Marketplace listing
Commercial Activity
First: 03.04.2026 14:53
Last: 03.04.2026 14:53
Sources 1
About this happening:
CrowdStrike made **its offerings** available in the **Microsoft Marketplace**, expanding how enterprise buyers can procure **cybersecurity products**. Eligible customers with **Mi...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Coruna watering-hole and fake-site exploitation campaign
Campaign
First: 26.03.2026 13:07
Last: 26.03.2026 13:07
Sources 1
About this happening:
A suspected **Russia-aligned nation-state actor** is using **Coruna** in **watering-hole attacks in Ukraine** and a **mass exploitation campaign**, expanding the kit’s abuse beyon...
ClickFix MacSync social-engineering campaign targeting macOS users
Campaign
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
A **ClickFix** campaign is using **fake Cloudflare CAPTCHA verification challenges**, **embedded video tutorials**, and **automatic OS detection** to trick victims into pasting an...
Timeline
- 24.02.2026 23:45 2 articles · 3mo ago
1Campaign cloaking service exposed as a malicious Google Ads enabler
Initial Disclosure
1Campaign is a cloaking service used to keep malicious Google Ads online by filtering visitors in real time by geography, ISP, and device characteristics, showing benign white pages to security researchers and automated scanners while routing real users to attacker-controlled sites. The operation has been active for at least three years, is managed by a developer using the name DuppyMeister, provides a customer dashboard and Google Ads launcher tool, and can assign fraud-risk scores that block infrastructure associated with cloud providers such as Microsoft Corporation, Google, Tencent Cloud Computing, and OVH Hosting.
- 1Campaign platform helps malicious Google ads evade detection — www.bleepingcomputer.com — 24.02.2026 23:45