A malware distribution campaign identified by security researchers at Malwarebytes is now distributing a ZLoader malware variant via popups on popular adult websites.
The campaign – named Malsmoke by Malwarebytes – has been active since at least August 2020. Initially, the threat actors used exploit kits to deliver the Smoke Loader malware dropper; in October they changed tactics and switched to fake Java update popups on adult websites to deliver ZLoader. ZLoader is a banking Trojan and information stealer that harvests credentials and other data from infected machines and targets customers of a range of financial institutions.
Some of the adult websites used in this campaign have extremely high visitor numbers. For instance, the popups were found on xhamster, which receives almost 975 million visits a month, as well as on other adult websites with monthly visitor numbers in the millions.
Malvertising is a commonly used tactic for distributing malware. Malicious adverts are pushed through third-party ad networks that many legitimate sites use to boost revenue; however, the malicious adverts typically end up displayed on low-traffic websites.
According to Malwarebytes, there was a spike in malvertising activity in the second half of 2020, with the Malsmoke campaign standing out because the threat actors targeted extremely high-traffic websites to maximize the chances of delivering their payload. While malvertising campaigns that redirect visitors to exploit kits can be effective, one problem with this approach is the dearth of suitable vulnerabilities to exploit. Exploit kits often rely on old Internet Explorer vulnerabilities, and that browser's user base is shrinking fast.
Because the new campaign relies on social engineering rather than a browser exploit, it is not dependent on visitors running out-of-date Internet Explorer versions. Users of other browsers, including Google Chrome, can now be infected. Since the popups are displayed on high-traffic websites, there is far greater potential for infecting large numbers of individuals.
The Malsmoke campaign uses a decoy page containing a range of adult images styled as movie thumbnails to lure visitors into clicking. When a user attempts to play a video, a new browser window is launched that displays a pixelated MPEG-4 clip. The video plays for a few seconds, then a message is displayed advising the user that Java Plug-in 8.0 was not found. To play the video, the user is told to download a fake Java update – named JavaPlug-in.msi – that installs ZLoader. The file is a Microsoft Installer (MSI) package and carries a digital signature, so anyone who gets this far in the process is unlikely to realize it is not genuine. Two caveats worth keeping in mind: a valid code-signing signature only shows the file has not been altered since whoever held that certificate signed it, not that the signer is the vendor the file name suggests; and current versions of Chrome and Firefox no longer support the Java browser plug-in at all, so no legitimate "Java Plug-in not found" prompt would ever appear in them. A genuine Java update comes from Oracle, never from a popup on a third-party site.
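The chain above ends with an installer download whose file name impersonates a vendor product but which is served from an unrelated host, triggered from a page on a third-party site. That pattern is detectable in web proxy logs even when the exact file name and host change. The following is an added example for this article, not Malwarebytes' code or any artefact from the campaign: it parses a constructed proxy log format, picks out successful installer downloads, and flags any whose name contains a vendor product keyword (here "java") while the host is outside that vendor's real download domains. The log layout, the sample lines, the `cdn-update.test` and `example-adult-site.test` hosts and the vendor domain list are all assumptions made for the example.

```python
"""Heuristic detector for look-alike installer downloads in proxy logs.

Added example for this article (not Malwarebytes' code and not an artefact
of the Malsmoke campaign). The log layout, the sample lines and the vendor
domain table are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Assumed: hosts a genuine installer for each product would come from.
# Subdomains of these (e.g. www.java.com) are accepted.
VENDOR_DOMAINS = {
    "java": ("java.com", "oracle.com"),
}
INSTALLER_EXTS = (".msi", ".exe")

# Constructed sample log in a "client time method url status referrer" layout.
# Line 2 mimics the lure in the article: a Java-named MSI from an unrelated CDN,
# reached from a page on an adult site. Line 4 is a legitimate-looking download.
SAMPLE_LOG = """\
10.0.0.5 2020-10-28T14:02:11Z GET https://example-adult-site.test/video/play.html 200 -
10.0.0.5 2020-10-28T14:02:15Z GET https://cdn-update.test/JavaPlug-in.msi 200 https://example-adult-site.test/video/play.html
10.0.0.9 2020-10-28T14:10:03Z GET https://www.java.com/download/ 302 -
10.0.0.9 2020-10-28T14:10:05Z GET https://www.java.com/download/JavaSetup8u271.exe 200 https://www.java.com/download/
10.0.0.7 2020-10-28T14:15:00Z GET https://downloads.vendor.test/tool-setup.exe 200 -
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<time>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referrer>\S+)$"
)


@dataclass
class Finding:
    client: str
    url: str
    referrer: str
    reason: str


def host_matches(host: str, domains) -> bool:
    """True if host equals, or is a subdomain of, any allowed domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def detect_fake_installers(log_text: str) -> List[Finding]:
    """Flag successful installer downloads that impersonate a vendor product
    but are served from a host outside that vendor's domains."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # skip malformed lines and redirects / failed fetches
        parts = urlsplit(m["url"])
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if not filename.endswith(INSTALLER_EXTS):
            continue
        host = parts.hostname or ""
        for product, domains in VENDOR_DOMAINS.items():
            if product in filename and not host_matches(host, domains):
                referrer = m["referrer"]
                reason = f"{product} installer served from non-vendor host {host}"
                # A referrer on a different site is the "popup on someone
                # else's page" signal from the article; note it separately.
                if referrer != "-" and urlsplit(referrer).hostname != host:
                    reason += "; download triggered from third-party page"
                findings.append(Finding(m["client"], m["url"], referrer, reason))
    return findings


if __name__ == "__main__":
    for f in detect_fake_installers(SAMPLE_LOG):
        print(f"{f.client} {f.url} <- {f.referrer}: {f.reason}")
```

The keyword match is deliberately loose so that renamed lures (JavaUpdate.msi, java_plugin_setup.exe) still trip it; the cost is that any internally hosted Java package would also be flagged, so in practice the vendor domain table should be extended with your own software distribution hosts rather than the keyword list narrowed.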
“The choice of Java is a bit odd, though, considering it is not typically associated with video streaming. However, those who click and download the so-called update may not be aware of that, and that’s really all that matters,” explained the researchers.