Menu
Browse

Cyber Threat Actor: AdGholas

Actor Type Location Known Incidents
 Icon
Criminal
Russia
1 incident
Profile

AdGholas is a threat actor known by that alias and has been associated with operations originating from Russia. The actor’s public profile is limited to a handful of reported incidents, the most detailed of which describes a malvertising campaign that leveraged compromised social‑media infrastructure to distribute malware. No additional aliases, organizational ties, or state sponsorship have been publicly confirmed for AdGholas in the available sources.

The actor’s observed targeting focuses on social‑media platforms, exemplified by the compromise of LiveJournal and another unnamed social network in 2016. By exploiting these services, AdGholas sought to reach broad audiences of everyday internet users rather than specific industrial or governmental sectors. The campaign’s design indicates an intent to maximize exposure to vulnerable endpoints, suggesting a financially motivated approach typical of ad‑fraud operations, although the source material does not explicitly state the actor’s strategic objectives.

Technically, AdGholas employed a chain of tactics that began with the theft of legitimate credentials to create fraudulent subdomains within the affected platforms. These subdomains hosted malicious advertisements delivered through a legitimate ad network, a classic malvertising initial‑access vector. To evade detection, the actor used domain shadowing techniques and performed client‑side fingerprinting to identify systems running outdated software or lacking security defenses, thereby avoiding protected environments. The malicious ads utilized Google open redirects to steer victims toward the Angler exploit kit, which then exploited a vulnerability in Internet Explorer to scan local machines for security products and research environments. This sequence allowed the deployment of malware without requiring any interaction with the advertisement itself, highlighting a stealthy, automated infection strategy. The 2016 LiveJournal incident remains the primary publicly reported operation that illustrates AdGholas’s reliance on credential abuse, ad‑infrastructure manipulation, fingerprinting, and exploit‑kit delivery to achieve its effects.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources