14 September 2020

Malsmoke malvertising campaign targets porn sites visitors, redirects users to exploit kits

Over the past few months, a hacker group dubbed Malsmoke has been infecting popular porn sites with malicious ads and using them to deliver malware to visitors.

According to Malwarebytes’ researchers, who have been tracking this campaign, the Malsmoke gang has managed to abuse “practically all adult ad networks”, but this is the first time the threat actor has hit a top publisher: the group placed malicious ads on xHamster, one of the most popular adult sites in the world.

The Malsmoke attacks only target users running vulnerable versions of Internet Explorer and Adobe Flash. The malicious ads use JavaScript to redirect visitors of adult portals to malicious sites hosting an exploit kit that abuses the CVE-2019-0752 (Internet Explorer) and CVE-2018-15982 (Flash Player) vulnerabilities in order to install malware (such as Smoke Loader, Raccoon Stealer, and ZLoader) on victims’ machines.

“The redirection mechanism is more sophisticated than those used in other malvertising campaigns. There is some client-side fingerprinting and connectivity checks to avoid VPNs and proxies, only targeting legitimate IP addresses,” the researchers note.

“Malsmoke is probably the most persistent malvertising campaign we have seen this year. Unlike other threat actors, this group has shown that it can rapidly switch ad networks to keep their business uninterrupted,” they added.
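The chain described above (publisher page, ad network, attacker landing page, Flash payload, delivered only to Internet Explorer clients) is something a defender can look for in web-proxy logs. The script below is an added example written for this page, not code from Malwarebytes or from the campaign; it assumes a simple proxy log format (timestamp, client IP, quoted User-Agent, Referer, URL), uses constructed log lines with hypothetical domains that are not real indicators, and treats the `AD_HOSTS` set as a stand-in for an ad-network category feed you would supply yourself.

```python
"""
Triage proxy logs for the malvertising pattern discussed on this page:
an Internet Explorer client that is led, via an ad-network host, to a
third-party host serving a Flash (.swf) object.  Example code only.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log (hypothetical domains, not real IoCs).
# Assumed format: timestamp client_ip "user_agent" referer url
SAMPLE_LOG = """\
2020-09-10T12:00:01Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" - https://adult-site.example/video/123
2020-09-10T12:00:02Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" https://adult-site.example/video/123 https://ads.adnetwork-example.test/serve?id=77
2020-09-10T12:00:03Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" https://ads.adnetwork-example.test/serve?id=77 https://landing.example-ek.test/index.php?t=4
2020-09-10T12:00:04Z 10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" https://landing.example-ek.test/index.php?t=4 https://landing.example-ek.test/player.swf
2020-09-10T12:01:10Z 10.0.0.9 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0 Safari/537.36" - https://adult-site.example/video/123
2020-09-10T12:01:11Z 10.0.0.9 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0 Safari/537.36" https://adult-site.example/video/123 https://ads.adnetwork-example.test/serve?id=77
2020-09-10T12:01:12Z 10.0.0.9 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0 Safari/537.36" https://ads.adnetwork-example.test/serve?id=77 https://cdn.advertiser-example.test/banner.png
"""

# Hosts known to serve ads.  Hypothetical value; in practice this comes from
# a URL-category or threat-intel feed.
AD_HOSTS = {"ads.adnetwork-example.test"}

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')


def is_internet_explorer(user_agent):
    """IE 11 identifies itself with the Trident token; older builds with 'MSIE'."""
    return "Trident/" in user_agent or "MSIE " in user_agent


def parse_log(text):
    """Yield (timestamp, client, user_agent, referer_or_None, url); skip bad lines."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            ts, client, ua, referer, url = match.groups()
            yield ts, client, ua, (None if referer == "-" else referer), url


def find_suspicious_chains(text):
    """Return [(client, [urls])] for every request that completes the pattern.

    Requests are linked into chains per client through their Referer header.
    A chain is flagged when the client is IE, the final object is a .swf, an
    ad host appears earlier in the chain, and the .swf is served by a host
    that is neither the ad network nor the original publisher.
    """
    seen = defaultdict(dict)  # client -> {url: chain of urls ending at url}
    hits = []
    for _ts, client, ua, referer, url in parse_log(text):
        chain = (seen[client].get(referer, []) if referer else []) + [url]
        seen[client][url] = chain
        hosts = [urlparse(u).hostname for u in chain]
        if (is_internet_explorer(ua)
                and urlparse(url).path.lower().endswith(".swf")
                and any(h in AD_HOSTS for h in hosts[:-1])
                and hosts[-1] not in AD_HOSTS
                and hosts[-1] != hosts[0]):
            hits.append((client, chain))
    return hits


if __name__ == "__main__":
    for client, chain in find_suspicious_chains(SAMPLE_LOG):
        print(f"{client}: " + " -> ".join(chain))
```

The rule is deliberately narrow (IE client, ad host in the chain, Flash object from a third host) so that ordinary ad traffic such as the Chrome client fetching a banner is not flagged; it is a heuristic, not a signature, and a kit that serves Flash content without a `.swf` extension would need the content-type from the proxy log rather than the URL path.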
