Facebook Paid Ads Abused in Sophisticated Three-Step Tech Support Scam Campaign

A highly structured malvertising campaign has been identified that leverages Facebook’s paid advertising platform to deliver a tech support scam (TSS) kit via a multi-stage redirection chain. Security researchers from GenThreatLabs first flagged this activity, noting that the threat actors behind the campaign are exploiting trusted ad delivery mechanisms and legitimate cloud hosting to evade traditional security filtering.

How the Malvertising Chain Operates

The attack consists of a three-step chain that begins with a maliciously crafted paid ad on Facebook. When a user clicks the ad in their social feed, they are not taken to a legitimate product or service. Instead, the following sequence unfolds:

  1. Paid Facebook Ad Delivery
    The user interacts with a seemingly ordinary paid advertisement on Facebook. However, the ad’s destination URL is part of a malicious redirect sequence rather than a legitimate business page.
  2. Intermediate Decoy Website
    After clicking, the victim is routed to a staged “decoy” page engineered to imitate an innocuous site — in this case, a site designed to resemble an Italian restaurant. This intermediate step serves as a buffer to bypass automated scanning and URL filtering systems that might flag malicious URLs if they were linked directly in the ad.
  3. Final Scam Landing Page
    Upon passing through the decoy, users are forwarded to the final fraudulent landing page. These pages are typically hosted on Microsoft Azure infrastructure using subdomains under web.core.windows.net. By operating within the scope of a legitimate cloud service provider domain, the threat actors gain an appearance of authenticity and make automated blocking more difficult.

On this landing page, visitors are confronted with fake security alerts falsely claiming that their device has been compromised. These alerts are designed to instill panic and pressure users into calling a fraudulent tech support hotline, where the attackers’ real objective is to extract money or further access.

Tactics for Evasion and Persistence

Several characteristics of this campaign stand out from more trivial ad abuse:

  • Living-Off-the-Land Hosting: By using Azure’s cloud infrastructure, specifically web.core.windows.net, the attackers conceal malicious content beneath the umbrella of a widely trusted domain. Security teams are hesitant to block such domains broadly because they host legitimate services, giving the attackers a form of operational camouflage.
  • High Domain Rotation: To avoid detection and blacklisting, the campaign rapidly cycles through large numbers of unique domains. Analysts observed over 100 different domains in use within just one week, with new infrastructure introduced frequently. This heavy rotation means that static blocklists quickly become outdated.
  • Targeting Patterns: The activity appears to be geographically focused on U.S. users, and the timing of the campaign suggests a deliberate cadence, with new infrastructure activated mostly on weekdays, likely to coincide with peak usage patterns and business hours.
  • Decoy Strategy to Evade Scanners: The initial Italian restaurant themed decoy site (for example, simplydeliciouspairing[.]com) is not merely a distraction. It acts as an intent filter to confuse automated scanners. Because the decoy looks benign, traditional security tooling often fails to flag the user’s true destination until they pass through this intermediate step.

Threat Implications

This campaign underscores the evolution of malvertising tactics, where cybercriminals blend legitimate services with malicious intent to bypass both platform and endpoint defenses:

  • The use of trusted ad networks such as Facebook’s paid ad system allows attackers to deliver harmful payloads under the guise of legitimate commerce or promotion.
  • By interposing benign-looking intermediate pages, they divert simple URL scanning and reputation checks.
  • Hosting the final scam landing page on widely trusted cloud infrastructure (Microsoft Azure) further complicates defensive response.

Collectively, these tactics illustrate a sophisticated chain that abuses the supply paths of digital ads and cloud hosting to widen reach while evading detection.

Recommendations for Defense

To mitigate this emerging threat, security professionals and end users should consider the following measures:

  • Vigilance with Paid Ads: Treat unexpected redirects from social media ads with suspicion, especially when they lead to unfamiliar or off-brand landing pages.
  • Inspect Ad URLs Before Clicking: Whenever possible, preview the final destination of advertisement links rather than clicking through immediately.
  • Monitor Redirection Patterns: Security systems and analysts should watch for anomalous redirection sequences that involve reputable ad platforms coupled with suspicious intermediate domains.
  • Block IOCs: Implement blocks for known indicators of compromise related to these campaigns, and constantly update these lists to account for high-frequency domain rotation.
  • Heuristic and Behavior-Based Detection: Rely on dynamic detection mechanisms rather than static blocking lists where possible, because of the rapid infrastructure changes inherent in this abuse vector.
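The redirection-pattern and heuristic-detection recommendations above can be turned into a concrete check on proxy logs. The following script is an added example, not code from GenThreatLabs or the report: it reconstructs per-client hop sequences from constructed log lines (the format, the `.invalid` decoy hostnames and the Facebook link-shim hostname are assumptions) and flags the three-step shape the campaign uses, a Facebook ad click, then an unrelated decoy site, then a landing page under web.core.windows.net, without relying on the decoy's domain name, so it keeps working after the campaign rotates domains.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy-log lines for illustration (not taken from the report):
# each line is "<client> referer=<url> url=<requested url>", in time order.
SAMPLE_LOGS = [
    "10.0.0.5 referer=https://www.facebook.com/ url=https://pasta-decoy.invalid/menu",
    "10.0.0.5 referer=https://pasta-decoy.invalid/menu url=https://alert4421.z13.web.core.windows.net/index.html",
    "10.0.0.7 referer=https://www.facebook.com/ url=https://shop.example-brand.invalid/deal",
    "10.0.0.9 referer=https://www.facebook.com/ url=https://pizza-decoy.invalid/",
    "10.0.0.9 referer=https://pizza-decoy.invalid/ url=https://docs.example-brand.invalid/help",
]

# Hostnames treated as the paid-ad entry point (assumption: Facebook and its link shim).
AD_PLATFORM_HOSTS = {"www.facebook.com", "facebook.com", "l.facebook.com"}
# Cloud-hosting suffix the report associates with the final scam page.
LANDING_SUFFIX = ".web.core.windows.net"
LINE_RE = re.compile(r"^(\S+) referer=(\S+) url=(\S+)$")

def parse_line(line):
    """Return (client, referer_host, url_host), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, referer, url = m.groups()
    return client, urlparse(referer).hostname, urlparse(url).hostname

def find_scam_chains(lines):
    """Flag per-client hop pairs forming ad -> decoy -> cloud-hosted landing page.
    Keys on chain shape, not the decoy hostname, so it survives domain rotation."""
    hops = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            client, ref_host, url_host = parsed
            hops[client].append((ref_host, url_host))
    flagged = []
    for client, seq in hops.items():
        for (ref1, decoy), (ref2, landing) in zip(seq, seq[1:]):
            if (ref1 in AD_PLATFORM_HOSTS                 # step 1: click on the paid ad
                    and decoy == ref2                    # step 2: decoy referred the next hop
                    and decoy not in AD_PLATFORM_HOSTS
                    and landing and landing.endswith(LANDING_SUFFIX)):  # step 3: Azure landing
                flagged.append((client, [ref1, decoy, landing]))
    return flagged
```

Only the client that completed all three hops is reported; a Facebook click that lands on an ordinary brand site, or a decoy that forwards somewhere other than web.core.windows.net, is left alone.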

By recognizing how threat actors are shifting toward legitimate channels for malicious delivery, defenders can better align their detection and remediation strategies to counter these complex, multi-stage attacks.