Varonis Threat Labs has highlighted a comprehensive toolkit designed to weaponize search engine advertising. Researchers uncovered 1Campaign, a full-service cloaking platform built to help threat actors run malicious Google Ads at scale. For over three years, a developer operating under the pseudonym ‘DuppyMeister’ has maintained the platform, combining real-time visitor filtering, geographic targeting, and fraud scoring into a single dashboard.
At its foundation, 1Campaign is a cloaker. As the Varonis report puts it, “Cloaking is a technique where malicious actors show different content to different visitors”. When Google’s ad reviewers, automated security scanners, or researchers inspect a link, they are served a benign “white page”. Real human victims are instead redirected to the actual scam content, such as a phishing site or a crypto drainer.
The platform goes well beyond basic redirection, profiling every click with real-time analytics. Each visitor is dynamically assigned a “fraud score from 0 to 100”. To evade detection, the platform automatically flags and blocks visitors arriving from the networks of known cloud providers and security vendors, such as Microsoft Corporation, Google, and Tencent Cloud Computing.
The filtering is aggressive. In one observed campaign dubbed “Blockbyblockchain,” the system processed 1,676 visitors but approved only 10, a pass rate of roughly 0.6%. The remaining 99.4% of traffic was blocked, so scanners and researchers never saw the malicious content.
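As an added illustration (not 1Campaign's code and not taken from the Varonis report), the following Python models the decision described above: a per-visit fraud score built from the source network, user agent, geography and request headers; a threshold that routes each click to the white or black page; the approval-rate arithmetic behind figures like the 0.6%; and a defender-side check that compares what one URL serves to different client profiles. The signal names, weights, threshold, IP prefixes (RFC 5737 documentation ranges standing in for the real networks) and sample traffic and pages are all constructed assumptions.

```python
"""Added illustration (not 1Campaign's code): how a cloaker's per-visit
fraud score turns one ad click into a "white" or "black" page, plus a
check a defender can run to catch it. All signal names, weights,
thresholds, IP prefixes and sample data below are assumptions."""
import difflib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: organisations the report says get blocked, mapped to RFC 5737
# documentation prefixes for the demo. These are NOT their real address space.
BLOCKED_ORGS: Dict[str, List[str]] = {
    "Microsoft Corporation": ["198.51.100.0/24"],
    "Google": ["203.0.113.0/24"],
    "Tencent Cloud Computing": ["192.0.2.0/24"],
}
AUTOMATION_UA_TOKENS = ("headless", "bot", "crawler", "spider", "python-requests", "curl")


@dataclass
class Visit:
    ip: str
    user_agent: str
    country: str
    referer: str = ""
    accept_language: str = ""


def org_for_ip(ip: str) -> Optional[str]:
    """Return the blocked organisation whose prefix contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for org, prefixes in BLOCKED_ORGS.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return org
    return None


def fraud_score(v: Visit, target_countries: set) -> Tuple[int, List[str]]:
    """0-100 score; higher means 'probably a reviewer, scanner or researcher'.
    Weights are assumptions; the point is that several weak signals add up."""
    score, reasons = 0, []
    org = org_for_ip(v.ip)
    if org:
        score += 60
        reasons.append(f"source network: {org}")
    if any(t in v.user_agent.lower() for t in AUTOMATION_UA_TOKENS):
        score += 30
        reasons.append("automation user-agent")
    if v.country not in target_countries:
        score += 45
        reasons.append("outside geo target")
    if "google" not in v.referer.lower():  # a real ad click arrives via Google
        score += 15
        reasons.append("no ads referrer")
    if not v.accept_language:  # headless fetchers often omit browser headers
        score += 10
        reasons.append("missing Accept-Language")
    return min(score, 100), reasons


def route(v: Visit, target_countries: set, threshold: int = 40) -> Tuple[str, int, List[str]]:
    """Decide which page the visitor gets: 'white' (benign) or 'black' (scam)."""
    score, reasons = fraud_score(v, target_countries)
    return ("white" if score >= threshold else "black"), score, reasons


def campaign_stats(visits: List[Visit], target_countries: set, threshold: int = 40) -> Tuple[int, int]:
    """(approved, total): how many visitors were let through to the black page."""
    approved = sum(1 for v in visits if route(v, target_countries, threshold)[0] == "black")
    return approved, len(visits)


def cloaking_suspected(responses: Dict[str, str], min_similarity: float = 0.8) -> bool:
    """Defender-side check: fetch the landing page under several client
    profiles (datacenter IP + curl vs. residential IP + mobile browser, etc.)
    and flag the URL if any two bodies diverge sharply."""
    bodies = list(responses.values())
    for i in range(len(bodies)):
        for j in range(i + 1, len(bodies)):
            if difflib.SequenceMatcher(None, bodies[i], bodies[j]).ratio() < min_similarity:
                return True
    return False


# Constructed sample traffic for the demo.
SAMPLE_VISITS = [
    Visit("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "US",
          "https://www.google.com/", "en-US"),                     # ad reviewer on a Google range
    Visit("100.64.9.9", "python-requests/2.31.0", "US"),          # security scanner
    Visit("100.64.1.7", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
          "US", "https://www.google.com/", "en-US"),             # intended victim
    Visit("100.64.1.8", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
          "DE", "https://www.google.com/", "de-DE"),             # real user, wrong country
]
# Constructed: bodies each probe profile received from the same URL.
SAMPLE_RESPONSES = {
    "datacenter+curl": "<html><title>Blockbyblockchain</title><p>Learn the basics of blockchain.</p></html>",
    "residential+mobile": "<html><title>Connect wallet</title><script>approveAllTokens()</script></html>",
}

if __name__ == "__main__":
    for v in SAMPLE_VISITS:
        page, score, why = route(v, {"US"})
        print(f"{v.ip:15} -> {page:5} score={score:3} {why}")
    print("approved/total:", campaign_stats(SAMPLE_VISITS, {"US"}))
    print("cloaking suspected:", cloaking_suspected(SAMPLE_RESPONSES))
```

The practical lesson for anyone verifying a suspicious ad is in the last function: a single fetch from a scanner egress range with a tool's default user agent is exactly the profile a cloaker sends to the white page, so probe the URL from a residential or mobile address inside the ad's target geography with real browser headers and, where the cloaker scores on the referrer as this model does, by following the actual ad click rather than pasting the destination URL. Only a divergence between those profiles is evidence of cloaking.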
What sets this tool apart from the rest of the cybercriminal underground is its “explicit focus on Google Ads abuse”. To facilitate large-scale operations, 1Campaign includes a built-in assistant platform to help cybercriminals launch both benign (“white”) and malicious (“black”) search campaigns.
According to the developer’s own forum advertisements, this feature provides users with “the ability to bypass Google Ads’ policy limitations and launch your ads as anyone using any text or words in your advertisement heading and description”.
This platform represents a “dangerous convergence” of ad fraud tooling and the cloaking that shields phishing infrastructure from inspection. By enabling “malvertising” at scale, attackers can confidently purchase legitimate ad placements on major platforms like Google or Bing to drive traffic to fake software downloads and malware droppers.
Because 1Campaign’s cloaking filters out security scanners, “the malicious ads pass inspection and run until victims report them or the campaign is manually flagged”. By the time the ads are finally taken down, the threat actors have often already captured credentials, distributed malware, or drained victims’ crypto wallets.