
Malicious Ads vs. Brand Safety: A 2026 Guide for Performance Marketers


Spend ten minutes in any ad-fraud conversation in 2026 and you’ll hear “malicious ads” and “brand safety” used as if they mean the same thing. They don’t. The defenses are different, the failure modes are different, and the people who pay the bill when each one goes wrong are different too.

Here’s the cleanest way to keep them apart. Malicious ads are a problem with the ad itself – it carries a malware payload, a phishing trap, or a scam funnel. Brand safety is a problem with what’s around the ad – the page it lands on, what sits next to it, what association that creates for the brand. Treat them as one thing and you’ll end up with the wrong protection on the wrong layer, feeling safe anyway.

This guide is the version we’d hand to a buyer launching a campaign through PropellerAds tomorrow morning.

We’ll define both problems in a way that survives operational pressure, walk through what they actually look like in 2026 with real cases from Adex, a project inside AdTech Holding, and lay out what a performance marketer should do about each one.


Key takeaways before the long version:

  • Malicious ads are a problem with the ad. Brand safety is a problem with the environment. Different defenses, different consequences.
  • Cloaking is no longer a single redirect. It’s layered infrastructure built to defeat moderation. Across PropellerAds’ confirmed suspensions, cloaking went from about 45% in 2022–2024 to around 78% in 2025, and stayed near 68% in Q1 2026.
  • AI-driven automated traffic is now growing about eight times faster than human traffic (HUMAN Security 2026), and benign and malicious bots are getting harder to tell apart.
  • The worst 2026 campaigns hide payloads behind high-reputation infrastructure: GitHub URLs, Discord CDNs, .gov and .edu subdomains.
  • A clean-looking domain no longer means clean intent.
  • Brand safety in 2026 isn’t mostly about adjacency to violent content anymore. It’s about AI-generated junk, made-for-advertising sites, and “news” sites that look professional but aren’t.

A serious performance marketer needs two separate playbooks. Both are below.

What Each Term Actually Means

Vendor marketing has stretched these terms in every direction, so it’s worth pinning them down.

Malicious ads exist to harm the user who sees or interacts with them. The harm can be technical (malware install, credential theft, device compromise) or social (scam funnels, fake subscriptions, account hijacking via phishing). The advertiser is either a bad actor directly or a legitimate account that’s been hijacked. The point of the ad isn’t to sell – it’s to extract something from the user.

Brand safety is the discipline of protecting your brand’s reputation by controlling where your ads run and what content surrounds them. “Safe placement” isn’t just “no malware.” It’s also not running next to extremist content, graphic news, AI-generated junk, or anything else your logo doesn’t belong near. The focus is the editorial environment, not the ad itself.

The two problems often show up together: a site hosting malicious ads is also a brand safety problem for any legitimate advertiser whose ad lands there.

But the mechanisms and defenses are different. A network with strong anti-fraud filtering but weak contextual controls will still put your ad next to objectionable content. A network with strong category exclusions but weak fraud detection will still expose your users to malware. The right question is never “is this network safe?” but “is this network handling both problems explicitly, and how?”


What Malicious Ads Look Like in Practice

This is where most vendor reports wave their hands. Real malicious campaigns have specific domains, specific IPs, and specific actors with the patience to probe defenses over years, not weeks. We can show you a few, because Adex and our security teams keep catching them.


The Triada Story: A Five-Year Fight

The clearest example of how malicious ads have evolved is a single Android Trojan called Triada, which the Adex team has been tracking since 2020. The full case study walks through three distinct rounds of attack and platform response.

The short version is that the technique has matured from crude fake-document KYC attempts to hijacked legitimate accounts to multi-stage cloaking chains hiding behind GitHub and Discord URLs.

What makes Triada notable is not its technical sophistication, but its persistence. Across five years, more than 500 compromised advertiser accounts have been banned on our platform alone, and the same actor cluster keeps adapting. According to Kaspersky’s Securelist mobile threat tracking, Triada accounted for 15.78% of all detected mobile infections in Q3 2025 alone. This is not a fringe Android problem.

Each round forced a specific platform upgrade. After the first wave of fake-document KYC attempts, we tightened identity verification through Sumsub. After legitimate accounts started getting hijacked because advertisers reused passwords without 2FA, we made two-factor authentication mandatory by default. After the latest round started hiding payloads behind GitHub URLs, we applied a zero-trust policy to all redirects regardless of how trusted the destination domain looks. On December 8, 2025, GitHub officially confirmed the malicious account we reported and removed it.

“Many of these cases appear to exploit user trust. Addressing this requires action from both sides: improving cybersecurity awareness among users and greater responsibility from platforms. Companies like Meta and Google should play a stronger role in ensuring the safety of the ecosystems built around their advertising products,” notes Farukh Rakhimov, Information Security Manager at PropellerAds.

Attack → Response

Triada’s five-year evolution and PropellerAds’ defensive response

Each round of the attack forced a specific platform upgrade. Read each lane top-to-bottom: technique first, response below.

Round 1 (2020–2021)
  • Fake Turkish government portals as landers
  • Payloads hosted on apkuploads.com and googleplay.apk
  • Distribution via Discord CDN and kisa.link shorteners
Response: Sumsub KYC integration – advertiser identity verification at onboarding.

Round 2 (2022–2024)
  • Hijacked legitimate advertiser accounts via password reuse
  • France-to-Turkey login anomalies on compromised sessions
  • Cloaked redirect chains routed through GitHub raw content
Response: 2FA mandatory by default; login anomaly monitoring across geographies.

Round 3 (2025–Now)
  • Fake Chrome update pre-landers
  • GitHub-hosted payloads with multi-Trojan distribution
  • Accounts hijacked from Turkey and India
Response: Zero-trust inspection on all redirect chains; takedown collaboration with GitHub.


The Malicious Redirect Pattern: Compromise Anywhere in the Chain

Not every malicious campaign needs five years of evolution. Some happen in a single redirect chain that takes milliseconds to execute. A 2023 Adex case study walks through one where an advertiser’s clean-looking campaign was rejected because his redirect chain passed through a domain running an infected jQuery library that injected a malware-loading script. The advertiser’s creative was clean. The tracker infrastructure he had bolted on was compromised.

“This is not entirely unexpected,” an Adex anti-fraud expert noted at the time. “We know that fraudsters can strike at any moment, so our only weapon is careful monitoring.”

The recurring lesson is that your ad is not the whole attack surface. Anything in your tracker, pre-lander, or post-conversion chain is part of it, and a compromise anywhere along that path will surface as a malware violation on your campaign.
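The infected-library case is the kind of drift a pinned-hash check catches. The sketch below is an added example, not PropellerAds or Adex code: it compares the scripts a pre-lander loads against Subresource Integrity values recorded when the page was known good. All URLs, script bodies, and the manifest are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample data: a pre-lander and the script bodies it loads.
PAGE_URL = "https://lander.example/offer/"
PAGE_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="https://cdn.example.net/track.js"></script>
</head><body>offer</body></html>"""
CLEAN_JQUERY = b"/* stand-in for a known-good jquery.min.js */"
TAMPERED_JQUERY = CLEAN_JQUERY + b"/* appended loader (constructed) */"
TRACKER_JS = b"/* stand-in for the tracker snippet */"


def sri_sha384(body: bytes) -> str:
    """Return the Subresource Integrity value for a script body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Manifest recorded while the page was known good (constructed).
PINNED = {
    "https://lander.example/js/jquery.min.js": sri_sha384(CLEAN_JQUERY),
    "https://cdn.example.net/track.js": sri_sha384(TRACKER_JS),
}


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr = dict(attrs)
            if attr.get("src"):
                self.scripts.append((attr["src"], attr.get("integrity")))


def audit_scripts(page_url, html, fetched, pinned):
    """Compare the scripts on a page against a pinned manifest.

    fetched: {absolute_url: bytes} script bodies as served today
    pinned:  {absolute_url: sri_value} recorded when the page was clean
    Returns a list of (url, finding) tuples; empty means no drift.
    """
    collector = ScriptCollector()
    collector.feed(html)
    own_host = urlparse(page_url).hostname
    findings = []
    for src, integrity in collector.scripts:
        url = urljoin(page_url, src)
        body = fetched.get(url)
        if body is None:
            findings.append((url, "not-fetched"))
            continue
        if url not in pinned:
            findings.append((url, "unpinned-script"))
        elif pinned[url] != sri_sha384(body):
            findings.append((url, "content-changed"))
        # A script from another host with no integrity attribute can change
        # without the page owner noticing.
        if urlparse(url).hostname != own_host and not integrity:
            findings.append((url, "third-party-without-integrity"))
    return findings


if __name__ == "__main__":
    served_today = {
        "https://lander.example/js/jquery.min.js": TAMPERED_JQUERY,
        "https://cdn.example.net/track.js": TRACKER_JS,
    }
    for url, finding in audit_scripts(PAGE_URL, PAGE_HTML, served_today, PINNED):
        print(finding, url)
```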


The Trust-Domain Abuse Pattern: When .gov and .edu Become Attack Surfaces

A 2025 investigation Adex published in February 2026 caught Indonesian government and university domains hosting iGaming landing pages. Real examples included a library subdomain of Universitas Islam Majapahit, a library subdomain of Indramayu State Polytechnic, and an Italian groceries CRM subdomain. None of these institutions intended to run iGaming ads.

The mechanism, classified by OWASP under A05: Security Misconfiguration, is subdomain takeover. A legitimate domain owner forgets a DNS record pointing to a deleted cloud bucket. An attacker claims the same bucket name and now controls a subdomain that inherits the parent domain’s trust.

For a performance marketer, the lesson is the same one the Triada case made: a clean-looking domain does not mean a clean intent.
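For anyone who owns domains, the defensive counterpart is to audit DNS for records that outlive the resource they point to. The sketch below is an added example, not Adex's tooling: it reads a BIND-style zone export and flags CNAMEs to third-party hosting that are missing from your own asset inventory. The zone, the inventory, and the suffix list are constructed, and it assumes one record per line with an explicit owner name.

```python
import socket

# Third-party hosting suffixes to audit (illustrative, not exhaustive).
EXTERNAL_SUFFIXES = (
    ".s3.amazonaws.com",
    ".blob.core.windows.net",
    ".azurewebsites.net",
    ".github.io",
)

# Constructed zone export for a fictional institution.
SAMPLE_ORIGIN = "university.example"
SAMPLE_ZONE = """\
$ORIGIN university.example.
www      3600 IN CNAME  uni-web.azurewebsites.net.
library  3600 IN CNAME  uni-library-assets.s3.amazonaws.com.
crm       300 IN CNAME  old-crm.azurewebsites.net.   ; project ended
mail     3600 IN CNAME  mx
"""

# Constructed inventory: resources that still exist in your cloud accounts.
SAMPLE_INVENTORY = {"uni-web.azurewebsites.net"}


def absolute(name, origin):
    """Turn a zone-file name into a lower-case FQDN without trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"


def parse_cnames(zone_text, origin):
    """Return [(owner_fqdn, target_fqdn)] for every CNAME in the zone."""
    records = []
    for raw in zone_text.splitlines():
        tokens = raw.split(";", 1)[0].split()      # drop comments
        upper = [t.upper() for t in tokens]
        if not tokens or tokens[0].startswith("$") or "CNAME" not in upper:
            continue
        idx = upper.index("CNAME")
        if idx == 0 or idx + 1 >= len(tokens):
            continue                               # malformed line
        records.append((absolute(tokens[0], origin),
                        absolute(tokens[idx + 1], origin)))
    return records


def system_resolves(host):
    """Default resolver check; needs network access."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(zone_text, origin, inventory, resolve=None):
    """Flag CNAMEs to external hosting that nothing in the inventory backs.

    DNS alone is not enough: some providers answer for any name, so the
    inventory comparison is the primary check and `resolve` is optional.
    """
    findings = []
    for owner, target in parse_cnames(zone_text, origin):
        if not target.endswith(EXTERNAL_SUFFIXES):
            continue
        if target not in inventory:
            findings.append((owner, target, "not-in-inventory"))
        elif resolve is not None and not resolve(target):
            findings.append((owner, target, "does-not-resolve"))
    return findings


if __name__ == "__main__":
    for row in find_dangling(SAMPLE_ZONE, SAMPLE_ORIGIN, SAMPLE_INVENTORY):
        print(*row)
```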


When Trusted Platforms Become the Delivery Channel

The same trust-inversion pattern shows up across the four largest malvertising campaigns we documented in 2025.

Our Biggest Malware Scandals of 2025 breakdown covered them in detail: Microsoft’s Storm-0408 campaign delivered infostealers through ads whose downloads came from GitHub, Dropbox, or Discord.

The Rhysida campaign led corporate users to spoofed Microsoft Teams installers signed with valid-looking certificates. The YouTube Ghost Network distributed malware through videos that looked like ordinary software tutorials.

The technical innovation in all of these is not in the malware. It is in social engineering, and the social engineering exploits trust in the platforms users already use.

“Attackers are increasingly using highly trusted platforms to distribute malware. We take this into account in our risk models and during the evaluation of advertising campaigns. For us, a combination of signals is critical: redirect structures, detections triggered during redirects, and activity anomalies,” explains an Adex expert who reviewed the campaigns.


What Performance Marketers Actually Experience

The case studies above are from our side of the wall. The view from a media buyer’s side has its own texture.

The most common complaint thread you can find on practitioner forums in 2025 and 2026 is some version of the same story.

A buyer launches a campaign. The platform rejects it for “malicious code” or “compromised site” or “circumventing systems.” The buyer is confused. They did not write any malicious code. They have no idea what compromised what. A typical post title from a 2025 thread reads, “New to CPA marketing, trying to use self-serve popunder ads. Every campaign rejected for ‘malicious code.’ What are my options?”

This is what malicious ads look like from inside the buyer’s account: a rejection notice with no obvious cause.

The compromise is somewhere in their stack, in the tracker, the pre-lander, a plugin running on their WordPress install, or a redirect the offer owner inserted without telling them. The platform sees the malware signal; the buyer sees a rejection and starts looking for someone to blame.

PropellerAds - malware traffic example showing a Google Ads account suspension caused by suspicious payment activity and campaign review issues.

The 2025 Google ban wave on grayhat niches gave the broader community a sharper version of this experience. Practitioner forums tracked the pattern in detail: accounts that had run cleanly for months were getting suspended in days, sometimes after careful warm-ups.

A Cloudflare community thread on cloaking suspensions captured the broader frustration. Detection had become much harder to anticipate, and appeals were resolving less often.

This is not specific to any one platform. It is what happens when ad networks tighten enforcement in response to an adversarial threat landscape. The honest framing is that networks have to keep tightening, because the people running the worst campaigns keep getting better.

The uncomfortable but useful posture is to assume your campaign will be inspected as if it were potentially malicious, and design your campaign infrastructure to pass that inspection cleanly. The campaigns least likely to be rejected are the ones with the least to hide.


What Brand Safety Looks Like in 2026

Brand safety is the easier of the two problems to define and the harder one to fully solve.

The visible part is what most people picture: making sure your ads do not appear next to violent content, hate speech, terrorism, illegal activity, or the other categories on the Global Alliance for Responsible Media (GARM) brand safety floor.

Most modern ad platforms support category exclusions, contextual filters, and inventory tier controls. If a buyer enables them, the worst cases get filtered out.

The harder part is brand suitability — and that’s where 2026 has changed the most. Brand suitability covers everything that doesn’t technically break the safety rules but still isn’t where your brand wants to show up. Three shifts have pushed it in new directions.

  • AI-generated content. In a 2026 industry survey reported by eMarketer, 53% of US digital media experts said having ads run in proximity to GenAI content was a top media challenge of the year. The question is not whether AI content is automatically unsafe. It is that adjacency to certain kinds of AI content (low-effort, mass-produced, factually unreliable) reads as a brand quality problem even when nothing on the page is technically a violation. Made-for-advertising sites scaled by AI are now a recognizable category.
  • Misinformation environments. News and current-affairs context has always carried brand safety risk, but in 2026 the boundary between “credible news” and “low-quality syndicated content masquerading as news” has blurred. Algorithmic placement does not always tell the difference.
  • Creator and influencer ecosystems. Performance marketing budgets have moved into creator content in ways that mainstream brand safety vendors have only partially caught up with. A creator’s archive of past content is part of the suitability surface in a way that does not exist for traditional inventory.

Independent ad-quality measurement gives a sense of how broad the surface is. According to MGID’s Ad Security Report 2026, the UK flagged roughly 1 in every 40 ad impressions as malicious or low-quality in 2025; in Canada the rate was 1 in 35. Confiant’s Mid-Year 2025 Malvertising & Ad Quality Index put the global figure at 1 in 78. The variation depends on methodology and market, but the baseline is the same: meaningful risk exists in every market, and it is not concentrated in obscure inventory.

A performance marketer treating brand safety as “I ticked the basic exclusion list” is solving the 2018 version of the problem. The 2026 version requires attention to context that the universal GARM baseline does not capture.


What To Do About Each One

The point of separating the two problems is that the response to each one is different.

What To Do About Malicious Ads

The broader anti-fraud work – domain hygiene, journey audit, anomaly escalation, platform-side filtering – is covered in our companion piece on protecting ad campaigns from malware traffic.

What follows is what specifically helps against malicious ads: three habits that map directly to the three patterns above.

  • Account hygiene and login monitoring. The Triada Round Two case started with a single advertiser who reused a password across services and skipped 2FA. That single gap put a verified, long-trusted account into the hands of a fraud ring distributing Android malware. 

Use unique passwords on every platform, enable two-factor authentication everywhere it is offered (not only where it is mandatory), and check your account’s login history periodically. A login from a country you have never used is the same warning sign that flags the account on the platform side.

  • Watch the signals your platform already gives you. The infected jQuery library case showed that a clean creative and a clean landing page do not guarantee a clean redirect chain. But most affiliates cannot audit every redirect hop comprehensively, and most cloaking is built to slip past casual checks anyway. 

What you can do is read the signals the platform surfaces for free. A campaign that gets rejected for “malicious code” or “compromised site” when nothing on your end changed is pointing at something in your stack, usually your tracker, your pre-lander, or a redirect your offer owner inserted without telling you. 

  • A browser antivirus warning on a domain you own is the cleanest possible signal of compromise.
  • Check your own domains in a clean browser before launch and again periodically.
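One way to make the periodic check repeatable, as an added example that is not PropellerAds or Adex code: parse the header dump that `curl -s -I -L` prints for your campaign URL, then flag hops on hosts you never declared and hops that serve a download. The hostnames, dumps, and declared-host list are constructed, and the two captures stand for the same URL fetched from two different clients.

```python
from urllib.parse import urljoin, urlparse

# Content types that mean "this hop hands the user a file", not a page.
DOWNLOAD_TYPES = {
    "application/vnd.android.package-archive",
    "application/octet-stream",
    "application/x-msdownload",
}

# Constructed sample captures of one campaign URL.
START_URL = "https://lander.buyer.example/go"
DECLARED_HOSTS = {"lander.buyer.example", "track.buyer.example",
                  "offer.advertiser.example"}
CAPTURE_DESKTOP = """\
HTTP/1.1 302 Found
Location: https://track.buyer.example/click?id=1

HTTP/1.1 302 Found
Location: https://offer.advertiser.example/landing

HTTP/2 200
content-type: text/html; charset=utf-8
"""
CAPTURE_MOBILE = """\
HTTP/1.1 302 Found
Location: https://track.buyer.example/click?id=1

HTTP/1.1 302 Found
Location: https://cdn.trusted-platform.example/files/update.apk

HTTP/2 200
content-type: application/vnd.android.package-archive
"""


def parse_header_dump(start_url, dump):
    """Turn a multi-hop header dump into [{'url', 'status', 'headers'}]."""
    hops, url = [], start_url
    for block in dump.replace("\r\n", "\n").strip().split("\n\n"):
        lines = block.strip().split("\n")
        if not lines[0].startswith("HTTP/"):
            continue
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        hops.append({"url": url, "status": int(lines[0].split()[1]),
                     "headers": headers})
        if "location" in headers:              # next hop, may be relative
            url = urljoin(url, headers["location"])
    return hops


def audit_chain(hops, declared_hosts):
    """Return (hop_index, host, finding) for every hop that needs review.

    No host is exempt for looking reputable: anything outside the list
    the buyer declared is reported.
    """
    findings = []
    for i, hop in enumerate(hops):
        host = urlparse(hop["url"]).hostname
        if host not in declared_hosts:
            findings.append((i, host, "undeclared-host"))
        ctype = hop["headers"].get("content-type", "").split(";")[0].strip().lower()
        disposition = hop["headers"].get("content-disposition", "").lower()
        if ctype in DOWNLOAD_TYPES or disposition.startswith("attachment"):
            findings.append((i, host, "serves-download"))
    return findings


def diverges(hops_a, hops_b):
    """True when two captures of the same URL pass through different hosts."""
    def route(hops):
        return [urlparse(h["url"]).hostname for h in hops]
    return route(hops_a) != route(hops_b)


if __name__ == "__main__":
    desktop = parse_header_dump(START_URL, CAPTURE_DESKTOP)
    mobile = parse_header_dump(START_URL, CAPTURE_MOBILE)
    print(audit_chain(mobile, DECLARED_HOSTS), diverges(desktop, mobile))
```

A chain that diverges between captures, or that ends on a host your offer owner never mentioned, is worth raising with them before the platform raises it with you.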


What To Do About Brand Safety

Brand safety on a performance network looks different from brand safety on an open programmatic supply path. The distinction matters for which controls a buyer should reach for.

  • Define your suitability tolerance before launch. Write down explicitly what categories your brand will not appear next to. The act of writing it down forces decisions you would otherwise make ad hoc. The GARM brand safety floor (terrorism, hate speech, illegal activity, adult content, graphic violence) is the universal baseline. Above that floor, every brand has its own suitability tolerance. A children’s app advertiser and a horror-film advertiser sit on opposite sides of most categories.
  • Use the network’s available controls actively. Most performance networks support vertical, format, audience-tier, and zone-level exclusions even when they do not expose individual placement URLs. Set these deliberately rather than relying on defaults, which are tuned for the average buyer rather than yours. On PropellerAds specifically, the targeting layer covers GEO, platform, browser, mobile carrier, user activity tier, and interests, and zone-level blacklists can be applied where you see consistent underperformance.
  • Vet the network’s published quality framework. A network that publishes quarterly safety reports, names its moderation criteria, and discloses confirmed-violation data is operating differently from one that does not. The audit you do on the network’s transparency posture is itself a brand safety control. If the data does not exist or is not shared, that is also an answer.
  • Build a creator and partner vetting process. If your buys include influencer or creator content, treat the archive review as part of brand safety, not just the upcoming post. The contexts you do not directly control are still adjacencies you accept.

The two playbooks are complementary. A buyer who runs both is materially safer than a buyer running either one in isolation, and a buyer running neither is exposed to roughly everything.


What We Are Doing on Our Side

The platform layer carries a meaningful share of the load, and the specifics matter for any buyer trying to evaluate whether the network they buy through is doing its job.

In Q1 2026, we rejected 36,085 ad campaigns in moderation for non-compliance with platform rules. The breakdown from our Q1 2026 Ads Safety Report:

  • About 48% were tied to adult content, the single largest category.
  • About 23% were tied to malware-related signals on the landing pages or campaign infrastructure. Compromised sites and unsafe destinations remain a persistent secondary risk.
  • The remaining 29% were spread across copyright complaints, regional restrictions, misleading patterns, and a long tail of smaller categories.

The Traffic Quality protection layer runs pre-bid filtering, in-flight behavioral analysis, and post-bid review across all formats, because cloakers move across formats opportunistically.

“In my view, visiting unauthorized websites always involves certain risks, as the files available on such sites are often of unknown or questionable origin. The fact that malicious files may be hosted on seemingly trusted platforms does not change this general risk, which is why we reject them as a source of traffic,” says an Adex expert. “This shows why it is important for users to improve their own cybersecurity awareness, and for companies to regularly educate their employees on basic security practices.”

Comparison Matrix

Malicious ads vs. brand safety: two problems, two playbooks

These problems share a neighborhood but not a solution. Confusing them is how buyers end up fixing the wrong thing.

Problem A: Malicious ads. Problem B: Brand safety.

01 What Is at Stake
  • Malicious ads: Harm to the user – malware, phishing, account hijack.
  • Brand safety: Harm to the brand by adjacency and association.

02 Who Controls Defense
  • Malicious ads: Ad network plus the buyer’s own infrastructure.
  • Brand safety: Buyer’s targeting and exclusion settings plus the network’s published quality framework.

03 Primary Defenses
  • Malicious ads: KYC, anti-cloaking, domain reputation, redirect-chain scanning, behavioral anomaly detection.
  • Brand safety: Category exclusions, contextual filters, inventory tier controls, a written suitability tolerance.

04 Failure Mode
  • Malicious ads: Malware reaches a user; ad-platform suspension; real money lost to fraud.
  • Brand safety: Ad appears next to objectionable content; reputation damage; partner trust erosion.

05 2026 Example
  • Malicious ads: Cloaked redirect chain hiding behind a GitHub URL.
  • Brand safety: Programmatic placement next to low-quality AI-generated content.

06 First Action This Week
  • Malicious ads: Account hygiene audit + redirect-chain review across active campaigns.
  • Brand safety: Write down your suitability tolerance + activate category exclusions.

Limits of What Any of This Can Do

A few things deserve to be said plainly so the rest of this guide is not read with more confidence than it deserves.

No platform fully controls what happens on the open web once a user clicks through. If your tracker or post-conversion infrastructure sits outside the network’s perimeter, the network’s protection ends at the click. The buyer’s responsibility begins there.

No verification vendor catches everything. Even the largest brand-safety and ad-quality measurement firms have documented false-negative rates that move in real time as adversaries probe. Treat them as useful redundant layers, not as a binary signal of safety.

No category exclusion list keeps pace with cultural change. The brand safety floor is a useful starting point, but the suitability surface above it has to be reviewed actively, not set once and forgotten.

No anti-fraud system reaches zero incidents. As we wrote in the Triada case study, attackers continually refine their methods, which makes continued investment in security essential rather than optional.

The honest version of what good protection delivers is meaningful reduction of exposure on both axes, with calibrated false-negative rates that still benefit from human review. Anyone promising more than that is overpromising.


Where This Leaves You

The biggest practical shift in the last year and a half is that more buyers have stopped treating safety as something the network owes them and started looking at their own infrastructure too.

Your domains, your redirect logic, your suitability rules, your escalation path – none of this is something a platform can fix on your behalf. The networks worth working with are the ones that help you see that part of the picture clearly, not the ones that pretend it doesn’t exist.

That’s also the relationship that works best in practice. Buyer and network on the same side, with a shared view of where the risk actually sits.


Frequently Asked Questions

What is the difference between malicious ads and ad fraud?

Malicious ads are a subset of ad fraud. Ad fraud is the broader category that includes click fraud, impression fraud, bot traffic, attribution manipulation, and a number of other behaviors that extract value from advertisers without delivering genuine outcomes. Malicious ads specifically deliver harm to the user behind the impression (malware, phishing, scams). All malicious ads are a form of ad fraud, but not all ad fraud is malicious in this sense.


Is brand safety the same as brand suitability?

They are related but not identical. Brand safety usually refers to a floor of universally objectionable categories (terrorism, hate speech, illegal activity, adult content, graphic violence). Brand suitability is the broader, brand-specific judgment about everything above that floor: what additional contexts your specific brand wants to avoid based on its own values and audience. The Global Alliance for Responsible Media (GARM) uses this distinction explicitly.


How does a performance marketer know if their tracker has been compromised?

Indirect signals first. A sudden disapproval or restriction on a campaign whose creative has not changed is a strong indicator. Browser-level antivirus warnings on your tracker domain when you visit it directly are another. Periodic checks against Google Safe Browsing and similar reputation services catch slower compromises. The 2023 Adex malicious redirects case walked through one where an infected jQuery library was the entry point. A tracker behaving differently than it did last week is worth investigating.


What is the single highest-leverage habit for a performance marketer this week?

For malicious ads: enable two-factor authentication on every advertiser account you own, change any reused passwords, and audit the full redirect chain in your campaign stack. For brand safety: write down your suitability tolerance in plain language, and activate the category and zone-level exclusions on your ad platform that match it.


This article reflects observations and data current at the time of writing. Threat patterns and platform defenses evolve continuously. For the most recent figures and ongoing updates, see the quarterly Ads Safety Report series.
