How to Protect Ad Campaigns from Malware Traffic in 2026
Confiant’s Mid-Year 2025 Malvertising & Ad Quality Index reports that during the first half of 2025, roughly one in every 78 ads delivered carried verifiable risk to the user who saw it: exposure to scams, malware, or AI-generated deception.
This counts impressions actually seen by real users across tens of thousands of mainstream sites, not the volume of bad ads someone tried to submit. So the number tells you how often a risky ad really reached someone, which is the metric that matters.
Either way, that figure tells the story of 2025: ad fraud and malware traffic did not just continue, they organized.
This article tries to give an honest answer to that. Not “what is malvertising”: a glossary handles that. The question here is more practical. What does malware traffic actually look like in 2026, why has it become harder to catch than two years ago, and what can a buyer do this week to reduce exposure without an enterprise security stack?
We covered the broader market dynamics, including how the criminal infrastructure now resembles a SaaS economy, in a separate piece on how the fraud economy actually works.
Key takeaways before the long version:
- Cloaking is no longer a simple redirect. It is multi-layered infrastructure designed to defeat moderation. Across PropellerAds’ confirmed suspensions, it grew from around 45% in 2022–2024 to over 80% in 2025. That tells us the violations getting through early-stage moderation are now the engineered ones.
- AI-driven automated traffic now grows roughly eight times faster than human traffic (HUMAN Security 2026). The signal margin between benign and malicious bots is now under one percentage point.
- Verification vendors help, but no single one catches everything. Adalytics research reported by AdExchanger documented measurable miss rates among the largest players, even though those vendors pushed back on the methodology. The safe move is to layer protection, not rely on a single tool.
- The strongest buyer-side protections are domain hygiene, end-to-end journey awareness, no cloaking-style workarounds, anomaly escalation before optimization algorithms train on contaminated signals, and active use of the platform’s own filtering layer.
- IVT and malware traffic overlap, but they are not the same thing. Both deserve their own checks.
The rest of this article works through each of these in detail and ends with an FAQ covering the most common questions.
What’s Actually Different About Malware Traffic in 2026
Three shifts changed the shape of the threat, and each one matters for a different reason.
Volume changed first
According to HUMAN Security’s 2026 State of AI Traffic & Cyberthreat Benchmark Report, automated traffic now grows roughly eight times faster than human traffic across the open web.
AI-driven traffic climbed 187% over 2025.
Agentic AI, meaning software that browses, transacts, and clicks on its own, grew nearly 8000% year-over-year.
Most of that automation is legitimate: search bots, accessibility tools, monitoring agents. But HUMAN’s data shows that in their full dataset, only about half a percentage point separates “safe” automation from “harmful” automation. That is a very thin margin. When the difference is that small, simple rule-based filters cannot keep up reliably.
The market got more professional
Confiant’s mid-year report documents a market where social-engineering toolkits, ClickFix being the canonical 2025 example, are now sold, rented, and updated by criminal vendors like SaaS products.
Microsoft’s Threat Intelligence team describes ClickFix as a technique that tricks users into pasting malicious commands through fake CAPTCHA prompts. ESET’s reporting, summarized by Infosecurity Magazine, puts ClickFix attack growth at 517% across 2025, now second only to phishing as an initial access method.
Alongside ClickFix, Confiant tracks AI-generated deepfakes used in scam creatives and Cloaking-as-a-Service, where operators rent cloaking infrastructure to other criminals on a subscription model. The bar to launch a credible malicious campaign dropped a lot.
The watchers turned out to have blind spots
The third shift was about the verification side, not the bad actors. The Adalytics investigation reported by AdExchanger and the Wall Street Journal found that the three largest verification vendors regularly served ads to bots present on the IAB Tech Lab’s public spiders-and-bots list.
The reported figure was that DoubleVerify missed 21% of documented bot visits in the dataset Adalytics reviewed.
DoubleVerify pushed back in its public response. The company argued that in the specific cases Adalytics shared before publishing, the bot traffic had been correctly identified, and the impressions were removed from billable counts later in the process. Their point: pre-bid blocking is only one of several layers, and post-bid measurement does a lot of the cleanup work.
Pre-bid filtering blocks bid requests before an ad serves. Post-bid measurement identifies invalid traffic after the impression and corrects billing. Both layers run, both have miss rates, and which one you depend on changes the operational picture.
For a buyer, the practical takeaway is simple: any single layer has a measurable miss rate, and the safe position is to assume it will miss something.
The combined effect is that malware traffic in 2026 is harder to detect, cheaper to launch, and more economically rational for the people running it. This is what happens as a digital market scales: black-market layers grow alongside the legitimate ones, and treating it as a problem unique to a specific platform or format gets the framing wrong.
Defining the Terms, So You Know The Difference
Three definitions worth pinning down so you get an exact idea of what they mean:
- Malware traffic means visits or clicks generated by, routed through, or used to deliver malicious software. Examples include drive-by downloads, infected files served through ad funnels, and traffic that leads users to credential-harvesting or remote-access infrastructure. Malware traffic is one specific subset of ad fraud and bad ads. It is not the same as bot traffic, though bots are often used to deliver it.
- IVT (Invalid Traffic) is the industry-standard term for non-human or otherwise non-legitimate ad traffic. The Media Rating Council splits it into two layers:
- GIVT (General Invalid Traffic) covers obvious, easy-to-detect non-human activity: known bots, declared crawlers, data-center IPs on public lists.
- SIVT (Sophisticated Invalid Traffic) is the harder category: hijacked devices, residential-proxy botnets, browser-automation that mimics human session shape.
Malware traffic frequently sits in the SIVT bucket because the malware itself is what makes the traffic look human. A clean understanding of the GIVT/SIVT split helps a buyer understand which defenses catch which problems.
- Cloaking is the practice of showing different content to moderation systems and to end users. Typically, that means a clean landing page for scanners and a malicious or non-compliant page for real visitors. Cloaking is not itself malware. It is a delivery technique that lets bad content reach users despite a network’s content checks. It is the most common mechanism that PropellerAds’ security review confirms in suspended advertiser accounts.
How Malware Traffic Actually Reaches an Ad Campaign
The mechanics matter, because the defenses only make sense once you can see where they are applied.
Cloaking
Most malicious ad campaigns now arrive on a platform looking clean. The creative passes content checks. The landing page URL looks completely harmless when checked. Only when the campaign is approved and live does the infrastructure underneath shift behavior.
That can mean different content served to moderation systems versus end users. Different payloads for desktop versus mobile. Different responses depending on whether a request looks like a verification scanner or a real user.
The 2025 evolution of cloaking is exactly this: layered across multi-hop traffic routing, conditional content delivery based on device and behavior, and distributed hosting that resists takedown.
File Distribution
A second route is direct file distribution. Instead of redirecting a user to an infected landing page, the campaign delivers an executable or document, sometimes through a multi-step interaction designed to look like a legitimate download flow. The malware payload is the destination, not a side effect of a landing page.
Our Policy team flagged this as one of the bigger shifts of 2025. The older detection assumption that “the landing page is the threat surface” no longer holds end-to-end.
Messenger Account Hijacking
A third route is messenger account hijacking. Campaigns that look like login pages for Telegram or WhatsApp, dressed up as account-recovery prompts or contest entries, target personal communication channels and rely on user trust. These attacks are mobile-first and lean heavily on social proof.
Our team at Adex looked at this in detail in their Telegram phishing investigation, which walks through how the scam pages actually look and how they hijack accounts. Worth a read if your offers touch messenger ecosystems.
Compromised Infrastructure
A fourth, increasingly common route is compromised infrastructure. Landing pages get hosted on expired or abandoned domains where the original registrant has stopped paying attention. Or on the servers of legitimate companies that have been breached and don’t yet know it.
The reputational signals that domain-level filtering depends on look fine from the outside. They stay that way until the behavioral signal exposes the breach.
How malware traffic enters an ad campaign, and where defenses intercept
Modern malicious campaigns span five stages. No single layer covers all of them.
1. Bad-Actor Preparation
2. Campaign Submission
3. Network Moderation
4. Live Delivery
5. User Impact
The takeaway here is simple. A defense that only inspects what an ad declares about itself at moderation time will miss most of what 2025 sent. Detection has to extend across infrastructure, behavior, and time.
What PropellerAds Saw Across 2025
We published the full breakdown in our Ads Safety Report 2025 and the most recent figures in the Q1 2026 update. A few patterns are worth pulling forward here, because they say something about where the broader market is moving, not just what one platform caught.
A short methodology note before the numbers, because methodology is what makes a figure honest.
Restrictions below count the number of policy- or security-flagged enforcement events triggered during moderation, before traffic delivery. A single campaign can be restricted multiple times if it is resubmitted and re-flagged.
Suspensions count confirmed, post-review enforcement actions against advertiser accounts, applied for high-risk or repeated violations.
Comparisons across years use relative distribution, not absolute volume, because traffic and moderation coverage both expanded year-over-year, and absolute counts would distort the picture.
The shape of what we caught in 2025:
- Adult content remained the single largest category at 60% of restrictions.
- Antivirus or malware signals detected on campaign-related domains came in second at 26%, or 191,103 enforcement events in absolute terms. This is the malware-traffic story in numerical form: most malicious campaigns are caught not on the creative itself, but on what sits behind it.
- Automatic file downloads (3.4%), restricted regional content (2.1%), copyright violations (1.7%), unreachable URLs (1.1%), prohibited products (1%), malware-related claims like “device infected” pop-ups (0.7%), and unrealistic financial promises (0.5%) round out the rest.
The more telling number comes from confirmed suspensions, which only happen after a security review identifies a high-risk or repeated violation: cloaking accounted for around 45% of confirmed suspensions in 2022–2024 and over 80% in 2025.
This is not because cloaking suddenly became more popular. It is because the violations that survived early-stage moderation and reached security review were overwhelmingly the engineered ones. Simpler frauds got caught earlier. The ones that made it through were the infrastructure-heavy attempts. The shape of what gets caught changed, even though the underlying volume of attempts kept moving with the market.
How violation patterns shifted between 2022 and 2025
The percentages move, but the structure moves more. What used to be opportunistic is now engineered.
| Dimension | 2022 | 2025 | What It Means |
|---|---|---|---|
| Dominant cloaking style | Simple redirect or conditional delivery. | Multi-layer infrastructure with distributed hosting. | Defenses need to inspect infrastructure, not just content. |
| Malware delivery method | Redirect to an infected landing page. | Direct file distribution and multi-step download flows. | LP scanning is necessary, but no longer sufficient. |
| Use of AI by bad actors | Limited: mostly content rephrasing. | Generated KYC documents, regional creative adaptation. | Identity verification has to assume forged inputs by default. |
On geography, the pattern aligns with broader market economics. Tier-1 markets with high purchasing power continue to attract higher concentrations of fraudulent activity, because the payoff per successful action is higher.
In 2025, we observed activity originating from Turkey targeting Spain and Turkey itself, primarily through cloaking-based malware delivery.
We also saw a recurring pattern of Spanish-speaking regions appearing as targets for specific schemes. Roughly 80% of detected attempts targeted Windows and Android users, which tracks the global installed base of those platforms rather than any platform-specific vulnerability.
From a Trust & Safety perspective, the lesson from 2025 is that the moderation surface has to deepen, not just widen. Catching more requires looking further down the stack: at hosting, behavior, reputation, and infrastructure, not just at the surface of the ad.
What a Buyer Can Actually Do This Week
Most of the protective work happens at the platform layer, but a meaningful share lives in the hands of the people running the campaigns.
Buyers can lose budget to malware-adjacent quality problems even when the platform’s enforcement is doing its job.
The five habits below are the ones that will help you prevent malware from ruining your ad campaigns.
1. Domain Hygiene on Every Asset You Control
Treat tracker domains, pre-lander domains, and any owned redirect host as production infrastructure, not throwaway assets. Specifically:
- Run each domain through a public reputation check before launch. Google Safe Browsing is the free baseline. URLVoid and VirusTotal aggregate multiple blocklists at no cost. Established commercial vendors like McAfee SiteAdvisor add coverage on top.
- Avoid shared hosting where neighboring sites have unknown reputation. Dedicated IPs or vetted shared hosts reduce the risk of being flagged for someone else’s behavior.
- Check the registration date of your domain. Brand-new domains are statistically more likely to be used in malicious campaigns, which means ad platforms and verification systems automatically apply more scrutiny to freshly registered hosts. A domain registered just before launch may be flagged or restricted even when your own use is fully legitimate.
- Respond to browser-level antivirus alerts on your own domain immediately.
2. End-to-End User Journey Awareness
Most compliance issues we suspend in security review do not originate in the creative the buyer designed. They originate further down the funnel: a redirect chain, a tracker behavior change, a post-conversion step the buyer never reviewed.
Before launch, walk the entire user journey on at least two devices (desktop and mobile) and two GEOs that match your campaign targeting.
Document every URL the user touches between the click and the conversion. If the offer owner or the tracker provider can change behavior on their side without notifying you, and many can, set a calendar reminder to re-test the journey every two weeks.
From a buying-side perspective, the fewer unknowns in the journey, the lower the probability of being surprised by a compliance issue you did not author.
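The journey walk described above, as an added example that is not PropellerAds' own tooling: it follows the redirect chain one hop at a time under a desktop and a mobile profile, records every URL touched, and reports hosts missing from the buyer's documented journey as well as a final page that differs by device. The User-Agent strings, host names and the offline `fake_fetch` responses are constructed for the demonstration; `http_fetch` is the live equivalent.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urljoin, urlsplit

# A fetcher performs ONE request without following redirects and returns (status, headers).
Fetcher = Callable[[str, str], Tuple[int, Dict[str, str]]]

# Hypothetical device profiles; the User-Agent strings are constructed, not real browser values.
PROFILES = {
    "desktop": "JourneyCheck/1.0 (desktop)",
    "mobile": "JourneyCheck/1.0 (Android mobile)",
}

@dataclass(frozen=True)
class Hop:
    url: str
    status: int

def walk_journey(start_url: str, user_agent: str, fetch: Fetcher, max_hops: int = 10) -> List[Hop]:
    """Follow the redirect chain one hop at a time, recording every URL the user would touch."""
    chain: List[Hop] = []
    seen: Set[str] = set()
    url = start_url
    for _ in range(max_hops):
        if url in seen:
            raise RuntimeError(f"redirect loop at {url}")
        seen.add(url)
        status, headers = fetch(url, user_agent)
        chain.append(Hop(url, status))
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if not (300 <= status < 400 and location):
            return chain  # terminal page reached (200, 404, ...): the journey ends here
        url = urljoin(url, location)  # Location may be relative, so resolve it against the current URL
    raise RuntimeError(f"more than {max_hops} hops from {start_url}")

def undocumented_hosts(chain: List[Hop], documented: Set[str]) -> List[str]:
    """Hosts touched in the observed chain that are missing from the buyer's documented journey."""
    return sorted({urlsplit(hop.url).netloc for hop in chain} - documented)

def compare_profiles(start_url: str, fetch: Fetcher, documented: Set[str]) -> Dict[str, object]:
    """Walk the journey under every profile and summarise what differs between devices."""
    report: Dict[str, object] = {}
    finals = set()
    for name, user_agent in PROFILES.items():
        chain = walk_journey(start_url, user_agent, fetch)
        finals.add(chain[-1].url)
        report[name] = {
            "hops": len(chain),
            "final_url": chain[-1].url,
            "undocumented_hosts": undocumented_hosts(chain, documented),
        }
    # A different final page per device is exactly what the two-week re-test should surface.
    report["final_url_differs_by_device"] = len(finals) > 1
    return report

def http_fetch(url: str, user_agent: str) -> Tuple[int, Dict[str, str]]:
    """Live fetcher for real runs: one request, redirects NOT followed, status and headers returned."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # None makes urllib surface the 3xx as an HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(request, timeout=10) as response:
            return response.status, dict(response.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

# Constructed offline stand-in for http_fetch: a tracker whose behaviour differs on mobile.
_CONSTRUCTED_RESPONSES = {
    ("https://click.tracker.test/go", "desktop"): (302, {"Location": "https://lp.offer.test/"}),
    ("https://lp.offer.test/", "desktop"): (200, {}),
    ("https://click.tracker.test/go", "mobile"): (302, {"Location": "/m"}),
    ("https://click.tracker.test/m", "mobile"): (302, {"Location": "https://promo.unknown-host.test/app"}),
    ("https://promo.unknown-host.test/app", "mobile"): (200, {}),
}

def fake_fetch(url: str, user_agent: str) -> Tuple[int, Dict[str, str]]:
    profile = "mobile" if "mobile" in user_agent else "desktop"
    return _CONSTRUCTED_RESPONSES[(url, profile)]
```

Run `compare_profiles(start_url, http_fetch, documented_hosts)` against your own tracker URL to get the per-device hop list; a GEO check needs the request routed through the matching region, which this snippet leaves to the caller.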
3. No Cloaking & No Cloaking-Style Workarounds
We treat any cloaking technique as a high-risk violation, regardless of intent, because cloaking by definition breaks the moderation contract. The platform sees one thing; the user sees another.
Some buyers use cloaking-style tools for what feels like reasonable purposes: hiding the landing page from competitors, or showing different geographies different copy. The cloaking infrastructure that makes these tactics work is the same infrastructure that bad actors use to hide malicious payloads, and detection systems cannot reliably tell the difference at scan time.
The clean path is to use the platform’s native targeting features for any geo, device, or audience differentiation. Most of what a cloaking workaround would attempt to do has a sanctioned, compliant equivalent.
The risk asymmetry is bad: the upside of a workaround is marginal, and a confirmed cloaking case typically leads to permanent account suspension.
4. Anomaly Escalation Before Optimization Trains on It
This is the most under-practiced habit on the buyer side, and the one where the conflict between optimization algorithms and adversarial traffic shows up most clearly.
When traffic from a single zone or sub-source suddenly spikes in CTR while CR collapses, the right interpretation is rarely “the audience changed.” It is usually that an automation layer, friendly or hostile, is interacting with your campaign in a way the optimization model is happy to chase. The model does not know the difference.
If you let it run for 24–48 hours, it will keep pushing the budget toward whatever pattern is producing the high CTR, and your conversion economics quietly deteriorate.
There is no single universal threshold, because every campaign has a different baseline. What works in practice is to define, before launch, a personal alert threshold against your own campaign baseline. For example: a single zone showing CTR more than 2–3x your campaign average alongside a CR drop greater than 50% over a rolling six-to-eight-hour window is worth investigating manually.
Pause the zone, sample the click logs if your tracker exposes them, and escalate to your account manager if the pattern persists. The cost of pausing one zone is far smaller than the cost of letting the optimizer train on contaminated signals.
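The threshold logic from this section as an added example, not PropellerAds' own optimizer code: it slides a rolling six-hour window over hourly zone stats and raises an alert when window CTR exceeds 2.5x the campaign baseline while CR has dropped by more than half. The zone ids and the 24-hour sample are constructed; `min_clicks` is an assumed guard so that a handful of clicks cannot trip the rule.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

@dataclass(frozen=True)
class HourlyStat:
    hour: int          # hours since campaign start
    zone: str          # traffic zone or sub-source id
    impressions: int
    clicks: int
    conversions: int

@dataclass(frozen=True)
class Alert:
    zone: str
    hour: int          # hour at which the rolling window tripped the threshold
    window_ctr: float
    window_cr: float

def _rate(numerator: int, denominator: int) -> float:
    return numerator / denominator if denominator else 0.0

def campaign_baseline(stats: List[HourlyStat], through_hour: int) -> Tuple[float, float]:
    """Campaign-wide CTR and CR over the hours the buyer trusts as clean (e.g. launch day)."""
    rows = [s for s in stats if s.hour <= through_hour]
    imps = sum(s.impressions for s in rows)
    clicks = sum(s.clicks for s in rows)
    convs = sum(s.conversions for s in rows)
    return _rate(clicks, imps), _rate(convs, clicks)

def zone_anomalies(stats: List[HourlyStat], baseline_ctr: float, baseline_cr: float,
                   window_hours: int = 6, ctr_multiple: float = 2.5,
                   cr_drop: float = 0.5, min_clicks: int = 50) -> List[Alert]:
    """Slide a per-zone window over hourly stats; alert when CTR spikes while CR collapses.

    Defaults mirror the article's example: CTR above 2-3x the campaign average together
    with a CR drop of more than 50% over a rolling six-to-eight-hour window.
    """
    by_zone: Dict[str, List[HourlyStat]] = defaultdict(list)
    for s in sorted(stats, key=lambda s: s.hour):
        by_zone[s.zone].append(s)
    alerts: List[Alert] = []
    for zone, rows in by_zone.items():
        window: Deque[HourlyStat] = deque()
        for row in rows:
            window.append(row)
            while window[0].hour <= row.hour - window_hours:  # drop hours outside the window
                window.popleft()
            imps = sum(r.impressions for r in window)
            clicks = sum(r.clicks for r in window)
            convs = sum(r.conversions for r in window)
            if clicks < min_clicks:  # too little data to judge a rate (assumed guard)
                continue
            ctr, cr = _rate(clicks, imps), _rate(convs, clicks)
            if ctr > ctr_multiple * baseline_ctr and cr < (1 - cr_drop) * baseline_cr:
                alerts.append(Alert(zone, row.hour, round(ctr, 4), round(cr, 4)))
    return alerts

def zones_to_pause(alerts: List[Alert]) -> Dict[str, int]:
    """Zone -> first hour it tripped; these are the zones to pause and sample click logs for."""
    first: Dict[str, int] = {}
    for a in alerts:
        first.setdefault(a.zone, a.hour)
    return first

# Constructed sample: two zones over 24 hours. z-202 starts behaving like an automation
# layer at hour 12 (CTR 4.5x, conversions nearly gone) while z-101 stays at baseline.
SAMPLE: List[HourlyStat] = (
    [HourlyStat(h, "z-101", 10_000, 100, 5) for h in range(24)]
    + [HourlyStat(h, "z-202", 10_000, 100, 5) for h in range(12)]
    + [HourlyStat(h, "z-202", 10_000, 450, 1) for h in range(12, 24)]
)
```

With the sample, the baseline over hours 0 to 11 is 1% CTR and 5% CR, and z-202 trips the rule at hour 14, two hours into the spike, while z-101 never does.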
5. Use the Platform’s Filtering Layer Deliberately
The Traffic Quality protection layer in PropellerAds runs pre-bid filtering, in-flight behavioral analysis, and post-bid review across all formats, not selectively, because cloakers move across formats opportunistically.
A buyer who understands which signals the platform already filters can stop double-paying for the same protection through third-party tools, and focus their own due diligence on what the platform cannot see directly, most importantly the integrity of the offer’s post-conversion flow.
If you are running across multiple ad networks, understanding the filtering posture of each is not optional. Ask the questions described in the next section.
What the Platform Layer Does, and Where It Stops
A responsible ad network’s job on the platform side is to make the surface where malware traffic can land as small as possible. That means moderation that combines several layers:
- Content checks on the creative and the declared landing page
- Antivirus scanning of declared domains
- KYC verification of advertiser identity
- Infrastructure reputation analysis on hosting, IP ranges, and historical use
- Behavioral pattern detection applied across the full traffic volume, not on a sampled basis
A note on AI specifically, because the question comes up constantly. From a Trust & Safety perspective, machine learning is genuinely useful for detecting behavioral anomalies, scoring infrastructure reputation, and ranking high-risk signals so human reviewers can focus their attention where it matters.
But it is not a stand-alone decision-maker. Cloaking and social-engineering campaigns are explicitly designed to defeat automated classifiers, and the bad actors are running their own ML to do it. We use AI as a force multiplier on expert review, not a replacement for it.
Independent industry sources, including HUMAN Security’s 2026 report, describe similar architectures across the major defense vendors.
The Adalytics finding about verification vendors missing bot traffic deserves to be carried into this layer honestly. No protection system catches everything. Every detection model has a false-negative rate, and adversarial pressure means the rate moves in real time as bad actors test what gets through.
The right response is to layer detection, staff it with people, and stay realistic about what any single tool can do. Platform-side protection delivers meaningful reduction of exposure, with calibrated false-negative rates that still benefit from human review. Anyone promising more than that is overpromising.
What No Defense Layer Can Fully Fix
No platform can fully control the open web your campaign touches once a user clicks through. If your tracker, offer page, or post-conversion flow sits on infrastructure outside the network’s perimeter, the network’s protection ends at the click. Your responsibility begins there.
No verification vendor catches everything. The Adalytics dataset documented measurable miss rates across the three largest players, and the trajectory of AI-driven bot traffic suggests miss rates will get harder, not easier, to keep stable. Treat verification vendors as useful redundant layers, not as a binary signal of safety.
No domain reputation system can react instantly to a freshly compromised but previously legitimate host. By the time the reputation signal updates, the campaign may already be live. The answer to this is behavioral detection: anomalies on a domain that scored clean, not better blocklists alone.
No checklist published in May 2026 will fully describe the threat landscape of November 2026. This guidance will need to be re-validated against the next quarterly Ads Safety Report and against current public research from MRC, TAG, IAB Tech Lab, HUMAN, Confiant, and others.
Where This Leaves You
Malware traffic in 2026 is not a threat you defend against once, and then forget about it, thinking you are fully protected.
It’s a baseline risk level you keep low by combining three things: protection from the platform side, clean domains and user journeys on your end, and the habit of catching anomalies early, before optimization algorithms start learning from bad data.
Two takeaways for the rest of 2026.
The first is to stop treating moderation as someone else’s job. Buyers who keep a clean safety record treat their own infrastructure as part of the campaign, not as a passive backdrop. Domains, trackers, post-conversion flows, KYC inputs — all of it is part of the attack surface, and most of it is in your hands.
The second is to expect layered, transparent defense from the networks you buy through. A network that can clearly explain its moderation, security review, traffic-quality checks, and human-review process, and share data on what it actually catches, is a very different proposition from one that just says “we have anti-fraud” and leaves it there. Ask the question. The answer shows you how seriously the protection layer is staffed.
Frequently Asked Questions
What is malware traffic?
Visits or clicks generated by, routed through, or used to deliver malicious software. Examples include drive-by downloads from infected landing pages, infected files delivered directly through ad funnels, and traffic that leads users to credential-harvesting or remote-access infrastructure. It is one specific subset of ad fraud. Not all bad traffic is malware traffic, and not all malware reaches the user through advertising.
How is malware traffic different from IVT?
IVT (Invalid Traffic) is the broader industry category for non-human or otherwise non-legitimate ad traffic. It splits into GIVT (general: known bots, declared crawlers, data-center IPs) and SIVT (sophisticated: hijacked devices, residential-proxy botnets, browser-automation mimicking human behavior). Malware traffic frequently sits in SIVT, because the malware itself is what makes the traffic look human. The two overlap heavily, but they are not the same thing. IVT includes scraping bots and click-farm fraud that may have nothing to do with malware, while some malware traffic appears in legitimate-looking sessions and is not classified as IVT until behavioral signals identify it.
Can verification vendors catch all malware traffic?
No. Even the largest verification vendors have documented false-negative rates, and the rate moves in real time under adversarial pressure. Vendors remain a useful layer in a defense stack, particularly for post-bid measurement and billing remediation, but a buyer treating any single vendor as an absolute safety signal is exposed.
Is cloaking ever legitimate?
The technical infrastructure used for cloaking can sometimes be defended on benign grounds, for example geo-segmentation or device-specific landing pages. The problem is that ad platforms cannot reliably tell benign cloaking from malicious cloaking at detection time, and the upside of using a cloaking-style workaround is far smaller than the downside of a permanent account suspension. The clean path is to use the platform’s native targeting features for any geo, device, or audience differentiation.
What does Cloaking-as-a-Service mean?
A 2025 development documented by Confiant: criminal operators now offer cloaking infrastructure as a subscription product to other bad actors, dropping the technical barrier to launching a credible malicious campaign. The model parallels how legitimate SaaS works, which is why Confiant uses the term. The implication for defenders is that cloaking sophistication scales independently of any individual operator’s capability.
What is ClickFix and why does it matter for advertising?
A social-engineering technique that tricks users into pasting and running malicious commands via fake CAPTCHA or verification prompts. Microsoft Threat Intelligence tracks it as one of the most common access vectors of the year, and Infosecurity Magazine reports 517% growth across 2025. It is delivered through several channels, including malvertising, which is why a 2026 ad-fraud article cannot ignore it even though the vector itself is not unique to advertising.
What’s the single highest-leverage thing a buyer can do this week?
Run a domain reputation check on every owned asset in your campaign (tracker, pre-lander, post-conversion) and walk the full user journey on at least two devices and two GEOs that match your targeting. In our 2025 data, antivirus-flagged campaign domains were the single largest avoidable cause of mid-flight campaign restrictions.
This article reflects observations and data current at the time of writing. Threat patterns and platform defenses evolve continuously. For the most recent figures and ongoing updates, see the quarterly Ads Safety Report series.