
Android Security Alert: Hackers Use Fake Ads & Hijacked Accounts to Spread Triada Virus

Security researchers at Adex have uncovered a five-year campaign that distributes the Triada Trojan to Android devices through abused advertising networks. The operation's tactics evolved markedly, from forged identity documents and carding fraud in 2020-2021 to account takeovers and phishing campaigns in 2025. According to the researchers, Triada accounted for 15.78% of all detected Android malware infections in Q3 2025, making it one of the mobile ecosystem's most persistent threats.

The Triada Threat: Nine Years of Evolution

Triada began as a relatively simple Android trojan that injected malicious code into system processes and intercepted communications. It has since grown into a modular backdoor framework supporting financial fraud, credential theft, SMS interception and stealthy payload delivery. Delivering it through legitimate advertising networks turns the ad supply chain into an attack vector: the payload arrives through a trusted distribution channel rather than as an obviously suspicious app, sidestepping traditional antivirus and reputation-based detection and reaching millions of users.

Triada's persistence across nearly a decade reflects a committed adversary that keeps adapting its evasion techniques faster than the security industry can establish defensive baselines.

Wave One: Identity Fraud and Forged KYC (2020-2021)

The initial phase exploited weak Know Your Customer (KYC) verification. Attackers submitted forged identity documents to advertising networks and opened fraudulent advertiser accounts with little friction. The accounts were funded through repeated small-value top-ups, a pattern consistent with known credit card fraud, suggesting that organized carding operations financed the campaign.

From these fraudulent accounts, attackers distributed Triada through Discord's content delivery network (CDN) and URL-shortening services. Landing pages closely mimicked the interfaces of popular online services, deceiving both platform moderators and targeted users into following malicious links. Social engineering combined with abuse of legitimate infrastructure produced promotions that were hard to distinguish from authentic ones.

Wave Two: Account Takeover Targeting 2FA-Weak Accounts (2022-2024)

The campaign then shifted to direct account takeover. Rather than creating new fraudulent accounts, attackers systematically targeted existing advertiser profiles that lacked two-factor authentication (2FA). The pivot cut operational friction considerably: a compromised legitimate account already carried an established reputation, trust relationships and campaign history.

With access in hand, attackers launched cloaked advertising campaigns that redirected unsuspecting users to malware payloads hosted on GitHub. The choice of host was deliberate: GitHub's standing as a trusted code repository and developer platform meant that users and automated controls tended to trust GitHub-hosted content, so legitimate repository hosting became a malware distribution channel.

Wave Three: Phishing Sophistication and Coordinated Credential Harvesting (2025)

The 2025 wave marks a qualitative escalation. Attackers deployed phishing pre-landing pages that mimicked Chrome browser update notifications, exploiting users' familiarity with legitimate update prompts. The pages used multi-stage redirect chains to obscure the origin of the final payload, complicating forensic analysis and attribution.

Correlation with VirusTotal telemetry identified suspicious login activity originating from Turkey and India, suggesting coordinated threat-actor operations. The geographic concentration points to either a centralized credential-harvesting operation or a distributed team handling credential procurement and account management across multiple ad networks.

Adex analysts documented more than 500 compromised advertiser accounts that were identified and permanently banned in this wave. The scale suggests either large-scale credential harvesting or systematic exploitation of password reuse across the advertiser population.

The Trust Paradox: Legitimate Infrastructure as Attack Vector

This campaign illustrates a critical weakness in digital advertising: legitimate, high-trust infrastructure is weaponized when account security controls prove inadequate. GitHub, Discord and advertising networks earn user trust through their legitimate functions and security investments, but once an account on them is compromised, that institutional trust becomes an attacker asset rather than a defense.

The attack chain depended on users' reasonable trust in Chrome update prompts, GitHub repositories and Discord CDN content. Attackers exploited cognitive shortcuts that normally serve users well but fail when the underlying infrastructure is abused.

Defensive Evolution: Zero-Trust Ad Network Architecture

In response to these findings, Adex implemented enhanced security measures in partnership with PropellerAds, applying zero-trust principles within the advertising network:

  • Stricter KYC Procedures: Sumsub identity verification was introduced to detect forged identity documents and raise the barrier to fraudulent account creation.

  • Mandatory Two-Factor Authentication: 2FA is now enforced by default on all advertiser accounts, closing the takeover vector that enabled the 2022-2024 campaigns.

  • Login Anomaly Detection: Continuous monitoring of login patterns flags access from unusual geographic locations or device profiles.

  • Comprehensive Redirect Verification: Landing-URL verification now applies even to trusted platforms such as GitHub and Discord, closing the abuse pathways attackers relied on.
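The login anomaly detection measure above is easiest to understand as a baseline-and-deviation rule set run over sign-in events. The script below is an added example written for this page, not Adex's or PropellerAds' detection code: it learns each advertiser account's usual countries and device fingerprints from earlier successful logins, then flags a new country, a new device, impossible travel (two countries within a short window) and the absence of 2FA on an anomalous login. The event schema, the thresholds and the sample log lines are all constructed for the demo.

```python
"""Baseline-and-deviation login anomaly detection for advertiser accounts (added example)."""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed tuning knobs: two countries within this window count as impossible travel,
# and an account needs this many prior good logins before its baseline is trusted.
TRAVEL_WINDOW = timedelta(hours=2)
MIN_BASELINE = 2

# Constructed sign-in log (JSON lines), not real telemetry. Account ids, device
# fingerprints and timestamps are made up; the TR/IN logins echo the geographies
# the article mentions.
SAMPLE_LOG = """\
{"ts": "2025-03-01T09:12:00Z", "account": "adv-1041", "country": "DE", "device": "fp-a1", "mfa": false, "ok": true}
{"ts": "2025-03-02T14:00:00Z", "account": "adv-2207", "country": "US", "device": "fp-b7", "mfa": true, "ok": true}
{"ts": "2025-03-03T10:02:00Z", "account": "adv-1041", "country": "DE", "device": "fp-a1", "mfa": false, "ok": true}
{"ts": "2025-03-04T11:00:00Z", "account": "adv-3310", "country": "GB", "device": "fp-c3", "mfa": false, "ok": true}
{"ts": "2025-03-06T11:05:00Z", "account": "adv-3310", "country": "GB", "device": "fp-c3", "mfa": false, "ok": true}
{"ts": "2025-03-09T18:40:00Z", "account": "adv-3310", "country": "GB", "device": "fp-c9", "mfa": false, "ok": true}
{"ts": "2025-03-10T08:45:00Z", "account": "adv-1041", "country": "DE", "device": "fp-a1", "mfa": false, "ok": true}
{"ts": "2025-03-11T15:20:00Z", "account": "adv-2207", "country": "US", "device": "fp-b7", "mfa": true, "ok": true}
{"ts": "2025-03-11T15:40:00Z", "account": "adv-2207", "country": "IN", "device": "fp-b7", "mfa": false, "ok": false}
{"ts": "2025-03-11T15:41:00Z", "account": "adv-2207", "country": "IN", "device": "fp-q4", "mfa": true, "ok": true}
{"ts": "2025-03-12T02:31:00Z", "account": "adv-1041", "country": "TR", "device": "fp-zz9", "mfa": false, "ok": true}
{"ts": "2025-03-12T02:33:00Z", "account": "adv-1041", "country": "TR", "device": "fp-zz9", "mfa": false, "ok": true}
"""


@dataclass
class Event:
    ts: datetime
    account: str
    country: str
    device: str
    mfa: bool
    ok: bool


@dataclass
class Baseline:
    countries: set[str] = field(default_factory=set)
    devices: set[str] = field(default_factory=set)
    good_logins: int = 0
    last_ok: Event | None = None


@dataclass
class Alert:
    account: str
    ts: datetime
    severity: str
    reasons: list[str]


def parse_log(text: str) -> list[Event]:
    """Parse JSON-lines sign-in events and return them in chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, r["account"], r["country"], r["device"], bool(r["mfa"]), bool(r["ok"])))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event]) -> list[Alert]:
    """Stream events through per-account baselines and emit alerts for deviations."""
    baselines: dict[str, Baseline] = defaultdict(Baseline)
    alerts: list[Alert] = []
    for ev in events:
        b = baselines[ev.account]
        if not ev.ok:
            continue  # failures do not shape the baseline (a brute-force counter would live here)
        reasons: list[str] = []
        if b.good_logins >= MIN_BASELINE:
            if ev.country not in b.countries:
                reasons.append(f"new country {ev.country}")
            if ev.device not in b.devices:
                reasons.append(f"new device {ev.device}")
            if (b.last_ok is not None and b.last_ok.country != ev.country
                    and ev.ts - b.last_ok.ts <= TRAVEL_WINDOW):
                reasons.append(f"impossible travel {b.last_ok.country}->{ev.country}")
            if reasons and not ev.mfa:
                reasons.append("no MFA on anomalous login")
        if reasons:
            severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
            alerts.append(Alert(ev.account, ev.ts, severity, reasons))
        else:
            # Only unremarkable logins train the baseline. Folding an alerted login in would
            # teach the detector the attacker's country and device and silence every later
            # login from them; an analyst closes that loop after review, not the code.
            b.countries.add(ev.country)
            b.devices.add(ev.device)
            b.good_logins += 1
        b.last_ok = ev  # the travel check always compares against the last success
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.ts.isoformat()} {a.account} {a.severity}: {', '.join(a.reasons)}")
```

On the constructed log the detector raises a medium alert for the new-device login without 2FA on adv-3310, and high alerts for the India login on adv-2207 (new country, new device and impossible travel 21 minutes after a US login) and for both Turkey logins on adv-1041, which stay anomalous because an alerted login never updates the baseline.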
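The multi-stage redirect chains described under Wave Three and the redirect verification measure above are two sides of the same check: a verifier has to follow every hop and judge the chain by where it ends and what it serves, with no short-circuit for a well-known host. The script below is an added example written for this page, not the ad networks' own verifier. The HTTP exchange is simulated by a lookup table of constructed responses so it runs offline; the click URLs, the shortener host and the GitHub and Discord paths are hypothetical, and a real deployment would replace `fake_fetch` with actual HEAD/GET requests.

```python
"""Full redirect-chain verification for advertiser landing URLs (added example)."""
from __future__ import annotations

from urllib.parse import urljoin, urlsplit

MAX_HOPS = 8
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Assumed policy data: shorteners hide the destination from review, and these MIME
# types and suffixes mean the "landing page" is really a direct download.
SHORTENER_HOSTS = {"shrt.test"}
BINARY_TYPES = {"application/vnd.android.package-archive", "application/octet-stream"}
BINARY_SUFFIXES = (".apk", ".xapk", ".apks")

# Constructed responses, url -> (status, Location, Content-Type). Nothing is fetched;
# the GitHub and Discord URLs are hypothetical examples of the hosts the article names.
RESPONSES = {
    # 1. ordinary promotion: one tracking hop, then an HTML landing page
    "https://click.ads.test/c/1": (302, "https://shop.example/spring-sale", None),
    "https://shop.example/spring-sale": (200, None, "text/html"),
    # 2. cloaked chain: shortener -> GitHub release asset -> APK download
    "https://click.ads.test/c/2": (302, "https://shrt.test/a1", None),
    "https://shrt.test/a1": (302, "https://github.com/example-org/updater/releases/download/v1/ChromeUpdate.apk", None),
    "https://github.com/example-org/updater/releases/download/v1/ChromeUpdate.apk":
        (302, "https://objects.githubusercontent.com/example-blob", None),
    "https://objects.githubusercontent.com/example-blob": (200, None, "application/vnd.android.package-archive"),
    # 3. Discord CDN drop behind a relative Location header
    "https://click.ads.test/c/3": (302, "/r/3", None),
    "https://click.ads.test/r/3": (302, "https://cdn.discordapp.com/attachments/1/2/ChromeUpdate.apk", None),
    "https://cdn.discordapp.com/attachments/1/2/ChromeUpdate.apk": (200, None, "application/octet-stream"),
    # 4. redirect loop
    "https://click.ads.test/c/4": (302, "https://click.ads.test/c/4", None),
}


def fake_fetch(url: str) -> tuple[int, str | None, str | None]:
    """Stand-in for a real HEAD/GET; unknown URLs behave like a 404."""
    return RESPONSES.get(url, (404, None, None))


def resolve_chain(start: str, fetch=fake_fetch) -> tuple[list[str], str | None, str | None]:
    """Follow redirects from start; return (hops, final content type, error or None)."""
    hops = [start]
    seen = {start}
    url = start
    for _ in range(MAX_HOPS):
        status, location, ctype = fetch(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # Location may be relative to the current URL
            hops.append(url)
            if url in seen:
                return hops, None, "redirect_loop"
            seen.add(url)
            continue
        if status >= 400:
            return hops, None, f"unreachable_{status}"
        return hops, ctype, None
    return hops, None, "too_many_hops"


def legacy_host_check(url: str) -> bool:
    """The allowlist shortcut the GitHub-hosted payloads exploited: a well-known host is
    approved without looking further. Assumed shape, kept only for contrast."""
    host = urlsplit(url).hostname or ""
    return any(host == h or host.endswith("." + h)
               for h in ("github.com", "githubusercontent.com", "discordapp.com"))


def verify_landing(click_url: str, declared_landing: str, fetch=fake_fetch) -> dict:
    """Zero-trust check: every hop is inspected and no host is exempt. The verdict rests
    on the chain's shape, its terminal content and whether it ends where the advertiser
    said it would."""
    hops, ctype, err = resolve_chain(click_url, fetch)
    findings = [err] if err else []
    hosts = [urlsplit(h).hostname or "" for h in hops]
    paths = [urlsplit(h).path.lower() for h in hops]
    if any(h in SHORTENER_HOSTS for h in hosts):
        findings.append("shortener_in_chain")
    if ctype in BINARY_TYPES or any(p.endswith(BINARY_SUFFIXES) for p in paths):
        findings.append("binary_payload")
    if hosts[-1] != (urlsplit(declared_landing).hostname or ""):
        findings.append("landing_host_mismatch")  # cloaking: reviewers saw one site, users another
    return {"verdict": "reject" if findings else "approve", "hops": hops, "findings": findings}


if __name__ == "__main__":
    for n in range(1, 5):
        r = verify_landing(f"https://click.ads.test/c/{n}", "https://shop.example/spring-sale")
        print(n, r["verdict"], r["findings"], "legacy:", legacy_host_check(r["hops"][-1]))
```

Chain 2 is the instructive case: the legacy host check approves its final URL because it sits on a GitHub domain, while the full-chain verifier rejects it on three independent grounds (a shortener hop, an APK served at the end, and a terminal host that differs from the landing page the advertiser declared). A verifier that stops at the first hop, or at the first trusted host, sees none of that.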

These measures have raised the cost of distributing malware through compromised advertising infrastructure, though persistent adversaries will keep adapting their tactics in response.