Full Report
Over the past year, Bitdefender researchers have been monitoring a persistent malicious campaign that initially spread via Facebook Ads, promising “free access” to TradingView Premium and other trading or financial platforms. According to researchers at Bitdefender Labs, this campaign has now expanded beyond Meta platforms, infiltrating both YouTube and Google Ads, exposing content creators and regular users alike to increased risks. Unlike legitimate ads, these malicious campaigns redirect us
Analysis Summary
# Tool/Technique: TradingView Premium Impersonation Malvertising Campaign
## Overview
A persistent malvertising campaign, initially tracked on Meta platforms, has expanded to utilize Google Ads and YouTube to promote malicious redirects disguised as offers for "free TradingView Premium." The actors impersonate the legitimate trading platform to lure users into downloading malware or visiting phishing pages aimed at stealing credentials and compromising accounts.
## Technical Details
- Type: Malvertising Campaign / Impersonation Scheme
- Platform: Meta (Facebook/Instagram), Google Ads, YouTube (Windows/Android users are implied targets due to previous campaigns mentioned in context)
- Capabilities: Malicious ad distribution, website impersonation, redirection to malware downloads, credential harvesting via phishing.
- First Seen: Monitoring has occurred over the past year (prior to September 25, 2025).
## MITRE ATT&CK Mapping
This campaign primarily focuses on initial access and deception through advertising platforms.
- **TA0001 - Initial Access**
  - **T1566 - Phishing**
    - T1566.001 - Spearphishing Attachment (If malware is delivered via an attachment/download)
    - T1566.002 - Spearphishing Link (Via malicious ads or description links)
  - **T1583.001 - Domains** (Likely used for hosting landing pages)
  - **T1583.004 - Advertising** (Directly using malicious ads)
- **TA0009 - Collection**
  - **T1555 - Credentials from Files** (If downloaded malware steals local credentials)
- **TA0010 - Exfiltration**
  - **T1041 - Exfiltration Over C2 Channel** (If malware exfiltrates stolen data)
## Functionality
### Core Capabilities
- **Malicious Ad Deployment:** Utilizing hijacked advertiser accounts (specifically a compromised design agency's Google advertiser account) to place ads across Google and YouTube targeting specific users.
- **Impersonation:** Highly effective impersonation of TradingView, using official logos, banners, and branding on compromised YouTube channels.
- **Redirection:** Directing users from ads to download sites hosting malware or phishing pages.
### Advanced Features
- **YouTube Channel Hijacking:** Threat actors take over previously verified Google/YouTube accounts, wipe original content, and rebrand them completely as the target platform (TradingView).
- **Ad-Only Distribution:** Using *unlisted* YouTube videos exclusively delivered through paid advertising placements. This avoids public scrutiny, casual reporting, and standard platform moderation checks on public video content.
- **Deceptive Trust Building:** A previously verified badge on YouTube is leveraged to create an assumption of authenticity, even when the channel handle differs from the official one.
- **Evading Detection:** The unlisted video status hides the malicious payload/link from public searching and general moderation, as content is only served via paid ad slots.
## Indicators of Compromise
*Note: Specific hashes, exact URLs, or C2 IPs are not provided in the text, only behavioral and structural indicators.*
- File Hashes: [Not specified in the text]
- File Names: Malicious executable downloads (Targeted download via link in video description).
- Registry Keys: [Not specified in the text]
- Network Indicators: Links embedded in the description of unlisted YouTube ad videos leading to download sites or phishing pages. The compromised domain structure/landing pages used for redirection.
- Behavioral Indicators:
  - YouTube channels with official branding/verified status but lacking original content (only showing views via paid ads).
  - Ad videos titled similar to: _“Free TradingView Premium – Secret Method They Don’t Want You to Know”_.
  - Channels that mirror official playlists but contain no direct video uploads.
## Associated Threat Actors
[Not explicitly named in this snippet, but associated with the persistent malvertising campaign previously tracked on Meta platforms related to crypto/trading.]
## Detection Methods
- Signature-based detection: [Not specified, but executable malware signatures would apply upon download.]
- Behavioral detection: Monitoring for sudden spikes in views on unlisted YouTube video ads, or traffic originating from new, unassociated accounts targeting TradingView keywords. Checking YouTube channel metrics for verified status combined with zero public uploads.
- YARA rules: [Not specified in the text]
## Mitigation Strategies
- **Platform Security:** Google/YouTube must improve processes for investigating rapid rebranding and content alteration of established, verified accounts.
- **User Caution:** Users should verify the channel handle (@name) on YouTube, check for original content, and be skeptical of "too good to be true" offers delivered via advertising platforms.
- **Endpoint Protection:** Ensure robust security software is active to detect and block the download or execution of malicious executables linked from advertisements.
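The behavioral indicators, detection methods and user-caution advice above can be turned into a simple triage heuristic over channel and ad metadata. The script below is an added example written for this summary; it is not code from Bitdefender or from the report. It assumes an official handle (`@tradingview`) and official domains (`tradingview.com`) that the text does not state, and all channel records in it are constructed sample data, not real channels. It scores a channel on the page's indicators: a brand name with a non-matching handle, a verified badge with zero public uploads, mirrored playlists without own uploads, unlisted ad-only videos, "free premium" bait titles, and description links pointing off the brand's own domain.

```python
"""Heuristic triage of YouTube channel/ad metadata for the rebranded-channel
malvertising pattern described above. All data below is constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed official identity of the impersonated brand (not given on the page).
OFFICIAL_HANDLE = "@tradingview"
OFFICIAL_DOMAINS = {"tradingview.com", "www.tradingview.com"}

BAIT_TITLE = re.compile(r"\bfree\b.*\bpremium\b|\bsecret method\b", re.IGNORECASE)
BRAND = re.compile(r"tradingview", re.IGNORECASE)


@dataclass
class AdVideo:
    title: str
    unlisted: bool                       # served only through paid ad slots
    description_links: list[str] = field(default_factory=list)


@dataclass
class Channel:
    handle: str                          # the @name shown under the channel
    display_name: str                    # branding the channel presents
    verified: bool
    public_upload_count: int
    playlist_count: int
    ad_videos: list[AdVideo] = field(default_factory=list)


def offbrand_links(video: AdVideo) -> list[str]:
    """Description links whose host is not one of the brand's own domains."""
    bad = []
    for url in video.description_links:
        host = (urlparse(url).hostname or "").lower()
        if host not in OFFICIAL_DOMAINS:
            bad.append(url)
    return bad


def score_channel(ch: Channel) -> tuple[int, list[str]]:
    """Return (score, reasons); higher score = more indicators matched."""
    score, reasons = 0, []
    if BRAND.search(ch.display_name) and ch.handle.lower() != OFFICIAL_HANDLE:
        score += 3
        reasons.append(f"brand name but handle {ch.handle} != {OFFICIAL_HANDLE}")
    if ch.verified and ch.public_upload_count == 0:
        score += 3
        reasons.append("verified badge with zero public uploads")
    if ch.playlist_count > 0 and ch.public_upload_count == 0:
        score += 1
        reasons.append("mirrored playlists but no own uploads")
    for v in ch.ad_videos:
        if v.unlisted:
            score += 1
            reasons.append(f"ad-only unlisted video: {v.title!r}")
        if BAIT_TITLE.search(v.title):
            score += 2
            reasons.append(f"bait title: {v.title!r}")
        bad = offbrand_links(v)
        if bad:
            score += 2
            reasons.append(f"off-brand description links: {bad}")
    return score, reasons


def triage(channels: list[Channel], threshold: int = 5) -> list[tuple[str, int, list[str]]]:
    """Channels whose score reaches the threshold, for analyst review."""
    flagged = []
    for ch in channels:
        score, reasons = score_channel(ch)
        if score >= threshold:
            flagged.append((ch.handle, score, reasons))
    return flagged


# Constructed sample records: a legitimate-looking channel and a rebranded one.
OFFICIAL = Channel("@tradingview", "TradingView", True, 500, 20, [
    AdVideo("New charting features", False, ["https://www.tradingview.com/pricing/"]),
])
HIJACKED = Channel("@freshrebrand", "TradingView", True, 0, 5, [
    AdVideo("Free TradingView Premium - Secret Method They Don't Want You to Know",
            True, ["https://example.net/download/setup.exe"]),
])
SAMPLE_CHANNELS = [OFFICIAL, HIJACKED]

if __name__ == "__main__":
    for handle, score, reasons in triage(SAMPLE_CHANNELS):
        print(handle, score)
        for r in reasons:
            print("  -", r)
```

Only the constructed `@freshrebrand` record crosses the review threshold; the weights are arbitrary and meant to be tuned against real channel telemetry, but the indicators themselves are the ones listed in the summary.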
## Related Tools/Techniques
- Previous iterations of this campaign targeting Meta/Facebook Ads.
- Campaigns mentioned in referenced articles that delivered advanced crypto-stealing malware on Android.
- General Ad Fraud/Malvertising techniques.