Watch out — this fake ad blocker might actually end up infecting your device with malware

HotPage is a lot more than just a piece of adware

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Imagine installing an ad blocker that ends up displaying even more adware. To make matters worse, this “ad blocker” also steals sensitive data from the device it’s installed on, and even allows other malicious actors to run code with elevated privileges.

This is exactly what HotPage, a new adware module recently discovered by cybersecurity researchers ESET, can apparently do. In its analysis, ESET said it first spotted HotPage in late 2023 masquerading as an ad blocker, but during the installation, it “deploys a driver capable of injecting code into remote processes, and two libraries capable of intercepting and tampering with browsers' network traffic.”

As a result, themalwarecan modify, or fully replace, the contents of a page the victim is trying to visit. It can redirect them to an entirely different page, or open a new page in a new tab, if needed.

Displaying ads, grabbing data, deploying malware

The core goal of HotPage is to display game-related ads, the researchers said. However, it can also grab system information, and send it to a remote server registered to a Chinese company Hubei Dunwang Network Technology Co., Ltd, which suggests that the campaign is of Chinese origin. Ultimately, the malware also allows non-privileged account holders to elevate their privileges and run code as the NT AUTHORITY\System account.

“This kernel component unintentionally leaves the door open for other threats to run code at the highest privilege level available in the Windowsoperating system: the System account,” the researchers said in their writeup. “Due to improper access restrictions to this kernel component, any processes can communicate with it and leverage its code injection capability to target any non-protected processes.”

ESET concluded its writeup by saying that HotPage looks generic enough, but is in fact quite sophisticated.

More from TechRadar Pro

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics