Kyle and Stan Malvertising Infects Thousands of Computers

A malvertising network called ‘Kyle and Stan’ has been used to attack millions of users via several websites including YouTube, Yahoo and Amazon, according to an investigation carried out by Cisco.

kyle and stan

Three security researchers at Cisco, David McDaniel, Shaun Hurley and Armin Pelkmann, shared their findings about the malware attacks in a blog post.

Kyle and Stan, named after the characters in South Park evidently, show up in the domain names of more than 700 websites that the network uses to serve ads. The malware first determines whether users are on a Mac or a Windows system, then redirects their browser to a website that is serving executable files for the preferred operating system.

In the blog, the researchers say:

“The network leverages the enormous reach of well-placed malicious advertisements on very well-known websites in order to potentially reach millions of users.”

“The goal is to infect Windows and Mac users alike with spyware, adware and browser hijackers. It is not too far-fetched that other kinds of malware are being used as well.”

The malware ads want users to install a file that’s a “bundle of legitimate software, like a media-player”, featuring a “unique-to-every-user configuration” that accumulates in the downloaded file. There’s no ‘drive-by’ present, but the post notes the attackers are using social engineering to trick users into installing the malicious file.

One of the researchers Pelkmann said that the real size of the malware is likely to be larger than the 700-plus domains it has affected. All the domains the researchers discovered were hosted on Amazon, and there seem to be certain domains in the network that are specifically for redirection and others that are serving only as landing pages. Once the attack successfully places the malware on a victim’s machine, the real attack begins.

The larger size is allowing the hackers to use a certain domain for a limited amount of time, burn it and then move to another one for further attacks. This helps them avoid reputation and blacklist-based security implementations.

“We are facing a very robust and well-engineered malware delivery network that won’t be taken down until the minds behind this are identified.”

However, Cisco discovered just 10,000 users connecting to the network’s domains. The company says malvertising targets the small number of firms supplying online ads to thousands of domains.

“If an attacker can get one of those major advertisement networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.”

Mac users are prompted a legitimate MPlayerX app bundled with Conduit and VSearch – two popular browser hijackers. Windows users are prompted a malware dropper that installs spyware applications. According to Cisco, the dropper “has an interesting way of retrieving its various payloads through a GET request. The dropper is a 32-bit executable written in C++”.

The researchers noted the network’s ability to provide unique malware to each victim, supported by a large number of websites, is assisting it from being detected at a broader scale.

Many high-profile websites have been victims to malvertising operations in recent times. Just a couple of months ago, security researchers reported how visitors to,,,,, and were redirected to browser exploits that installed malware on their computers when they clicked on malicious advertisements on these websites. In this case, the malicious ads were also served through an online advertising network.

Users can avoid the Kyle and Stan malware from infecting their machines by not clicking on suspicious looking advertisements, or by avoiding the installation of downloaded programs.