Pulse Detail — Threat Intelligence

PULSE NAME

AI-dvertiser: Multi-Stage Ad Fraud and ClickFix Network Impersonating Web3 Brands

WHITE QuetzalTeam 2026-05-07 Modified: 2026-05-11

IOCs

MEDIUM VOLUME

We identified a phishing domain impersonating Bitso that operates as part of a broader malicious advertising and traffic distribution network targeting fintech and Web3 users. The infrastructure chains together multiple redirectors, disposable domains and ad distribution services to deliver highly variable content. Observed payloads include AI-generated fake news websites featuring synthetic imagery, ClickFix-style landing pages designed to trick users into enabling browser push notifications for large-scale advertising spam, and fully AI-generated YouTube channels focused on music, philosophy and storytelling. In edge cases, the infrastructure redirects victims to low-visibility Spotify tracks that also appear to be AI-generated. We refer to this ecosystem as “AI-dvertiser”, an emerging model where generative AI is combined with ad fraud, social engineering and automated content farms to create scalable and low-cost malicious engagement infrastructure.

Web3

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1472 T1410

Indicators of Compromise (46)

All IPv4 URL domain hostname FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
IPv4	185.100.234.66	CC=NL ASN=AS31120 padaco automatisering b.v.	2026-05-07
IPv4	46.8.8.229	CC=CZ ASN=AS60592 gransy s.r.o.	2026-05-07
URL	https://670844.jetwonder.co/	—	2026-05-07
URL	https://bitso.info	—	2026-05-07
URL	https://crn77.com/afu.php	—	2026-05-07
URL	https://hosertup.co.in/click.php	—	2026-05-07
URL	https://live.pornamigo.com	—	2026-05-07
URL	https://xml-v4.giantpanda.media/click?i=h4tl9Jy*SPY_0	—	2026-05-07
domain	ajixeb.com	—	2026-05-07
domain	bitso.info	—	2026-05-07
domain	crn77.com	—	2026-05-07
domain	giantpanda.media	—	2026-05-07
domain	hosertup.co.in	—	2026-05-07
domain	jetwonder.co	—	2026-05-07
domain	jyuzuw.com	—	2026-05-07
domain	planet.news	—	2026-05-07
hostname	670844.jetwonder.co	—	2026-05-07
hostname	live.pornamigo.com	—	2026-05-07
hostname	xml-v4.giantpanda.media	—	2026-05-07
URL	https://cashcpimac.newhill.workers.dev	—	2026-05-07
URL	https://xml-v4.pushub.net/click2	—	2026-05-07
domain	pushub.net	—	2026-05-07
hostname	cashcpimac.newhill.workers.dev	—	2026-05-07
hostname	xml-v4.pushub.net	—	2026-05-07
URL	https://9437143c.connection-authcheckv4.pages.dev/?vc=fa1385ab&ts=1778528061439&rn=467562	—	2026-05-11
hostname	9437143c.connection-authcheckv4.pages.dev	—	2026-05-11
URL	https://snubentail.digital/script.sh	—	2026-05-11
domain	snubentail.digital	—	2026-05-11
URL	https://tamenesswhoop.digital/script.sh	—	2026-05-11
domain	tamenesswhoop.digital	—	2026-05-11
FileHash-SHA256	2621723d94b8a8d64645a265c9be3d96edb8c90d5d7e788c5dfca71d466da2c2	—	2026-05-11
FileHash-SHA256	5585c86abada1c547ab3a9ba8f735122b7f770c9d1428c9557fcc731fcaf3957	—	2026-05-11
domain	9sxgrev.pro	—	2026-05-11
domain	axj0tw9.lol	—	2026-05-11
domain	jnoaxfwe.info	—	2026-05-11
URL	https://t.me/ax03bot	—	2026-05-11
domain	acvgste.club	—	2026-05-11
URL	https://secure-layer-01.pages.dev/?vc=ff3d2ef5&ts=1778528639172&rn=402131	—	2026-05-11
hostname	secure-layer-01.pages.dev	—	2026-05-11
URL	https://amigounhitched.digital/script.sh	—	2026-05-11
domain	amigounhitched.digital	—	2026-05-11
hostname	sessionaquire-checkv1.pages.dev	—	2026-05-11
FileHash-SHA256	73e92891b078e61a384ab3fccca55e17e7ebf2706c4a150f2d0460db6d8f6544	—	2026-05-11
URL	https://readyseccheck.space/ntroi.ini	—	2026-05-11
domain	readyseccheck.space	—	2026-05-11
domain	bindirect.click	—	2026-05-11