Most business owners picture a cyberattack starting the same way: a suspicious email, a sketchy link, maybe a fake invoice. Someone clicks it, the hackers get in, and the IT team scrambles to clean up the damage.
That model continues to evolve.
In April 2026, our Apex Security team responded to an incident that started with something far more ordinary: an employee doing research on the internet was redirected, through an advertisement, to a free PDF converter. No weird email. No suspicious sender. Just standard web browsing, a convincing software lure, and a download that looked legitimate to the end user. The file was executed and triggered only a generic alert, but its payload had already run entirely in memory, undetected.
Here's what happened, why it worked, and what it means for your business.
The Problem: "Poisoned" Ads Are the New Phishing
What We Caught: A Real-World Case Study
Why This Works Against Most Businesses
The Solution: Forensic-Led Resilience
Email phishing remains one of the most common ways attackers get in, and training your team to recognize it is non-negotiable. But this case study is about something no amount of inbox vigilance would have stopped. Attackers have moved upstream, into the advertising networks behind the websites your team visits in the course of a normal workday.
This technique is called malvertising (malicious advertising), and it is accelerating fast. According to the Center for Internet Security (CIS), malvertisement was ranked the number one initial infection vector for malware in 2024, responsible for driving more infections than phishing emails during that period. In early 2025, Microsoft Threat Intelligence uncovered a malvertising campaign that compromised nearly one million devices globally — delivered through ads on otherwise legitimate websites.
The mechanics are simple and brutal: attackers purchase ads through real advertising platforms, including Google Ads, and route victims to convincing fake software websites. The sites look professional, the downloads appear to work, and by the time anyone notices something is wrong, the damage is done.
What makes this particularly dangerous for businesses isn't just the delivery method. It's what happens next.
Traditional endpoint security is built around scanning files on disk, and even modern EDRs struggle to capture and detect what happens only in memory.
These attackers know that. The payloads in the campaigns our team investigated were designed specifically to exploit those blind spots. Once the fake installer runs, it loads a secondary malicious payload, a file called math.dll, that is staged only in a temporary installer directory; the malicious code then executes entirely in memory, leaving little on disk for a file scanner to flag.
This is process injection (MITRE ATT&CK technique T1055), and it remains one of the most effective techniques for defense evasion and malicious payload execution.
Our Apex Security team began investigating after an endpoint in a client environment triggered a generic memory alert. What forensic analysis revealed was a multi-variant fake software lure campaign running through Google Ads.
The attack reached the victim through a legitimate advertising channel on a legitimate website. The URL our team recovered contained the gad_campaignid parameter, which browser forensic artifacts confirmed as a Google Ads click-through.
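The check that follows is an added example for this article, not Apex tooling. It shows how the Google Ads click parameters mentioned above are recovered from a browser history database: it builds a constructed, in-memory copy of Chrome's `urls` table (the column names and the WebKit microsecond timestamp format match the real History SQLite file; that they match is an assumption of this example), flags rows whose URL carries gad_campaignid, gad_source or gclid, and lists what the user visited in the seconds after each ad click. The sample rows, the landing domain (a placeholder) and the parameter values are all constructed.

```python
"""Triage a Chrome-style History database for ad-click landing pages.

Added example for this article, not Apex tooling. All rows below are
constructed; the landing domain is a placeholder.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Query-string keys Google Ads appends to click-through URLs.
AD_CLICK_PARAMS = {"gad_campaignid", "gad_source", "gclid"}

# Chrome stores last_visit_time as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    # Integer arithmetic: float total_seconds() loses microseconds at this scale.
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def ad_params(url):
    """Return the ad-attribution parameters found in a URL, or {} if none."""
    qs = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in qs.items() if k in AD_CLICK_PARAMS}


def build_sample_history():
    """Constructed stand-in for Chrome's History file (assumption: same `urls` schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
               "visit_count INTEGER, last_visit_time INTEGER)")
    t0 = datetime_to_webkit(datetime(2026, 4, 5, 14, 2, 11, tzinfo=timezone.utc))
    rows = [
        (1, "https://www.google.com/search?q=free+pdf+converter",
         "free pdf converter - Google Search", 1, t0),
        # Placeholder landing domain; the gad_campaignid and gclid values are made up.
        (2, "https://pdf-tool.example.invalid/?gad_source=1&gad_campaignid=123456789&gclid=EXAMPLE",
         "MealFormula - Convert PDF Free", 1, t0 + 8_000_000),
        (3, "https://pdf-tool.example.invalid/download/MealFormula_430054.exe",
         "Download", 1, t0 + 21_000_000),
        (4, "https://docs.python.org/3/library/sqlite3.html", "sqlite3", 3, t0 + 600_000_000),
    ]
    db.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", rows)
    return db


def find_ad_landings(db):
    """Return history rows that arrived via an ad click, oldest first."""
    hits = []
    for url, title, ts in db.execute(
            "SELECT url, title, last_visit_time FROM urls ORDER BY last_visit_time"):
        params = ad_params(url)
        if params:
            hits.append({"when": webkit_to_datetime(ts), "url": url,
                         "title": title, "params": params})
    return hits


def visits_after(db, start, window_seconds):
    """URLs visited within window_seconds after `start` (typically the follow-on download)."""
    lo = datetime_to_webkit(start)
    hi = lo + window_seconds * 1_000_000
    return [row[0] for row in db.execute(
        "SELECT url FROM urls WHERE last_visit_time > ? AND last_visit_time <= ? "
        "ORDER BY last_visit_time", (lo, hi))]


if __name__ == "__main__":
    # On real evidence: copy the History file (it is locked while Chrome runs)
    # and pass sqlite3.connect(copy_path) instead of the sample database.
    history = build_sample_history()
    for hit in find_ad_landings(history):
        print(f"{hit['when'].isoformat()} ad click -> {hit['url']}")
        print(f"  params: {hit['params']}")
        for url in visits_after(history, hit["when"], 60):
            print(f"  followed by: {url}")
```

The parameter set is deliberately small and literal; gclid is Google's click identifier and gad_source and gad_campaignid are newer attribution parameters, so matching on the key names rather than on a domain list keeps the triage independent of which lure site the campaign is using this week.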
Multiple fake software brands were identified in this campaign:
Figure 1 – Apex Forensic Analysis – MyPDFSwitch Landing Page 4/5/26
Figure 2 – Apex Forensic Analysis – MealFormula Landing Page 4/5/26
Both landing pages were professionally designed, with feature lists, download buttons, and polished branding that would not raise suspicion from most users. Our team also identified a third variant, FlipFormatPDF, using identical delivery infrastructure.
Figure 3 – Apex Forensic Analysis – MealFormula Landing Page 3/26/26
Apex has uncovered other variations of what is believed to be the same campaign. The delivery chain is identical; the only adjustment is the bundled software likely leveraged to achieve process injection and subsequent payload execution.
Figure 4 – Apex Forensic Analysis – FlipFormatPDF Landing Page
Both the MyPDFSwitch and MealFormula downloads delivered what appeared to be WinRAR 7.20.0 installer files, a trusted, widely used application. The FlipFormatPDF variant contains components from SumatraPDF, another legitimate tool. In both cases, vulnerabilities in these bundled components may have been exploited to facilitate in-memory code injection; the exact mechanism was not confirmed.
Figure 5 – Apex Forensic Analysis – MyPDFSwitch Delivery
Figure 6 – Apex Forensic Analysis – MealFormula Delivery
Through forensic analysis, our team reconstructed the delivery and execution chain:
C:\Users\[REDACTED]\Downloads\MealFormula_430054.exe
    ↓
C:\Users\[REDACTED]\AppData\Local\Temp\nsn7129.tmp\math.dll
The secondary payload (math.dll) executed completely in memory. The local EDR agent generated a generic memory alert, but it did not identify the payload execution and did not mitigate the incident. Only forensic-led investigation enabled a complete reconstruction of what happened.
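The in-memory stage described earlier (math.dll) leaves little for a file scanner, but the telemetry around it is enough to reconstruct the chain shown above. The script below is an added example for this article, not Apex's detection content: it joins Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) records by ProcessGuid and alerts when a browser-spawned executable from a user-writable directory loads a DLL out of a transient NSIS installer directory, rating the alert higher when the DLL's signer is not on a reviewed allowlist. The events are constructed to mirror the case study; the browser list, the signer allowlist and the severity rules are this example's own assumptions. It does not inspect memory, and many legitimate NSIS installers load plug-ins from ns*.tmp, which is why the rule requires the browser-download chain as well.

```python
"""Reconstruct a browser-download -> installer -> temp-DLL chain from endpoint telemetry.

Added example for this article, not Apex's detection content. Field names follow
Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad). Events are constructed.
"""
import re

# Assumption: browsers whose child processes we treat as "downloaded and run".
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Executables launched from user-writable download/temp locations.
USER_DROP_DIRS = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)\\", re.I)
# NSIS installers unpack plug-in DLLs into %TEMP%\ns<random>.tmp\ and remove it on exit.
NSIS_PLUGIN_DLL = re.compile(r"\\Temp\\ns[a-z0-9]+\.tmp\\[^\\]+\.dll$", re.I)
# Assumption: signers whose installer plug-ins have been reviewed before.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

SAMPLE_EVENTS = [  # constructed to mirror the case study; not a real log export
    {"EventID": 1, "ProcessGuid": "guid-a1",
     "Image": r"C:\Users\alice\Downloads\MealFormula_430054.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 7, "ProcessGuid": "guid-a1",
     "Image": r"C:\Users\alice\Downloads\MealFormula_430054.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "ProcessGuid": "guid-a1",
     "Image": r"C:\Users\alice\Downloads\MealFormula_430054.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\nsn7129.tmp\math.dll",
     "Signed": "true", "Signature": "INSTALLERIM LLC", "SignatureStatus": "Valid"},
    # Control: a vendor installer started from Explorer loading its own NSIS plug-in.
    {"EventID": 1, "ProcessGuid": "guid-b2",
     "Image": r"C:\Users\alice\Downloads\vendor-setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "guid-b2",
     "Image": r"C:\Users\alice\Downloads\vendor-setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\nsa3c21.tmp\nsExec.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Join ImageLoad events to their ProcessCreate and return alerts for the chain."""
    procs = {}   # ProcessGuid -> ProcessCreate event
    alerts = []
    for e in events:
        if e["EventID"] == 1:
            procs[e["ProcessGuid"]] = e
            continue
        if e["EventID"] != 7:
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None:
            continue
        browser_chain = (basename(proc["ParentImage"]) in BROWSERS
                         and USER_DROP_DIRS.search(proc["Image"]) is not None)
        temp_dll = NSIS_PLUGIN_DLL.search(e["ImageLoaded"]) is not None
        if not (browser_chain and temp_dll):
            continue
        signer = e.get("Signature") or "unsigned"
        trusted = e.get("SignatureStatus") == "Valid" and signer in TRUSTED_SIGNERS
        alerts.append({
            "severity": "medium" if trusted else "high",
            "chain": f"{basename(proc['ParentImage'])} -> {proc['Image']} -> {e['ImageLoaded']}",
            "dropper": proc["Image"],
            "loaded": e["ImageLoaded"],
            "signer": signer,
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['chain']}  (signer: {a['signer']})")
```

The signer name is what gives the alert its weight: a valid Authenticode signature is not a trust decision, and an installer whose plug-in DLL is signed by an entity nobody in the organization has reviewed is exactly the case a generic memory alert leaves for a human to pull on.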
Code-signing analysis of the malicious payload revealed a certificate issued to the business entity "INSTALLERIM LLC," which public internet records appear to connect to an individual potentially based in Ukraine, suggesting campaign operators originating from either Ukraine or Russia.
Cross-referencing threat intelligence, our team also found online references to math.dll in related campaign variants operating under names including FoodFormula, KitchenCanvas, and RecipeUp, indicating that this is a broad, ongoing campaign with multiple active lures.
The operators are likely using Large Language Models (LLMs) to generate and iterate on landing pages at scale, dramatically reducing the effort required to launch convincing new campaign variants.
The uncomfortable truth is that standard antivirus tools, basic endpoint detection, and spam filters (the tools most small and mid-sized businesses rely on) were not designed to catch this class of attack.
Consider the scale of the threat landscape your team operates in.
And critically, many of these incidents do not start with someone clicking a bad email. They start with normal business activity: employees downloading tools, searching for software, doing their jobs, in an environment where attackers have poisoned the infrastructure they trust.
Catching this kind of attack requires a fundamentally different approach to endpoint security. File scanning is not enough. Alert monitoring is not enough. What's required is continuous behavioral monitoring, watching what processes are doing in real time, not just what files exist on disk.
Figure 7 - Apex Forensic Analysis - Subsequent Payload Delivery
When our Apex team investigated this incident, the existing EDR agent had generated only a generic memory detection. It did not identify the attack or stop the payload, and it did not reconstruct what happened; our forensic analysis did all of that.
This is the core distinction between standard endpoint tools and a managed forensic security program. When a memory anomaly appears, our analysts don't dismiss it as noise; they pull the thread until the full attack chain is understood.
Apex Security's approach includes:
This is not a threat aimed at careless behavior. The fake software lures used in these campaigns (PDF converters, productivity tools, AI assistants) mirror the exact utilities that employees across manufacturing, healthcare, and financial services search for every day to support normal workflows. The attack works precisely because the download looks like something your team genuinely needs.
Our analysts are trained to recognize "fake software" lure patterns and understand how they map to the workflows common in regulated industries. That industry context is not incidental; it is core to identifying threats that generic security operations centers miss.
One of the most dangerous gaps in incident response is not technical; it is operational. When a breach escalates, most cybersecurity providers require you to negotiate new contracts, track hourly billing, and wait for emergency availability while an active threat is spreading through your network.
Apex Security eliminates that friction. Full-scale Incident Response is included as a standard feature, with no retainer fees and no hourly emergency billing. When your environment needs forensic investigation, our team is already there.
If your business relies on standard antivirus or an unmonitored EDR agent, the case study above represents a real gap in your defenses. A single employee searching for a free tool on a work device, on your network, is all it takes.
The indicators of compromise from the campaign our team investigated are documented below. If you are a current Apex client, these have already been pushed to your environment. If you are not, consider this a preview of what continuous forensic monitoring catches that most tools miss.
Domain IOCs (do not visit — block at firewall/DNS):
File Hash IOCs:
This research was produced by the Compass Apex Security team. Apex Security delivers forensic-grade cyber defense, continuous human-led investigation, and audit-ready reporting for regulated and high-risk organizations. Learn more about Apex Security or book an assessment.