Cybercriminals are using the commercial advertising tracker Keitaro to hide online scams and malware behind ordinary-looking web traffic, with researchers identifying about 15,500 malicious domains linked to the activity over four months.
The finding comes from joint research by Infoblox Threat Intel and ad security specialist Confiant. Examining Keitaro activity from the start of October 2025, the researchers found extensive abuse of the software’s traffic-routing features. The study focuses on how threat actors use domain cloaking to send victims to harmful sites while showing benign content to other visitors, moderators and security tools.
The largest category of abuse involved investment fraud, particularly schemes marketed around artificial intelligence. These pages promoted supposed automated trading systems with claims such as “Smart AI Trading Technology” and “Intelligent Trading Solutions”, often paired with promises of unusually high returns.
The report points to a broader shift in cybercrime infrastructure. Rather than building custom tools, threat actors are increasingly using off-the-shelf commercial products that already provide audience targeting, traffic filtering and campaign management. In this case, the software at the centre of the study is a self-hosted tracker used by legitimate digital marketers to monitor advertising performance.
Cloaking system
Cloaking has long been used to evade platform rules and scrutiny, but the research argues it is now more deeply embedded in criminal operations. Traffic distribution systems and cloaking kits decide, per request, whether a visitor is sent to the malicious destination or shown a harmless page, based on factors including device type, geography and referral source. That lets fraud operators reach their intended victims while reducing the chance of detection by ad platforms, hosting providers and investigators, who typically arrive with a different device profile, location or referrer than the targeted audience.
The same methods can also help criminal groups shield operations from rivals, not just defenders. By controlling visibility, operators can limit who is able to inspect a campaign’s true destination.
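To make the routing logic and its blind spot concrete, the following added example (not code from the report, from Keitaro, or from either research team) models a hypothetical cloaker rule set of the kind described above and runs a differential probe against it: the same URL is requested under several visitor profiles and the responses are fingerprinted, so any profile that receives a different page than a scanner does is flagged. The rule thresholds, user-agent tokens, referrer hosts, country list and page bodies are all assumptions constructed for illustration; real deployments derive geography from IP geolocation rather than a header.

```python
"""Differential probing of a cloaked page (added example, constructed data)."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Visitor:
    user_agent: str
    country: str   # assumed: a real cloaker derives this from IP geolocation
    referer: str


# Hypothetical cloaker rule set, modelled on the filters described in the text.
SCANNER_UA_TOKENS = ("bot", "crawler", "spider", "curl", "python-requests", "headless")
TARGET_COUNTRIES = {"US", "GB", "DE", "AU"}
TRUSTED_REFERER_HOSTS = ("facebook.com", "google.com", "tiktok.com")
MOBILE_UA_TOKENS = ("mobile", "android", "iphone")

# Constructed sample pages: the benign "safe" page and the scam "money" page.
SAFE_PAGE = "<html><body><h1>Ten Tips for a Greener Garden</h1></body></html>"
MONEY_PAGE = ("<html><body><h1>Smart AI Trading Technology</h1>"
              "<p>Intelligent Trading Solutions - 300% monthly returns</p></body></html>")


def cloaker_decision(v: Visitor) -> str:
    """Return 'money' only for visitors matching every targeting filter, else 'safe'."""
    ua = v.user_agent.lower()
    if any(tok in ua for tok in SCANNER_UA_TOKENS):
        return "safe"                      # known scanner / automation user agent
    if v.country not in TARGET_COUNTRIES:
        return "safe"                      # outside the campaign's geo targeting
    if not any(host in v.referer for host in TRUSTED_REFERER_HOSTS):
        return "safe"                      # did not arrive via the paid ad channel
    if not any(tok in ua for tok in MOBILE_UA_TOKENS):
        return "safe"                      # campaign targets mobile devices only
    return "money"


def serve(v: Visitor) -> str:
    """Stand-in for the cloaked landing page: body depends on the visitor profile."""
    return MONEY_PAGE if cloaker_decision(v) == "money" else SAFE_PAGE


# Probe profiles a defender would fetch with. Each differs in one or two
# attributes so a divergent response points at the filter that caused it.
PROBE_PROFILES = {
    "scanner": Visitor(
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "US", ""),
    "desktop_direct": Visitor(
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "US", ""),
    "mobile_fb_us": Visitor(
        "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148 Safari/604.1",
        "US", "https://l.facebook.com/l.php"),
    "mobile_fb_br": Visitor(
        "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148 Safari/604.1",
        "BR", "https://l.facebook.com/l.php"),
}


def probe(fetch) -> dict:
    """Fetch the same URL under every profile and report which ones diverge.

    `fetch` is any callable mapping a Visitor to a response body; here it is
    `serve`, but in practice it would wrap an HTTP client that sets the
    User-Agent and Referer headers and routes through an exit in `country`.
    """
    digests = {name: hashlib.sha256(fetch(v).encode()).hexdigest()[:12]
               for name, v in PROBE_PROFILES.items()}
    baseline = digests["scanner"]
    divergent = sorted(n for n, d in digests.items() if d != baseline)
    return {
        "digests": digests,
        "cloaking_suspected": bool(divergent),
        "divergent_profiles": divergent,
    }


if __name__ == "__main__":
    result = probe(serve)
    for name, digest in result["digests"].items():
        print(f"{name:16s} {digest}")
    print("cloaking suspected:", result["cloaking_suspected"],
          "via", result["divergent_profiles"])
```

The practical point is the negative case: a single fetch from a datacenter IP with a default client user agent always lands in the `safe` branch, so "the URL serves benign content" is not evidence that it is benign. Probing must vary the attributes the cloaker keys on, and when only one profile diverges (here the mobile, US, Facebook-referred one) that profile describes the campaign's intended victim.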
According to the research, Keitaro no longer supports cloaker integrations, but threat actors are still able to misuse its existing features and in some cases rely on stolen licences. Infoblox and Confiant said they worked with Keitaro during the research to disrupt abuse and better understand how pirated or compromised access was being used.
AI lure
Investment scams were the dominant use case among the malicious Keitaro instances identified. The AI angle appears to have become a central marketing tactic, with fraudsters framing offers as modern, automated and data-driven. The researchers also observed signs that generative AI is being used to mass-produce the text, headlines and imagery that fill scam pages and online adverts.
That combination could make operations easier to scale. A tracker such as Keitaro can manage and route traffic, while generative AI can produce large volumes of tailored content for different campaigns, languages and audience segments.
The research drew on datasets from both organisations. Confiant provided visibility into the advertising supply chain, while Infoblox analysed how the activity appeared in DNS records, supported by spam and website content analysis. Together, those perspectives were used to map a broader network of domains and delivery methods than either approach would likely have revealed on its own.
This matters because the malicious traffic did not come from a single source. Victims were routed into scams and malware through compromised websites, spam messages, social media and online advertising. That suggests operators are not confined to one distribution channel and are adapting campaigns to whichever routes remain effective.
“For years, Keitaro has popped up in individual investigations, but no one had stepped back to ask how big the problem really is,” said Dr. Renée Burton, Vice President of Infoblox Threat Intel. “We found that Keitaro frequently appeared in malicious campaigns – but the story really isn’t about Keitaro; they are just one player in an ecosystem that malicious actors are using to scale and target attacks around the globe.”
Wider pattern
The findings add to growing evidence that cybercrime increasingly relies on mainstream tools and services rather than wholly bespoke infrastructure. Security researchers have warned for years that legitimate cloud, advertising and web management products can be repurposed for fraud, phishing and malware delivery. The use of commercial tracking software fits that pattern because it gives operators functions they would otherwise have to build and maintain themselves.
For defenders, that creates a more complex challenge. Blocking a single malicious site or campaign does not address the broader infrastructure that allows threat actors to spin up replacements quickly. It also complicates enforcement when the same software can be used lawfully by marketers and unlawfully by fraud groups.
The study offers one of the clearest measures so far of how extensively a mainstream ad-tracking product can feature in criminal operations. The researchers said their work on Keitaro and cloaking will continue, with further analysis of related fraud schemes, spam and advertising pipelines, and the ways criminals weaponise the software’s features while vendors try to curb abuse.