We have discovered a trojan in the wild that hijacks cameras connected to a victim's computer to analyse product and brand logos in the camera's field of view. The victim will not be aware that this is happening, because the trojan disables the LEDs that would normally indicate the webcam being in operation. The victim's browser will then be manipulated in such a way that a hidden adblock component is installed. This enables the trojan to replace advertisement banners with its own ads, based on the user's apparent preferences. The cyber criminals operating the scam make money off of affilate fees tied to the replacement ad banners.

The trojan will upload images from the cameras to AWS cloud servers operated by the cyber criminals. These analyse the footage for known logos, presumably using sophisticated neural networks and machine learning. The server then sends relevant ad banners and embeddable JavaScript back to the malware instance running on the victim's computer. Legitimate ads are thus exchanged with ads benefiting the scammers.


Several versions of the EvilEye malware are currently circulating in the wild. A number of anti-virus vendors have been contacted by us and were supplied with the malware samples we discovered in our research. Current anti-virus software should already protect you against the current threat. When the malware evolves, as it has done several times during our analysis of it, this might change. We would recommend you keep your anti-virus suite up to date at all times. The same goes for software updates to your operating system and other software, of course.


EvilEye was discovered by independent security researchers Marcus Cole and Joe Miller of C-Sec Security in conjunction with a major web advertising firm that preferred not to be named in the report. A paper describing the technical details of the malvertising campaign is being prepared and will be available shortly. If you are an advertiser and were affected by EvilEye, you can contact the authors by emailing – but please refrain from contacting us for technical or press inquiries, since we are a very small team and already very busy.


As has been noted by other researchers in the past, a security vulnerability tends to get overlooked these days if it isn't accompanied by a website, a great name and a nice looking logo. We don't like it either, but unfortunately, such is the world we all live in now.


Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer