Skip to Main Content

Kyle & Stan Malvertising Hits Amazon, YouTube

The “Kyle and Stan” method is an example of a particular type of exploit known as ‘malvertising’, because it inserts malware into online advertising, so as to infect visitors of legitimate, high-traffic websites. Because online advertisements are served up by a relatively small number of ad-publishing networks that reach many popular websites simultaneously, malvertising is a very efficient means of malware distribution.

This particular exploit is called “Kyle and Stan” because the malware code contains references to specific sub-domains with the URLs “” and “”

Although most malvertising exploits do not harm individual users directly, they will often make unscrupulous revenue by generating fake advertising clicks, or by redirecting users to other scam websites, or installing spyware or back-doors that are later used to hijack the users’ computers for misuse, for example as botnets. In the case of the Kyle and Stan exploits, users are redirected to websites that offer a legitimate media-player app that, when downloaded, comes bundled with a malicious browser hijacker that installs itself automatically.

Unfortunately, this new threat makes detection extra difficult by creating a unique profile for each and every installation.

In the bigger picture, the Kyle and Stan malvertising exploit may represent a new style of malware distribution that is OS-agnostic and highly efficient. We may soon see an industry call for ad publishers to more carefully scan the ads that are distributed through their networks. Our experts will monitor the progress of Kyle and Stan and will inform you as we learn more.

This post is also available in: German

Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.