[GeoEdge Security Research Lab Update | December 22, 2025]
GeoEdge security researchers have recently identified and blocked a new malicious advertising campaign, dubbed LANJack, that represents a new evolution in malvertising abuse targeting mobile users.
Unlike the vast majority of malvertising activity, which relies on redirects to external landing pages that promote scams, phishing, or fraudulent offers, LANJack delivers a real, active attack directly from the browser. Both the malicious ad itself and the post-click landing page attempt to interact with the user’s local network environment.
This goes far beyond passive redirection or social engineering. At the core of this activity is DNS rebinding, a technique that allows a malicious site to bypass browser network isolation by dynamically re-resolving a domain to internal or local IP addresses. As a result, the attacker can probe and interact with devices that are normally inaccessible from the public internet.
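From the defender's side, this re-resolution is visible in resolver logs as one name answering with a public address and then an internal one for the same client. The sketch below is an added example, not GeoEdge's code or data: the log tuple layout, the 300-second window, the `home.example` local zone and all sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 300  # assumed correlation window; tune to your resolver logging

# Explicit ranges: ipaddress.is_private also matches documentation nets, so avoid it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample log: (epoch_seconds, client, queried_name, answer_ip, ttl)
SAMPLE_LOG = [
    (1000, "10.0.0.23", "cdn.example.net", "93.184.216.34", 3600),
    (1005, "10.0.0.23", "ads.rebind-test.example", "203.0.113.50", 1),
    (1009, "10.0.0.23", "ads.rebind-test.example", "192.168.1.1", 1),
    (1010, "10.0.0.41", "nas.home.example", "192.168.1.20", 300),
]

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.1) before the range check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)

def find_rebinding(log, window=WINDOW_SECONDS):
    """Return sorted (client, name) pairs where one name answered with both an
    external and an internal address for the same client within `window` seconds."""
    seen = defaultdict(list)  # (client, name) -> [(timestamp, is_internal)]
    for ts, client, name, ip, _ttl in log:
        seen[(client, name.lower().rstrip("."))].append((ts, is_internal(ip)))
    hits = set()
    for key, answers in seen.items():
        external = [ts for ts, internal in answers if not internal]
        internal = [ts for ts, internal in answers if internal]
        if any(abs(a - b) <= window for a in external for b in internal):
            hits.add(key)
    return sorted(hits)

def should_drop_answer(name, ip, local_suffixes=("home.example",)):
    """Resolver-side policy: refuse internal addresses for names outside local zones."""
    name = name.lower().rstrip(".")
    local = any(name == s or name.endswith("." + s) for s in local_suffixes)
    return is_internal(ip) and not local

if __name__ == "__main__":
    for client, name in find_rebinding(SAMPLE_LOG):
        print(f"possible DNS rebinding: client={client} name={name}")
```

The same policy as `should_drop_answer` is what rebind protection on a recursive resolver enforces; the log correlation is for networks where that filter cannot be turned on.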
As part of the attack flow, LANJack attempts to collect information from victims’ local networks and target routers, IP cameras, and other IoT devices. Notably, the activity does not require malware installation or explicit user interaction beyond ad exposure. To increase credibility and reach, the attackers also gained control of a domain previously associated with a well-known telecommunications company. This allowed the malicious traffic to appear legitimate and blend into normal browsing behavior.
GeoEdge has been actively blocking this campaign across its customer base and continues to investigate the full attack chain, infrastructure, and delivery mechanisms.
Stay tuned for a full technical deep dive into the LANJack attack.
For immediate support, contact: https://www.geoedge.com/contact-us/