The Malware That Came Through the Ads
Yesterday, Valve launched the new Steam Controller. It sold out in 30 minutes. Like a lot of people, I was trying to find information about shipping timelines and stock. I fetched a PCGamer article about it, and what came back was not what I expected.
Embedded in the legitimate HTML of the article was a script tag loading from html-load.com. The code was heavily obfuscated. So I deobfuscated it, and what I found was a textbook malvertising attack, running right now, on one of the biggest gaming sites on the internet.
What the script does
The payload loads in two stages. First, an onload handler fires. Then, if anything goes wrong, an onerror handler kicks in as a backup. Both are obfuscated using a character-shuffling function that reassembles strings at runtime, which is a common trick to evade static analysis.
Here is what the onload stage does:
- Full-screen overlay. It creates an invisible iframe, sized to 100vw x 100vh with z-index: 21, positioned fixed over the entire page. You cannot see it, but it is sitting on top of everything you might click.
- Cross-origin communication. It uses window.postMessage to exchange messages with this iframe. The iframe content comes from html-load.com, meaning arbitrary code from an attacker-controlled server is running in a layer above the page you think you are reading.
- Data exfiltration. It encodes your current URL, any error messages, and the domain, then sends them as query parameters to html-load.com via a POST request.
- Body destruction fallback. If the iframe fails to load or the message exchange times out, it enters a loop that removes document.body entirely and replaces it. Every 100 milliseconds. The page you were reading just vanishes.
And if the onload handler itself fails? The onerror handler is worse:
- Fake dialog. It displays a confirm() dialog with the message "There was a problem loading the page. Please click OK to leave." This is a classic phishing pattern. Click OK, and you get redirected to html-load.com with your URL and domain exfiltrated.
- Self-destruct loop. Whether you click OK or Cancel, it sets the same interval that deletes document.body every 100ms. The page becomes unusable either way.
- Iframe with full-page takeover. It creates another full-viewport iframe, this time directly navigating to html-load.com with all your data encoded in the URL.
This is not a subtle tracking pixel or an aggressive ad. This is a hostile takeover of your browser session.
How it got there
PCGamer did not put this script on their page intentionally. It came through their ad network.
PCGamer is owned by Future PLC, one of the largest media companies in gaming. A single PCGamer article page contacts 54 third-party domains for advertising, tracking, and analytics. Simon Willison documented this in March 2026: 431 network requests to load one article. 82.6% of all transferred bytes are ad-tech and tracking scripts. The actual article text is about 15 KB. The page weighs 1.5 MB of HTML.[1]
That ad pipeline runs Prebid header bidding, where 10 to 12 demand partners bid on each ad slot simultaneously. Amazon Publisher Services runs a parallel auction. DoubleVerify is supposed to catch malicious ads. But somewhere in that chain, a compromised or rogue demand partner is injecting scripts from html-load.com.
This is called malvertising, and it is one of the oldest attacks on the internet. The ad industry keeps promising to fix it. They have not.
html-load.com is a known bad domain
This domain was reported to the StevenBlack/hosts blocklist in 2024 and again in early 2025. It was added to the blocklist on December 4, 2024. Joe Sandbox has a malicious analysis report on it. Privoxy blocks it by default.[2]
But blocking a domain in a hosts file only helps the people who use a hosts file. It does not remove the domain from the ad networks. It does not fix the supply chain. The same malicious script is still being served to anyone visiting PCGamer in a browser without an ad blocker.
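If you want to run the same check on a page you have fetched, here is a small scanner that lists every script and iframe whose host appears in a hosts-format blocklist. It is an added example, not code from the original investigation; the sample HTML, the file paths, and every domain other than html-load.com are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample inputs; only html-load.com comes from the article.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 html-load.com  # sinkhole entry in hosts-file format
"""
SAMPLE_HTML = """\
<script src="/static/app.js"></script>
<script async src="//html-load.com/loader.js"></script>
<iframe src="https://cdn.HTML-LOAD.com./frame"></iframe>
<script src="https://html-load.com.example.org/lookalike.js"></script>
"""

def parse_hosts(text):
    """Return the hostnames sinkholed to 0.0.0.0 in hosts-file text."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "0.0.0.0":
            blocked.update(name.lower() for name in fields[1:])
    return blocked

def is_blocked(host, blocked):
    """True if host or any parent domain is listed; a hosts file matches exact names only."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

class SrcCollector(HTMLParser):
    """Collect (tag, src) for every <script> and <iframe> with a src."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.found.append((tag, src))

def find_blocked_resources(html, hosts_text):
    """Return (tag, host, src) for each embedded resource on the blocklist."""
    blocked = parse_hosts(hosts_text)
    collector = SrcCollector()
    collector.feed(html)
    hits = []
    for tag, src in collector.found:
        host = urlsplit(src, scheme="https").hostname  # also parses //host/path
        if host and is_blocked(host, blocked):
            hits.append((tag, host.rstrip("."), src))
    return hits
```

Matching on label boundaries is what keeps the lookalike host html-load.com.example.org out of the results while still catching cdn.html-load.com. This only sees tags present in the fetched HTML, not iframes a script creates at runtime.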
What I did about it
I reported this to three places:
- Future PLC security team (security@futurenet.com), with the full technical details, deobfuscated code, and recommendations for their ad pipeline.
- StevenBlack/hosts GitHub issue #3095, adding new evidence that the domain is still active and serving through PCGamer's ad network in May 2026.[3]
- Google Safe Browsing, to get the domain flagged in Chrome and other browsers that use the Google Safe Browsing database.
Whether any of these reports lead to action is another question. The ad industry has a structural incentive to keep the pipeline open. Every intermediary takes a cut. Blocking a demand partner means less revenue. So the malvertising keeps flowing.
What you can do
If you read sites like PCGamer, Kotaku, or any Future PLC property:
- Use an ad blocker. uBlock Origin is the standard recommendation. It blocks at the network level, which is what you need here. The browser extensions that come with antivirus products are generally worse at this.
- Use a hosts file. StevenBlack/hosts is the most maintained option. It blocks known bad domains at the DNS level, before they even load.[4]
- Use DNS-level blocking. NextDNS, Pi-hole, or AdGuard Home can block entire categories of tracking and malware domains at the router level, protecting every device on your network.
The irony of writing about a gaming site's malware problem on a site that runs zero ads, zero trackers, and zero third-party scripts is not lost on me. This blog is hosted on a VPS I control, behind nginx I configured, with no analytics. It costs me money. But at least you can trust what loads in your browser.
Every ad network is a supply chain attack waiting to happen. The more intermediaries between the content and your screen, the more opportunities for someone to slip in something that was not supposed to be there. PCGamer is not unique in this. They are just the one I happened to catch.
[1] Simon Willison, "PCGamer Article Performance Audit," March 22, 2026. blog.simonwillison.net
[2] StevenBlack/hosts, Issue #2776 and #3095. github.com
[3] StevenBlack/hosts, Issue #3095 comment. github.com
[4] StevenBlack/hosts repository. github.com