The attackers have created so many subdomains that one may only be used once to redirect, Biasini wrote. Since malicious domains are often quickly detected and blocked by security software, rotating them helps ensure an attack will be successful.
The Angler attacks kicked off after victims viewed malicious ads, he wrote.
On Monday, Trend Micro said it discovered a new zero-day in Adobe System's Flash software after analyzing malvertisement attacks involving Angler. The malvertisement had been seen on the popular website Dailymotion.
The Flash flaw, CVE-2015-0313, is the third one found in the application in a month. Adobe plans to fix it later this week.
Sign up for Computerworld eNewsletters.