I should have thought of this.
Instead of just feeding malicious software into genuine advertising agencies, how about setting up your own malicious agency? And if not one, how about 28? And that's exactly what happened.
So you set up 28 fake ad agencies - that's easy enough, it just takes a bunch of web sites and some fake profiles on LinkedIn. Then those agencies contact web sites and offer money for ads on genuine web sites. And although they promise to pay, they don't actually have to pay for those ads - this is a criminal enterprise.
So unsuspecting users are deluged with malvertising from malagencies. Here are the details.
That's why I block advertising. Not because it's annoying and intrusive, but because some of it is actually malicious.