Systems and methods for monitoring malicious software engaging in online advertising fraud or other form of deceit are disclosed herein. An example method for automated categorization of binary code for identifying malicious software engaging in online advertising fraud disclosed herein includes collecting data defining behavior of the binary code using sensors from a plurality of sandboxes, categorizing the binary code using a behavior signature, the behavior signature including a selector and a filter, the behavior signature defining a signature category based on actions associated with the binary code, wherein a match with the filter removes the binary code from the signature category, and wherein a match with the selector adds the binary code to the signature category, identifying the binary code as malicious software engaging in online advertising targeted behavior based on the signature category, and mimicking a communication associated with the binary code to identify a control server associated the binary code in response to identifying the binary code as malicious software.