"Clients visiting yahoo.com received advertisements served by ads.yahoo.com," Fox-IT said in a blog post. "Some of the advertisements are malicious."
Tens of thousands of users were affected per hour, CNN reported.
"Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France. At this time it's unclear why those countries are most affected," Fox-IT said.
It is unclear who was behind the attack, which appeared to be financially motivated.
The first sign of the attack was Dec. 30.
Yahoo said in a statement that it is aware of the problem.
"At Yahoo, we take the safety and privacy of our users seriously," the statement reads. "We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity."