Popads seems to be using a .jnlp file to make it’s actions seem more legitimate to the end user.
When loaded, this gives a nice little animated popover…while the malicious stuff is happening in the background. This is used to bypass the security warning that was introduced in JRE7u11.
There may be a misconfig on this as it created a very large number of instances of java. 🙂
Popads post updated with this “jnlp” info.