Redditor RawPacket writes[1] that it's probably an IDN homograph attack[2]:
the g, i, m, or p are replaced with characters from a different character set. Looks right, but the domain is registered with a different character.
Example: * gіmp.com is fake. * gimp.com is real.
They look the same, don't they? But if you click on the fake gіmp.com, your browser will take you to the domain xn--gmp-jhd.com as it is using the і from the Cyrillic character set.
For a moment I was thinking "But then the second screenshot would read "xn--gmp-jhd.com", not "gilimp.org" -- but that would be easily hidden by making the former immediately redirect to the latter.
(Mostly I mention this because someone else might be thinking at as well.)
That's a good theory, but I don't think it's what happened here. The ads are gone for me now so I can't verify, but when I did get the ad I checked the network monitor and I'm pretty sure there were no redirects via lookalike domains. Also, I'm pretty sure I copy and pasted the display URL and it was plain ASCII.
Modern browsers won't show those characters in the address bar, exactly to avoid this issue. Which is maybe why the ad points to gilimp.org instead of the gimp.org lookalike.
[2] https://en.wikipedia.org/wiki/IDN_homograph_attack