Overview
Threat actors are increasingly exploiting legitimate ad platforms such as Google Ads to launch widespread malvertising campaigns targeting both consumers and enterprise users. These campaigns cleverly mimic trusted brands such as SEMrush, Microsoft, and Chrome to distribute malware, steal credentials, and compromise systems through social engineering and drive-by download attacks.
Recent research and telemetry analysis—including data from Help AG’s own investigations—reveals a sophisticated ecosystem of phishing and malware campaigns that leverage paid search results to gain visibility, lure users to fake websites, and ultimately deliver malicious payloads. This blog explores the techniques used, the threats observed, and actionable recommendations for organizations to protect against this growing trend.
Technical Details
Threat actors behind these campaigns purchase ad placements on Google using cloned branding of popular tools such as SEMrush, RVTools, or Chrome. When users click these ads, they are redirected to phishing pages or malware delivery websites, often hosted on seemingly benign domains.
Several campaigns observed include:
1. SEMrush Impersonation
Fake ads mimicking SEMrush led users to phishing websites, prompting credential entry or triggering malware downloads. The domains looked legitimate, and some even used HTTPS to avoid suspicion.
2. RVTools and ThunderShell Payloads
An ad for RVTools, a legitimate vSphere utility, redirected users to a site delivering “ThunderShell”—a PowerShell-based RAT (Remote Access Trojan). The malware allowed attackers to execute commands, exfiltrate data, and maintain persistence.
3. Gootloader Malware
A return of the Gootloader malware was observed using Google Ads targeting users searching for legal document templates. Victims were redirected to compromised blogs with malicious scripts that downloaded malware.
4. Chrome Installer Scam with SectopRAT
A trojanized Chrome installer hosted behind fake ads deployed the SectopRAT malware, enabling remote control over the infected system and potential ransomware staging.
5. Credential Phishing for Google Accounts
A broad phishing campaign targeted Google account credentials via malicious ads that redirected users to cloned login pages. Victims were tricked into entering their login information, which was harvested in real time.
Indicators of Compromise (IOCs)
Help AG’s analysis of telemetry revealed several consistent characteristics of these campaigns:
- Referring domains tied to ad clicks contained brand typos or uncommon TLDs (.site, .click, .top).
- Campaigns spiked during early morning hours (likely to catch users before IT monitoring ramps up).
- Victims included users across UAE and GCC with keyword searches such as “SEMrush free trial,” “Chrome download,” or “legal document template.”
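To show how these traits translate into a detection rule, here is an added Python example (not Help AG's code): it scans constructed proxy log lines and flags destination hosts that use the listed TLDs, carry a brand name or one-character brand typo, or were reached in the early morning. The log format, the brand list, the official-domain allowlist and the 07:00 cutoff are assumptions.

```python
import re
from datetime import datetime

# Brands the post reports being impersonated in ad-driven redirects.
WATCHED_BRANDS = ("semrush", "rvtools", "chrome", "google", "microsoft")
# TLDs the post lists as recurring in domains tied to ad clicks.
SUSPICIOUS_TLDS = {"site", "click", "top"}
# Assumed allowlist of official registrable domains (not from the post).
OFFICIAL_DOMAINS = {"semrush.com", "google.com", "microsoft.com"}
OFF_HOURS_END = 7  # assumption: clicks before 07:00 UTC count as "early morning"

# Constructed sample log lines: "<ISO timestamp> <client IP> <destination host>".
SAMPLE_LOG = """\
2025-04-02T05:12:41Z 10.1.4.22 semrush-trial.site
2025-04-02T05:14:03Z 10.1.4.31 www.semrush.com
2025-04-02T05:15:58Z 10.1.7.10 rvtoo1s-download.click
2025-04-02T11:02:17Z 10.1.9.8 docs.example.com
2025-04-02T05:20:09Z 10.1.4.22 chrome-installer.top
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def levenshtein(a, b):
    """Edit distance, used to catch one-character brand typos such as rvtoo1s."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, ts):
    """Return the reasons a destination host matches the IOC traits above."""
    labels = host.lower().split(".")
    registrable = ".".join(labels[-2:])  # naive: ignores multi-part public suffixes
    if registrable in OFFICIAL_DOMAINS:
        return []
    reasons = []
    if labels[-1] in SUSPICIOUS_TLDS:
        reasons.append("uncommon_tld:" + labels[-1])
    for token in labels[-2].split("-"):
        hits = [b for b in WATCHED_BRANDS if levenshtein(token, b) <= 1]
        if hits:
            reasons.append("brand_lookalike:" + hits[0])
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).hour
    if reasons and hour < OFF_HOURS_END:
        reasons.append("off_hours_click")
    return reasons

def scan_log(text):
    """Yield (host, reasons) for every log line that trips at least one trait."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, _client, host = m.groups()
            reasons = classify_host(host, ts)
            if reasons:
                findings.append((host, reasons))
    return findings
```

Treat a hit as a triage signal, not a verdict: the allowlist and the 07:00 cutoff need tuning to the organization's own traffic.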
Detection and Mitigation
Help AG’s Security Operations Center (SOC) utilizes behavioral analytics, DNS monitoring, and machine learning to detect traffic anomalies associated with fake ad redirections. Furthermore, Help AG’s Threat Intelligence Platform cross-correlates suspected domains with global threat feeds to identify and block malicious domains in real time.
Recommendations
To mitigate the threat posed by malvertising:
- Implement DNS Filtering: Block access to known malicious and newly registered domains.
- Educate Users: Inform employees not to download software via search ads. Encourage use of official vendor sites.
- Use Endpoint Detection and Response (EDR): Monitor and block suspicious activity at the host level.
- Restrict Administrative Privileges: Prevent unauthorized software installations.
- Harden Browsers: Enable features like Safe Browsing and restrict automatic downloads.
Conclusion
Malvertising campaigns leveraging Google Ads represent a new frontier in social engineering and malware delivery. By blending into the advertising ecosystem, attackers can reach users with alarming precision. Organizations must adopt a proactive stance—combining threat intelligence, user education, and layered security controls—to defend against this evolving threat landscape.
Help AG continues to monitor these campaigns and works closely with regional partners and clients to mitigate emerging threats across the Middle East.
References
- Fake websites popping up in Google search ads
- Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload
- Gootloader Returns: Malware Hidden in Google Ads for Legal Documents
- Threat Analysis: Phishing Campaign Targets Google Account Credentials
- Semrush impersonation scam hits Google Ads
- SecTopRAT bundled in Chrome installer distributed via Google Ads
- Microsoft advertisers phished via malicious Google ads
- The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads