Nitrogen Malvertising Campaign Exploits Google and Bing Ads to Target Enterprise Networks

A targeted malvertising campaign called Nitrogen has been observed exploiting Google and Bing ads to infiltrate enterprise networks. This campaign primarily targets technology and non-profit organizations in North America [3], impersonating popular software to trick users into downloading trojanized installers through pay-per-click advertisements.


The Nitrogen campaign uses deceptive tactics to lure users into downloading trojanized installers. These installers create an ISO image file on the user’s computer [2], containing an apparently harmless executable file that actually loads a malicious file when executed [2]. The malware [3], known as NitrogenInstaller, installs a malicious Python package and creates a registry run key for persistence [3]. It establishes communication with the threat actor’s command and control server and launches a Meterpreter shell and Cobalt Strike Beacons [3]. The attackers aim to breach enterprise networks and carry out future ransomware attacks using tools like Cobalt Strike.

The attackers also utilize compromised WordPress sites hosting malicious ISO image files and Python scripts to deliver Cobalt Strike Beacons onto the targeted system [1]. The Python scripts establish a Meterpreter reverse TCP shell [1] [4], enabling remote code execution and the download of a Cobalt Strike Beacon [1]. The attackers may execute manual commands to retrieve additional files and Python 3 environments [3].

The goal of the Nitrogen campaign is to gain initial access to corporate networks for data theft and ransomware deployment [3]. It is important to note that the cybercriminals behind Nitrogen may employ other tools as well [2]. This campaign is part of a larger trend where cybercriminals are increasingly using paid advertisements in search engine results to spread malware.


The Nitrogen campaign highlights the growing threat of malvertising and the need for proactive security strategies. Cybercriminals are using paid advertisements to distribute malware and gain access to corporate networks. It is crucial for users to avoid clicking on promoted search results and only download software from official developer sites [3]. Additionally, organizations should consider implementing SaaS Security Posture Management and staying vigilant against insider threats. The use of tools like Cobalt Strike underscores the need for robust cybersecurity measures to protect against data theft and ransomware attacks.