ALPHV/BlackCat [1] [2] [3] [4] [5] [6], a cybergang associated with the ransomware cartel, has expanded its attack methods to include malvertising [2] [3] [4]. This new tactic highlights the growing threat of browser-based cyber attacks.


According to researchers at eSentire's Threat Response Unit (TRU) [4], ALPHV/BlackCat has been using Google search ads to distribute ransomware [5]. The ads promote popular software and direct professionals to attacker-controlled websites [2] [3] [4], where the victims unknowingly install the Nitrogen malware [2] [3] [4]. Nitrogen is a Python-based malware payload that gives intruders access to the target organization's IT environment.

To address this rising threat, user awareness training should go beyond email attachments and include the risk of browser-based downloads [3]. Organizations are advised to focus on endpoint monitoring [2] [3] [4], capture and monitor logs for systems that do not support endpoint monitoring [2] [3] [4], and implement attack surface reduction rules to mitigate browser-based attacks [2] [3] [4].
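One way to apply the log-monitoring advice above, as an added example that is not from eSentire or the original page: it walks process ancestry in process-creation events and flags binaries run from a user's Downloads folder, raising severity when a Python interpreter appears beneath one. The event fields, the Downloads location, the interpreter names and the sample events are all assumptions constructed for illustration, and PID reuse is ignored.

```python
from pathlib import PureWindowsPath

PYTHON_NAMES = {"python.exe", "pythonw.exe"}  # assumed interpreter names

# Constructed process-creation events (pid, parent pid, image path); not real telemetry.
EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 510, "ppid": 400, "image": r"C:\Users\alice\Downloads\ExampleTool-Setup.exe"},
    {"pid": 622, "ppid": 510, "image": r"C:\Users\alice\AppData\Local\Temp\pkg\pythonw.exe"},
    {"pid": 700, "ppid": 400, "image": r"C:\Program Files\Python312\python.exe"},
    {"pid": 810, "ppid": 400, "image": r"C:\Users\bob\Downloads\viewer.exe"},
]

def from_downloads(image):
    """True if the image sits under a user's Downloads folder (assumed browser default)."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return "users" in parts and "downloads" in parts

def triage(events):
    """Return (severity, pid, root_pid) for processes descended from a downloaded binary."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        # Walk the ancestry of this process, guarding against loops in bad data.
        chain, cur, seen = [], e, set()
        while cur is not None and cur["pid"] not in seen:
            seen.add(cur["pid"])
            chain.append(cur)
            cur = by_pid.get(cur["ppid"])
        # Nearest process in the chain (self first) that was run from Downloads.
        root = next((c for c in chain if from_downloads(c["image"])), None)
        if root is None:
            continue  # nothing in the chain came from Downloads
        name = PureWindowsPath(e["image"]).name.lower()
        if e is root:
            findings.append(("review", e["pid"], root["pid"]))
        elif name in PYTHON_NAMES:
            findings.append(("high", e["pid"], root["pid"]))
    return findings

if __name__ == "__main__":
    for severity, pid, root_pid in triage(EVENTS):
        print(f"{severity:6} pid={pid} downloaded-root pid={root_pid}")
```

The interpreter installed under Program Files and launched directly by the user is not flagged, because nothing in its ancestry ran from Downloads.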

The ALPHV/BlackCat group’s criminal origins and connections to former ransomware groups and recent high-profile attacks underscore the need for enhanced cybersecurity measures [3]. The use of Google Ads by the group serves as a reminder of the ever-evolving nature of cyber threats and the necessity for organizations to continually adapt and enhance their cybersecurity measures to stay ahead of malicious actors.


The expansion of ALPHV/BlackCat’s attack methods to include malvertising has significant implications for organizations. It highlights the need for user awareness training to cover browser-based downloads and emphasizes the importance of endpoint monitoring and attack surface reduction. The group’s criminal connections and use of Google Ads underscore the urgency for enhanced cybersecurity measures. Organizations must continually adapt and enhance their cybersecurity measures to stay ahead of evolving cyber threats [3].