Threat actors are using manipulated search results and fake Google ads to deceive users into downloading malware instead of legitimate software such as WinSCP [1] [2] [3] [4] [5]. This ongoing activity, tracked as SEO#LURKER, involves a multi-stage attack chain [2] [3] [4] [5].
The attack begins with a malicious advertisement that sends users to a compromised WordPress website. From there, users are redirected to a phishing site controlled by the attackers [2] [3] [4]. The attackers are believed to be using Google’s Dynamic Search Ads (DSAs) to serve these malicious ads [2] [3] [4]. The ultimate goal is to trick users into downloading malware from a fake website that impersonates the legitimate WinSCP software [2] [3] [4].

The malware is delivered as a ZIP file containing a setup executable and a DLL file [2] [3] [4]. Once run, the DLL downloads and launches a legitimate WinSCP installer while running malicious Python scripts in the background [3] [4]. These scripts establish communication with a remote server controlled by the attackers to receive further instructions [3] [4].
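
The behaviour described above (an installer launched from a downloaded archive that quietly spawns a Python interpreter) is what a defender would hunt for in process-creation telemetry. The following is an added example, not code from the cited reports: a small heuristic run over constructed Sysmon-style process records. The log format, paths and PIDs are assumed for illustration.

```python
import re

# Constructed process-creation records (not real telemetry), one process per line,
# "key=value" fields separated by " | ". The chain pid 5212 -> 5244 models the
# reported behaviour: a setup.exe from a downloaded ZIP spawning pythonw.exe.
SAMPLE_LOG = r"""
pid=4100 | ppid=880  | image=C:\Windows\explorer.exe
pid=5212 | ppid=4100 | image=C:\Users\alice\Downloads\WinSCP-Setup\setup.exe
pid=5230 | ppid=5212 | image=C:\Users\alice\AppData\Local\Temp\WinSCP-Setup.exe
pid=5244 | ppid=5212 | image=C:\Users\alice\AppData\Local\Temp\py\pythonw.exe
pid=6001 | ppid=4100 | image=C:\Program Files\WinSCP\WinSCP.exe
pid=6010 | ppid=4100 | image=C:\Python311\python.exe
"""

# Installer-like binaries running from user-writable locations are the suspicious parent.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
# python.exe, pythonw.exe, python3.exe ... as the child.
PYTHON = re.compile(r"\\pythonw?\d*\.exe$", re.I)


def parse_log(text):
    """Map pid -> {ppid, image} from the key=value lines above."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.strip().split("=", 1) for kv in line.split(" | "))
        events[int(fields["pid"])] = {"ppid": int(fields["ppid"]), "image": fields["image"]}
    return events


def ancestors(events, pid):
    """Yield (pid, record) for each known ancestor, guarding against pid reuse loops."""
    seen = set()
    while pid in events and pid not in seen:
        seen.add(pid)
        pid = events[pid]["ppid"]
        if pid in events:
            yield pid, events[pid]


def find_suspicious(events):
    """Return (python_pid, installer_pid) pairs where a Python interpreter runs
    beneath a setup-style executable launched from Downloads or Temp."""
    hits = []
    for pid, ev in events.items():
        if not PYTHON.search(ev["image"]):
            continue
        for anc_pid, anc in ancestors(events, pid):
            if USER_WRITABLE.match(anc["image"]) and "setup" in anc["image"].lower():
                hits.append((pid, anc_pid))
                break
    return hits
```

A stand-alone python.exe started by Explorer (pid 6010) is not flagged; only the interpreter whose ancestry leads back to the downloaded installer is.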

The primary targets of this attack are individuals searching for WinSCP software [2] [3] [4], and the use of geoblocking on the malware-hosting site suggests that victims are primarily located in the US [2] [3] [4]. This is not the first time Google’s Dynamic Search Ads have been abused for malware distribution. In a recent campaign targeting users searching for PyCharm [4], links to a hacked website hosting a rogue installer were used to deploy information-stealing malware [4].
This attack matters to anyone seeking legitimate software like WinSCP through a search engine. To mitigate the risk, users should exercise caution when downloading software and obtain it only from trusted sources. Additionally, Google should take steps to strengthen the security of its Dynamic Search Ads to prevent further abuse for malware distribution. The geoblocking suggests the attackers are primarily targeting users in the US, but users elsewhere should remain vigilant as well.