A malvertising campaign has been discovered that targets users searching for popular software through Google Ads. This campaign is unique in its ability to fingerprint users and distribute time-sensitive payloads. It overlaps with another campaign that targets users searching for the KeePass password manager. These attacks exploit end user trust and can be initiated through various means.
The malvertising campaign utilizes Google Ads to redirect users searching for software like Notepad++ and PDF converters to fake landing pages. These pages fingerprint users’ systems to determine if they are using a virtual machine. If the security check fails, users are redirected to the legitimate software website. The final-stage malware establishes a connection to a remote domain and serves additional malware through an HTA payload. The campaign also targets users searching for the KeePass password manager, using deceptive domain names created with Punycode. Clicking on the ad redirects users to a decoy site where they are tricked into downloading a malicious installer. Multiple threat actors have been observed using fake browser updates to distribute Cobalt Strike, stealers, and remote access trojans.
These malvertising campaigns highlight the ongoing and evolving threat of malicious advertising. The attackers are successfully bypassing ad verification checks and targeting specific victims. To mitigate these attacks, users should exercise caution when clicking on ads and ensure they are downloading software from legitimate sources. Additionally, organizations should implement robust security measures to detect and prevent malvertising campaigns. The use of deceptive domain names and fake browser updates further emphasizes the need for increased awareness and vigilance in online activities.