Google Search Ads for VLC and 7-Zip malware are used by hackers to push malware.

To promote malware downloads, hackers are creating fake websites to distribute open-source and free software through Google Search results.

One prominent cryptocurrency user has been victim of the hacker-hacker campaign. They claim that they were able to steal their entire digital assets and also take control over their personal accounts.

Alex, a crypto-influencer better known online as was hacked over the weekend after they launched a fake executable to the Open Broadcaster Software OBS (Open Broadcaster Software) for live streaming and video recording. They had obtained the executable from a Google search result.

Google search ad for malicious OBS Studio download


Alex posted a tweet recounting the experience of the weekend, “Nothing happened after I clicked on the EXE.” Friends alerted them a few hours later that their Twitter account was hacked.

Alex did not know that this malware was information-stealing and stole their browser passwords, cookies and Discord tokens. It also sent the wallets to remote attackers.

Alex discovered that the OpenSea NFT Marketplace account had been compromised, and another wallet listed the identity of the digital asset.

It was gone. Everything. Everything.

Alex soon discovered their Substack wallet, Gmail and Discord suffered the exact same fate, which was also controlled by hackers.

The online accounts of NFT God, a crypto influencer, were hacked


This is an old tactic, but threat actors seem to be using it more frequently. last October on a large campaign using more than 200 typosquatting domains to mislead customers.

Although the distribution method of the malware was not known at the time, separate reports from Trend Micro and Guardio in December by cybersecurity firms Trend Micro or Guardio showed that hackers had in order to distribute malicious files in search results.

Google Search Results: A flood of malign ads

BleepingComputer did its own research following NFT God’s thread and discovered that OBS was one of many software threats actors use to impersonate other threat actors in order to push malware downloads into Google Ads search results.

We found one example in a Google Ad Search result for Rufus. This is a free tool that creates bootable USB flash drives.

A threat actor created domains that look similar to the official site and then copied all of its main content, including the downloading section.

They used “pro” as their top-level domain in one instance, likely to attract victims and pique interest with promises of more program features.

Malicious Rufus download pushed via ads in Google search results

source: BleepingComputer

It is important to note that Rufus does not have an advanced version. Only one version of Rufus is available in , an executable and portable version . It can be found on GitHub .

The malicious download is sent to a file transfer company. Many antivirus engines because it is an archive bomb.

The text editor Notepad++, which is also used to generate source code and edit the source code of popular programs was impersonated. To create an identical domain to that of the official developer, the threat actor used typosquatting.

Ad in Google Search for malicious Notepad++ download

source: BleepingComputer

Will Dormann, a security researcher, discovered that Notepad++ fake downloads were possible from other URLs. All files had been marked malicious by antivirus engines using the Virus Total scanning platform.

Malicious Notepad++ ad in Google search results


BleepingComputer found another website that contained fake software downloads. It was distributed only via Google Ads results. This website appears to impersonate Zensoft Tech, a legit web design firm in India.

We couldn’t verify whether the downloaded files were malicious, but the URL is typosquatted. The site prevents search engines from indexing the content, and promotes the downloads through search results only. This is an indication that there has been malicious activity.

We found several pieces of software on the site, including WinRAR and 7-ZIP file compression utility. Also included was the popular media player VLC.

Downloads of WinRAR and 7-ZIP that are malicious in Sponsored Ads on Google Search

Source: BleepingComputer

Threat actors obtained a malicious version from a different domain of the CCleaner utility to remove potentially unwanted files as well as invalid Windows Registry entries.

The hackers appear to have tried to outbid legitimate developers and placed their ads at the top. The malicious advertisement displays the official CCleaner website as shown in the below image. The site provided a zip file which information-stealing spyware.

CCleaner malicious download pushed via Google ads

source: BleepingComputer

Multiple security researchers, MalwareHunterTeam and have discovered additional URLs that hosted malicious software impersonating open-source or free software. This confirms the more widespread use of sponsored search results in Google searches by cybercriminals.

CronUp, a cybersecurity firm, provides an who are spreading malware via Google Ads results. They impersonate legitimate software.

These websites look identical to the official sites and offer fake software, or redirect you to another location. Some offer Audacity, while others have VLC or GIMP image editors.

A user nearly fell for this trick while trying to obtain Blender 3D, an open-source 3D design suite. MalwareHunterTeam that there were three fake ads for the product before the official link.

Malicious Blender 3D downloads take top ad spot in Google search results


Will Dormann, security researcher at Bitdefender noticed in one of the malicious samples that was flagged by AV software that it contained an .

BleepingComputer was unable to verify that the malware had been delivered in every case, but in certain cases we were able to identify the RedLine Stealer in the fake CCleaner website.

This malware steals data from your browser (credentials and credit cards, autocomplete information), system details (usernames, locations, security software, available), as well as sensitive data (credit card numbers, credit card number, autocomplete information).

Fernandez discovered that one threat actor had distributed SectoRAT (a.NET-based remote attack trojan), via fake Audacity downloads.

Another Vidar information-stealer was also discovered by the researcher via malign downloads of Blender 3D. This advertisement appeared in Google Search. Vidar is a browser hijacker that collects sensitive information and may also be able to steal cryptocurrency wallets.

Researchers at HP Wolf Security published this article and released an on similar campaigns. They noted that the original one they had analyzed was from November 2022.

They found malware delivered via fake software malvertising, including the IcedID trojan and Vidar as well as Rhadamanthys Stealer, BatLoader, Vidar, Vidar, Rhadamanthys Stealer, and the IcedID trojan.

BleepingComputer, as well as other security experts have observed malicious advertisements in Google Search Results for this software.

  • 7-Zip
  • Blender 3D
  • Capcut
  • CCleaner
  • Notepad++
  • OBS
  • Rufus
  • VirtualBox
  • VLC Media Player
  • WinRAR
  • Putty

BleepingComputer shared these results with Google. A representative from the company told us that Google’s policies were designed to protect brands against impersonation.

We have strong policies that prohibit ads which . These include disguised identities and impersonation of other brands. “We reviewed these ads and removed them.” – Google

Google stated that it was reviewing the reports and looking into whether additional sites or advertisements were reported as violating their policies. If necessary, they would also take corrective action. Google has now completed the process and taken down malicious advertisements.

Protection could be increased by using Ad-blockers

The FBI has flagged the use of sponsored advertisements in search results to deliver malware channels in an issued last Christmas.

According to the agency, these advertisements are placed at the top search results pages with minimal distinction between advertisement and actual search results. They link to websites that look identical to impersonated businesses’ official website.

Cybercriminals are more likely to spread their malware among a wider audience.

It is always a good idea to check the URL of any download source. This combination with an ad blocker should make it much easier to protect yourself from this kind of threat.

Extensions for most web browsers are available that block ads from loading and being displayed on web pages, search results included.

Ad-blockers not only make the internet more convenient, but they also increase privacy. They prevent tracking cookies from being placed on advertisements that collect data about browsing patterns.

However, in this instance, extensions can make the difference between losing your online account or sensitive data and getting digital resources directly from authorized vendors.

Edit [January 18, 2023] – This article was updated to reflect the fact that Google had reviewed other malicious ads and decided not to publish them. Initialy, only a small number of malicious advertisements were reported to Google and they removed them from their platform.

New details added by HP Wolf Security Research, which found other malware that was distributed through false software advertisements since November 2022.