{
	"id": "90bdb160-f483-48fa-90f2-9285e957ec53",
	"created_at": "2026-04-06T00:09:51.652123Z",
	"updated_at": "2026-04-10T03:33:56.976701Z",
	"deleted_at": null,
	"sha1_hash": "018ce9b6803c71447cfd64329db63c629ca3a048",
	"title": "News Article | A surge of malvertising across Google Ads is distributing dangerous malware | Spamhaus Technology",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 732331,
	"plain_text": "News Article | A surge of malvertising across Google Ads is distributing dangerous malware | Spamhaus Technology\r\nArchived: 2026-04-05 21:50:35 UTC\r\nResource\r\nPosted on: February 02, 2023\r\nAuthor: Sarah Miller\r\nRead time: 3 mins\r\nIntroduction\r\nThreat researchers are used to seeing a moderate flow of malvertising via Google Ads. However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malware families being utilized. This is not “the norm”. Here’s what researchers are observing and a theory (yet to be proven) on this tsunami of abuse.\r\nA ramp-up in malvertising activity\r\nSearch “google ads malvertising”, and a plethora of articles published over the past few weeks will be listed, with headlines ranging from “IcedID spreads via malvertising”, from CyberWire, to “Hackers abuse Google Ads to spread malware in legit software”, from Bleeping Computer.\r\nNumerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, and Vidar, are being delivered to victims’ machines by bad actors impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, and Thunderbird using Google Ads.\r\nhttps://www.spamhaus.com/resource-center/a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware/\r\nPage 1 of 5\r\nWhat abuse are we seeing?\r\nSpamhaus Technology’s partner abuse.ch and The Spamhaus Project are both observing a significant increase in this activity. On January 30th, abuse.ch reported on Twitter that victims were being lured with impersonator Thunderbird Google Ads, leading to spoofed pages, which, once clicked on, delivered an IcedID payload to the unwitting victim’s device.\r\nOne day later, Google Ads was being used to spread the MetaStealer trojan:\r\nOver the past 24 hours, both Mozilla Thunderbird and Microsoft Teams have been impersonated, with IcedID malware being delivered. It’s evident that despite usually focusing on malspam, the operators of IcedID have turned their attention(s) to malvertising.\r\nMeanwhile, The Spamhaus Project researchers have various intelligence relating to this spate of Google Ad malvertising, including lookalike Nvidia domains such as:\r\nSpamhaus researchers have linked fake Nvidia domains with Aurora Stealer and Vidar malware. Some of the Google Ads purposefully have typos, which we presume is to try and evade detection, for example:\r\nWhat could be causing this escalation?\r\nThe founder of abuse.ch believes, “It is likely that a threat actor has started to sell malvertising as a service on the dark web, and there is a great deal of demand.” They explained they’re observing “different infrastructure being used in these ads, spreading different malware families.” This leads to the conclusion that “ad serving” is a service that threat actors purchase.\r\nAdditionally, the research teams are simultaneously seeing two rogue ads appearing for the exact same search term but spreading different malware families – this is another pointer toward the fact that this is malvertising as a service.\r\nA plea to Google Ads\r\nThe Spamhaus Project’s domain expert, Carel Bitter, questioned why Google Ads approved adverts linking to new domains. Throughout the security industry, the immediate use of newly registered domains is associated with high-risk activity. If you take a look at the WHOIS data for one of the Nvidia lookalike domains, it was created less than a week ago:\r\nCarel acknowledges that he’s an expert on domains, not Google Ads security – we’d love to hear from you if you have detailed knowledge in this area and can help us understand why Google is allowing the use of recently registered domains.\r\nIn the meantime, we hope Google Ads can rapidly quash this wave of malicious behavior across their platform.\r\nSource: https://www.spamhaus.com/resource-center/a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.spamhaus.com/resource-center/a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware/"
	],
	"report_names": [
		"a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434191,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/018ce9b6803c71447cfd64329db63c629ca3a048.pdf",
		"text": "https://archive.orkl.eu/018ce9b6803c71447cfd64329db63c629ca3a048.txt",
		"img": "https://archive.orkl.eu/018ce9b6803c71447cfd64329db63c629ca3a048.jpg"
	}
}