{
	"id": "df18fdbf-6b2f-477e-aa88-8d82de4b90f7",
	"created_at": "2026-04-06T00:12:13.291279Z",
	"updated_at": "2026-04-10T03:21:01.471508Z",
	"deleted_at": null,
	"sha1_hash": "31d5702283209eecb4ad370835c95e615b31d1c5",
	"title": "Malicious ad distributes SocGholish malware to Kaiser Permanente employees",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1016628,
	"plain_text": "Malicious ad distributes SocGholish malware to Kaiser Permanente employees\r\nBy Jérôme Segura\r\nPublished: 2024-12-16 · Archived: 2026-04-05 13:42:36 UTC\r\nOn December 15, we detected a malicious campaign targeting Kaiser Permanente employees via Google Search Ads. The fraudulent ad masquerades as the health care company’s HR portal, which employees use to check benefits, download paystubs and handle other corporate tasks.\r\nWe believe the threat actors’ intent was to phish KP employees for their login credentials, but something unexpected happened. Instead, victims who clicked on the ad were redirected to a compromised website that prompted them to update their browser.\r\nThis notification is part of a malware campaign known as SocGholish that tricks users into running a script supposedly meant to update their browser. Instead, it infects the machine, and if the victim is deemed important enough, a human operator gains access in order to carry out further malicious actions.\r\nIn this blog post, we review how this attack unfolds and why a compromised website derailed the attackers’ plan. We have already reported the malicious ad to Google.\r\nMalicious Kaiser Permanente ad\r\nSeveral criminal gangs are currently abusing Google Ads to phish employees of various large companies. They prey on employees simply googling for their HR portal so that they can display a malicious ad to lure them in.\r\nCase in point, when searching for Kaiser Permanente’s HR portal, we saw the following ad:\r\nWe were able to identify the advertiser, who registered a fake account under the name ‘Heather Black’. This ad was only shown for U.S.-based searches, as can be seen in the Google Ads Transparency Center report:\r\nhttps://www.malwarebytes.com/blog/news/2024/12/malicious-ad-distributes-socgholish-malware-to-kaiser-permanente-employees\r\nPage 1 of 7\r\nFormer company’s website hijacked for phishing\r\nThe display URL shown in the ad (https://www.bellonasoftware[.]com) does not look associated with Kaiser Permanente. According to LinkedIn, Bellona Software was a company based in Romania. We can see what their website looked like in 2021, using the Internet Archive:\r\nMore recently, this same website was taken over by criminals who transformed it into a phishing page for Kaiser Permanente:\r\nMalicious redirect to SocGholish\r\nIt looks like there was more than one cook in the kitchen, as malicious code had also been injected into the core JavaScript libraries of that website, as confirmed by a scan with Sucuri’s SiteCheck:\r\nWhen potential victims clicked on the ad, they landed on that compromised website, which in turn displayed the phishing template only briefly, until the first mouse scroll or click. Then a new screen appeared with what looks like a Google Chrome notification claiming the user’s browser is out of date:\r\nThis screen is the lure used by SocGholish, a long-running malware campaign that compromises vulnerable websites indiscriminately. When a user executes the downloaded Update.js file, they are in fact running a malicious script that collects some of their computer’s information and relays it to the criminals. After this fingerprinting takes place, additional tooling such as Cobalt Strike may be downloaded, preparing the ground for a hands-on-keyboard attack.\r\nTo the best of our knowledge, the phishing campaign has nothing to do with SocGholish, and we assume that the original threat actors did not anticipate that the website they took over would itself be compromised. As for the gang behind SocGholish, the victims would arrive from a Google search, something they usually check for via the HTTP Referer header.\r\nProtecting against web threats\r\nFor victims, neither the phishing scheme nor the malware is a happy outcome. While initially targeted because of what they searched for, they fell into the hands of a different criminal syndicate.\r\nSuch is the reality of web threats. This is a dynamic and ever-changing landscape with a number of malicious players trying to lure users in their own way.\r\nOnline ads, and in particular search ads, continue to be a threat. As we have shown many times on this blog, any brand is at risk of being impersonated. Unfortunately, this trend has continued unabated throughout 2024.\r\nAt the same time, ‘old’ malware campaigns like SocGholish remain a risk because of a never-ending supply of outdated websites ready to be compromised and used as a springboard for malware delivery.\r\nWhen searching online, we urge you to use extreme caution with any sponsored results and, if possible, add protection to your browsing with tools like Malwarebytes Browser Guard.\r\nWe reported the malicious ad to Google and will update this blog if we hear anything back.\r\nIndicators of Compromise\r\nPhishing site\r\nbellonasoftware[.]com\r\nSocGholish infrastructure\r\npremium[.]davidabostic[.]com\r\nriders[.]50kfor50years[.]com\r\nSource: https://www.malwarebytes.com/blog/news/2024/12/malicious-ad-distributes-socgholish-malware-to-kaiser-permanente-employees",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2024/12/malicious-ad-distributes-socgholish-malware-to-kaiser-permanente-employees"
	],
	"report_names": [
		"malicious-ad-distributes-socgholish-malware-to-kaiser-permanente-employees"
	],
	"threat_actors": [],
	"ts_created_at": 1775434333,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/31d5702283209eecb4ad370835c95e615b31d1c5.pdf",
		"text": "https://archive.orkl.eu/31d5702283209eecb4ad370835c95e615b31d1c5.txt",
		"img": "https://archive.orkl.eu/31d5702283209eecb4ad370835c95e615b31d1c5.jpg"
	}
}