{
	"id": "a5e6eb44-057f-4c5c-8054-76f372b17901",
	"created_at": "2026-04-06T00:17:44.277906Z",
	"updated_at": "2026-04-10T13:12:50.882164Z",
	"deleted_at": null,
	"sha1_hash": "4048dc7e4551531efc07f17788521bf64413e3f1",
	"title": "Google ads lead to fake software pages pushing IcedID (Bokbot)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1353953,
	"plain_text": "Google ads lead to fake software pages pushing IcedID (Bokbot)\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-02 11:53:37 UTC\r\nIntroduction\r\nFake sites for popular software have occasionally been used by cyber criminal groups to push malware.  Campaigns pushing\r\nIcedID malware (also known as Bokbot) also use this method as a distribution technique (we also commonly see IcedID sent\r\nthrough email).\r\nThis week, a new round of reports appeared about Google Ads leading to new sites pushing IcedID.\r\nhttps://infosec.exchange/@bencrypted/109508166164779496\r\nhttps://infosec.exchange/@th3_protoCOL/109513090531163473\r\nBased on these reports, on Wednesday 2022-12-14, I fired up my lab environment and did a Google search for AnyDesk and\r\ngot a Google ad as my top result.  Although the Google ad showed a legitimate AnyDesk URL, it led to a fake site after I\r\nclicked the ad.\r\nToday's diary reviews my IcedID infection from this fake AnyDesk site.\r\nDetails\r\nShown above:  Search results when I did a quick Google search for AnyDesk.\r\nSearch Engine Optimization (SEO) is a technique that websites use to increase their visibility for search engines like\r\nGoogle.  Cyber criminals also buy search ads keyed to specific software names, so that the paid result at the top of the page,\r\nwhich can display the vendor's genuine URL, redirects users to fake software sites.  Abuse of paid ads is strictly malvertising rather\r\nthan manipulation of organic search rankings, but the two are often lumped together.  I've heard this technique referred to as \"SEO poisoning.\"\r\nThe above image shows the top search results after I typed anydesk into Google search.  
The top result is a Google ad for\r\nAnyDesk, which shows a legitimate URL for the official AnyDesk site.\r\nI clicked on the ad, and it generated the following Google Ad Services URL:\r\nhxxps://www.googleadservices[.]com/pagead/aclk?sa=L\u0026ai=DChcSEwjh1bP_3_n7AhXbFdQBHdF9AqwYABAAGgJvYQ\u0026ohost=www.google.com\u0026cid=CAASJeRovgWCSOUdKVM_De2wE7MnzlxJnLks\u0026sig=AOD64_3NZNQWkb8O_B18hKIs9Q3klfDfBw\u0026q\u0026adurl\u0026ved=2ahUKEwjHl6v_3_n7AhVrkmoFHdIpAG4Q0Qx6BAgDEAE\u0026nis=8\r\nThat generated the following URL:\r\nhxxps://clickserve.dartsearch[.]net/link/click?\u0026ds_dest_url=https://oferialerkal[.]online/81HqPxz2?https://anydesk.com/en/features/unattended-access\u0026id=4\u0026gclid=EAIaIQobChMI4dWz_9_5-wIV2xXUAR3RfQKsEAAYASAAEgLqA_D_BwE\r\nThis led to a URL from a malicious traffic distribution system (TDS) domain oferialerkal[.]online.  Note that the genuine anydesk.com URL\r\nappears only as the query string of the ds_dest_url value; the host that actually receives the click is oferialerkal[.]online.  These malicious TDS\r\ndomains frequently change multiple times each day.  The above URL generated HTTPS traffic to oferialerkal[.]online,\r\nwhich then led to the following fake AnyDesk URL:\r\nhxxps://wwwanydesk[.]top/en/downloads/windows\r\nhttps://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344\r\nPage 1 of 5\n\nThis is a fake AnyDesk page, with a button to download a malicious zip archive hosted on a Google Firebase Storage URL\r\nat:\r\nhxxps://firebasestorage.googleapis[.]com/v0/b/our-audio-370812.appspot.com/o/wnitFn4RCG%2FSetup_Win_14-12-2022_18-36-29.zip?alt=media\u0026token=3ef517f1-eb72-46bc-ac4b-3fb41f92d373\r\nBecause the payload is served from a Google-owned domain over HTTPS, blocking on the reputation of the download host alone is not reliable;\r\nthe fake site and the TDS domain are the better places to block.\r\nAs I wrote this diary, the above URL still worked, and it delivered the malicious zip archive.\r\nShown above:  Fake AnyDesk site delivering the malicious zip archive.\r\nThe zip archive contained a Microsoft Installer (.msi) file.
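The click chain above can be decoded without contacting any of the hosts in it. The Python below is an example added to this page, not code from the diary or from SANS: it parses the clickserve.dartsearch[.]net URL quoted above, pulls the real landing host out of its ds_dest_url parameter, shows that the genuine anydesk.com URL survives only as the query string of that landing URL, and checks whether a host is a brand lookalike such as wwwanydesk[.]top. The constants AD_CLICK, FAKE_SITE and DISPLAYED are built from the URLs in this diary; the brand_domain default and the function names are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed from the click chain quoted in the diary, defanged the same way.
AD_CLICK = ('hxxps://clickserve.dartsearch[.]net/link/click?&ds_dest_url='
            'https://oferialerkal[.]online/81HqPxz2?'
            'https://anydesk.com/en/features/unattended-access'
            '&id=4&gclid=EAIaIQobChMI4dWz_9_5-wIV2xXUAR3RfQKsEAAYASAAEgLqA_D_BwE')
FAKE_SITE = 'hxxps://wwwanydesk[.]top/en/downloads/windows'
DISPLAYED = 'https://anydesk.com'   # the URL the ad showed before it was clicked


def refang(indicator: str) -> str:
    '''Turn the defanged notation used in the diary (hxxp, [.]) back into a real URL.'''
    return indicator.replace('hxxp', 'http').replace('[.]', '.')


def host_of(url: str) -> str:
    '''Lower-cased hostname with a leading www. removed, for comparisons.'''
    host = (urlsplit(refang(url)).hostname or '').lower()
    return host[4:] if host.startswith('www.') else host


def unwrap_click(url: str) -> dict:
    '''Decode an ad click-tracker URL offline: the landing host is whatever ds_dest_url
    points at, and in this campaign the genuine vendor URL rides along as the query
    string of that destination URL, which is what makes the chain look legitimate.'''
    parts = urlsplit(refang(url))
    dest = parse_qs(parts.query).get('ds_dest_url', [''])[0]
    dparts = urlsplit(dest)
    decoy = dparts.query if dparts.query.startswith(('http://', 'https://')) else ''
    return {'click_host': parts.hostname, 'dest_host': dparts.hostname, 'decoy_url': decoy}


def ad_is_deceptive(displayed_url: str, click_url: str) -> bool:
    '''True when the host the ad displays is not the host the click actually lands on.'''
    return host_of(displayed_url) != (unwrap_click(click_url)['dest_host'] or '')


def brand_lookalike(url: str, brand_domain: str = 'anydesk.com') -> bool:
    '''True when a host borrows the brand name but is neither the brand domain nor a
    subdomain of it. The default brand_domain is an assumption for this example.'''
    host = host_of(url)
    brand = brand_domain.split('.')[0]
    return brand in host and host != brand_domain and not host.endswith('.' + brand_domain)


if __name__ == '__main__':
    info = unwrap_click(AD_CLICK)
    print('click lands on', info['dest_host'], 'while carrying decoy', info['decoy_url'])
    print('deceptive ad:', ad_is_deceptive(DISPLAYED, AD_CLICK))
    print('fake site is a lookalike of anydesk.com:', brand_lookalike(FAKE_SITE))
```

Run it as a script to print the three findings; ad_is_deceptive() is the check worth keeping, since an ad whose displayed domain and tracked destination disagree is exactly what the screenshots above show.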
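The run methods listed later under Indicators of Compromise (rundll32.exe loading an .mst file from AppData with the export init, and the persistent DLL started with --tu= pointing at license.dat) are what a process-creation log shows long after the download URL is gone. The Python below is an example added to this page, not code from the diary: it parses rundll32 command lines and flags any that load a module from a user-writable directory, load a module whose extension is not .dll, or carry the --tu= argument seen here. The four sample command lines, the user name alice and the USER_WRITABLE set are constructed for the example; only the two modelled on the diary's run methods are expected to fire.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process command lines (not taken from the diary's pcap).
# The first two mirror the run methods listed under Indicators of Compromise, with a
# made-up user name; the last two are ordinary benign rundll32 use.
EVENTS = [
    'rundll32.exe C:\\Users\\alice\\AppData\\Local\\MSI5da0ddad.mst,init',
    'rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\{12A3307B-B372-BBC6-7E4B-4992C7C7842B}'
    '\\{6127EF7F-696C-8BDF-5350-88ECC5774CA5}\\uwurtb4.dll,init'
    ' --tu=\"C:\\Users\\alice\\AppData\\Roaming\\GenreAttract\\license.dat\"',
    'C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL'
    ' C:\\Windows\\System32\\appwiz.cpl',
    '\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Program Files\\Vendor\\tool.dll\",Start /quiet',
]

# Path components an unprivileged user can write under (assumption: stock Windows layout).
USER_WRITABLE = {'users', 'appdata', 'temp', 'programdata', 'public'}

# Leading rundll32 token, with or without a directory and surrounding quotes.
RUNDLL32 = re.compile(r'\s*\"?(?:[^\s\"]*[\\\\/])?rundll32(?:\.exe)?\"?\s*', re.I)


def parse_rundll32(cmdline: str):
    '''Return (module, export, args) for a rundll32 command line, or None if it is not one.'''
    m = RUNDLL32.match(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():]
    if rest.startswith('\"'):                      # quoted module path, then ,export
        close = rest.find('\"', 1)
        module, rest = rest[1:close], rest[close + 1:]
        tail = re.match(r',?(\S*)\s*', rest)
        export, args = tail.group(1), rest[tail.end():]
    else:                                          # module,export as one token
        tail = re.match(r'(\S*)\s*', rest)
        token, args = tail.group(1), rest[tail.end():]
        module, _, export = token.rpartition(',') if ',' in token else (token, '', '')
    return module, export, args.strip()


def triage(cmdline: str) -> dict:
    '''Flag rundll32 invocations resembling the IcedID run methods in this diary.'''
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return {'rundll32': False, 'reasons': []}
    module, export, args = parsed
    path = PureWindowsPath(module)
    reasons = []
    if {p.lower() for p in path.parts} & USER_WRITABLE:
        reasons.append('module loaded from a user-writable directory')
    if path.suffix.lower() != '.dll':
        reasons.append('module extension ' + (path.suffix or '(none)') + ' is not .dll')
    if '--tu=' in args:
        reasons.append('--tu= argument used to launch the persistent IcedID DLL')
    return {'rundll32': True, 'module': module, 'export': export, 'args': args, 'reasons': reasons}


def flagged(events) -> list:
    '''Indexes of the command lines that triage() flags.'''
    return [i for i, e in enumerate(events) if triage(e)['reasons']]


if __name__ == '__main__':
    for i in flagged(EVENTS):
        print(EVENTS[i])
        for reason in triage(EVENTS[i])['reasons']:
            print('   ', reason)
```

The user-writable and non-.dll checks are generic and will also catch unrelated loaders, so they belong in a hunting query rather than a page-the-analyst alert; the --tu= string is specific to this IcedID variant and should be treated as a point indicator rather than a durable rule.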
Double-clicking the .msi file on a Windows host (no exploit is involved; the victim runs the installer)\r\ncaused it to drop and run a DLL to install IcedID on the victim's system.\r\nShown above:  Downloaded zip archive and extracted .msi file.\r\nShown above:  The installer DLL for IcedID.\r\nTraffic from the infected Windows host\r\nShown above:  Traffic from the infection filtered in Wireshark, part 1.\r\nShown above:  Traffic from the infection filtered in Wireshark, part 2.\r\nShown above:  Traffic from the infection filtered in Wireshark, part 3.\r\nIndicators of Compromise\r\nTraffic generated by IcedID installer DLL for gzip binary:\r\n143.198.92[.]88 port 80 - klepdrafooip[.]com - GET / HTTP/1.1\r\nIcedID post-infection C2 traffic:\r\n94.140.114[.]40 port 443 - primsenetwolk[.]com - HTTPS traffic\r\n94.140.114[.]40 port 443 - onyxinnov[.]lol - HTTPS traffic\r\n158.255.211[.]126 port 443 - trashast[.]wiki - HTTPS traffic\r\nIcedID backchannel traffic with VNC:\r\n51.195.169[.]87 port 8080\r\nFirst Cobalt Strike:\r\n176.105.202[.]212 port 80 - 176.105.202[.]212 - GET /adcs4\r\n172.67.130[.]194 port 443 - kingoflake[.]com - HTTPS traffic\r\nSecond Cobalt Strike:\r\n199.127.62[.]132 port 80 - 199.127.62[.]132 - GET /download/h.exe\r\n108.177.235[.]187 port 443 - bukifide[.]com - HTTPS traffic\r\nSliver and/or DonutLoader:\r\n190.61.121[.]35 port 443 - 190.61.121[.]35:443 - GET /static/ZillaSlab-Bold.subset.e96c15f68c68.woff/CEx6_0FDJn4RWxBZcsquwwUk57-n7pCuR5k24zUnBepPlxY9gqn968ZXnXAtC2GwTONSpEx3Pnz_lvqz2c2E5B_7n2lMU3wZ7Yeqb9yK9OFsqEQnybJ3THr_uiJpi3X5yQI3puCyeMxD8EcfWPoPWF8lqYiHLRDP1rKGIpBbW\r\n46.4.182[.]102 port 80 - post-infection TLSv1.3 HTTPS traffic\r\nAssociated malware:\r\nDownloaded zip and extracted .msi file:\r\nSHA256 hash: 
19265aac471f7d72fcddb133e652e04c03a547727b6f98a80760dcbf43f95627\r\nFile size: 1,108,416 bytes\r\nFile name: Setup_Win_14-12-2022_18-36-29.zip\r\nSHA256 hash: 63a7d98369925d6e98994cdb5937bd896506665be9f80dc55de7eb6df00f7607\r\nFile size: 1,966,080 bytes\r\nFile name: Setup_Win_14-12-2022_18-36-29.msi\r\nIcedID files from an infected Windows host:\r\nSHA256 hash: 7e5da5fcda0da494da85cdc76384b3b08f135f09f20e582e049486e8ae2f168e\r\nFile size: 1,503,408 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\MSI5da0ddad.mst\r\nFile description: 64-bit DLL to install IcedID dropped by above .msi file\r\nRun method: rundll32.exe [filename],init\r\nSHA256 hash: 53639070024366d23c3de5ba1d074cbd1d8b9e78d46f75c32ef02fc20c279fc3\r\nFile size: 1,503,408 bytes\r\nFile location: hxxp://klepdrafooip[.]com/\r\nFile description: gzip binary from klepdrafooip[.]com retrieved by IcedID installer DLL\r\nSHA256 hash: 205fbc52fafd456388d3ef80ff00498c90295791a91811725fea94052dc4fe7a\r\nFile size: 364,202 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\GenreAttract\\license.dat\r\nFile description: Data binary used to run persistent IcedID DLL\r\nNote: First submitted to VirusTotal on 2022-11-08.\r\nSHA256 hash: bfa3eb36beeaa65334abe81cdd870e66b37da3e478d1615697160244fd087b48\r\nFile size: 1,499,312 bytes\r\nFile location: C:\\Users\\[username]\\AppData\\Roaming\\{12A3307B-B372-BBC6-7E4B-4992C7C7842B}\\{6127EF7F-696C-8BDF-5350-88ECC5774CA5}\\uwurtb4.dll\r\nFile description: persistent IcedID DLL\r\nRun method: rundll32.exe [filename],init --tu=\"[path to license.dat]\"\r\nCobalt Strike files:\r\nSHA256 hash: 7486c3585d6aa7c2febd8b4f049a86c72772fda6bd1dc9756e2fb8c5da67bafa\r\nFile size: 1,894,758 bytes\r\nFile location: hxxp://176.105.202[.]212/adcs4\r\nFile description: PowerShell script for first instance of Cobalt Strike activity\r\nSHA256 hash: 
e8f2c929e1b84a389fede03bff9a4ee951cf563a64809b06f2f76201536fddf7\r\nFile size: 1,001,472 bytes\r\nFile location: hxxp://199.127.62[.]132/download/h.exe\r\nFile location: C:\\Users\\[username]\\AppData\\Local\\Temp\\Dimuak.exe\r\nFile description: 64-bit EXE for second instance of Cobalt Strike activity\r\nSliver and/or DonutLoader:\r\nSHA256 hash: 40194a07a5afa1ef8e0ea4125a62d4ff5b70a14849b154a4694cfd08e40eb22b\r\nFile size: 17,085,660 bytes\r\nFile location: hxxp://190.61.121[.]35:443/static/ZillaSlab-Bold.subset.e96c15f68c68.woff/CEx6_0FDJn4RWxBZcsquwwUk57-n7pCuR5k24zUnBepPlxY9gqn968ZXnXAtC2GwTONSpEx3Pnz_lvqz2c2E5B_7n2lMU3wZ7Yeqb9yK9OFsqEQnybJ3THr_uiJpi3X5yQI3puCyecatd8AMxD8EcfWPoPWF8lqYiHLRDP1rKGIpBbW\r\nFile description: binary with shellcode and 64-bit EXE, for Sliver-based and/or DonutLoader malware\r\nSHA256 hash: 08dd1a4861f4d2b795efb71847386bd141caa0a7ce141798e251db8acd63d3a9\r\nFile size: 17,081,991 bytes\r\nFile description: above binary with shellcode removed\r\nFile type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows\r\nFinal words\r\nWe'll likely continue to see criminal groups abusing Google ads through SEO poisoning and using fake websites to\r\nimpersonate popular software.  This is an effective way for criminals to distribute their malware.\r\nTraffic and malware samples from today's infection are available here.\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344"
	],
	"report_names": [
		"29344"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434664,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4048dc7e4551531efc07f17788521bf64413e3f1.pdf",
		"text": "https://archive.orkl.eu/4048dc7e4551531efc07f17788521bf64413e3f1.txt",
		"img": "https://archive.orkl.eu/4048dc7e4551531efc07f17788521bf64413e3f1.jpg"
	}
}