{
	"id": "c4499034-43dc-4f03-8781-878df34f9392",
	"created_at": "2026-04-06T00:16:21.367241Z",
	"updated_at": "2026-04-10T03:35:53.13005Z",
	"deleted_at": null,
	"sha1_hash": "4b7c4cbaa216abc9ffac4ec57b0fa54b7d2672a8",
	"title": "The ALPHV/BlackCat Ransomware Gang is Using Google Ads to Conduct Cyberattacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63402,
	"plain_text": "The ALPHV/BlackCat Ransomware Gang is Using Google Ads to\r\nConduct Cyberattacks\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 16:01:27 UTC\r\nSecurity researchers with eSentire, a top global cybersecurity solutions provider, are warning that Russian-speaking affiliates of the ransomware gang ALPHV/BlackCat are attacking corporations and public entities in the\r\nAmericas and Europe. In the past three weeks, we have seen these affiliates attempt to breach a law firm, a\r\nmanufacturer, and a warehouse provider within our customer network, alongside attacking other companies.\r\nHowever, their attacks were intercepted and shut down by eSentire’s security research team, the Threat Response\r\nUnit (TRU). ALPHV/BlackCat threat actors typically achieve initial access into their victims’ IT networks through\r\none of three ways: valid credentials, exploitation of remote management and monitoring services, and browser-based attacks. This year, however, one of the affiliates has expanded into malvertising to execute browser-based\r\nattacks.\r\nThis affiliate is taking out Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP\r\nand Cisco AnyConnect, to lure business professionals to attacker-controlled websites. Thinking they are\r\ndownloading legitimate software, the business professionals are actually downloading the Nitrogen malware.\r\nNitrogen is initial-access malware that leverages Python libraries for stealth. This foothold provides intruders with\r\nan initial entry into the target organization’s IT environment. Once the hackers have that initial foothold, they can\r\nthen infect the target with the malware of their choosing. 
In the case with this attack campaign, the target victims\r\nare being infected with the ALPHV/BlackCat ransomware, according to Keegan Keplinger, Senior Threat\r\nIntelligence Researcher with TRU.\r\nAccording to TRU, the malvertising attacks they shut down in the past three weeks on behalf of the law firm and\r\nmanufacturer are a continuation of a June 2023 campaign, where an affiliate of the ALPHV/BlackCat\r\nRansomware gang was observed using malicious ads to distribute the Nitrogen malware, which led to the\r\nALPHV/BlackCat ransomware. eSentire was the first cybersecurity company to identify and name the Nitrogen\r\nmalware in June 2023. TRU named the malicious software after an artifact found in the naming conventions used\r\nby the threat actors.\r\nAbout Nitrogen\r\nNitrogen is labeled as initial access malware because it is malicious software that threat actors use to gain entry to\r\na target victim’s IT environment. Nitrogen malware is unique in that it uses highly obfuscated Python libraries to\r\nbypass security controls. Python libraries enhance the functionality and capabilities of Python code programs.\r\nThey are pre-written collections of code that provide a wide range of functions, classes, and tools for specific\r\ntasks, making it easier for developers to build complex applications without starting from scratch. Because Python\r\nlibraries are legitimate tools, they typically do not raise any suspicions with security defenders. The additional\r\nhttps://www.esentire.com/blog/the-notorious-alphv-blackcat-ransomware-gang-is-attacking-corporations-and-public-entities-using-google-ads-laced-with-malware-warns-esentire\r\nPage 1 of 6\n\nlayer of obfuscation acts to slow down analysts and security researchers in reversing and pinpointing the attack\r\npath taken by the malware once active in the operating system. 
See more technical details around Nitrogen here.\r\nThe Criminal Origins of ALPHV/BlackCat Ransomware Group\r\nThe ALPHV/BlackCat ransomware group and its affiliates are typically observed to be Russian-speaking, and\r\nvarious security teams report that the core ALPHV/BlackCat operators are based in Russia. The gang first\r\nappeared on the ransomware scene in November 2021. According to the FBI, the ALPHV/BlackCat gang\r\ncompromised 60 businesses and public entities between November 2021 and March 2022. At the time of this\r\nreporting, in 2023, ALPHV/BlackCat lists 170 victims on their name and shame page, ranking them the third most\r\nactive ransomware gang behind Cl0p \u0026 LockBit.\r\nSome of ALPHV/BlackCat’s recent and most publicized attacks include MGM Resorts, which is comprised of 19\r\nU.S. properties, including the Bellagio, Mandalay Bay, and the Cosmopolitan. The attack caused considerable\r\nchaos at the resorts, forcing guests to wait hours to check in and crippling electronic payments, digital key cards,\r\nslot machines, ATMs, and paid parking systems. MGM Resorts reported that they expect a $100 million hit to its\r\nthird-quarter results due to the breach.\r\nALPHV/BlackCat also recently named McClaren Health Care as a victim. It is one of Michigan’s largest\r\nhealthcare systems and is made up of hospitals, clinics, and healthcare facilities. McClaren administrators reported\r\nthat the ALPHV/Black Cat threat actors accessed various data from 2.2 million patients. Among the type of data\r\nincludes full name, SSNs, date of birth, healthcare insurance information, Medicare/Medicaid information, billing\r\ndata, and treatment and prescription information. 
The ALPHV/BlackCat ransomware group also recently claimed\r\nto have hacked Clarion, a global manufacturer of audio and video equipment for cars and other vehicles, and the\r\nhotel chain Motel One.\r\nWhen digging into ALPHV/BlackCat’s lineage, TRU discovered that ALPHV/BlackCat has connections to the\r\nformer BlackMatter ransomware group, whose ransomware code is said to be a combination of the notorious\r\nDarkSide and REvil ransomware software. Additionally, these ransomware operations have all counted FIN7, a\r\nsophisticated cybercrime group, among their affiliates.\r\nReaders might recall that the DarkSide ransomware operators were responsible for compromising the Colonial\r\nPipeline, the largest pipeline system for refined oil products in the U.S., which resulted in their pipeline systems\r\nbeing taken offline in May 2021.\r\nSeveral of REvil’s high-profile attacks include global computer manufacturers Acer and Quanta, top Mexican\r\nbank, CIBanco, Chilean bank, BancoEstado, and one of the entertainment industry’s largest law firms, Grubman\r\nShire Meiselas \u0026 Sacks. At the time of their breach, this firm represented Lady Gaga, Madonna, Bruce\r\nSpringsteen, Jessica Simpson, and Mariah Carey, among others.\r\nALPHV/BlackCat Ransomware Group, Ruthless and Despicable\r\nOne might ask, “Why are the ALPHV/BlackCat ransomware operators and their affiliates so despicable?” It is the\r\nlengths these threat actors will go to force their victims to pay their ransom demands. In February of this year,\r\nALPHV/BlackCat hackers broke into one of the largest healthcare networks in Pennsylvania, the Lehigh Valley\r\nHealth Network. 
It is estimated that the hackers stole data on approximately 500 patients, and for some of the\r\npatients this data included medical data, social security numbers, banking information, name, address, birthdate,\r\netc., which the threat actors threatened to release on their data leak site. In March, the hackers went even further\r\nwith their extortion attempts, shocking both security defenders and healthcare professionals around the world.\r\nThe ALPHV/BlackCat threat actors published photos of “topless” female breast cancer patients on their leak site\r\nafter the health group refused to pay a $1.5 million ransom following their February attack. The clinical images\r\nwere used by Lehigh Valley Health Network as part of radiotherapy treatment for their cancer patients. In July, the\r\nALPHV/BlackCat gang went so far as to provide an API for their leak site to increase visibility for their attacks.\r\nBrowser-Based Cyberattacks—a Growing Attack Surface\r\nWhile much of cybersecurity user awareness training is still focused on malicious email attachments, browser-based malware downloads have usurped email as a primary method of initial cyber infection access for hands-on\r\nransomware intrusions. As previously mentioned, in this Nitrogen campaign, users are infected when they go\r\nlooking for popular, legitimate software to download and then click through on a Google Ad that renders to a\r\nmalware site instead. The software lures TRU has observed the threat actors using in the Nitrogen campaign\r\ninclude Advanced IP Scanner, WinSCP, Slack, and Cisco AnyConnect. Additionally, TRU has observed ALPHV\r\nransomware stemming from Gootloader attacks, another successful browser-based initial access malware known\r\nto target law firms.\r\nInitial Access Malware\r\nKnown examples of ransomware-associated initial access malware that leverage browser-based attacks include\r\nGootloader, SocGholish, BatLoader, and now Nitrogen. 
Nitrogen uses an obfuscated Python framework that\r\nleverages DLL side loading. Interestingly, ALPHV has been observed as an end-game for at least two of these\r\nbrowser-based initial access pieces of malware: Gootloader and Nitrogen.\r\nIntrusion Tool Buffet\r\nSince 2020, Cobalt Strike has been growing as the primary intrusion tool leveraged by ransomware affiliates. In\r\nresponse, the security community quickly developed detections and threat-hunting paradigms around Cobalt\r\nStrike. In turn, threat actors have begun to shift to new intrusion tools, including leveraging Remote Monitoring\r\nand Management (RMM) tools and remote access software (AnyDesk, TSDService, Atera and ConnectWise\r\nScreenConnect™) and new intrusion frameworks (Sliver and Brute Ratel). In at least one Nitrogen incident, TRU\r\nobserved a full buffet of Intrusion Frameworks being used by the ALPHV/BlackCat threat actors: Cobalt Strike,\r\nSliver, and Brute Ratel.\r\nSecurity Recommendations to Protect Against Nitrogen Attack Campaigns\r\nLeading to ALPHV/BlackCat Ransomware\r\n1. Organizations need to start including browser-based attacks, including those that use fake advertising, as\r\npart of User Awareness Training (UAT). Browser-based attacks are increasingly leading to hands-on\r\nransomware intrusions and infostealers that enable ransomware intrusions later.\r\n2. Make sure you are implementing attack surface reduction rules around script files such as .js and .vbs, but\r\nkeep in mind that when these attacks arrive in .ISO files, the “Mark of the Web” is lost so Attack Surface\r\nReduction rules won’t detect the files from the Internet.\r\n3. 
Employ endpoint monitoring to ensure you can catch malicious execution when social engineering attacks\r\nbypass user scrutiny – and make sure that endpoint coverage is fully comprehensive. TRU has observed a\r\ntendency for ransomware attacks to make it further down the kill-chain when they begin on endpoints that\r\nare out of scope for endpoint monitoring.\r\n4. Employ logging to ensure you are capturing telemetry – especially for devices and services that don’t\r\nsupport an endpoint agent, including VPN, device enrollment, and server software for applications that\r\ndon’t generate endpoint telemetry, like Citrix, IIS, and cloud services.\r\nIf you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend\r\nyou partner with us for security services to disrupt threats before they impact your business. Want to learn more?\r\nConnect with an eSentire Security Specialist.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. 
By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/the-notorious-alphv-blackcat-ransomware-gang-is-attacking-corporations-and-public-entities-using-google-ads-laced-with-malware-warns-esentire",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.esentire.com/blog/the-notorious-alphv-blackcat-ransomware-gang-is-attacking-corporations-and-public-entities-using-google-ads-laced-with-malware-warns-esentire"
	],
	"report_names": [
		"the-notorious-alphv-blackcat-ransomware-gang-is-attacking-corporations-and-public-entities-using-google-ads-laced-with-malware-warns-esentire"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434581,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b7c4cbaa216abc9ffac4ec57b0fa54b7d2672a8.pdf",
		"text": "https://archive.orkl.eu/4b7c4cbaa216abc9ffac4ec57b0fa54b7d2672a8.txt",
		"img": "https://archive.orkl.eu/4b7c4cbaa216abc9ffac4ec57b0fa54b7d2672a8.jpg"
	}
}