{
	"id": "b062f718-4a6a-4f5b-b240-716edcd3ca94",
	"created_at": "2026-04-06T01:30:48.458035Z",
	"updated_at": "2026-04-10T03:20:22.483675Z",
	"deleted_at": null,
	"sha1_hash": "544fba566c374a4a305d76ee8cab4eb805635557",
	"title": "Malvertising through search engines",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3050819,
	"plain_text": "Malvertising through search engines\r\nBy Victoria Vlasova\r\nPublished: 2023-03-09 · Archived: 2026-04-06 00:32:04 UTC\r\nIn recent months, we observed an increase in the number of malicious campaigns that use Google Advertising as a means of distributing and delivering malware. At least two different stealers, Rhadamanthys and RedLine, were abusing the search engine promotion plan in order to deliver malicious payloads to victims’ machines. They seem to use the same technique of mimicking a website associated with well-known software like Notepad++ and Blender 3D.\r\nThe threat actors create copies of legitimate software websites while employing typosquatting (exploiting incorrectly spelled popular brands and company names as URLs) or combosquatting (using popular brands and company names combined with arbitrary words as URLs) to make the sites look like the real thing to the end user—the domain names allude to the original software or vendor. The design and the content of the fake web pages look the same as those of the original ones. Threat actors then pay to promote the website in the search engine in order to push it to the top search results. The technique is called “malvertising”.\r\nOur observations\r\nIn the following snapshots, we can see Google ads promoting fake pages for AMD drivers and the Blender 3D software. If we take a closer look at the URLs, we will see that the domain names incorporate the software name but are in fact unrelated to the real AMD or Blender 3D vendors. In most cases, the top-level domains are different from those of the official sites as well. The use of less common TLDs enables the threat actors to register second-level domains that are similar to the real ones. These domains lure victims to click on the link and access the fake website more often than random domains registered in a more common domain zone, such as COM, because they may look more like a legitimate website.\r\nFake AMD and Blender 3D websites in search results\r\nWe visited some of the promoted sites and obtained the malicious payloads they were distributing. In this article, we will focus mainly on the “Blender 3D” fake websites.\r\nhttps://securelist.com/malvertising-through-search-engines/108996/\r\nPage 1 of 14\r\nFake Blender 3D web pages\r\nThe size of the downloaded file (ZIP archive) is 269 MB, which is close to the original Blender installer size. The size of 257 MB stated on the fake web page matches that of the original Blender 3D installer, but it does not match the size of the fake download.\r\nWhen the user clicks the “Download” button, the archive blender-3.4.1-windows-x64.zip (E0BDF36E4A7CF1B332DC42FD8914BA8B) is downloaded.\r\nThe size of the file (BBA8AA93FCDDA5AC7663E90C0EEFA2E7) extracted from the archive is 657 MB. When launched, it drops two files into the temp directory:\r\n- The original Blender 3D MSI installer (marked green on the screenshot below), whose size is also 657 MB;\r\n- A PE file that acts as a next-stage loader for a malicious PE file (marked red), which also has the same size as the original installer: 657 MB.\r\nDropped files: the original Blender 3D MSI installer and the malicious loader\r\nThe dropped malicious loader is this big because it is inflated with junk bytes when the PE file is created. The deflated malicious loader size is about 330 KB, and the rest is junk.\r\nJunk bytes inflating the loader\r\nAfter the initial installer (extracted from the archive) drops these two files, it runs the malicious PE file using the CMD method (cmd.exe /c [Filename] command) to hide it from the user. Additionally, the initial installer also runs the original Blender 3D MSI to make the victim believe that the desired software is running.\r\nThus, the threat actors disguise their malicious payload through the installation of another software product by creating a “pre-installer” for the legitimate software, which will put both the malware and the desired genuine software on the victim’s machine.\r\nBlender 3D installer launched by the “pre-installer”\r\nThe screenshot above shows the actual software installer running, but if we take a closer look at the processes, we will notice a short-lived sub-process (cmd.exe /c -\u003e “SetupFileProgram”) run by the “pre-installer”. This short-lived process is the loader for the malware.\r\nThe loader\r\nThe loader is a .NET file protected by an unregistered version of .NET Reactor. It seems to use an anti-debugging technique in order to prevent a debugger from executing and dynamically analyzing the binary. In a nutshell, the loader runs a new powershell.exe process and manipulates it to execute numerous PowerShell commands, which instruct it to access a third-party URL in order to get the payload. The payload is a base64-encoded, AES-encrypted fileless binary. Further commands are related to decoding and decrypting that binary, then running it in memory, within a newly created aspnet_compiler.exe process, a legitimate Windows .NET framework compilation tool.\r\nIn this case, we observed two detection evasion tricks during the runtime:\r\n- The fileless technique, which involves getting a payload from an online source and loading it directly into the memory of a process;\r\n- LOLBAS (living-off-the-land binaries and scripts), which, in this case, is the use of a .NET compilation tool to run the malicious binary.\r\nBelow, we provide a more detailed analysis of the loader execution chain. After passing the loader anti-debugger, we can see that it starts a PowerShell process, so we will put a breakpoint at the CreateProcessW WinAPI call to observe the behavior.\r\nCall of CreateProcessW to spawn a PowerShell process\r\nSince we did not see any command passed to the PowerShell process when initializing it via the CreateProcessW call, we can conclude that it will be passed at some point later, so we can observe the passing of the PowerShell command(s) by putting a breakpoint at WinAPI WriteFile in order to see the command lines for the powershell.exe process.\r\nSo, after letting it run and reach the breakpoint, we will check the result in the return of the function call, and we can see in the stack that the first command pushed to the powershell.exe process was #Start-Sleep -seconds 30;.\r\nObserving the pushed command(s)\r\nWe can try checking the memory section where the command is stored and searching for other commands that are being kept in the memory for later use by the loader.\r\nMemory address of the pushed PowerShell commands\r\nAfter taking all the data from this memory section, we will see all the commands passed to the powershell.exe process via the WriteFile WinAPI call.\r\nPowerShell commands\r\nIf we read the commands, we will see exactly what the powershell.exe process is about to do. The commands instruct it to perform the following actions:\r\n1. Download string data from the following URL, whose file name is a random string: http[:]//45.93.201[.]114/docs/[RandomChars].txt. The downloaded data is a Base64-encoded string that is decoded into encrypted data.\r\n2. Prepare the decryption method, AES-CBC, as can be seen in the screenshot above. We can also easily see and decode the Base64-encoded key and IV (initialization vector) used for decryption in the PowerShell command.\r\n3. Decrypt the data into a Gzip-compressed binary.\r\n4. Decompress the binary.\r\n5. Invoke the binary to run it.\r\nDecrypted binary\r\nThe binary that we obtained is the dropper of known malware, the RedLine stealer. The version of the stealer at hand uses an interesting technique to hide its malicious payload: it is encoded in the least significant bit of images stored in the resource section of the dropper, as are the key and the IV bytes for its AES decryption.\r\nEmbedded images with a malicious payload\r\nPayload decryption routine\r\nAfter decrypting the payload, the dropper starts a legitimate process named “aspnet_compiler.exe”, which is part of the Microsoft .NET framework, and injects the payload into it.\r\nInjecting a payload routine\r\nInfrastructure\r\nTo deploy decoy pages, the malefactors register deceptive domain names, such as blender3d-software[.]net or blender3d-software[.]org. We have found more than fifty similar domains hosted at the same IP address: 91.229.23[.]200. These domain names mimic other software distribution sites as well, for example, afterburner-software[.]org, tradingviews-software[.]org, and unity-download[.]com.\r\nThe malicious payload could be stored on the same site as the landing page (for example, hxxps[://]blahder3dsoft[.]store/Blender[.]rar) or on a public service that can be used as a file hosting service (MediaFire or GitHub).\r\nConclusion\r\nWe are seeing an increase in the spread of malware families through Google Ads campaigns, specifically through search ads. Threat actors use fake websites to mimic legitimate software vendor websites to lure victims, and pay for ads to promote these. They use typosquatting and combosquatting for their malicious website domains, which have become common techniques in recent months. In some cases, such as the one described in this article, the threat actors also make sure to install the desired software alongside their malicious payload.\r\nIn recent campaigns, we observed mainly stealer-type malware, such as RedLine or the notorious Rhadamanthys, which is also known to use malvertising techniques to reach victims and steal data from their compromised machines.\r\nThis kind of distribution suggests that the threat actors are targeting victims, both individual and corporate, all around the world.\r\nIndicators of Compromise\r\nIoC\tDescription\r\nE0BDF36E4A7CF1B332DC42FD8914BA8B\tblender-3.4.1-windows-x64.zip\r\nBBA8AA93FCDDA5AC7663E90C0EEFA2E7\tblender-3.4.1-windows-x64.exe\r\n4b6249bea60eec2d9e6890162a7fca5f\tBlender.rar\r\n8d709a5ce84504f83303afda88649b24\tRedLine stealer\r\nd0915b6057eb60c3878ce88d71efc351\tRedLine stealer\r\nhxxps[:]//download2392.mediafire.com/bb289kqoibyg/1udjwornnpwxlua/blender-3.4.1-windows-x64.zip/\tLink to malicious file\r\nhxxps[:]//github.com/sup6724/blender3d13/releases/download/updates/blender-3.4.1-windows-x64.zip\tLink to malicious file\r\nhxxps[://]blahder3dsoft[.]store/Blender[.]rar\tLink to malicious file\r\nhttp[:]//45.93.201[.]114/docs/[RandomChars].txt\tURL with malware data string\r\n91.229.23[.]200\tIP address common for some malicious landing pages\r\nSource: https://securelist.com/malvertising-through-search-engines/108996/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/malvertising-through-search-engines/108996/"
	],
	"report_names": [
		"108996"
	],
	"threat_actors": [],
	"ts_created_at": 1775439048,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/544fba566c374a4a305d76ee8cab4eb805635557.pdf",
		"text": "https://archive.orkl.eu/544fba566c374a4a305d76ee8cab4eb805635557.txt",
		"img": "https://archive.orkl.eu/544fba566c374a4a305d76ee8cab4eb805635557.jpg"
	}
}