{
	"id": "810743c5-3ab8-4883-8d85-4684e2b4b192",
	"created_at": "2026-04-06T00:22:35.738035Z",
	"updated_at": "2026-04-10T03:23:51.495374Z",
	"deleted_at": null,
	"sha1_hash": "742f2afe4b3bf70831f4a6954beab211160b505e",
	"title": "Malicious Google Ad --\u003e Fake Notepad++ Page --\u003e Aurora Stealer malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1646888,
	"plain_text": "Malicious Google Ad --\u003e Fake Notepad++ Page --\u003e Aurora Stealer malware\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 18:11:07 UTC\r\nIntroduction\r\nGoogle ads are a common vector for malware distribution.  Do a Google search for any popular free software download. \r\nReview any search results marked \"Ad\" or \"Sponsored,\" then check the link to see if anything is unusual.\r\nI've already written two diaries and authored various tweets about this type of activity:\r\nhttps://isc.sans.edu/diary/Google+ad+traffic+leads+to+stealer+packages+based+on+free+software/29376\r\nhttps://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344\r\nhttps://twitter.com/Unit42_Intel/status/1615470858067222568\r\nhttps://twitter.com/Unit42_Intel/status/1608567622856998912\r\nOthers have also reported this activity.  Recent posts include:\r\nhttps://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/\r\nhttps://heimdalsecurity.com/blog/google-ads-exploited-to-spread-malware/\r\nhttps://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e\r\nhttps://www.hackread.com/google-ads-malware-nft-crypto-wallet/\r\nOne example of free software routinely spoofed for Google ads is Notepad++.  Almost without fail, I can find a fake\r\nwebpage for Notepad++ every day through Google ads.  For today's diary, I found a Google ad for a malicious site at\r\nnotopod-plos-plus[.]com.\r\nhttps://isc.sans.edu/diary/rss/29448\r\nPage 1 of 6\n\nShown above:  Google ad for fake Notepad++ site.  
Misspelled \"Notepad\" as \"Notepade\" in the ad.\r\nThese fake sites copy pages from the real software sites and have links to download the malware.\r\nShown above:  Downloading malware from the fake Notepad++ page.\r\nThe URL to download malware was notopod-plos-plus[.]com/bsdf/file.php, which redirected to another URL hosting the\r\nmalware.  I found the redirect by using a URL shortener revealer.  In this case, I used expandurl.net and found the malware\r\nhosted at hxxps://obsqroject[.]com/npp.8.4.8.Installer.x64.exe.  Note the \"q\" in \"obsqroject\" in the malware download\r\nURL.  The malware is hosted on a server impersonating the legitimate site obsproject.com.\r\nShown above:  Using a tool that reveals locations of shortened URLs to find a redirect for our malware.\r\nThe downloaded malware was detected by Microsoft Defender as an unrecognized app, so I had some extra clicks to run it.\r\nShown above:  Windows Defender doesn't like this type of downloaded EXE file.\r\nPost-infection traffic caused by this malware went to a server at 79.137.133[.]225 over TCP port 8081.\r\nShown above:  Post-infection traffic shown in Wireshark.\r\nPost-infection traffic consists of plain text.  Text sent by the server to the infected Windows host was WORK and Accept and\r\nThanks. 
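The exchange described in this diary (plaintext WORK, Accept and Thanks from the server; Base64-looking data from the infected host; TCP port 8081 in this sample) turned into a small stream-triage heuristic, as an added example that is not part of the original diary or of any Aurora Stealer tooling. It assumes a reassembled TCP stream has already been split into directional messages (for instance with tshark or a Zeek script; that framing is an assumption, the diary does not show it). The sample streams are constructed here, not taken from the diary's pcap, and the port check is only a weak signal because a C2 port can change between campaigns.

```python
import base64
import binascii
from collections import Counter

# Server-to-client strings observed in the Aurora Stealer stream in the
# diary above (WORK once, Accept several times, Thanks twice) and the
# server port seen in this infection. Both come from the diary; the port
# is specific to this sample and may differ in other campaigns.
AURORA_SERVER_TOKENS = {b'WORK', b'Accept', b'Thanks'}
AURORA_C2_PORT = 8081


def looks_like_base64(payload):
    '''True if payload (bytes) is non-empty, strictly Base64-encoded text.'''
    body = payload.strip()
    if not body or len(body) % 4 != 0:
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def score_stream(stream, dst_port):
    '''Triage one reassembled TCP stream.

    stream: list of (direction, payload) tuples in wire order, direction
            being 'c2s' (infected host to server) or 's2c' (server to host).
    Returns (verdict, reasons) where verdict is 'aurora-like',
    'suspicious' or 'benign'.
    '''
    reasons = []
    server_msgs = [p.strip() for d, p in stream if d == 's2c']
    client_msgs = [p for d, p in stream if d == 'c2s']
    if not server_msgs or not client_msgs:
        return 'benign', ['one-sided or empty stream']

    # Any server text outside the tiny token set rules Aurora out quickly.
    unknown = [m for m in server_msgs if m not in AURORA_SERVER_TOKENS]
    if unknown:
        return 'benign', ['server text outside the Aurora token set: ' + repr(unknown[:3])]

    counts = Counter(server_msgs)
    reasons.append(f'server token counts: {dict(counts)}')
    if server_msgs[0] != b'WORK':
        reasons.append('stream does not open with WORK')
    if dst_port == AURORA_C2_PORT:
        reasons.append(f'destination port {dst_port} matches the diary sample')

    # Client side: every message from the infected host should decode as Base64.
    b64_count = sum(1 for m in client_msgs if looks_like_base64(m))
    reasons.append(f'{b64_count}/{len(client_msgs)} client messages are Base64')
    if b64_count == len(client_msgs) and server_msgs[0] == b'WORK':
        return 'aurora-like', reasons
    return 'suspicious', reasons


# Constructed sample streams (not captured from the diary's pcap): the
# first mimics the token pattern the diary describes, the second is a
# plain HTTP exchange that must not trip the heuristic.
SAMPLE_AURORA_STREAM = [
    ('s2c', b'WORK'),
    ('c2s', base64.b64encode(b'constructed host fingerprint')),
    ('s2c', b'Accept'),
    ('c2s', base64.b64encode(b'constructed browser-data chunk')),
    ('s2c', b'Accept'),
    ('c2s', base64.b64encode(b'constructed wallet-data chunk')),
    ('s2c', b'Thanks'),
    ('s2c', b'Thanks'),
]

SAMPLE_HTTP_STREAM = [
    ('c2s', b'GET / HTTP/1.1'),
    ('s2c', b'HTTP/1.1 200 OK'),
]


def triage_samples():
    '''Run both constructed streams through score_stream and return the verdicts.'''
    return {
        'aurora': score_stream(SAMPLE_AURORA_STREAM, 8081)[0],
        'http': score_stream(SAMPLE_HTTP_STREAM, 80)[0],
    }


if __name__ == '__main__':
    for name, stream, port in (('aurora', SAMPLE_AURORA_STREAM, 8081), ('http', SAMPLE_HTTP_STREAM, 80)):
        verdict, reasons = score_stream(stream, port)
        print(name, verdict, reasons)
```

Two design points worth noting. A four-character token such as WORK is itself valid Base64, so a check that ignores direction would score the server side as encoded data too; splitting the stream by direction is what makes the heuristic meaningful. The server token set is small and unencrypted, so for network detection it pairs well with a content match on the server-to-client side rather than a port-based rule alone.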
Data sent by the infected Windows host to the server looks like Base64 text.\r\nShown above:  Start of TCP stream for the post-infection traffic.\r\nShown above:  End of TCP stream for the post-infection traffic.\r\nNote the server sent WORK once, Accept multiple times and Thanks twice.\r\nShown above:  Text sent from the server to the infected Windows host.\r\nThis post-infection traffic follows patterns seen with previous examples of Aurora Stealer malware.\r\nIndicators of Compromise\r\nGoogle ad traffic to fake Notepad++ site:\r\nhxxps://www.googleadservices[.]com/pagead/aclk?\r\nsa=L\u0026ai=DChcSEwiNnNGbq9D8AhUOFdQBHYudC80YABAAGgJvYQ\u0026ohost=www.google.com\u0026cid=CAASJORocbWbOK8xihLbtr-uk4JIaGPISKgFmjK_urkXpVpd9puZOQ\u0026sig=AOD64_3UiS622EDVVxZE1kULfyg7CYIZgA\u0026q\u0026adurl\u0026ved=2ahUKEwik1sqbq9D8AhXJmGo\r\nhxxps://notopod-plos-plus[.]com/?\r\ngclid=EAIaIQobChMIjZzRm6vQ_AIVDhXUAR2LnQvNEAMYASAAEgKemfD_BwE\r\nTraffic to download the malware:\r\nhxxps://notopod-plos-plus[.]com/bsdf/file.php\r\nhxxps://obsqroject[.]com/npp.8.4.8.Installer.x64.exe\r\nAurora Stealer post-infection traffic:\r\ntcp://79.137.133[.]225:8081\r\nDownloaded Aurora Stealer malware sample available at:\r\nhttps://bazaar.abuse.ch/sample/6c365c86aa823b55235be2d7f139160bfe994a33b2d34b73de239b24bbde7391\r\nSandbox analysis of the Aurora Stealer malware:\r\nhttps://app.any.run/tasks/3998cf08-2e26-45da-8d37-f1e99aba0d3f\r\nhttps://tria.ge/230118-f1ewcaac94\r\nFinal Words\r\nCriminal groups frequently use Google ads to distribute malware.  These ads often lead to fake sites impersonating web\r\npages for legitimate software.  In some cases, these malicious files install a copy of the legitimate software and include\r\nmalware in the background.  
In other cases like this one, the files just run or install malware.\r\nIn most cases, Microsoft Defender warns victims these files are potentially dangerous.  Unfortunately, many people click\r\npast these warnings and infect their computers.\r\nHow can we best prevent these infections?  My advice is to follow best security practices and avoid ads when searching for\r\nfree software downloads on Google.\r\n----\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/29448",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/29448"
	],
	"report_names": [
		"29448"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434955,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/742f2afe4b3bf70831f4a6954beab211160b505e.pdf",
		"text": "https://archive.orkl.eu/742f2afe4b3bf70831f4a6954beab211160b505e.txt",
		"img": "https://archive.orkl.eu/742f2afe4b3bf70831f4a6954beab211160b505e.jpg"
	}
}