{
	"id": "2533b4d0-3bef-4ca5-98b6-6662171cdd94",
	"created_at": "2026-04-06T00:19:17.131674Z",
	"updated_at": "2026-04-10T13:12:22.965234Z",
	"deleted_at": null,
	"sha1_hash": "7b973fe91d26d2679403fafb8ad7e43a657f76a6",
	"title": "Malvertising Surges to Distribute Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48465,
	"plain_text": "Malvertising Surges to Distribute Malware\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 23:21:01 UTC\r\nMany intrusions and compromises start with the infection of an endpoint with malicious software (malware).\r\nMalware distribution is often centered around tricking someone into opening an executable file that purports to be\r\nbenign, such as a common software utility, but is actually malicious. One of the most common methods for\r\ndistributing malware is through spam, but there are other ways. One long-used technique to land malware on\r\nsystems saw a resurgence in December 2022.\r\n“Malvertising” is a portmanteau of malware and advertising. It involves buying search engine advertisements and\r\nplacing links in those ads that lead to malicious sites. The technique has been used by threat actors nearly as long\r\nas search-related, pay-per-click (PPC) ads have been around, but the recent surge was intense and unexpected.\r\nHere, Intel 471 explores how malvertising works, some defenses to employ against it and examples of how it was\r\nrecently leveraged to distribute malware.\r\nHow PPC Works\r\nGoogle’s PPC Ads platform is the primary medium actors use to distribute malware. Intel 471 analysts walked\r\nthrough the process of setting up a Google Ads campaign. The exercise revealed a great deal about how these\r\nactors conduct campaigns and some theories about how they obtain top search results for their advertisements.\r\nGoogle’s PPC Ads management panel has a fairly intuitive design that allows users to view their advertisement\r\ncampaign statistics at a glance. Users can view their current advertisements, keywords, recommendations,\r\nstatistics and total cost for each offer. Users must supply a URL to create an advertisement, display paths for the\r\nURL, provide a description with the offer and craft some headlines for the advertisement. 
The descriptions,\r\nheadlines and site are factored into the equation that Google uses to calculate the advertisement ranking.\r\nOnce an advertisement is created, users can set the maximum amount of money to spend on PPC for an ad.\r\nAdvertisement space is sold using a blind auction mechanism where advertisers can outbid competitors but cannot\r\nsee what others bid for advertisement space. Google’s old advertisement ranking algorithm considered only\r\nhow much advertisers bid when awarding advertisement placement rankings; the new system calculates a mix\r\nof advertisement bid price, description, headline and site checking.\r\nOnce users create an advertisement and set a bid price, they can begin using the multiple tools available on the\r\nGoogle Ads platform. Device targeting allows advertisers to set how much they want to bid on advertisements that\r\nwill be shown only on certain types of devices, such as tablets or mobile phones.\r\nCustomers can use additional targeting available in the “Audience” tab of the Google Ads panel. Users can\r\nmonitor the demographics for people who click on the advertisements, create targeted advertisements or exclude\r\ncertain demographics and target specific types of people, such as those working in financial services or hospitality.\r\nhttps://intel471.com/blog/malvertising-surges-to-distribute-malware\r\nPage 1 of 4\n\nThe platform also allows advertisers to target customers based on geolocation, in addition to audience tracking, using\r\na variety of factors that include cities, states and postcodes.\r\n[Image: Ppctargeting 2 - A screenshot of the advertiser targeting options for the Google PPC Ads platform Jan. 26,\r\n2023.]\r\nBokBot\r\nBokBot, also known as IcedID, is a banking trojan that also doubles as a downloader for additional malware. 
The\r\nactors behind the development of BokBot historically had a relationship with the Conti ransomware group and\r\nTrickbot, another type of banking malware and botnet used to distribute ransomware. During the past year, initial\r\naccess brokers (IABs) increasingly used BokBot as gateway malware for attacks in place of the now-defunct\r\nBazarLoader or Trickbot families. In December 2022 and January 2023, BokBot operators began experimenting\r\nwith the Google PPC Ads platform for distribution.\r\nThe traffic distribution system (TDS) of these BokBot campaigns uses victim and bot filtering on the landing page\r\nwhere the Google Search Ads engine points. This filtering ensures that a connecting client is not coming from a\r\nvirtual private network (VPN) IP address, makes user agent checks and follows hypertext transfer protocol\r\n(HTTP) \"GET\" header criteria. If a connection does not meet the criteria, the user is not redirected to the BokBot\r\nmalicious landing page and instead stays on the advertisement site, which may or may not be related to the\r\ntargeted app or brand. This site typically is unrelated to the campaign. Connections that meet the targeted criteria\r\nare redirected to the BokBot malicious landing page and will never see the advertisement site.\r\nA recent BokBot campaign masqueraded as an advertisement for Docker, an operating system virtualization\r\nplatform. The malicious advertisements contain typosquatted domains and appear higher than the legitimate offer\r\nfor Docker. 
Once the user clicks on the ad link, BokBot’s first typosquatting domain performs some basic bot\r\nfiltering to determine whether the viewer of the advertisement is a legitimate victim to target and not a researcher.\r\nIf the check fails based on user agent, user agent client hints or geolocation, the Docker campaign landing page\r\nwill direct the viewer to a fake tutorial on how to set up and use Docker.\r\n[Image: Dockersearchresults - A screenshot of a malicious Docker advertisement that appears before both the\r\nlegitimate Docker search results and advertisement Jan. 26, 2023.]\r\nBatLoader and EugenLoader/FakeBat\r\nMalware loaders, also called “droppers,” are the initial infections on systems, which are then used by threat actors\r\nto download other malicious code. BatLoader, identified in February 2022, is a type of loader that leverages\r\nMicrosoft software installers (.msi) and PowerShell.\r\nIntel 471 recently uncovered that two different threat actors are distributing BatLoader through different command\r\nand control (C2) infrastructures. The campaign identified as BatLoader by Mandiant in 2022 involved the\r\nexecution of .BAT files by the .MSI during install. A second campaign, however, does not involve the execution of\r\n.BAT files. Instead, that malware has an inline PowerShell script that is executed in place of the .BAT file. Due to\r\nthese differences, Intel 471 analysts have decided to rename the second campaign to EugenLoader. It is also\r\nknown as FakeBat.\r\nBecause public reporting and our own reporting blended EugenLoader and BatLoader, it is hard to identify when\r\nEugenLoader first popped up. But it was likely running as of November or December 2022. During our\r\ninvestigation into EugenLoader, we found a domain that appeared to be used as the download destination for new\r\ncampaigns. 
The root of the domain was mistakenly left open and revealed .MSI files for EugenLoader campaigns.\r\nAs seen below, the EugenLoader malware had been renamed to impersonate known software such as FileZilla,\r\nuTorrent and WinRAR, among others.\r\n[Image: Openindex - The root directory of a domain for a suspected EugenLoader campaign was left open.]\r\nDuring distribution campaigns, EugenLoader stands up domains that purport to offer legitimate popular software\r\nbut instead substitute malware for what is promised.\r\nOne of the most consistently active malvertising campaigns for EugenLoader masquerades as WinRAR, which is a\r\npopular software utility for compressing and extracting files. While other campaigns seemed to get their\r\nadvertisement to the top of the search results only intermittently, the WinRAR campaign has no such limiters. This\r\nenables the actors to trick victims into installing EugenLoader continually.\r\nEugenLoader was also distributed via a malvertising campaign that spoofed 7-Zip, which is another popular file\r\narchiving software. Using well-crafted Google search advertisements, this campaign is able to place its download\r\nlinks before the official 7-Zip download page, as observed in the image below.\r\n[Image: 7zipsearchresults 2 - Two PPC ads appear offering 7-Zip but with domains that are not related to the\r\nofficial project. This screenshot was taken during a Germany-based browsing session Jan. 19, 2023.]\r\nAnalysis\r\nUntil recently, malvertising was not a preferred initial access vector and was seldom used compared to\r\ntraditional vectors such as email spam. However, the operators behind EugenLoader were able to purchase\r\nadvertisements that consistently appeared in the first search result position on Google. 
It should be assumed it is a\r\ndangerously successful technique that has the potential to challenge malware spam (malspam) as the go-to vector\r\nfor criminals.\r\nThere are advantages and disadvantages for malware distributors to place malicious advertisements. First, an\r\nadvantage: Bad actors capture an audience that is actively seeking out a tool to download. Appearing as the first\r\nsearch result means there’s a high probability someone may click without closely looking at the domain. The\r\nsubsequent landing page then looks identical to the legitimate one, and people are likely to download and install\r\nthe tool.\r\nThis has advantages over spam, which may be caught and quarantined by security tools or sent to the spam folder,\r\nnever meeting the eyes of the potential victim. If it does reach the victim, the attacker must trick the person into\r\ntaking action, such as opening an invoice, clicking on a link or running an executable. But malvertising catches\r\npeople who want to download something and run it immediately.\r\nMalvertising doesn’t come cheap, however. PPC ads could cost as much as US $2 to US $3 per click. Because bad\r\nactors are bidding for ad space, their actions also raise the costs for legitimate advertisers. It is possible malvertisers\r\nare paying for the ads with stolen credit card information. How bad actors are paying for the ads would be another\r\nresearch avenue to pursue, which could shed light on groups behind the campaigns.\r\nIn some cases, the success of campaigns could be gauged. Some of the malicious ads directed victims to sites\r\nhosted on Bitbucket, which may show the number of downloads. One campaign showed upward of 3,000\r\ndownloads. At US $2 a click, those who placed the campaign may have paid as much as US $6,000, which shows\r\nthe attackers have financial means. 
Other types of malware seen in the campaigns included information stealers\r\nsuch as RedLine. The malware often thwarted VirusTotal submission. The file sizes were up to 700 MB, which is\r\nvery large compared to the typical size of a dropper or loader. VirusTotal has a file size limit of 32 MB (files up to\r\n200 MB may be submitted), which meant that malicious files distributed by the campaigns weren’t necessarily\r\nturning up later for analysis.\r\nThe malvertising surge, which mostly affected Google, appeared to peak in mid-January 2023 and has fallen since.\r\nThe security community has been in touch with Google regarding its findings. Several researchers contributed to a\r\nspreadsheet that tracked malvertising campaigns and the brands that were impersonated. Between Jan. 19, 2023,\r\nand Feb. 22, 2023, the spreadsheet contained examples of 584 malvertising campaigns. Also, researchers created\r\ntools such as this one by Randy McEoin that can perform searches for malvertising and this one by Michael\r\nMcDonnell that also takes screenshots of the campaigns. Hopefully, awareness has increased and defenses have\r\nbeen raised to minimize future malvertising campaigns.\r\nDefensive recommendations\r\nIntel 471 recommends customers consider deploying advertisement-blocking browser extensions such as\r\nAdBlock, Adblock Plus or uBlock Origin. These reduce exposure to\r\nGoogle PPC Ads traffic and help prevent users from being duped into attempting to install malware masquerading as a\r\nlegitimate application. Additional recommendations are to monitor for unauthorized MSIs and for the installation and\r\nrunning of unsigned executables.\r\nSpecial thanks to Jérôme Segura, senior director of threat intelligence at Malwarebytes, for help with this post.\r\nSource: https://intel471.com/blog/malvertising-surges-to-distribute-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intel471.com/blog/malvertising-surges-to-distribute-malware"
	],
	"report_names": [
		"malvertising-surges-to-distribute-malware"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434757,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b973fe91d26d2679403fafb8ad7e43a657f76a6.pdf",
		"text": "https://archive.orkl.eu/7b973fe91d26d2679403fafb8ad7e43a657f76a6.txt",
		"img": "https://archive.orkl.eu/7b973fe91d26d2679403fafb8ad7e43a657f76a6.jpg"
	}
}