{
	"id": "64665bad-b5ac-479b-be0d-bcee1635b02a",
	"created_at": "2026-04-10T03:20:51.104105Z",
	"updated_at": "2026-04-10T03:22:18.507247Z",
	"deleted_at": null,
	"sha1_hash": "93537a87b151616fa5626eeea9529731ab29845a",
	"title": "Threat Actors use Google Ads to Deploy VIDAR Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1317703,
	"plain_text": "Threat Actors use Google Ads to Deploy VIDAR Stealer\r\nBy Dave Truman, Stephen Green, George Glass\r\nPublished: 2022-12-13 · Archived: 2026-04-10 03:00:19 UTC\r\nKroll has observed threat actors abusing Google Ads to deploy malware masquerading as legitimate downloads or software that has been “cracked” or modified to remove or disable features such as copy protection or adware. As part of our analysis of this trend and threat, we have identified specifically that VIDAR malware, an information-stealing trojan, is using Google Ads to advertise spoofed domains and redirect users to fraudulent sites or malware downloads. Kroll is currently tracking the use of this tactic by ransomware groups globally, particularly groups that are assessed with medium confidence to be associated with former Conti ransomware affiliates such as Royal, Black Basta, and Hive ransomware operators. While the infection vector is the same, Zloader is typically used to deploy further malicious tooling to gain a foothold within the network during the Intrusion Lifecycle.\r\nAs an example of Kroll’s findings and analysis into this trend, we discovered a particular Google Ad that, while displaying the legitimate domain of the open-source image editing product GIMP, ultimately redirected the user to a typo-squatted domain hosting a cloned website containing malicious downloads. This is particularly interesting as the format of the advert is controlled through Google’s Ad framework. The display domain highlighted below is extracted by Google from the target URL provided by the advertiser.\r\nFigure 1: Screenshot of Malicious Ad (Source: Kroll)\r\nhttps://www.kroll.com/en/insights/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer\r\nPage 1 of 8\r\nFigure 2: Screenshot of the Typo-Squatted Domain (Source: Kroll)\r\nThe malicious domain gilimp[.]org appears to have been registered on October 17, 2022, indicating that this advert could have been live for up to 16 days at the time of our analysis.\r\nFigure 3: Whois Record for Typo-Squatted Domain (Source: Kroll)\r\nAt the time of the investigation, it was no longer possible to access the advertisement (“advert”), and the screenshots available online no longer showed the destination URL of the advert when hovered over to see the first step in the request chain, making it more difficult for Kroll to definitively determine exactly how the threat actor achieved this.\r\nKroll analyzed a binary on the malicious domain that was presented to appear as the GIMP software. The analysis showed that it was in fact VIDAR malware. Our experts were able to determine that the malware was stealing browser cookies and passwords, along with detailed system information, before sending these to a C2 IP address. The IP information for this IP address shows its geolocation as St. Petersburg in the Russian Federation.\r\nFigure 4: C2 IP Address Information (Source: Kroll)\r\nMost Likely Methodologies\r\nThe Kroll Cyber Threat Intelligence team tested a number of theories leveraging the Google Ad workflow for how “malvertising” could lead to the deployment of the VIDAR Stealer. Kroll proposed with high confidence the below two most likely scenarios based on completed research to date:\r\n1. A homoglyph attack utilizing the international domain name scheme\r\n2. Via manipulation of the tracking template URL option\r\nHomoglyph Attack\r\nThis attack method is documented by others within the Security and Incident Response communities and seems to be a favorite hypothesis shared by many, including Kroll’s researchers.\r\nFigure 5: Screenshot Showing the Setting Up of Homoglyph Attack in Google Ads (Source: Kroll)\r\nAs detailed in Figure 5, Kroll’s threat intelligence team would be able to set up an advert utilizing an international domain name that would pass most viewers’ initial inspection of the domain. If a homoglyph attack was used, it is an exceptionally effective approach with no obviously out-of-place characters.\r\nFigure 6: Zoomed In View of Ad (Source: Kroll)\r\nKroll observed that the ultimate page reached by clicking on the link was not an international domain, but a second, different typo-squatting domain. This inconsistency makes this method appear less probable since the threat actor would need to link to 2 domains via a redirect chain.\r\nHowever, there is a possibility that the threat actor did this to protect their homoglyph domain or they were aware that some web browsers will show the ASCII format domain name in the address bar (for example: xn--gmp2ub[.]org instead of gïmp[.]org), making the website appear more suspicious. Kroll's testing of this process also identified Google's automated domain checking processes, which would normally frustrate a threat actor's usage of this methodology.\r\nTracking Template URL\r\nGoogle Ads allows for the use of a tracking link that would be the first link connected to, in order to store various parameters for your advertising campaign before forwarding on to the target page. With this tracking link set, the display domain remains the domain of the target URL.\r\nFigure 7: Screenshot Showing the Setting Up of a Cross-domain Tracking Template in Google Ads (Source: Kroll)\r\nIt is possible that, by using a malicious tracking link, a threat actor could set up an advert for the legitimate gimp.org and redirect to their malicious page instead of the real page. This is currently the method Kroll assesses has been leveraged by Threat Actors in prior Intrusion Lifecycles.\r\nKroll tested this methodology using a malicious tracking template hosted on a separate domain and successfully redirected an advert click to a third domain - the video of which can be viewed here. The setup used the process described in the official Google documentation for cross-domain redirects.\r\nFigure 8: Screenshot of Active Advert Setup using Cross-domain Tracking Template (Source: Kroll)\r\nBy utilizing a custom PHP script on the tracking domain, we were then able to redirect traffic to a proof-of-concept domain instead of the legitimate website. There is some automated checking performed by Google to detect incorrect redirecting; however, this was circumvented with minimal effort. It is likely this automated checking is designed to detect mistakes rather than this specific methodology.\r\nAdditional Methodologies\r\nOur team also explored a series of less likely scenarios:\r\n1. A configuration setting within the Google Ads system allowing the ability to specify a different target domain to display domain, either legitimately allowed or via a bug\r\n2. Use of an open redirect on the gimp.org site\r\n3. A bug in URL validation processes allowing for manipulation of display\r\nConfiguration Setting\r\nTo date, our team has been unable to produce a combination of settings in the Google Ads interface that would allow a different display domain from the target domain.\r\nUse of Open Redirect\r\nThe Google Ads system extracts the domain it displays in the advert from the Final URL field. If an open redirect were present on the gimp.org website and being used as the Final URL, “gimp.org” would be displayed. It is not possible to test whether Google Ads would detect this without an open redirect vulnerability being present to use in the test.\r\nFigure 9: Screenshot Showing Hypothetical Setup of Attack Using an Open Redirect (Source: Kroll)\r\nFor this to work, there would have to be an open redirect vulnerability on the gimp.org website; additionally, the aforementioned redirection validation checks performed by Google would need bypassing.\r\nValidation Bug\r\nIt is conceivable that a bug in the validation of inputs might have allowed the manipulation of the advert and target domain. Our team tried numerous strategies to see what resulted as controlled tests. All tests were caught by server-side validation. However, they were successful in changing the display of the preview advert to not reflect the target domain.\r\nFigure 10: Screenshot Showing an Attempt to Manipulate the URL to Display Incorrectly (Source: Kroll)\r\nGoogle Review\r\nAs mentioned earlier, Google has a review process for adverts. Changes to the advert, including changing the domain or tracking link, will take the advert offline and require further review.\r\nImpact\r\nNow that this attack has been documented on various websites, it is very likely that other actors will attempt this technique because it can effectively turn any website into a watering hole attack, conveniently placing their malicious website at the top of the Google Search results.\r\nWhile it is particularly dangerous for sites that provide software for download, it could easily be expanded for other purposes. For example, a clone of a login page of a legitimate domain could be hosted for credential harvesting.\r\nKroll Recommendations\r\nInform and educate personnel of this current attack methodology, making them aware of the dangers of downloading executables from websites that have not been verified as legitimate, particularly in relation to executables found after clicking through any form of online advertising.\r\nWhere possible, restrict staff from downloading executables, a feature of many web-filtering-capable proxy servers.\r\nRequire all installs to be performed by information technology staff from vetted binary repositories.\r\nEmploy endpoint detection and response (EDR) and next-generation anti-virus (NGAV) tools across all endpoints within the environment.\r\nLearn more about Kroll’s end-to-end cyber security services or call our Cyber Incident Response Hotline to request immediate assistance.\r\nSource: https://www.kroll.com/en/insights/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer"
	],
	"report_names": [
		"threat-actors-google-ads-deploy-vidar-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775791251,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93537a87b151616fa5626eeea9529731ab29845a.pdf",
		"text": "https://archive.orkl.eu/93537a87b151616fa5626eeea9529731ab29845a.txt",
		"img": "https://archive.orkl.eu/93537a87b151616fa5626eeea9529731ab29845a.jpg"
	}
}