{
	"id": "fab8a0b7-a092-42f3-a8cf-3cdfdbe75436",
	"created_at": "2026-04-06T00:19:47.925429Z",
	"updated_at": "2026-04-10T03:21:05.977869Z",
	"deleted_at": null,
	"sha1_hash": "ca047d51906d54a3762a3a8b1dfd125d756ab147",
	"title": "Threat actor impersonates Google via fake ad for Authenticator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 372703,
	"plain_text": "Threat actor impersonates Google via fake ad for Authenticator\r\nBy Jérôme Segura\r\nPublished: 2024-07-30 · Archived: 2026-04-05 16:54:40 UTC\r\nWe have previously reported on the brand impersonation issue with Google ads: users who search for popular\r\nkeywords are shown malicious ads that purport to be from an official vendor.\r\nNot only does this trick innocent victims into downloading malware or losing their data to phishing sites, it also\r\nerodes trust in brands and by association in Google Search itself.\r\nToday, we show yet another example of brand misuse, except that this one targets Google itself. If you were trying\r\nto download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the\r\npast few days, you may have inadvertently installed malware on your computer.\r\nA similar distribution site and the same payload were previously discovered by sandbox maker AnyRun. In this\r\nblog post, we will reveal the missing piece at the top of the killchain, namely the Google ad that was involved in\r\ntricking users into visiting a decoy website.\r\nTrust, but ‘verified’?\r\nThe core issue with brand impersonation comes from ads that appear as if they were from official sources and\r\nadvertisers’ identities verified by Google. This was the case here with this ad for Authenticator:\r\nhttps://www.malwarebytes.com/blog/threat-intel/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator\r\nPage 1 of 8\n\nThe truth is Larry Marr has nothing to do with Google, and is likely a fake account. We can follow what happens\r\nwhen you click on the ad by monitoring web traffic. 
We see a number of redirects via intermediary domains\r\ncontrolled by the attacker, before landing on a fake site for Authenticator.\r\nFake site leads to signed payload hosted on GitHub\r\nThe fraudulent site chromeweb-authenticators[.]com was registered via NICENIC INTERNATIONAL GROUP\r\nCO., LIMITED on the same day as the ad was observed.\r\nLooking at the site’s source code, we can see the code responsible for downloading Authenticator.exe from\r\nGitHub. Note the comments from the author in Russian:\r\nHosting the file on GitHub allows the threat actor to use a trusted cloud resource, unlikely to be blocked via\r\nconventional means. While GitHub is the de facto software repository, not all applications or scripts hosted on it\r\nare legitimate. 
In fact, anyone can create an account and upload files, which is exactly what the threat actor did\r\nunder the username authe-gogle, creating the authgg repository that contains the malicious Authenticator.exe:\r\nLooking at the file itself, we can see that it has been digitally signed by “Songyuan Meiying Electronic Products\r\nCo., Ltd.” just one day before, and the signature is still valid at the time of writing:\r\nThe malware, DeerStealer, is a kind of stealer that will grab and exfiltrate your personal data via an attacker-controlled website hosted at vaniloin[.]fun.\r\nConclusion\r\nThreat actors have been abusing Google ads as a way to trick users into visiting phishing and malware sites. Since\r\nthe whole premise of these attacks relies on social engineering, it is absolutely critical to properly distinguish real\r\nadvertisers from fake ones.\r\nAs we saw in this case, some unknown individual was able to impersonate Google and successfully push malware\r\ndisguised as a branded Google product as well.\r\nWe should note that Google Authenticator is a well-known and trusted multi-factor authentication tool, so there is\r\nsome irony in potential victims getting compromised while trying to improve their security posture. 
We\r\nrecommend avoiding clicking on ads to download any kind of software and instead visiting the official\r\nrepositories directly.\r\nMalwarebytes blocks access to the fake Authenticator website, and we detect the payload as Spyware.DeerStealer.\r\nIndicators of Compromise\r\nMalicious domains\r\nvcczen[.]eu\r\ntmdr7[.]mom\r\nchromeweb-authenticators[.]com\r\nchromeweb-authenticatr[.]com\r\nkejip[.]com\r\nPayloads (DeerStealer)\r\n5d1e3b113e15fc5fd4a08f41e553b8fd0eaace74b6dc034e0f6237c5e10aa737\r\nb83fad3d2b0e83e565d23c914b06ac2934258616d55d211fe78032c918f814dc\r\nC2s\r\nvaniloin[.]fun\r\nmundoparachicas[.]space\r\nSource: https://www.malwarebytes.com/blog/threat-intel/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intel/2024/07/threat-actor-impersonates-google-via-fake-ad-for-authenticator"
	],
	"report_names": [
		"threat-actor-impersonates-google-via-fake-ad-for-authenticator"
	],
	"threat_actors": [],
	"ts_created_at": 1775434787,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca047d51906d54a3762a3a8b1dfd125d756ab147.pdf",
		"text": "https://archive.orkl.eu/ca047d51906d54a3762a3a8b1dfd125d756ab147.txt",
		"img": "https://archive.orkl.eu/ca047d51906d54a3762a3a8b1dfd125d756ab147.jpg"
	}
}