{
	"id": "96113b93-637f-4cde-a9ae-4070e6154620",
	"created_at": "2026-04-06T00:12:43.803236Z",
	"updated_at": "2026-04-10T13:12:36.734717Z",
	"deleted_at": null,
	"sha1_hash": "f97072a2b2b99c9da85999c1ac8cb954e18fc9c9",
	"title": "“MasquerAds” — Google’s Ad-Words Massively Abused by Threat Actors, Targeting Organizations, GPUs and Crypto Wallets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7572667,
	"plain_text": "“MasquerAds” — Google’s Ad-Words Massively Abused by Threat\r\nActors, Targeting Organizations, GPUs and Crypto Wallets\r\nBy Nati Tal, December 28, 2022 • 9 min read\r\nArchived: 2026-04-05 14:02:53 UTC\r\nThreat actors masquerAd-ing their malicious sites in the Google Ads flow\r\nThe Google-Ads Point of View\r\nThe Google Ads advertisement platform is highly reputable and probably one of the most used in the world — and there is a good reason for that. We are all used to getting not only effective and relevant ads from it, but usually also to quickly navigating to the sites we were looking for.\r\nLet’s say you search for Grammarly to finally get rid of all those typos. You will write “Grammarly” in the search bar, press Enter, and quickly get the official (probably promoted) Grammarly website at the top of the search results page. Easy. And this is also how Google sees it — they get a bid on a keyword linked to an advertisement landing page. The advertiser is a valid customer? The advertised site is legit? No probs — you got your ad placed!\r\nA standard promoted search results ad campaign from the Google Ads perspective\r\nLooking into this simple flow from a wider perspective, and taking into account anomalies in the behavior of both site hosts and visitors, led us to uncover many malicious malware-spreading campaigns of many purposes and\r\nhttps://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e\r\nPage 1 of 12\n\nsources — propagating solely using the Google Ads platform. A concept with such powerful outcomes that it has already got the FBI’s attention.\r\nBrands, ad words, and reputable search engines in the hands of threat actors\r\nA Simple Trick for Getting Under the Google-Ads Radar\r\nThe trick is simple — creating a benign site to be promoted with the wanted keyword and keeping it valid and safe in the eyes of the policy enforcer. 
Yet, the moment those “disguised” sites are visited by targeted visitors (those who actually click on the promoted search result), the server immediately redirects them to the rogue site and from there to the malicious payload — usually also hiding inside reputable file-sharing and code-hosting services like GitHub, Dropbox, Discord’s CDN, etc.\r\nAnd what actually happens under the Google-Ads Radar\r\nThose rogue sites are practically invisible to visitors not arriving through the real promotional flow (i.e. those arriving with a valid gclid value), showing up as benign, unrelated sites to crawlers, bots, occasional visitors, and of course to Google’s policy enforcers. Some examples of such flows, active during December 2022, can be seen here — showing on the left the masked site Google is actually advertising, while on the right you see the actual phishing site ad-clickers are being redirected to:\r\nPhishing America First Bank customers / spreading malware with uTorrent, Audacity and Brave brands\r\nTo dive deep into the technical details of this scheme, the following is a real sample flow targeting Grammarly as observed in the wild in late November 2022. The promoted search result sends you to the domain grammalry[.]org, which is an advertisement for “Christian Heating and Air-Conditioning”, yet only for those who visit it directly. If you clicked on that promoted search result, you generate a unique click ID (Google’s Click ID, or gclid) that is checked by the threat actor and, if valid (and it is valid only once!) 
together with other params like the visitor's geo-location, user-agent, etc., it will forward you to the malicious Grammarly phishing page under the domain gramm-arly[.]com.\r\nNote that the forwarding is done on the server side, hidden from Google as well as from the visitor, who will never get to see the “masquerAd” site — only the actual phishing page:\r\nFrom searching to download Grammarly to downloading and installing a malicious payload\r\nThe Gramnarly Malware — A Raccoon Stealer Variant\r\nNo, it wasn’t a typo… gramnarly[.]com is just one of the Grammarly-branded phishing pages out there. And no, they don’t wait for someone to misspell the domain name (wishing they had Grammarly in the first place). All that is needed is to bid on the Grammarly ad word and create a “masquerAd” flow:\r\nGrammarly branded masquerAd flows\r\nNow that those threat actors don’t need to waste time and effort on reaching the most relevant targets (well, Google does that for them), they can put more effort into their malicious payload. And indeed, in this campaign, the Grammarly payload is not the simple stealer that is quickly detected by common protection mechanisms. Some of the more interesting characteristics we've seen include:\r\nBundled with the actual software — Installing the Grammarly-branded malware will actually install a copy of Grammarly. It is of course bundled with another executable that does all the black magic silently.\r\nBloated Files — the installation executable (or the container zip in other variants) is full of bloated zeroed files just to make the file bigger than automated malware analysis systems' maximum allowed size, usually 500MB and above. 
Also, keeping less than 1% of the code fingerprintable as malicious code snippets is another great way to evade detection. Dynamic execution is the most effective way to actually see that something is bad here — and we will hardly see any of the current protection vendors execute these huge files automatically.\r\nChanging Payloads Periodically — because of the smaller scale, it is feasible to actually re-create the payloads every day with minor changes, using different malicious payloads such as stealers, crypto miners, and the like. So one day you download a Raccoon stealer from a Dropbox folder, and the next day it’s a Vidar stealer in an executable MSI file from a Discord CDN server.\r\nEven for VirusTotal, it took several days after our submission to get more than a few heuristic detections:\r\nGrammarly.exe as downloaded from grammartly[.]org\r\nCurrent VirusTotal report here:\r\nhttps://www.virustotal.com/gui/file/3baf692a1589355af206f4e3886a09fe8997f0b62c78c1403556285eaba40e94/detection\r\nVermux — Scaled-Up GPU-Targeted Operation\r\nThe most scaled-up campaign abusing this technique for propagation is undoubtedly the GPU-targeted threat actor we labeled Vermux. 
Vermux targets any computer that has or might have GPU hardware, and does that by targeting relevant brands of software tools or drivers that are popular with users of such PCs.\r\nAt the top of the list is the keyword “Afterburner”, referring to the MSI Afterburner graphics card tool, as can be seen in these genuine search results made from the Central USA area — showing how the adBuffer domain afterbern[.]live shows up at the top of the list:\r\nGenuine search results showing the promoted masquerAd site afterbern[.]live\r\nAfterburner is used by many gamers as well as graphic designers to control, overclock and make the most out of their GPU. Vermux is after exactly that GPU, but for another reason — cryptocurrency mining. And indeed, clicking on the promoted search result seen above will eventually redirect you to the hidden malicious site that looks exactly like the original:\r\nCan you tell the difference? (The fake one is on the right)\r\nThe MSI Afterburner campaign’s payload was noticed by researchers a few weeks ago, notable for how hard it is to detect. By fully understanding this elusive masquerAd-ing propagation technique, we were able to uncover the full extent and versatility of Vermux — reaching far beyond just this one fake Afterburner installer.\r\nVermux deployed hundreds of domains, “masquerAd” sites as well as phishing pages, on servers located mostly in Russia, serving rogue ads mainly to US and Canadian residents. This threat actor abuses a vast list of brands and keeps on evolving.\r\nThe main attack vector is hunting down those GPUs. Here are some examples of adBuffer flows active during November-December 2022. 
First, the popular MSI Afterburner as we’ve seen above:\r\nVermux MSI Afterburner flows\r\nAnother well-known brand popular with GPU owners is the open-source 3D editing and rendering software “Blender”:\r\nmasquerAd flows targeting Blender users\r\nAdding to the above, Vermux works on other vectors to make even more profit — some targeting your crypto wallets and passwords, some targeting other popular tools through which Vermux can gain control — and some going directly to your trading or bank accounts:\r\nSome more examples of masquerAd-ing flows operated by Vermux\r\nVermux Malware Payload — Served Freely on GitHub\r\nVermux’s payload is mostly built on the Vidar trojan for control, plus a proprietary compilation of Python-based Monero mining software. The files follow the rules we’ve noted before, making them evasive and hard to detect. Vermux not only abuses the reputation and propagation power of Google Ads, but also abuses the reputation of known file-sharing services and code repositories like Bitbucket, GitHub, Dropbox, OneDrive, etc. 
Here are some examples of such repos discovered on GitHub:\r\nMyNameisVermux Public Repository on GitHub\r\nThe above is a repo plainly called sofwarefree, where the user Dor4il135 uploaded different “malwarized” installation packages for Slack, OBS, Blender, and even Norton Antivirus (18.exe).\r\nDor4il135 Public Repository on GitHub\r\nThe last is one of Dor4il135’s own repos, active for over a month and now finally taken down. A month is a lot of time, serving different types of software bundled with Vidar and other malware variants, updated almost daily with newer versions — mostly to change binary footprints to avoid detection.\r\nSummary\r\nSecurity is an issue of trust — thus, we constantly rely upon trusted, reputable vendors in our daily endeavors over the web. No one is perfect though, and there are probably more bad actors looking to exploit those security loopholes than we can imagine. Here we see exactly that — the constant rat race between the companies behind those powerful advertisement systems, global content delivery, and security infrastructures and those evasive actors that find a way to sneak under the radar and exploit the trust of others for their own gain.\r\nThis “masquerAd” concept is simple yet does exactly what those actors need — abusing the trust we sometimes blindly give to Google and its promoted search results. Adding to the above, the abuse of reputable file-sharing services as well as well-known software brands makes them evade even the most advanced EDRs on the market. 
It is inevitable that we apply a more behavioral and unbiased level of protection — even for the plainest and most common action, like googling something up…\r\nDon’t get fooled by misspelled domain names, and always double-check where you download your files from!\r\nSource: https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e"
	],
	"report_names": [
		"masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f97072a2b2b99c9da85999c1ac8cb954e18fc9c9.pdf",
		"text": "https://archive.orkl.eu/f97072a2b2b99c9da85999c1ac8cb954e18fc9c9.txt",
		"img": "https://archive.orkl.eu/f97072a2b2b99c9da85999c1ac8cb954e18fc9c9.jpg"
	}
}