Virus in advertising: criminals disguise malware in Google Ads

Virus in advertising: criminals disguise malware in Google Ads

It is undeniable the increase of cyberattacks in the last couple of years, and the strategies of criminals continue to adapt their skills to less suspicious environments and be able to access privileged data from our accounts or devices. Now, it is the advertising platform of Google which is the center of the alerts.


The cybersecurity firm ESET has detected in Southeast Asia a scam mode based on fraudulent Google Ads campaigns that distribute the FatalRAT Trojan on computers that click on certain ads.

In report shared on Twitter from ESET’s research account highlights targets distributed throughout this area of the world, focusing on China, Taiwan, Hong Kong, Malaysia, Japan, Philippines, Thailand, Singapore, Indonesia and Burma.

“Unknown attackers created fake websites that look identical to those of popular applications such as Firefox, WhatsApp or Telegram; but, in addition to providing the legitimate software, they also deliver FatalRAT, a remote access Trojan that gives the attacker control of the victim computer.” ESET highlights in the report.

Following the publication of this finding, the ads were removed in the Google Ads system.

Malware via Google Ads

According to the research, attackers leverage Google Ads to appear in the search engine as a featured result when users search for popular applications and their installers.

In addition to those previously mentioned, ESET notes that Google Chrome, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao and WPS Office are the brands with the highest recurrence in searches.

The report claims that the URLs used by criminals contain some intentional misspellings to “look like” legitimate domains to deliver an installer file with the FatalRAT malware, a remote access Trojan documented since August 2021.

Once installed, this malicious code gains full control of the infected computer and includes executing commands and files, as well as collecting data from browsers and capturing everything we type on the keyboard.

“It is possible that the attackers are solely interested in stealing information such as web credentials to sell on underground forums or use for another type of crimeware campaign.” ESET clarifies, “but for now specific attribution of this campaign to a known or new threat actor is impossible.”

Kayleigh Williams