Keypoints
- Malicious sponsored results on Google were used to target system administrators with fake installers for common utilities (PuTTY and FileZilla).
- Traffic is routed through cloaking pages that either redirect to decoys (or a Rick Astley video) or to convincing lookalike sites that host the payload.
- The delivered payload is Nitrogen, which leverages signed Python setup.exe to DLL sideload python311.dll, enabling execution under a legitimate binary.
- Nitrogen establishes C2 communications (observed C2 IPs) to perform data theft and has been associated with follow-on deployment of BlackCat/ALPHV ransomware.
- Indicators published include cloaking domains, multiple lookalike domains, payload URLs, SHA256 hashes, and C2 IP addresses for detection and blocking.
- The campaign was reported to Google but remained active; defenders are advised to block ad networks, enforce DNS filtering, and use EDR to detect DLL sideloading.
MITRE Techniques
- [T1189] Drive-by Compromise โ Malvertising and search ads deliver the initial web-based lure leading to payload hosting and downloads (โThe initial intrusion starts from a malicious ad displayed via Google search.โ).
- [T1583.001] Acquire Infrastructure: Domain Registration โ Actors use registered lookalike and typosquatted domains to host decoy and malicious installers (โLookalike sites: file-zilla-projectt[.]org, puuty[.]orgโ).
- [T1204.002] User Execution: Malicious File โ Victims are socially engineered into downloading and executing installers masquerading as PuTTY/FileZilla (โVictims are tricked into downloading and running the Nitrogen malware masquerading as a PuTTY or FileZilla installer.โ).
- [T1574.002] Hijack Execution Flow: DLL Side-Loading โ The campaign abuses a signed Python setup.exe to load a malicious python311.dll (Nitrogen) via sideloading (โsetup.exe (from the Python Software Foundation) sideloads python311.dll (Nitrogen).โ).
- [T1071.001] Application Layer Protocol: Web Protocols โ Malware communicates with remote command-and-control over web protocols to receive commands and exfiltrate data (โNitrogen C2s: 94.156.65[.]98 94.156.65[.]115โ).
- [T1486] Data Encrypted for Impact โ Post-compromise activity includes data theft and potential deployment of ransomware such as BlackCat/ALPHV (โNitrogen is used by threat actors to gain initial access to private networks, followed by data theft and the deployment of ransomware such as BlackCat/ALPHV.โ).
Indicators of Compromise
- [Cloaking domains] used in ad redirects โ kunalicon[.]com, inzerille[.]com
- [Lookalike domains] impersonating utilities โ file-zilla-projectt[.]org, puuty[.]org (and other typosquat domains)
- [Payload URLs] hosting Nitrogen installers โ amplex-amplification[.]com/wp-includes/FileZilla_3.66.1_win64.zip, newarticles23[.]com/wp-includes/putty-64bit-0.80-installer.zip
- [SHA256 hashes] of Nitrogen payloads โ ecde4ca1588223d08b4fc314d6cf4bce82989f6f6a079e3eefe8533222da6281, 2037ec95c91731f387d3c0c908db95184c93c3b8412b6b3ca3219f9f8ff60945 (and 1 more hash)
- [C2 IPs] command-and-control servers โ 94.156.65[.]98, 94.156.65[.]115
- [File names] used in sideloading chain โ setup.exe (signed Python installer), python311.dll (malicious Nitrogen DLL)
The campaign begins with malicious Google-sponsored search ads that point targets to cloaked redirectors or directly to lookalike download pages for PuTTY/FileZilla. The infrastructure performs traffic validation and cloaking (redirecting researchers or bots to decoys, sometimes a Rick Astley video), then serves convincing counterfeit pages that host ZIP installers containing the Nitrogen DLL payload.
Execution relies on DLL sideloading: a legitimate, signed Python setup.exe is bundled with or executed alongside a malicious python311.dll, allowing Nitrogen to run under a trusted binary. Once executed, Nitrogen contacts remote C2 servers (observed IPs 94.156.65[.]98 and 94.156.65[.]115) using web protocols to receive commands, exfiltrate data, and stage additional actions.
Defenders should block known cloaking and lookalike domains, blacklist the identified payload URLs and hashes, monitor for abnormal use of signed installers launching unexpected DLLs (python311.dll), and use EDR telemetry to detect DLL side-loading and C2 communications to the listed IPs to prevent escalation to data theft and BlackCat/ALPHV ransomware deployment.