SEO poisoning campaigns are increasingly used to serve malvertising and deliver commodity malware via manipulated search results, demonstrated by a Blender 3D example where malicious ads appear at the top before the legitimate site. Attackers rotate domains and delivery methods (Dropbox, Discord) to broaden reach, mask infrastructure behind CloudFlare, and exploit popular downloads lacking strong brand protection. #Blender3D #SEOpoisoning
Keypoints
- SEO poisoning is a rising method for delivering crimeware via malicious search ads targeting popular software.
- In the Blender 3D case, three malicious ads appeared before the legitimate Blender.org site, indicating automated, scalable operations.
- Malicious domains include blender-s.org, blendersa.org, and blender3dorg.fras6899.odns.fr, which imitate legitimate sites.
- The downloads are hosted on Dropbox links (e.g., blender.zip) and sometimes delivered via Discord, showing multiple delivery channels.
- The downloaded Blender.exe is signed with an invalid AVG Technologies certificate, suggesting certificate abuse.
- SHA1 hashes and file names (blender.zip, Blender.exe, blender-3.4.1-windows-x64.zip, blender.iso) identify the payload artifacts and the ISO contents.
- CloudFlare was used to hide or protect the attacker infrastructure, with warnings shown to new visitors; the activity has been tied to other software-themed campaigns run by the same actors.
MITRE Techniques
- [T1189] Drive-by Compromise - SEO poisoning leading to malicious advertisements is the rising star in today's crimeware malware delivery methods. Quote: "SEO poisoning leading to malicious advertisements are the rising star in today's crimeware malware delivery methods."
- [T1036] Masquerading - The malicious blender-s site contains a download link for "Blender 3.4"; however, the download is delivered through a Dropbox URL rather than blender.org. Quote: "The top results, blender-s.org is a near exact copy of the legitimate Blender domain."
- [T1105] Ingress Tool Transfer - Downloads are delivered via remote hosting services (Dropbox links and Discord), not directly from the legitimate site. Quote: "the download is delivered through a Dropbox URL rather than blender.org"
- [T1116] Code Signing - The Blender.exe file is signed by an invalid certificate belonging to AVG Technologies USA, LLC. Quote: "The Blender.exe file is signed by an invalid certificate belonging to AVG Technologies USA, LLC."
Indicators of Compromise
- [Domain] - blender-s.org, blendersa.org, and blender3dorg.fras6899.odns.fr - Malicious domains used in the campaigns.
- [URL] - https://www.dropbox[.]com/s/pndxrpk8zmwjp3w/blender.zip, https://www.dropbox[.]com/s/fxcv1rp1fwla8b7/blender.zip, https://cdn.discordapp[.]com/attachments/1001563139575390241/1064932247175700581/blender-3.4.1-windows-x64.zip - Download locations linking to payloads.
- [SHA1] - 43058fc2e4dfa2d8a9108da51186e35b7d49f0c6, fddc43c67773ba9d36a309074e414316667ef368, f8caaca7c16a080bb2bb9b3d850d376d7979f0ec, 069588ff741cc1cbb50e98f66a4bf9b4c514b957, f00c1ded3d8b42937665da3253bac17b8f5dc2d3, 53b7bbde90c22e2a7965cb548158f10ab2ffbb24
- [File] - blender.zip, Blender.exe, blender-3.4.1-windows-x64.zip, blender-3.4.1-windows-x64.iso - Payload artifacts and distribution archives.
- [C2] - 74.119.194.167 - Command-and-control-related indicator mentioned for the campaign.
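As an added example (not code from the original write-up), the following Python triage classifies landing domains and download URLs from ad-click or proxy logs against the pattern described above: a brand-string lookalike domain that hands the download off to a file-sharing host instead of blender.org. The allowlist, the crude eTLD+1 helper and the sample records are assumptions constructed for this example.

```python
from urllib.parse import urlparse

BRAND = "blender"
LEGIT_DOMAINS = {"blender.org"}                    # assumed allowlist for the brand
FILE_SHARING = {"dropbox.com", "discordapp.com"}   # hand-off hosts named in the write-up


def _refang(s):
    """Undo the [.] / hxxp defanging used in indicator lists."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def _registrable(host):
    # Crude eTLD+1 (last two labels); enough for the hosts on this page.
    # A real deployment should use the Public Suffix List instead.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_legit(host):
    h = _refang(host).lower()
    return any(h == d or h.endswith("." + d) for d in LEGIT_DOMAINS)


def classify_domain(host):
    """'legit', 'lookalike' (brand string inside a non-allowlisted name) or 'unrelated'."""
    h = _refang(host).lower()
    if is_legit(h):
        return "legit"
    if BRAND in h.replace("-", ""):   # blender-s.org, blendersa.org, blender3dorg.fras6899...
        return "lookalike"
    return "unrelated"


def classify_download(url):
    """'first-party', 'file-sharing' (Dropbox / Discord CDN hand-off) or 'third-party'."""
    host = urlparse(_refang(url)).hostname or ""
    if is_legit(host):
        return "first-party"
    if _registrable(host) in FILE_SHARING:
        return "file-sharing"
    return "third-party"


def triage(records):
    """records: iterable of (landing_domain, download_url). Returns the suspicious pairs."""
    hits = []
    for landing, url in records:
        d, dl = classify_domain(landing), classify_download(url)
        if d == "lookalike" or (d != "legit" and dl == "file-sharing"):
            hits.append({"landing": landing, "domain": d, "download": dl})
    return hits


# Constructed sample built from the indicators in this write-up (blender.org path is assumed).
SAMPLE = [
    ("blender-s.org", "https://www.dropbox[.]com/s/pndxrpk8zmwjp3w/blender.zip"),
    ("blender3dorg.fras6899.odns.fr", "https://cdn.discordapp[.]com/attachments/1001563139575390241/1064932247175700581/blender-3.4.1-windows-x64.zip"),
    ("www.blender.org", "https://www.blender.org/download/"),
]
```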