“Extensive Google Ads Campaign Targets Utility Software”

Threat actors are using deceptive Google Ads that impersonate real businesses to deliver infostealer payloads for both Windows and macOS via redirection chains, cloaking, and decoy sites. Mac infections are linked to the AMOS/OSX.Poseidon family while Windows payloads resemble Rhadamanthys; payloads and delivery scripts are hosted on domains like creativekt[.]com and on GitHub. #OSX.Poseidon #Rhadamanthys

Keypoints

  • Malicious Google Ads impersonate legitimate companies to push fake software downloads targeting utility apps such as Slack and Notion.
  • Threat actors create advertiser identities tied to real businesses and use cloaking/fingerprinting to evade detection.
  • Delivery uses redirection chains, click trackers, decoy sites, and platform-hosted payloads (GitHub for Windows; creativekt[.]com PHP scripts for Mac).
  • Windows payloads are likely Rhadamanthys infostealers; macOS installers are AMOS/Atomic Stealer variants detected as OSX.Poseidon.
  • Attackers inflate Windows binaries to hinder sandbox analysis and exfiltrate harvested credentials as zip archives to remote servers in Russia.
  • Researchers validated redirects from ads, reported advertisers to Google, and recommend blocking ads or using browser protection tools.

MITRE Techniques

  • [T1566] Phishing – Deceptive ads are used to lure victims into downloading malware. (‘malware disguised as software downloads’)
  • [T1203] Malicious Link – Ads and trackers redirect users to malicious hosting sites and decoy pages that deliver payloads. (‘Ads redirect users to malicious sites that host malware.’)
  • [T1003] Credential Dumping – Infostealer payloads harvest stored passwords and secrets from files, browsers, extensions and apps. (‘Malware collects passwords and other sensitive information from infected systems.’)
  • [T1071] Command and Control – Stolen data and archives are uploaded to remote servers and the malware communicates with C2 infrastructure. (‘Malware communicates with remote servers to exfiltrate stolen data.’)

Indicators of Compromise

  • [Malicious hostnames] Ad landing pages and payload hosting – creativekt[.]com, slack[.]designexplorerapp[.]net, and 5 more hostnames
  • [Malicious download URLs] Mac download scripts – creativekt[.]com/macdownloads/script_6703ea1fc058e8.92130856.php, creativekt[.]com/macdownloads/clockify_mac.php
  • [GitHub repositories] Windows payload hosting – github[.]com/09shubin/asdjh23/releases/download/nhehhh34/, github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/
  • [Payload hashes – Windows] Infostealer binaries – 9c8dadbb45f63f…, 2b587ca6eb1af1…, and 6 more hashes
  • [Payload hashes – Mac] macOS infostealer installers – b55f2cb39914d84a4aa5de2f770f1eac3151ca19, 9dc9c06c73d1a69d746662698ac8d8f4669cde4b
  • [Command and control IPs] Exfiltration/C2 servers – 85.209.11[.]155, 193.3.19[.]251

Attack flow: actors create advertiser profiles that mimic real companies, publish sponsored search ads carrying branding and plausible descriptions, then use a layered redirection chain (click trackers, cloaking/fingerprinting, and decoy pages) to profile visitors and avoid automated detection. Victims who follow the ad are funneled to decoy sites that prompt fake installers; Windows installers were hosted via GitHub repositories while macOS installers used PHP scripts on creativekt[.]com such as creativekt[.]com/macdownloads/script_6703ea1fc058e8.92130856.php and creativekt[.]com/macdownloads/clockify_mac.php.

Payload behavior and hosting: Windows binaries were inflated to evade sandbox analysis and match characteristics of Rhadamanthys infostealers; associated hashes include 9c8dadbb45f63fb07fd0a6b6c36c7aa3…. Mac installers are AMOS/Atomic Stealer–derived infostealers detected as OSX.Poseidon; they harvest stored passwords and secrets from file systems, browsers, extensions and apps, then bundle the results into zip archives for upload to remote servers (C2s reported at 85.209.11[.]155 and 193.3.19[.]251).

Investigation and mitigation: analysts validated ad redirects from multiple geographic locations and browser profiles to reproduce the chain, reported malicious advertisers to Google, and mapped hosting infrastructure (creativekt domain + GitHub repos). Recommended defenses include blocking or filtering sponsored results, using ad-blocking/browser-guard tools, and detecting indicators such as the listed domains, download URLs, payload hashes, and C2 IPs for proactive network and endpoint controls.
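Detection logic for the last recommendation, as an added example that is not part of the original summary or the Malwarebytes report: it refangs the indicators listed above, matches them against constructed proxy log lines (the client addresses, timestamps and the Setup.exe file name are invented), flags subdomains of listed hosts, and ignores unrelated GitHub traffic.

```python
from urllib.parse import urlsplit

def refang(value: str) -> str:
    """Turn a defanged indicator ('creativekt[.]com', 'hxxp') back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")

# Indicators copied from the summary above (defanged), refanged once at load time.
HOSTS = {refang(h) for h in ("creativekt[.]com", "slack[.]designexplorerapp[.]net")}
IPS = {refang(i) for i in ("85.209.11[.]155", "193.3.19[.]251")}
PATHS = {refang(p) for p in ("creativekt[.]com/macdownloads/script_6703ea1fc058e8.92130856.php",
                             "creativekt[.]com/macdownloads/clockify_mac.php")}
GITHUB = tuple(refang(g) for g in ("github[.]com/09shubin/asdjh23/releases/download/nhehhh34/",
                                   "github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/"))

def host_reason(host: str):
    """Match a listed C2 IP, a listed host, or any subdomain of a listed host."""
    host = host.lower().rstrip(".")
    if host in IPS:
        return "c2-ip"
    if any(host == h or host.endswith("." + h) for h in HOSTS):
        return "ioc-host"
    return None

def classify_url(url: str):
    """Return a reason string if the URL hits an indicator, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    full = host + parts.path
    if full in PATHS:
        return "mac-download-script"
    if full.startswith(GITHUB):  # only the listed release paths, not all of GitHub
        return "windows-github-payload"
    return host_reason(host)

# Constructed sample proxy log (time, client, method, url); not taken from the report.
SAMPLE_LOG = """\
2024-10-15T09:12:01Z 10.0.0.12 GET https://www.slack.com/downloads
2024-10-15T09:12:44Z 10.0.0.12 GET https://slack.designexplorerapp.net/download
2024-10-15T09:13:02Z 10.0.0.12 GET https://creativekt.com/macdownloads/clockify_mac.php
2024-10-15T09:14:10Z 10.0.0.31 GET https://github.com/09shubin/asdjh23/releases/download/nhehhh34/Setup.exe
2024-10-15T09:20:55Z 10.0.0.31 POST http://85.209.11.155/upload
2024-10-15T09:21:00Z 10.0.0.40 GET https://github.com/python/cpython/releases
"""

def scan_log(text: str):
    """Return (client, reason, url) for every log line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and (reason := classify_url(fields[3])):
            hits.append((fields[1], reason, fields[3]))
    return hits
```

Two hits from the same client in quick succession (decoy host, then payload download) is the sequence the attack flow describes and is worth correlating rather than alerting on each line alone.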

Read more: https://www.malwarebytes.com/blog/cybercrime/2024/10/large-scale-google-ads-campaign-targets-utility-software