Keypoints
- Search-based malvertising campaigns escalated, leveraging URL/analytics shorteners and compromised legitimate sites to cloak redirect chains.
- Two primary redirect types observed: shortener/analytics cloaks and subdomains on reassigned or hacked .com/.ar sites that enable conditional redirects.
- Conditional redirects inspected the incoming Google Referer header together with other request attributes (user agent, client IP) and served the malicious destination only to visitors matching those parameters; everyone else was sent to a benign page.
- Multiple brand impersonation campaigns (OneNote, Epic Games, Braavos, Trello, Notion, etc.) distributed MSIX installers from deceptive download URLs hosted on various domains.
- Each MSIX was signed with a valid digital certificate (Consoneai Ltd) and contained an obfuscated PowerShell script which executed and connected to attacker C2 servers.
- The PowerShell execution is detectable by EDR solutions (example: ThreatDown EDR alerting on PowerShell execution), and C2 domains and IPs were enumerated in the report.
- IOC lists provided include hacked sites, decoy/download domains, file hashes, and numerous command-and-control hostnames and a tracked IP.
MITRE Techniques
- No MITRE ATT&CK techniques are explicitly referenced in the article.
Indicators of Compromise
- [Hacked sites] Examples of compromised redirectors used in the chain – cecar[.]com[.]ar, estiloplus[.]tur[.]ar
- [Decoy/impersonation domains] Domains used to impersonate legitimate software pages – onenote-download[.]com, epicgames-store[.]org (and multiple others)
- [Download URLs] MSIX installer endpoints observed – bezynet[.]com/OBS-Studio-30[.]0[.]2-Full-Installer-x64[.]msix, church-notes[.]com/Epic-Games_Setup[.]msix
- [File hashes] Examples of observed installer hashes – 07b0c5e7d7…8029, 0d906e43dd…1a7a (and 5 more hashes)
- [Command and control] C2 infrastructure examples – 62.204.41[.]98, ads-pill[.]xyz (and many ads-*.top/.xyz/.site domains)
Attack chain technical summary: Victims click search ads which first hit URL shorteners or legitimate-looking redirectors (including compromised Argentinian .ar sites). Those intermediate pages inspect the incoming Google referrer (and other request attributes) and perform conditional redirects to malicious landing domains that serve MSIX installers. The observed redirect orchestration uses both reassigned subdomains and hacked legitimate sites to evade straightforward domain blocklists.
Payload characteristics and execution: The delivered files are MSIX installers signed with a Consoneai Ltd certificate; extracting the package reveals a heavily obfuscated PowerShell script. When the installer is executed the PowerShell runs, decodes its payload, and establishes outbound connections to command-and-control hosts (examples include 62.204.41[.]98 and ads-pill[.]xyz and many ads-*.top/.xyz/.site domains) to catalog victims for follow-up operations. Endpoint protections (e.g., EDR) can detect the PowerShell execution activity and generate alerts.
Defensive notes (technical): Mitigation should include blocking known C2 domains/IPs, restricting or filtering MSIX installations via application whitelisting, monitoring and alerting on suspicious PowerShell child processes and network behavior, and preventing malvertising exposure via DNS- or proxy-level ad blocking to stop the redirect chain before reaching malicious download hosts.
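As an added example (not code from the original report), the detection logic below turns the three defensive signals above into checks over constructed proxy, DNS and process log lines: an MSIX served from a host outside an approved set, a DNS lookup or HTTP contact matching the ads-*.top/.xyz/.site pattern or the tracked IP from the report, and PowerShell launched by a process living under the MSIX package store. The key="value" log format, the approved-host set and the WindowsApps parent-process heuristic are assumptions.

```python
import re

# Indicators taken from the report: the tracked C2 IP and the ads-*.top/.xyz/.site naming pattern.
C2_IP = "62.204.41.98"
C2_DOMAIN_RE = re.compile(r"^ads-[a-z0-9-]+\.(?:top|xyz|site)$", re.I)
# Assumption: the organisation only permits MSIX packages fetched from these hosts.
ALLOWED_MSIX_HOSTS = {"apps.microsoft.com"}
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # constructed key="value" log format
# Assumption: installed MSIX packages execute from the WindowsApps store directory.
WINDOWSAPPS_RE = re.compile(r"\\Program Files\\WindowsApps\\", re.I)


def classify(line):
    """Return the alert tags that apply to one log line (empty list if none)."""
    f = dict(KV_RE.findall(line))
    tags = []
    kind = f.get("type")
    if kind == "http":
        host, path = f.get("host", "").lower(), f.get("path", "")
        # Stage 1: an MSIX installer served by a host that is not an approved package source.
        if path.lower().endswith(".msix") and host not in ALLOWED_MSIX_HOSTS:
            tags.append("msix-download-unvetted-host")
        # Stage 3: outbound contact with the catalogued C2 infrastructure.
        if C2_DOMAIN_RE.match(host) or f.get("dst") == C2_IP:
            tags.append("c2-contact")
    elif kind == "dns" and C2_DOMAIN_RE.match(f.get("qname", "").lower()):
        tags.append("c2-dns-lookup")
    elif kind == "proc":
        # Stage 2: PowerShell spawned by a process running out of the MSIX package store.
        image = f.get("image", "").lower()
        if image.endswith(("powershell.exe", "pwsh.exe")) and WINDOWSAPPS_RE.search(f.get("parent", "")):
            tags.append("powershell-from-msix-package")
    return tags


def scan(lines):
    """Map every suspicious log line to its tags; benign lines are dropped."""
    hits = {}
    for ln in lines:
        tags = classify(ln)
        if tags:
            hits[ln] = tags
    return hits


# Constructed sample log lines (download host and C2 values from the report; the process tree is hypothetical).
SAMPLE_LOG = [
    'type="http" host="church-notes.com" path="/Epic-Games_Setup.msix" dst="203.0.113.10"',
    'type="http" host="apps.microsoft.com" path="/Contoso.Notes.msix" dst="203.0.113.11"',
    'type="proc" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'parent="C:\\Program Files\\WindowsApps\\Contoso.Notes_1.0.0.0_x64__abc\\Notes.exe"',
    'type="dns" qname="ads-pill.xyz"',
    'type="http" host="ads-pill.xyz" path="/" dst="62.204.41.98"',
]

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOG).items():
        print(tags, line)
```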