“Hey, This Isn’t the Right Site!” Distribution of Malware Exploiting Google Ads Tracking – ASEC BLOG


Summary: AhnLab Security Intelligence Center (ASEC) has discovered a malware strain that exploits Google Ads tracking to distribute malicious files. The malware disguises itself as installers for popular groupware like Notion and Slack, and once installed, it downloads malicious payloads from the attacker’s server.


Key Point:
* The malware is distributed through Google Ads tracking, tricking users into thinking they are accessing a legitimate website.
* The attacker used Google Ads tracking to insert external analytic website addresses and collect visitors’ data.
* The malware is distributed in the form of Inno Setup or NSIS installers.
* The malware injects itself into legitimate Windows files in the %system32% path.
* Users should pay attention to the URL seen upon accessing a website, not the URL shown on the ad’s banner.


AhnLab SEcurity intelligence Center (ASEC) has recently detected a malware strain being distributed by using the Google Ads tracking feature. The confirmed cases show that the malware is being distributed by disguising itself as an installer for popular groupware such as Notion and Slack. Once the malware is installed and executed, it downloads malicious files and payloads from the attacker’s server. Below is the list of the file names that have been discovered so far.

  • Notion_software_x64_.exe
  • Slack_software_x64_.exe
  • Trello_software_x64_.exe
  • GoodNotes_software_x64_32.exe

This type of malware is being distributed in an installer form, usually as the Inno Setup installer or Nullsoft Scriptable Install System (NSIS) installer. Among them, the Notion_software_x64_.exe file was seen up until recently when users searched with the keyword “notion” on Google.

The attacker used Google Ads tracking to trick users into thinking they were accessing a legitimate website.
Google Ads tracking lets advertisers insert external analytic website addresses to collect and use their visitors’ access-related data to calculate ad traffic. The following figures are examples of the final URL and the tracking template URL that are entered into a Google Ad.

Figure 1. Final URL (example)
Figure 2. Tracking template URL (example)

The following figure is an example of how the ad is shown to users. It contains a tracking URL which, as you can see, is not visible to the users. When users click on the banner, it redirects them to the tracking template URL instead of the final URL that they can see.

Figure 3. The banner shown on a Google Ad (example)
Figure 4. Redirection sequence upon clicking the ad (example)

Google Ads tracking is originally used to analyze website traffic. However, this particular ad contains not an external statics site, but a malicious code distribution site.
The attacker’s ad has currently been deleted. When it was still active, clicking on the banner would take unsuspecting users to the address that would trick them into downloading a malicious file. The redirection address and the final landing page are shown below.

Redirection address

1. hxxps://www.googleadservices[.]com/pagead/aclk? sa=L&ai=DChcSEwjvxY_g38yEAxX96RYFHbN_DHwYABAAGgJ0bA&ase=2&gclid=CjwKCAiArfauBhApEiwAeoB7qFTSv58y3y V4nTuE_ptW9t-YIT1- Y_jH70VIcuKX3qsNu9u5d2TplRoCKDwQAvD_BwE&ohost=www.google.com&cid=CAESVeD21RQt4fRwNUkcEV8_EYQ96O MpQS8F7ZevrgG_k_jZewow_akDRbQ3vK-L7r7Z7yVUCyf4YKpyZrJCjoIkJjEcGbU1LviHlcWC8x9hRsFbAGy8Sbc&sig=AOD64_3Ho3r-SX_3edPZOWfLXPSWeCY1SQ&q&nis=6&adurl&ved=2ahUKEwibkYng38yEAxWScPUHHRJlCjAQ0Qx6BAgFEAE
2. hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8
3. hxxps://cerisico[.]net/

Final landing page

● hxxps://notione.my-apk[.]com

The final landing page was constructed similarly to the actual website of a groupware tool, prompting visitors to download and execute the malware.

Once it is executed, the malware uses websites that can save texts such as textbin or tinyurl to access the malicious payload addresses. The URLs that the attacker used to fetch the malicious payload address are shown below.

  • hxxp://tinyurl[.]com/4jnvfsns
  • hxxp://tinyurl[.]com/4a3uxm6m
  • hxxps://textbin[.]net/raw/oumciccl6b
  • hxxp://tinyurl[.]com/mrx7263e

When the above addresses are accessed, they respond by giving malicious payload download addresses as a reply. The URLs of these addresses are shown below.

  • hxxps://slashidot[.]org/@abcDP.exe
  • hxxps://yogapets[.]xyz/@abcmse1.exe
  • hxxps://bookpool[.]org/@Base.exe
  • hxxp://birdarid[.]org/@abcDS.exe
Figure 5. Malicious payload address

The Rhadamanthys malware (Infostealer type) is ultimately downloaded from the above address and injected in legitimate Windows files in the %system32% path. Since the malware is executed by a legitimate file, it can steal users’ private data without them knowing of its activity.

Legitimate Windows files that are targets for injection (%system32% path)

● dialer.exe
● openwith.exe
● dllhost.exe
● rundll32.exe

This Rhadamanthys malware distribution case has confirmed that attackers can use Google Ads to deceive users. In fact, all search engines that provide tracking to calculate ad traffic can be used to distribute malware. Users must pay attention to the URL that is seen upon accessing the website, not the URL that is shown on the ad’s banner.



  • 9437c89a5f9a51a4ff6d6076083fa6c9
  • 12b6229551fbb1dcb2823bc8b611300f
  • 33aa3073d148816e9e8de0af4f84582e
  • f0a3499f83d2d9066ab19d39b9af6696
  • 2498997ab3e66e24bc08d044e0ef4418
  • f2590ece758eb32302c504ac3ff413f4
  • eef03c8cd2f27ead8b2d59d5cda4cf6e
  • 9034cf58867961cde08a20cb1057c490
  • f7200603cb8aa9e2b544255ed848c9c0


  • hxxp://tinyurl[.]com/4jnvfsns
  • hxxp://tinyurl[.]com/4a3uxm6m
  • hxxps://textbin[.]net/raw/oumciccl6b
  • hxxp://tinyurl[.]com/mrx7263e
  • hxxp://tinyurl[.]com/253x7rnn
  • hxxps://slashidot[.]org/@abcDP.exe
  • hxxps://yogapets[.]xyz/@abcmse1.exe
  • hxxps://bookpool[.]org/@Base.exe
  • hxxp://birdarid[.]org/@abcDS.exe
  • hxxps://alternativebehavioralconcepts[.]org/databack/notwin.php
  • hxxps://pantovawy.page[.]link/jdF1/?url=https://www.notion.so/pricing%3Fgad_source%3D1&id=8
  • hxxps://cerisico[.]net/

[File Detection]

  • Trojan/Win.Agent.C5595056 (2024.02.29.02)
  • Trojan/Win.Agent.C5592526 (2024.02.23.02)
  • Trojan/Win.Agent.C5594794 (2024.02.28.03)
  • Trojan/Win.Rhadamanthys.R636740 (2024.02.27.00)

[Behavior Detection]

  • Injection/MDP.Event.M10231

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: Original Post


  • T1566.002: Phishing: Spearphishing Link: The attackers use Google Ads tracking to deceive users into clicking on malicious links that appear to be legitimate groupware installers, such as Notion and Slack.
  • T1204.002: User Execution: Malicious File: The attackers trick users into downloading and executing malicious executables disguised as legitimate software installers.
  • T1105: Ingress Tool Transfer: The malware downloads additional payloads from attacker-controlled servers after the initial execution.
  • T1059.001: Command and Scripting Interpreter: PowerShell: The malware may use PowerShell scripts to fetch and execute the malicious payloads from the URLs provided.
  • T1027: Obfuscated Files or Information: The malware uses obfuscation techniques to hide the true nature of the malicious files and payloads.
  • T1562.001: Impair Defenses: Disable or Modify Tools: The Rhadamanthys malware may attempt to disable or modify security tools to avoid detection.
  • T1055: Process Injection: The Rhadamanthys malware injects its payload into legitimate Windows files in the %system32% path, such as dialer.exe, openwith.exe, dllhost.exe, and rundll32.exe, to evade detection and maintain persistence.
  • T1505: Server Software Component: The attackers use websites that can save texts, such as textbin or tinyurl, to store and access the malicious payload addresses.
  • T1071.001: Application Layer Protocol: Web Protocols: The malware communicates with attacker-controlled servers using HTTPS to download additional payloads.
  • T1497.001: Virtualization/Sandbox Evasion: System Checks: The malware may perform checks to detect if it is running in a virtualized or sandboxed environment to evade analysis.
  • T1047: Windows Management Instrumentation: The attackers may use WMI to execute commands or payloads on the infected system.