It is not new for threat actors to abuse online advertising networks for their malvertising campaigns. But recently, we have seen a huge rise in threat actors abusing Google Ads to spread fake versions of legitimate applications loaded with various stealer malware.

We have seen a large number of legitimate application websites typo-squatted to look like the original websites. When a user tries to download the application from any one of these fake websites, they are misled into downloading a trojanized version of the application which, when installed, drops a stealer along with the legitimate application.

Figure 1. Google Ads pointing to fake websites
Figure 2. Fake Anydesk website

The threat actors are now actively using this strategy to infect their victims with various information stealer malware like Rhadamanthys Stealer, Aurora Stealer, Vidar Stealer, IcedID, Gozi and RedLine Stealer. Threat actors also use the geo-targeting (locale) features of Google Ads when deploying these campaigns.

Rhadamanthys Stealer

Rhadamanthys stealer is an infostealer with anti-analysis and anti-VM protection. It is actively spreading through Google Ads and is available as a MaaS (Malware-as-a-Service) platform. At the time of writing this blog, we have seen two cases where the malware is spread in ZIP format and in MSI format.

Following information shared by researcher Germán Fernández, we got our hands on a fake Anydesk website (Figure 2). From there, we were able to backtrack to a free file sharing and storage website called gofile.io.

Figure 3. Gofile share used by Threat Actor

Figure 3 shows the gofile share used by the threat actors to store their trojanized MSI files loaded with Rhadamanthys stealer.

Figure 4. Information gathered from the MSI table

From the MSI’s File table (Figure 4), we figured out that there are two MSIL assemblies named Initialize.exe and ‘Initialize 4.exe’, each with a predefined function ‘Install’ that invokes the legitimate application and the malware respectively. These two MSIL assemblies are executed in the order shown in the InstallExecuteSequence table (Figure 4) after the user clicks the Install button in the installer’s user interface. The executables’ actions are declared in the CustomAction table.

Figure 5. Code present in ‘Initialize 4.exe’ to execute the loader runtime broker.exe

In the scenario shown in Figure 5, the stealer’s filename is ‘runtime broker.exe’, which is a python binary compiled using PyInstaller. Upon extraction, we found a file named Binary_Stub_Replacer.pyc. Upon decompiling this file, we found an encoded string which, when decoded, yields another python script, shown in Figure 6.

This decoded script has a Base64 encoded PE file, which is decoded and executed in memory.

Figure 6. Decoded final python script to Inject 

When we analysed the decoded Base64 string, we figured out that it is a PE file modified in such a way that it can run as shellcode.

The working of the extracted python script is as follows:

  1. A VirtualAlloc call allocates a memory region within the current process with Read, Write and Execute permissions.
  2. RtlMoveMemory then copies the decoded Base64 data into the newly allocated memory.
  3. Finally, the start address of that memory is passed to CreateThread to execute it as shellcode.
  4. After the MZ magic bytes the buffer has another set of bytes, ‘\x45\x52\xE8’, which when disassembled gives the opcode for call $+5 (Figure 7).
  5. After that it adds 0x34000 to the EAX register and calls it, which gives the location of another shellcode at the end of the decoded PE file that eventually executes the entry point of the PE file after rebasing.

Figure 7. Disassembly View of MZ header

The loaded PE file is Rhadamanthys dropper which will decrypt the encrypted Rhadamanthys loader from its .data section and execute it in memory. 

After this, the Rhadamanthys loader downloads a JPG payload from one of its C2 servers.

Figure 8. JPG image as a response from C2 server

The JPG file had encrypted data appended after the end-of-image marker bytes ‘\xFF\xD9’. This data was loaded into memory, decrypted and then used to drop the main module of Rhadamanthys stealer as %TEMP%/nsis_uns[xxxxxx].dll, which is invoked using rundll32.exe with the arguments PrintUI <Base64 encoded shellcode>.

Figure 9. Base64 encoded Shellcode
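Because the C2 hides its payload after the JPEG end-of-image marker, a useful triage step on downloaded images is to find where the image structurally ends and report whatever follows. The helper below is an added example, not code from the sample or from K7 products: it walks the JPEG marker structure (skipping segment bodies and the entropy-coded scan) rather than searching for the first or last FF D9, because an embedded EXIF thumbnail carries its own EOI and a naive byte search stops there. The sample bytes are constructed to exercise exactly that case; nothing here is the real C2 response.

```python
"""Find data appended after a JPEG's real End-Of-Image (EOI, FF D9) marker.

Added triage helper, not code from the analysed samples.
"""
from typing import Optional, Tuple

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def jpeg_overlay_offset(data: bytes) -> Optional[int]:
    """Offset of the first byte after the top-level EOI, or None if the stream is
    not a well-formed JPEG (no SOI, truncated segment, missing EOI)."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                      # a marker was expected here
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte in front of a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos                       # everything from here on is appended data
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return None
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2:
            return None
        pos += seg_len                       # skip the segment body, thumbnails included
        if marker == SOS:
            # Entropy-coded data follows. Inside it 0xFF is always followed by 0x00
            # (byte stuffing) or an RSTn marker; anything else is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def split_jpeg_overlay(data: bytes) -> Tuple[bytes, bytes]:
    """Split a file into (image, appended_data); appended_data is b'' when nothing follows EOI."""
    end = jpeg_overlay_offset(data)
    if end is None:
        raise ValueError("not a well-formed JPEG stream")
    return data[:end], data[end:]


# --- constructed sample (not a real C2 response) ----------------------------------
def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# APP1/Exif segment carrying a tiny embedded thumbnail with its own SOI and EOI.
_THUMB = b"\xFF\xD8" + _segment(SOS, b"\x00") + b"\x12\x34" + b"\xFF\xD9"
_APP1 = _segment(0xE1, b"Exif\x00\x00" + _THUMB)
# Main scan: a stuffed FF 00 and an RST0 marker that must not be mistaken for EOI.
_SCAN = _segment(SOS, b"\x01\x00") + b"\x11\xFF\x00\x22\xFF\xD0\x33"
SAMPLE_JPEG = b"\xFF\xD8" + _APP1 + _SCAN + b"\xFF\xD9"
SAMPLE_APPENDED = bytes(range(0x9C, 0xB0))          # stands in for the encrypted blob
SAMPLE_FILE = SAMPLE_JPEG + SAMPLE_APPENDED

if __name__ == "__main__":
    image, appended = split_jpeg_overlay(SAMPLE_FILE)
    naive = SAMPLE_FILE.find(b"\xFF\xD9") + 2
    print(f"real EOI ends at {len(image)}, first-FFD9 search would cut at {naive}")
    print(f"{len(appended)} bytes appended after EOI")
```

Run it on the constructed file and the naive search lands inside the thumbnail, well before the true end of image; the marker walk returns the correct boundary and hands back the appended bytes for further inspection (entropy, known-header checks, or simply a verdict that a 'picture' fetched by an installer carries a trailer).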

A ZIP version of the stealer was shared by @malware_traffic, which lured victims into installing a trojanized Notepad++ installer hosted on a fake website and distributed through Google Ads. The ZIP contains an installer with a large size of 765 MB, of which the malicious payload is only 325 KB; the rest is a zero-padded overlay.

On execution, it performed a task similar to the one explained above, but without the need for a python binary to load the stealer dropper into memory: it did not use any initial loader and directly executed the Rhadamanthys dropper, which downloads the next stage and deploys the Rhadamanthys stealer onto the victim’s machine.
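Inflating a 325 KB payload to 765 MB with zeros is aimed at scanners and sandboxes that skip files above a size limit. A cheap countermeasure is to compute the size that actually matters before deciding whether to scan. The helper below is an added example, not code from the sample or from K7 products: it reads the PE section table to find where the image proper ends, treats everything after that as overlay, and reports how much of the overlay is trailing zero padding. The sample PE is constructed in the block (one section, no real code) and uses 325 bytes and 100,000 zero bytes as scaled-down stand-ins for the sizes quoted above.

```python
"""Measure the real size of a PE installer inflated with a zero-padded overlay.

Added triage helper, not code from the analysed samples.
"""
import struct
from typing import Dict, Optional


def pe_image_end(data: bytes) -> Optional[int]:
    """Offset where the last section's raw data ends (start of any overlay), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]        # SizeOfOptionalHeader
    table = coff + 20 + size_opt                                   # first section header
    end = table + 40 * n_sections                                  # at minimum the headers
    if end > len(data):
        return None
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte header.
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def inspect_overlay(data: bytes) -> Dict[str, int]:
    """Report image size, overlay size, zero padding, and the size worth scanning."""
    end = pe_image_end(data)
    if end is None:
        raise ValueError("not a PE file")
    overlay = data[end:]
    meaningful = overlay.rstrip(b"\x00")
    return {
        "image_size": end,
        "overlay_size": len(overlay),
        "zero_padding": len(overlay) - len(meaningful),
        "effective_size": end + len(meaningful),
    }


# --- constructed sample PE (one section, no executable code) ------------------------
def build_sample_pe(section_payload: bytes, overlay: bytes) -> bytes:
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                                                    # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt = b"\x0B\x01" + b"\x00" * (size_opt - 2)                      # magic only, rest zero
    headers = e_lfanew + 4 + len(coff) + size_opt + 40
    raw_ptr = (headers + 0x1FF) & ~0x1FF                               # 512-byte file alignment
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + section
    image += b"\x00" * (raw_ptr - len(image)) + section_payload
    return image + overlay


SAMPLE_PE = build_sample_pe(
    section_payload=b"\xC3" * 325,                   # 325 bytes stand in for the 325 KB payload
    overlay=b"CFG\x01\x02" + b"\x00" * 100_000,      # a little trailer, then zero padding
)

if __name__ == "__main__":
    print(inspect_overlay(SAMPLE_PE))
```

On the constructed sample the file is about 100 KB but the effective size is 842 bytes; a size-based skip rule keyed on effective_size rather than on the raw file length would still scan the real installer, and a large zero_padding value is itself a useful hunting signal.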

Gozi / Ursnif Stealer

Another researcher, Will Dormann, shared that the popular application WinRAR is also being trojanized and distributed through Google Ads. Upon analysing the mentioned MSI file, we found suspicious PowerShell scripts embedded in the CustomAction table.

Figure 10. Embedded PowerShell Script in Custom Action table

On execution, msiexec.exe starts PowerShell and executes the script declared in the CustomAction table, which downloads another encoded PowerShell script from https://huggingface[.]co/Absurd/Xernya/raw/main/winrar; that script is then decoded and executed. It in turn contacts the C2 https://advertising-check[.]ru/start.php and performs the following activities:

Figure 11. Decoded PowerShell script

  1. Adds Windows Defender exclusions for the processes ZipCosdaz.exe, ZipCosdaz1.exe and Explorer.exe.
  2. Downloads the above-mentioned files from the Bitbucket hosting service, Nsudo.exe from a GitHub repository and the legitimate WinRAR application from win-rar.com, then drops them in the %appdata%\Roaming folder.
  3. Executes the downloaded legitimate WinRAR setup file to install it.
  4. Downloads and installs the Gpg4win application from its original source.
  5. Removes the GPG encryption from the downloaded files with the password ‘putingod’ using the installed Gpg4win.
  6. With the help of Nsudo.exe, launches the decrypted zipcosdaz1.exe, zipcosdaz.exe and zlocal.exe with full privileges.
  7. Informs the C2 at https://advertising-check[.]ru/install.php that an installation has happened.

Figure 12. Bitbucket used for storing encrypted malware

zlocal.exe loads gongshell.dll (a library that gives .NET applications easy access to Windows Explorer shell functionality) into its memory and checks whether it can access the special folder path NetworkPlacesFolder. It then enumerates all the network paths. If any network share is accessible, it contacts the C2 https://advertising-check[.]ru/goodlocal.php just to inform it that the victim has an accessible network share.

Figure 13. Code to check special folder access

Zipcosdaz.exe and zipcosdaz1.exe are the actual stealer-related binaries: each decrypts the encrypted shellcode from its .data section and executes it to download the final payload (Gozi/Ursnif stealer), which steals the user’s information.

HuggingFace is originally a platform to build, train and deploy ML models, which also provides git-like repositories to store models, datasets and Spaces. The threat actors abused it under the user name Absurd (https://huggingface[.]co/Absurd/Xernya/tree/main) to store their malicious scripts.

RedLine Stealer

From the above-mentioned Bitbucket share, we found they have also included RedLine stealer in their attack vector.

The files kms.exe.gpg and winrar.exe.gpg from the Bitbucket share are downloaders that will download the RedLine stealer payload.

Figure 14. Code to download the RedLine Stealer payload

The downloaded RedLine Stealer first tries to contact the C2 (194[.]180[.]48[.]43:34991) before performing its stealer operations.

Figure 15. Encrypted C2 server

After a successful connection to the C2, it performs its stealer activity, collecting information related to Discord, Steam, crypto wallets, the list of installed applications and browser-related files.

Figure 16. Code to search for Discord location

IcedID Stealer

We have also encountered another instance of the IcedID distribution campaign. One of our researchers previously published a blog on a phishing site that impersonates the legitimate Zoom website and supplies a fake Zoom installer in MSI format bundled with IcedID.

Sophos researchers have also reported IcedID stealers being used in this attack vector: the threat actors set up a fake Adobe Reader website promoted through Google Ads, which delivers a ZIP file containing an ISO file that, when mounted, leads to an IcedID infection.

Conclusion

We note that threat actors are continuously abusing Google Ads to deliver stealers alongside popular applications like OBS Studio, WinRAR, Notepad++, AnyDesk and many more. It is always a good option to use an ad blocker to keep yourself away from such fake website ads. Install a reputable security product like “K7 Total Security” and keep your security software up to date to stay protected from such threats.

IOCs

Name                                  | Hash (MD5)                        | Detection Name

Rhadamanthys stealer
Noteppad_Settup X32iX64.exe           | 85802F14262B7A0C9A9D77423F8F8DA0  | Trojan-Downloader ( 0059d8751 )
AnyDesk_Installer.msi                 | 98362B6678B62BBBC026A353993279B8  | Trojan ( 0001140e1 )
BlueStacks Installer.msi              | A0CDD5965E3848F02F3183D36C64F332  | Trojan ( 0059d74c1 )
FurMark_1.32.1.0_Setup Installer.msi  | 53306EA61F39660F74D20BB445D77E0B  | Trojan ( 0001140e1 )
GPU-Z.2.52.0 Installation.msi         | A4E44723F9847257FD5F8B54C04950DC  | Trojan ( 0001140e1 )
WeMod-SetupInstallation.msi           | 0EA472C618E1A7D0C1ED83F92BF348F5  | Trojan ( 0001140e1 )
Zoom Installer.msi                    | F3178261BC52648D2913284719DBA022  | Trojan ( 0001140e1 )

Gozi / Ursnif
zipcosdaz.exe                         | 61FF7FCDC9945BCF1A593F113CDD6CD9  | Trojan ( 0059df891 )
zipcosdaz1.exe                        | C700EDBDA5566F4F7F32E564FE16D9D7  | Spyware ( 00552cf91 )
zlocal.exe                            | 18C31D1DD601B95696354AB8E072C9E9  | Spyware ( 0059df881 )

RedLine Stealers
Kms.exe decrypted                     | 66AD8C108702A540F7FABA28E7BB2FE4  | Trojan-Downloader ( 0059cf5b1 )
Winrar.exe decrypted                  | 6B48DF1268BB93845130FE7596C1C072  | Trojan-Downloader ( 0059cf5b1 )
KMS.exe                               | FF47F4CA43BA693C1D81B2752BDE36A9  | Spyware ( 0059955a1 )
winrar.exe                            | EDFCA9E6D885919071CB3C05814F49C4  | Spyware ( 005995031 )

Other Stealers
Aurora Stealer                        | c0a7843660c41c0da01a91298f426c03  | Trojan ( 0059bc771 )
Vidar Stealer                         | 435c3ebfc3099b58fb21505eedc4eace  | Unwanted-Program ( 004d2a1d1 )
IcedID                                | 330a0d636e81c4a988b1dbd29274e150  | Trojan ( 0001140e1 )

C2 and URLs

Rhadamanthys Stealer

https://gofile[.]io/d/WmWyp4

http://install-anydesk[.]com/

45[.]82[.]176[.]11

Gozi / Ursnif Stealer

https://huggingface[.]co/Absurd/Xernya/raw/main/winrar
https://advertising-check[.]ru/

RedLine Stealer

194[.]180[.]48[.]43:34991

IcedID Stealer

plivetrakoy[.]com

46[.]173[.]218[.]229

References

1. https://infosec.exchange/@th3_protoCOL/109707069602928273
2. https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
3. https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
4. https://twitter.com/malware_traffic/status/1616217866973347841?s=20&t=cEAjXJa5tHrMxjwuLKqo8w
5. https://twitter.com/sans_isc/status/1615613961793142792?s=20&t=cEAjXJa5tHrMxjwuLKqo8w
