Malware Delivered through Google Search

Criminals using Google search ads to deliver malware isn’t new, but Ars Technica declared that the problem has become much worse recently.

The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird.


It’s clear that despite all the progress Google has made filtering malicious sites out of returned ads and search results over the past couple decades, criminals have found ways to strike back. These criminals excel at finding the latest techniques to counter the filtering. As soon as Google devises a way to block them, the criminals figure out new ways to circumvent those protections.

Posted on February 7, 2023 at 7:23 AM14 Comments


Austin February 7, 2023 9:01 AM

Google has had this problem for ages. The only successful ransomware incidents at my company years back came from users clicking Google search ads for the website they were trying to get to. Users searched “” trying to get to and the first line was an ad for Amazon store but took you to a page running exploits. Thankfully it did not spread between machines. We reported it to Google 7 times in 2 days. Eventually chrome safe browsing blocked the page but the ad was still there for a few days.
Similarly, a friend’s business was robbed by a criminal after they had problems with quickbooks and searched google for quickbooks support. The first listing was an ad for with a phone number so they called. A “technician” immediately answered and began helping them. He had them start remote support and then started doing various exports and command line actions. He said he needed 2nd tier support and would contact them to schedule on the next business day. Four hours later, the bank called asking why they had emptied all their accounts. When I got involved, we could easily get the ad to come up again and reported it but it remained for 11 days.
It is rampant. We teach our users that they should never click advertisements in google search.

C64 February 7, 2023 9:14 AM

I think a whole bunch of them has “issues”. Like the case with DuckDuckGo and their acceptance of trackers from Microsoft, disclosed by security researchers last year.

Because of “an agreement in their syndicated search content contract between the two companies”.

Explains why DuckDuckGo search results are so similar to those of Bing. More than what could be expected if it actually was an independently indexed search engine.

CE February 7, 2023 1:21 PM

Google is also pushing their new Manifest Version 3 to cripple ad-blockers. It looks like (I know that it isn’t so) they are trying to help these people distribute malware in order to make ad money.

Clive Robinson February 7, 2023 2:21 PM

@ ALL,

Re : Evolution in action.

I know some do not like the idea but when you read,

“These criminals excel at finding the latest techniques to counter the filtering. As soon as Google devises a way to block them, the criminals figure out new ways to circumvent those protections”

Tells you three things,

1, It is an adverserial process.
2, The process evolves rapidly.
3, The defender is not proactive.

Thus you could ask why the corporation with the biggest financial risk in the Internet Add Revenue is reactive not proactive to threats against a major sorce of their income (if not profit).

There is the obvious but somewhat trite “Because they are the defender…” argument.

Or you could take a slightly more in depth view without necessarly “deep diving” down the rabbit hole, and ask “What high level advantage the attackers have?”

In the past it’s been discussed that frequently defending systems are in effect “static” and attacks are quite “agile”. To a certain extent this can be expected as “the longer the wall the easier it is to find a less guarded point to attack” which also moves slowely or not at all, thus fascilitating an attack

Sometimes we have to accept that a system is too large to effectively defend within the current resources.

So I’d be tempted to ask what the trade offs were at various points along the development and maintainence cycles.

Zorro February 7, 2023 4:28 PM

And BTW Microsoft’s Bing has now changed so that you can ask it questions. Seems to be integrated with ChatGPT.

Ted February 7, 2023 6:45 PM

From a Dec 2022 ProPublica article:

“Legislators, including Sen. Mark Warner, chair of the Senate Intelligence Committee, have warned that the opaque and fraud-ridden digital ad ecosystem led by Google poses a national security risk.”

If true, this probably doesn’t do much to soften the antitrust suit the DOJ and several AG’s recently filed against them.

n00b February 8, 2023 12:01 PM


it could be best to disallow posts that only include a hyperlink or very little text besides a hyperlink.

Nameless Cow February 8, 2023 12:50 PM

@Clive Robinson

“What high level advantage the attackers have?”

A few thoughts come to mind…

  1. Asymmetry in the criteria of success. The defender has to find and correct/mitigate all exploitable vulnerabilities in the system (there are many of them); the attacker only needs to find one that the defender hasn’t found/fixed.
  2. The defender’s system has a purpose to serve and many users/stakeholders to satisfy, besides being secure. Compromises need to be made to balance the different requirements. The attacker has no such concerns.
  3. The defender’s system is often complex and has many dependencies. The defender generally has no control over system complexity.

Markets February 8, 2023 3:12 PM

Irrelevant matters with google.

A drop on the driveway, compared to M$FT massive failures.

Congress should fix matters of the us gov.

Clive Robinson February 9, 2023 6:58 AM

@ Nameless, ALL,

Re : Attacker Advantage.

The advantages you have listed I tend to treat “as givens”, what I was getting at was other less normally considered advantages, such as managment and insiders leaking information in one of three ways,

1, Unknowingly.
2, Knowingly.
3, Deliberately.

One way unknowingly can happen is attackers can by fairly simple tests work out what Open Source is being used in the stack…

Knowingly often happens at “confrences” etc when the techies sufficiently describe the systems used they virtually give “a map of the castle” to anyone looking at the talk or even just the “death by viewfoil” presentation.

As for Deliberately well we know it happens and that is what the MICE acronym is about for spys, perhaps we need a similar acronym for ICTsec.

@apokrif February 12, 2023 8:54 PM

@Apokrif: People click on ads because they’re at the top of the page, are sometimes barely discernible from the actual search results, and there’s no often no clear indication where the ads end and the search results begin.

EvilKiru February 13, 2023 2:46 PM

“@apokrif • February 12, 2023 8:54 PM” was me failing to notice I had typed the wrong name…

Chris Drake February 15, 2023 8:14 PM

“all the progress Google has made filtering malicious sites…” says who?

Those are the words from someone who has never actually found something serious for google to fix, and tried to get them to fix it.

What they SAY they do, and what they actually do do when the time comes are two vastly different things!

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.