Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Uptick in Malvertising Attacks via Google Ads

Keira Waddell, Senior Writer. Published on 10th February 2023.

Instances of “malvertising” have spiked significantly over the last few months, to the point where downloading software via Google search results poses a high risk. Cybercriminals have been using Google Ads to push fake download pages for popular software to the top of Google search results.

The alarm was first raised by volunteers at Spamhaus on the 2nd of February. In the past month, they have found fake download pages for popular software such as Microsoft Teams, Slack, Adobe Reader, Gimp, OBS, Tor, and Thunderbird — right at the top of search result pages via Google Ads.

XLoader, Formbook, AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, and Vidar are just some of the malware families responsible for the upsurge. Previously, these families infected devices through Microsoft Office documents with malicious macros. But with Microsoft’s macro-blocking efforts, cybercriminals have been forced to find new methods.

SentinelLabs, an InfoSec research group, observed virtualized .NET malware loaders being distributed through these malvertising attacks. Dubbed MalVirt loaders by SentinelLabs, they use an unusually large number of anti-analysis and anti-detection techniques.

The MalVirt loaders SentinelLabs described were deploying XLoader, an infostealer used to harvest personal data from infected devices and as a staging platform for additional malware.

In one example, SentinelLabs found this combination of MalVirt loaders and XLoader malware on fake download pages for the 3D creation suite Blender. These pages were pushed to the top of the search results for the query “Blender 3D” by Google Ads.

When approached by Ars Technica for an interview, Google representatives declined, issuing the following statement instead:

“Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement. To combat this over the past few years, we’ve launched new certification policies, ramped up advertiser verification, and increased our capacity to detect and prevent coordinated scams. We are aware of the recent uptick in fraudulent ad activity. Addressing it is a critical priority and we are working to resolve these incidents as quickly as possible.”

Ars Technica found several more instances of Google Ad downloads that were flagged by VirusTotal as malicious, including searches for “Thunderbird,” “Tor download,” and “visual studio download.”

Cybercriminals have consistently devised new ways to get around Google's decades-long efforts to remove harmful sites from ads and search results. Users should be wary when downloading software via results from Google or other popular search engines.

About the Author

Keira is an experienced cybersecurity and tech writer dedicated to providing comprehensive insights on VPNs, online privacy, and internet censorship.