Cybercriminals Offer Malvertisement-as-a-Service by Abusing Google Ads

Originally published at:

CloudSEK’s contextual AI digital risk platform XVigil has identified an increase in supply and demand for services that abuse Google Ads to deliver malware payloads and loaders, across various dark web and cybercrime forums.


Adversary Intelligence

Threat Type:







Executive Summary

  • Surge in posts on cybercrime forums that sell or rent Google Ad services.
  • These services direct victims to malicious sites and deliver payloads and loaders.
  • Initial access to organizations, to deploy ransomware and exfiltrate data, leading to loss of revenue and reputation.
  • Access to individuals’ and CXOs’ PII and credentials.
  • Restrict sites that employees can visit or download from.
  • Real-time monitoring and takedowns of malicious domains that impersonate your organization.

Overview of the service:

  • Price: USD 4,500 – 5,000
  • Redirect victims to malicious sites
  • Automatically deliver payloads or loaders
  • Reduce the time taken to host and carry out malicious campaigns

Analysis and Attribution

Information from Cybercrime Forums

On 13 May 2022 a threat actor shared a post, on a Russian-language cybercrime forum, advertising a Google Ad service that converts a victim device to a bot. The threat actor claims that the Google Ad service was initially developed for their own use. However, they are now renting it out to other actors.

Threat actor advertising Google ad service that converts victim devices to bots


Features of the Google Ad Service

  • The threat actor claims that the Google Ad service:
    • Directs victims who click on the ad to a legitimate-looking malicious page.
    • And after performing certain checks, downloads the loader onto the victim’s device.
  • The loader operates based on the victim. For instance, a victim searching for a PDF reader will be directed to a fake PDF site and download the loader along with the PDF software.
  • The loader’s features include:
  • Compatibility with Windows 10 and Windows 11.
  • Ability to run exe/dll/msi with administrator or system rights.
  • Complete bypassing of Windows Defender.
  • No alerts from SmartScreen.
  • Complete bypassing of Google Chrome, even if the user has the highest security settings.
  • The payload is issued depending on the structure of the network:
    • If the network belongs to an individual, multiple payloads can be delivered to the system.
    • However, if the network belongs to a corporation, a payload will be delivered only if it is the main controller domain of the company.

Note: The post does not explicitly state if the loader gets automatically downloaded or whether the victim is prompted to download it.

Demand for Google Ad Services

There has been an increasing demand for Google Ad services on cybercrime forums:

Threat actors looking for services that rely on Google Ads

This demand has led to an increase in the number of posts advertising Google Ad services:

Threat actors looking for services that rely on Google Ads

Impact & Mitigation

Impact Mitigation
  • This service can be used to deliver and deploy malware and infostealers, to harvest credentials, and maintain persistence, leading to loss of revenue and reputation.
  • Threat actors can sell or share the stolen PII and credentials on the dark web.
  • This data can then be used by other threat actors to orchestrate social engineering schemes, phishing attacks, and identity theft.
  • Check for malicious and unprompted downloads.
  • Scan systems and networks for malicious payloads and malware.
  • Monitor for anomalies, in user accounts and systems, that could be indicators of possible takeovers.
  • Real-time monitoring and takedowns of malicious domains that impersonate your organization.