This Google Ads campaign pushes malware that your antivirus can't pick up


Cybersecurity researchers have spotted a new advertising campaign on the Google Ads network which pushes malware onto unsuspecting victims’ endpoints. What makes this malvertising campaign different from others is the fact that the malware being distributed is almost impossible for today’s antivirus solutions to pick up.

The threat actors made it work by building code that can only be understood by a virtual machine. If a victim runs the malware, the virtual machine translates the virtualized code back into its original form at runtime and executes the malicious payload.

The researchers, from SentinelLabs, explain the MO: "Virtualization frameworks such as KoiVM obfuscate executables by replacing the original code, such as .NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands."

Delivering Formbook

"A virtual machine engine executes the virtualized code by translating it into the original code at runtime."

This type of malware also makes analysis difficult, the researchers added: "When put to malicious use, virtualization makes malware analysis challenging and also represents an attempt to evade static analysis mechanisms."

The malware being distributed this way is Formbook, a known infostealer. Its virtualized version was dubbed “MalVirt”. To trick people into downloading the malware, the threat actors created a number of fake websites, pretending to be landing pages where people can download the Blender 3D software.

Blender 3D is a popular 3D modeling, rendering, and animation program.

This is not the first time Google's ad network was abused to deliver malware. In late December last year, researchers spotted a major campaign impersonating a number of popular programs and applications, such as Grammarly, MSI Afterburner, and Slack, to deliver IcedID and Raccoon Stealer, both known infostealing malware.

Malicious campaigns that make their way onto Google Ads are arguably more dangerous, as people tend to trust major tech companies by default. Still, the best way to stay safe is to always double-check the address of the website, regardless of whether it is being advertised on Google or not.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
