Windows admins targeted with clever malvertising scam

(Image credit: Getty Images)

Hackers are targeting Windows system administrators with malvertising, hoping to get them infected with ransomware

In a recent campaign, observed by cybersecurity researchers Rapid7, hackers are impersonating two popular Windows utilities - WinSCP, and Putty.

The former is an SFTP/FTP client, while the latter is an SSH client. 

BlackCat deployed

In essence, the campaign is not particularly creative, and relies on system admins being in a hurry, being reckless, or simply trusting their search engines a bit too much. First, the attackers create fake websites for the above-mentioned tools. The researchers found puutty[.]org, wnscp[.]net, and vvinscp[.]net, among others.

They would then find a way to advertise these websites on popular search engines so that when an admin “googles” the tool (instead of typing in the address in the bar, or clicking on a bookmark) the top search result will be a fake website that looks almost identical to the legitimate one.

If they don’t spot the ruse, they download and install malware loaders which, in turn, deploy ransomware.
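The typosquat domains named above follow two patterns: doubled letters (puutty) and letter pairs that resemble another letter in an address bar (vv for w). The following detection script, an added example that is not part of the Rapid7 research or this article, flags requests to such lookalike hosts in proxy logs; the log format, the sample lines and the list of legitimate download hosts are constructed assumptions.

```python
import re

# Assumption: the only hosts admins should fetch these tools from, with the brand each carries.
LEGIT_HOSTS = {"winscp.net": "winscp", "putty.org": "putty"}

# Character sequences that look like another letter in a browser address bar.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Constructed proxy log lines: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1715000001 10.0.0.5 GET https://winscp.net/eng/download.php 200
1715000002 10.0.0.5 GET https://wnscp.net/WinSCP-Setup.exe 200
1715000003 10.0.0.7 GET https://vvinscp.net/WinSCP-Setup.exe 200
1715000004 10.0.0.9 GET https://puutty.org/putty-64bit-installer.msi 200
1715000005 10.0.0.9 GET https://example.com/index.html 200
"""

def normalize(label: str) -> str:
    """Map confusable sequences to the letter they imitate, then squash doubled letters."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return re.sub(r"(.)\1+", r"\1", label)

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches single dropped or swapped letters such as wnscp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host: str):
    """Return the brand a host imitates, or None if it is legitimate or unrelated."""
    host = host.lower()
    if host in LEGIT_HOSTS:
        return None
    label = host.split(".")[-2] if "." in host else host  # registrable label only
    for brand in LEGIT_HOSTS.values():
        if normalize(label) == normalize(brand) or levenshtein(label, brand) <= 1:
            return brand
    return None

def scan_log(text: str):
    """Return (client, host, brand) for every request that went to a lookalike host."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = re.sub(r"^https?://", "", parts[3]).split("/")[0]
        brand = lookalike_brand(host)
        if brand:
            hits.append((parts[1], host, brand))
    return hits
```

Feeding `scan_log(SAMPLE_LOG)` the constructed lines flags the three typosquat hosts and leaves the real winscp.net request and the unrelated domain alone.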

In this campaign, the researchers said, it is possible that the hackers are delivering BlackCat ransomware (also known as ALPHV). This operation was shut down after the successful breach of Change Healthcare, when the company was apparently extorted out of $22 million. After that attack, the group took the money and shut the whole operation down.

"In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution," explains Rapid7's Tyler McGraw. "The related techniques, tactics, and procedures (TTP) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year."

Security researchers have, for a while now, warned that users shouldn’t trust search engines too much, as they are often tricked into displaying malicious websites in top spots. 

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
