Surge in Malvertising Delivers Infostealers via Fake Software Installers

By Ash K

News • Expert Insights

Threat actors are abusing paid search ads and SEO-poisoned pages to distribute trojanized installers for popular tools (e.g., editors, media apps, utilities). The payloads frequently deploy commodity infostealers such as RedLine, Vidar, and Lumma to harvest credentials, cookies, and crypto wallets.

TL;DR

  • Victims click sponsored results or top SEO hits that mimic legitimate download portals.
  • Redirect chains lead to look-alike domains serving MSI/EXE installers or bundled archives.
  • Final payloads are info-stealers that exfiltrate browser data, MFA seeds, and wallet files.
  • Blocking suspicious ads, enforcing allow-listed download sources, and hardening browsers significantly reduces risk.

What’s happening

Ad networks and search engines periodically allow newly registered domains to run sponsored results before reputational signals catch up. Actors capitalize on this window to impersonate well-known software brands with pixel-perfect landing pages and typosquatted domains. Some campaigns cloak: the trojanized installer is served only when geolocation, user-agent, and the ad click-referrer match the intended victim, while sandboxes, crawlers, and analysts who arrive directly get a benign page or a redirect to the real vendor. An investigator who replays the URL without the original referrer and client profile may therefore see nothing malicious.

Tactics, Techniques & Procedures (TTPs)

  • Initial access: Malvertising / SEO poisoning → drive-by download.
  • Defense evasion: Packaged MSIs with valid-looking metadata; signed loaders; living-off-the-land execution (e.g., msiexec / rundll32).
  • Credential access: Browser data theft (Chromium/Gecko), cookie/session exfil, password managers, crypto wallets.
  • Command & Control: HTTPS beacons to disposable domains or Telegram bots.

Detection opportunities

  • Alert on newly observed domains serving “download” pages for popular apps.
  • Process-creation events where msiexec.exe or rundll32.exe has a browser as its parent, or is launched from explorer.exe with a command line pointing at a file under the user's Downloads folder.
  • Reads of browser credential stores by a process other than the browser itself shortly after a new installer runs: Login Data, Cookies, and Local State for Chromium-based browsers; logins.json, key4.db, and cookies.sqlite for Firefox.
  • Outbound connections to rare domains immediately post-install; compressed JSON exfil bursts.
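The four opportunities above combine into one correlated alert. The script below is an added example, not code from the article or from any vendor: it parses a constructed JSON-lines telemetry sample (the field names are assumptions to be mapped onto your EDR's schema), flags a browser-spawned msiexec.exe or rundll32.exe, and escalates when a non-browser process reads browser profile files or talks to a domain outside a known-good set within five minutes of the launch.

```python
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed process names; extend for the browsers your fleet runs.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
LOLBINS = {"msiexec.exe", "rundll32.exe"}
# Chromium profile files (Login Data, Cookies, Local State) and their Gecko
# counterparts (logins.json, key4.db, cookies.sqlite); compared case-insensitively.
SENSITIVE_FILES = {"login data", "cookies", "local state",
                   "logins.json", "key4.db", "cookies.sqlite"}
# Stand-in for a "rare domain" check; in production use first-seen / prevalence data.
KNOWN_GOOD_DOMAINS = {"update.googleapis.com", "www.microsoft.com"}
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry (not real data). ws01 shows the full chain;
# ws02 is a benign admin-driven msiexec; ws03 is Chrome reading its own cookies.
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T10:00:00","host":"ws01","type":"process","pid":410,"ppid":300,"image":"chrome.exe","parent":"explorer.exe"}
{"ts":"2024-05-01T10:02:10","host":"ws01","type":"process","pid":512,"ppid":410,"image":"msiexec.exe","parent":"chrome.exe","cmdline":"msiexec.exe /i C:\\Users\\bob\\Downloads\\notepad-setup.msi /qn"}
{"ts":"2024-05-01T10:02:40","host":"ws01","type":"file","pid":512,"image":"msiexec.exe","path":"C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","op":"read"}
{"ts":"2024-05-01T10:02:41","host":"ws01","type":"file","pid":512,"image":"msiexec.exe","path":"C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\key4.db","op":"read"}
{"ts":"2024-05-01T10:03:05","host":"ws01","type":"network","pid":512,"image":"msiexec.exe","dest":"cdn-soft-fast.online","port":443,"bytes_out":184320}
{"ts":"2024-05-01T11:00:00","host":"ws02","type":"process","pid":700,"ppid":300,"image":"msiexec.exe","parent":"explorer.exe","cmdline":"msiexec.exe /i C:\\Windows\\Temp\\vendor.msi /qn"}
{"ts":"2024-05-01T11:00:30","host":"ws02","type":"network","pid":700,"image":"msiexec.exe","dest":"www.microsoft.com","port":443,"bytes_out":2048}
{"ts":"2024-05-01T12:00:00","host":"ws03","type":"file","pid":410,"image":"chrome.exe","path":"C:\\Users\\amy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies","op":"read"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW):
    """Return one alert per browser-spawned LOLBin, scored by follow-on activity."""
    alerts = []
    # Stage 1: msiexec/rundll32 whose parent is a browser (user ran a fresh download).
    for ev in events:
        if (ev["type"] == "process" and ev["image"].lower() in LOLBINS
                and ev.get("parent", "").lower() in BROWSERS):
            alerts.append({"host": ev["host"], "pid": ev["pid"], "start": ev["ts"],
                           "reasons": [f"{ev['image']} spawned by {ev['parent']}"]})
    # Stages 2-3: on the same host, within the window, a non-browser process reads a
    # credential store or sends data to a domain that is not known-good.
    for alert in alerts:
        for ev in events:
            in_window = alert["start"] <= ev["ts"] <= alert["start"] + window
            if ev["host"] != alert["host"] or not in_window:
                continue
            if ev["image"].lower() in BROWSERS:
                continue  # browsers legitimately read their own profile files
            if ev["type"] == "file":
                name = PureWindowsPath(ev["path"]).name
                if name.lower() in SENSITIVE_FILES:
                    alert["reasons"].append(f"{ev['image']} read {name}")
            elif ev["type"] == "network" and ev["dest"].lower() not in KNOWN_GOOD_DOMAINS:
                alert["reasons"].append(
                    f"{ev['image']} sent {ev['bytes_out']} bytes to {ev['dest']}")
        alert["severity"] = "high" if len(alert["reasons"]) >= 3 else "medium"
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, default=str, indent=2))
```

Run against the sample, the script raises one high-severity alert for ws01 (browser-spawned msiexec.exe, two profile-file reads, one outbound burst) and nothing for the benign hosts. The time-window join is deliberately loose because the stealer is often a child or sibling process of the installer rather than the installer itself; tightening it to an exact process tree will miss those cases.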

Recommended mitigations

  1. Lock downloads to trusted sources: Publish an allow-list of vendor sites and block unknown file-hosting & link shorteners at the gateway.
  2. Harden browsers: Disable third-party cookies; restrict risky extensions; enable password manager alerts for unsafe sites.
  3. Application control: Require code-signing + reputation checks for MSIs/EXEs; block execution from user-writable paths such as Downloads and %TEMP%.
  4. User training: Teach users to navigate to vendors directly rather than clicking ads; verify domain spelling before downloading.
  5. Credential hygiene: Enforce phishing-resistant MFA, and shorten session lifetimes and force re-authentication on high-risk apps so that stolen cookies expire quickly. A stolen session cookie replays without any MFA prompt, so MFA alone does not stop an infostealer.
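Steps 1 and 4 are a policy decision that can be enforced at a proxy or download gateway rather than left to the user. The following is an added example, not code from the article or from any product: given a download URL it allows allow-listed vendor domains, blocks URL shorteners and generic file hosts, blocks domains that reuse a vendor's brand word or sit within a small edit distance of an allow-listed label, and holds anything else for review. The allow-list, block-list, brand keywords, and thresholds are illustrative assumptions; the registered-domain split is a simplification that a real deployment should replace with a public-suffix list.

```python
from urllib.parse import urlsplit

# Assumed organisational allow-list of vendor download domains (subdomains included).
ALLOWED_DOMAINS = {"notepad-plus-plus.org", "videolan.org", "7-zip.org"}
# Assumed block-list of URL shorteners and generic file hosts.
SHORTENERS_AND_FILE_HOSTS = {"bit.ly", "tinyurl.com", "mediafire.com"}
# Assumed brand words an attacker would reuse in a typosquat.
BRAND_KEYWORDS = {"notepad", "videolan", "vlc", "7zip"}
MAX_EDIT_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of the host. Simplification: multi-label public suffixes
    such as co.uk are not handled; use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_download_url(url):
    """Return (verdict, reason) with verdict in {'allow', 'block', 'review'}."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "block", "no host in URL"
    if parts.scheme != "https":
        return "block", "installer offered over plain HTTP"
    # Exact allow-list match, including vendor subdomains such as dl.videolan.org.
    for allowed in ALLOWED_DOMAINS:
        if host == allowed or host.endswith("." + allowed):
            return "allow", f"allow-listed vendor {allowed}"
    reg = registered_domain(host)
    if reg in SHORTENERS_AND_FILE_HOSTS:
        return "block", f"URL shortener / file host {reg}"
    label = reg.split(".")[0]
    # A brand word inside a non-vendor domain is the classic look-alike pattern
    # (e.g. download-notepads.com); hyphens are ignored for the comparison.
    for keyword in BRAND_KEYWORDS:
        if keyword in label.replace("-", ""):
            return "block", f"brand keyword '{keyword}' in non-vendor domain {reg}"
    # Near-miss spellings of an allow-listed label (e.g. vidiolan vs videolan).
    for allowed in ALLOWED_DOMAINS:
        if edit_distance(label, allowed.split(".")[0]) <= MAX_EDIT_DISTANCE:
            return "block", f"look-alike of {allowed} ({reg})"
    return "review", f"unknown download source {reg}"


if __name__ == "__main__":
    for u in ("https://notepad-plus-plus.org/downloads/v8.6/",
              "https://download-notepads.com/setup.msi",
              "https://vidiolan.org/vlc.exe",
              "https://bit.ly/3abcd",
              "https://win-utility-setup.site/setup.msi"):
        print(u, "->", classify_download_url(u))
```

Keyword matching trades false positives (any domain containing "vlc") for coverage; pairing it with a "review" queue rather than a hard block for the unknown bucket keeps legitimate but unlisted vendors reachable after a human look, while the look-alike and shortener cases are blocked outright because there is no legitimate reason for a software installer to arrive from them.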

Example indicators (placeholders)

Replace with validated IOCs from your telemetry.

download-notepads[.]com
win-utility-setup[.]site
cdn-soft-fast[.]online
MD5 (installer.msi) = d41d8cd98f00b204e9800998ecf8427e
(The value above is a 32-hex-character MD5 digest, not a SHA-256, which is 64 hex characters; it is in fact the MD5 of empty input and will never match a real installer. Substitute the SHA-256 of the sample from your own telemetry.)
User-Agent / TLS mismatch: e.g., a client claiming Chrome/99.0 on Windows 11 but negotiating legacy TLS cipher suites a real Chrome build would not offer, typical of a stealer's own HTTP library reusing the browser's User-Agent string.

This article provides general defensive guidance and avoids operational details that could enable misuse.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.