Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads.

The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns.

This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.

A large-scale malvertising campaign distributed the Lumma Stealer info-stealing malware through fake CAPTCHA verification pages that prompt users to run PowerShell commands to verify they are not a bot.

The scourge of “malvertising” is nothing new, but the tactic is still so effective that it's contributing to the rise of investment scams and the spread of new strains of malware.

Criminals are impersonating MyLowesLife, Lowes' HR portal for current and former employees.

See how adversaries are impersonating Google Authenticator in Google Ads to deliver the DeerStealer information-stealing malware. 

Welcome to the Finding Malware Series The "Finding Malware," blog series is authored to empower the Google Security Operations community to

We uncovered a malvertising campaign where the threat actor hijacks social media pages, renames them to mimic popular AI photo editors, then posts malicious links to fake websites.

Google has fallen victim to its own ad platform, allowing threat actors to create fake Google Authenticator ads that push the DeerStealer information-stealing malware.

Rapid7 observed a recent malvertising campaign luring users to download malicious installers for popular software like Google Chrome and Microsoft Teams.

Rapid7 has observed an ongoing campaign to distribute trojanized installers for WinSCP and PuTTY via malicious ads on commonly used search engines, where clicking on the ad leads to typo squatted domains.

Beginning in March of 2024, Zscaler ThreatLabz observed a threat actor weaponizing a cluster of domains masquerading as legitimate IP scanner software sites to distribute a previously unseen backdoor. The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged GoogleAds to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites.

The newly discovered backdoor uses several techniques such as multiple stages of DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions. We named this backdoor “MadMxShell” for its use of DNS MX queries for C2 communication and its very short interval between C2 requests.

Google and Twitter ads are promoting sites containing a cryptocurrency drainer named 'MS Drainer' that has already stolen $59 million from 63,210 victims over the past nine months.

In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain.

We believe this evolution will have a real world impact among corporate users getting compromised via malicious ads eventually leading to the deployment of malware and ransomware.

In this blog post, we look at a malvertising campaign that seems to have flown under the radar entirely for at least several months. It is unique in its way to fingerprint users and distribute time sensitive payloads.

A new malvertising campaign is targeting corporate users who are downloading the popular web conferencing software Webex. Threat actors have bought an advert that impersonates Cisco's brand and is displayed first when performing a Google search.

The element originally known as “foul air” stinks up computers as a new initial-access campaign exhibiting some uncommon techniques

Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application.

We discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022.

.NET malware loaders distributed through malvertising are using obfuscated virtualization for anti-analysis and evasion in an ongoing campaign.

Although Flash Player reached end of life for macOS in 2020, this has not stopped Shlayer operators from continuing to abuse it for malvertising campaigns.

Scammers go mainstream by hijacking top Google searches and replacing them with malicious ads.