top of page

BlackCat Brings Bad Luck Using Google Ads

Published: December 17, 2023 on our newsletter Security Fraud News & Alerts Newsletter.

Trend Micro researchers recently identified that a notorious ransomware group is using various malvertising tricks within Google Ads to distribute fake WinSCP installers. They are using Targeted Attack Detection (TAD) service. What is that, you say? This means that if you click on an infected ad that you see on your webpage, your network could get a bad case of cat scratch fever. Let’s break it down a bit more.

Google Ads are all over the internet. When they are clicked, Google helps boost sales for the advertisers by targeting audiences with ads that are more relevant to them. You know that time you were emailing a friend about a particular product and suddenly an ad for it showed up on the side of the webpage you were viewing? That’s Google working its technological magic and helping drive traffic to its advertisers’ websites.

In this case, threat actors, particularly the Blackcat Ransomware group (also known as ALPHV) are taking advantage of this type of ad display to launch malvertising campaigns against those looking for the WinSCP product. They are using WinSCP as their keywords to drive traffic to their malicious websites. WinSCP is a free file manager product that supports various file types. They exploit keyword hijacking to trap search engine users with malicious ads and distribute malware right under their noses.

Keyword hijacking, or sometimes called brand hijacking or ad hijacking, happens when one company uses another company’s keywords or brand name in a Google AdWords pay-per-click campaign. For example, you search for “Rayban Sunglasses.” You expect to go to websites that sell actual Rayban sunglasses. With keyword hijacking, cybercriminals put up their own websites using those keywords and drive traffic to their sites. So, you may get some legitimate places to buy the sunglasses, the criminals do whatever they can to get their page at the top of the list, where users are more likely to click.

In this case, those landing on the malicious page are sent to another site that is a cloned one of the legitimate WinSCP website. There is a download link that will install all kinds of tools that can disable anti-virus solutions and allow the group access to the system.

Fortunately, there are ways to avoid this.

Mitigation Techniques:

  • Awareness that this is possible and is actively happening will go a long way to protecting all systems. Educating employees and others about identifying and avoiding potential phishing attacks is key.

  • Keep an eye on logs and activities happening within the network. Determine what “regular” day-to-day traffic is on your network and watch for anomalies.

  • Have an incident response plan in place and keep it updated. Follow it if the time comes.

Want to schedule a conversation? Please email us at

bottom of page