Fake installers are tricking victims into installing malware

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)

Hackers have once again been found abusing Google Ads to deliver malware - this time, hitting Chinese-speaking targets living in Southeast and East Asia.

Cybersecurity experts at ESET found that unidentified threat actors created multiple malicious landing pages, all impersonating major programs, including some that are unavailable in China, including Firefox, WhatsApp, Signal, Skype, and Telegram.

The landing pages are all hosted on the same server, which also hosts the programs. But when downloading the payload, the victims would get both the legitimate software, and FatalRAT, a remote access trojan that allows the threat actors control over the target endpoint.


FatalRAT is capable of doing all sorts of nasty things - logging keystrokes, stealing data stored in the browsers, and downloading and running additional programs. The researchers said that this version of the trojan has been in use at least since August 2022, but older versions were in use even earlier - in May.

To distribute the malware, the attackers abused Google Ads, meaning that when someone searches for any of the abovementioned programs on the famed search engine, they would get the malicious landing pages very high up in the search results pages. 

Researchers couldn’t reproduce the search results but claim that the hackers were probably engaged in URL hijacking:

“Although we couldn’t reproduce such search results, we believe that the ads were only served to users in the targeted region,” said ESET researcher Matías Porolli. “Since many of the domain names that the attackers registered for their websites are very similar to the legitimate domains, it is also possible that the attackers rely on URL hijacking to attract potential victims to their websites,” he added.

The hackers’ endgame is unknown, too, researchers said, speculating that they could just be after credentials, in order to sell them for profit. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.