One of the most popular text editors is being spoofed to infect victims with malicious ads

(Image credit: Notepad++)

A new malicious Google ads campaign, which was active for “months”, was probably dropping Cobalt Strike deployments on unsuspecting victims, researchers have warned.

Cybersecurity researchers from Malwarebytes recently discovered a campaign hijacking Google Ads being served to people searching for Notepad++, a popular word editing software.

Whenever someone searches for Notepad++ (or types in a similar query that should bring up the editor), the first few results they see would be ads, some of which would lead them to a malicious site.

Cobalt Strike

This is a popular tactic, seen multiple times before. On the search engine results page, the site titles are displayed in larger font compared to the links, making it easy for people to forget to double-check it and just click on the suggested result. Furthermore, Google is generally considered a trusted, safe environment, where people don’t question the motives of the sites being displayed there (especially on page one).

In any case, once the victim clicks on the link, the site first runs a few quick tests to make sure the visitor is genuine (and not a bot, a VPN, or similar) and then displays a site that looks almost identical to the legitimate Notepad++ site. For those deemed bots (or otherwise unsuitable visitors), the site redirects them to a decoy site. Repeat customers are presented with a 404 page.

Being inactive at the time of analysis, Malwarebytes couldn’t investigate the actual payload, but the researchers speculate the attackers were most likely deploying Cobalt Strike. This tool often precedes the deployment of ransomware, BleepingComputer reports.

Ad network abuse is nothing new. Cybersecurity experts are warning users to be careful whatever they’re doing online, and always double-check to make sure they’re downloading legitimate software from legitimate sources. Pirated software, and those distributed through links in emails and social media messages are almost always malicious.

More from TechRadar Pro

Microsoft SQL servers hijacked to deliver Cobalt Strike and ransomware
Here's a list of the best firewalls today
These are the best malware removal tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.