Thursday, May 1, 2025
HomeAndroidHackers Abuse Google Ads To Attacking Graphic Design Professionals

Hackers Abuse Google Ads To Attacking Graphic Design Professionals

Published on

SIEM as a Service

Follow Us on Google News

Researchers identified a threat actor leveraging Google Search ads to target graphic design professionals, as the actor has launched at least 10 malvertising campaigns hosted on two specific IP addresses: 185.11.61[.]243 and 185.147.124[.]110, where these malicious ads, when clicked, redirect users to websites that initiate malicious downloads.

Two IP addresses, 185.11.61.243 and 185.147.124.110, have been associated with a malicious graphic design/CAD malvertising campaign, where the first IP address has been active since July 29, 2024, and currently hosts 109 unique domains. 

Screenshot of domains mapped to 185.11.61[.]243
Screenshot of domains mapped to 185.11.61[.]243

The second IP address was activated more recently on November 25, 2024, and currently hosts 85 unique domains, which are being used to distribute malicious payloads, likely through compromised websites and advertisements. 

- Advertisement - Google News

2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide

A malvertising campaign, initiated on November 13, 2024, utilized frecadsolutions[.]com, hosted on 185.11.61[.]243.

Subsequently, on November 14, 2024, a similar campaign launched on frecadsolutions[.]cc, leveraging Bitbucket for malicious downloads. 

On November 26, 2024, a new campaign emerged on freecad-solutions[.]net, initially hosted on 185.11.61[.]243 and later migrating to 185.147.124[.]110, which linked to the IP address 185.11.61[.]243, indicating a coordinated effort to distribute malware through deceptive advertisements. 

A third malvertising campaign was launched on freecad-solutions[.]net
A third malvertising campaign was launched on freecad-solutions[.]net

On November 27, 2024, a series of malvertising campaigns commenced, during which the domains frecadsolutions.org and rhino3dsolutions.io, previously hosted on 185.11.61.243, were migrated to 185.147.124.110. 

By taking advantage of vulnerabilities in ad networks, these malicious domains were able to redirect users to malicious websites, which could potentially compromise systems with malware.

Recent malvertising campaigns have leveraged multiple domains and IP addresses, where malicious activity began on November 17th with rhino3dsolutions[.]net hosted on 185.11.61[.]243. 

The ninth malvertising campaign was launched with onshape3d[.]org
The ninth malvertising campaign was launched with onshape3d[.]org

The domain was then migrated to 185.147.124[.]110 on November 26th, launching a new malvertising campaign.

Subsequently, planner5design[.]net, hosted on the same IP address from December 1st to 6th, initiated two separate malvertising campaigns. 

On December 9th, more recently, onshape3d.org, which has also been hosted on 185.147.124.110 since the 1st of December, initiated its very own malvertising campaign.

A tenth malvertising campaign was launched with frecad3dmodeling[.]org
A tenth malvertising campaign was launched with frecad3dmodeling[.]org

On December 8, 2024, a malicious actor hosted the frecad3dmodeling[.]org domain on the IP address 185.147.124[.]110, which was subsequently used in a malvertising campaign launched on December 10, 2024. 

According to Silent Push, to deliver malicious payloads to users who were unaware of the campaign’s intentions, vulnerabilities in web browsers or ad networks were likely exploited.

The provided list comprises IP addresses and domains associated with a malicious advertising infrastructure, which, likely controlled by a threat actor, leverages these resources to distribute harmful advertisements. 

These ads can potentially lead to malware infections, phishing attacks, or other cyber threats.

Organizations and individuals are advised to exercise caution when interacting with content from these sources and implement robust security measures to mitigate risks.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Managing Shadow IT Risks – CISO’s Practical Toolkit

Managing Shadow IT risks has become a critical challenge for Chief Information Security Officers...

Application Security in 2025 – CISO’s Priority Guide

Application security in 2025 has become a defining concern for every Chief Information Security...

Preparing for Quantum Cybersecurity Risks – CISO Insights

Quantum cybersecurity risks represent a paradigm shift in cybersecurity, demanding immediate attention from Chief...

Securing Digital Transformation – CISO’s Resource Hub

In today’s hyper-connected world, securing digital transformation is a technological upgrade and a fundamental...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...

Tesla Model 3 VCSEC Vulnerability Lets Hackers Run Arbitrary Code

A high security flaw in Tesla’s Model 3 vehicles, disclosed at the 2025 Pwn2Own...

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...