Thursday, January 23, 2025
Hackers Abuse Google Ads To Attack Graphic Design Professionals

Researchers identified a threat actor using Google Search ads to target graphic design professionals. The actor has launched at least 10 malvertising campaigns hosted on two specific IP addresses, 185.11.61[.]243 and 185.147.124[.]110. When clicked, the malicious ads redirect users to websites that initiate malicious downloads.

The two IP addresses, 185.11.61[.]243 and 185.147.124[.]110, have been associated with a malicious graphic design/CAD malvertising campaign. The first IP address has been active since July 29, 2024, and currently hosts 109 unique domains.

Screenshot of domains mapped to 185.11.61[.]243

The second IP address was activated more recently on November 25, 2024, and currently hosts 85 unique domains, which are being used to distribute malicious payloads, likely through compromised websites and advertisements. 

A malvertising campaign, initiated on November 13, 2024, utilized frecadsolutions[.]com, hosted on 185.11.61[.]243.

Subsequently, on November 14, 2024, a similar campaign launched on frecadsolutions[.]cc, leveraging Bitbucket for malicious downloads. 

On November 26, 2024, a new campaign emerged on freecad-solutions[.]net. The domain was initially hosted on 185.11.61[.]243 and later migrated to 185.147.124[.]110; the link back to 185.11.61[.]243 indicates a coordinated effort to distribute malware through deceptive advertisements.

A third malvertising campaign was launched on freecad-solutions[.]net

On November 27, 2024, a series of malvertising campaigns commenced, during which the domains frecadsolutions[.]org and rhino3dsolutions[.]io, previously hosted on 185.11.61[.]243, were migrated to 185.147.124[.]110.

By taking advantage of vulnerabilities in ad networks, these malicious domains were able to redirect users to malicious websites, which could potentially compromise systems with malware.

Recent malvertising campaigns have leveraged multiple domains and IP addresses. Malicious activity began on November 17th with rhino3dsolutions[.]net, hosted on 185.11.61[.]243.

The ninth malvertising campaign was launched with onshape3d[.]org

The domain was then migrated to 185.147.124[.]110 on November 26th, launching a new malvertising campaign.

Subsequently, planner5design[.]net, hosted on the same IP address from December 1st to 6th, initiated two separate malvertising campaigns. 

More recently, on December 9th, onshape3d[.]org, which has also been hosted on 185.147.124[.]110 since the 1st of December, initiated its own malvertising campaign.

A tenth malvertising campaign was launched with frecad3dmodeling[.]org

On December 8, 2024, a malicious actor hosted the frecad3dmodeling[.]org domain on the IP address 185.147.124[.]110, which was subsequently used in a malvertising campaign launched on December 10, 2024. 

According to Silent Push, vulnerabilities in web browsers or ad networks were likely exploited to deliver malicious payloads to users who were unaware of the campaign’s intentions.

The provided list comprises IP addresses and domains associated with a malicious advertising infrastructure that is likely controlled by a threat actor and used to distribute harmful advertisements.

These ads can potentially lead to malware infections, phishing attacks, or other cyber threats.

Organizations and individuals are advised to exercise caution when interacting with content from these sources and implement robust security measures to mitigate risks.
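As an added illustration (not part of the original report or Silent Push's tooling), the following sketch checks DNS resolution logs against the domains and IP addresses named in this article. It flags both listed domains and any other name that resolves to the two hosting IPs; the log format and the sample lines are constructed assumptions.

```python
import ipaddress

# Indicators named in the article, kept defanged as published.
DEFANGED_IPS = ["185.11.61[.]243", "185.147.124[.]110"]
DEFANGED_DOMAINS = [
    "frecadsolutions[.]com", "frecadsolutions[.]cc", "frecadsolutions[.]org",
    "freecad-solutions[.]net", "rhino3dsolutions[.]io", "rhino3dsolutions[.]net",
    "onshape3d[.]org", "planner5design[.]net", "frecad3dmodeling[.]org",
]

def refang(indicator):
    """Normalize a (possibly defanged) indicator: lowercase, no trailing dot."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

BAD_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}
BAD_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def domain_matches(qname):
    """True if qname is a listed domain or a subdomain of one (label-aligned)."""
    labels = refang(qname).split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))

def scan(log_lines):
    """Return (client, qname, answer, reason) tuples for suspicious lookups.

    Assumed (hypothetical) log format: 'timestamp client qname answer'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the scan
        _, client, qname, answer = parts
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            ip = None  # no usable answer (e.g. blocked or failed lookup)
        if domain_matches(qname):
            hits.append((client, qname, answer, "listed-domain"))
        elif ip in BAD_IPS:
            # Unlisted name on a listed host: the IPs serve many more domains.
            hits.append((client, qname, answer, "listed-ip"))
    return hits

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "2024-12-10T09:14:02Z 10.0.4.17 www.frecad3dmodeling.org 185.147.124.110",
    "2024-12-10T09:15:40Z 10.0.4.22 example.org 93.184.216.34",
    "2024-12-10T09:16:11Z 10.0.4.31 cad-tools.example 185.11.61.243",
    "2024-12-10T09:17:05Z 10.0.4.17 Onshape3D.org. -",
    "malformed line",
]
```

Matching on the answer IP as well as the query name matters here because the article reports 109 and 85 domains on the two hosts, far more than the handful it names.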

Aman Mishra