Thursday, May 1, 2025
HomeBotnetPop-up Ads & Hundreds of Websites Helping to Distribute Botnets, Cryptocurrency Miners...

Pop-up Ads & Hundreds of Websites Helping to Distribute Botnets, Cryptocurrency Miners and Ransomware

Published on

SIEM as a Service

Follow Us on Google News

A Malicious Software Downloader called ICLoader through Popup Ads and over hundreds of websites are pushing various PUA such as Botnets, cryptocurrency Miners and also a emerging GandCrab ransomware.

Malware Files are sharing via Popup Ads and distributing over Hundreds file sharing websites and fake software sharing sites and advertisement maker websites which all are still alive.

Malicious ICLoader Targeting a specific set of software users and it pop-up malicious ads with those software names in a compromised website that contain a high visitors traffic.

- Advertisement - Google News

There are 3 main sources attackers used to Distribute the ICLoader

  1. Pop-up ads on free file sharing service websites that are used for distributing the malicious software where users can upload the malicious files and generating a download link.
  2. The second method of distributing fake software sharing websites. In this case, attackers create 117 websites and each sites sharing hundreds of malicious software.The sites list detailed descriptions of software and have ‘free download’ buttons to the cracked versions at the bottom of the page and it redirects to downloader software, mainly ICLoader.
  3. Two Torrent sharing websites that mimic real torrent download websites that distributing ICLoader from the link that leads to download ICLoader.

How ICLoader installation works via Popup Ads

Once the victims click the link, it redirects to traffic management server where a user will reach the ICLoader page and link will drop the ICL Downloader.

Also, ICLoader has a different hash value every time it is downloaded from the server and  ICLoader server distribute a zip archive which contains the ICLoader software.

According to TrendMicro, The ICLoader file has the name of the software that the victims originally intended to download, which is part of the ruse to convince victims that the download is legitimate. Once victims execute the ICLoader file, they will see the typical software installation instructions and steps. All of the PUA software we tracked were also signed with a valid COMODO certificate, which adds to the appearance of validity.

Later ICLoader downloads and installs the legitimate software and later it communicates with C&C Server to receive an aditional malicious files.

This ICLoader previously installed either installed or additionally loaded seven different groups of botnets, four different cryptocurrency miners, and the GandCrab ransomware

Cryptocurrency miner download link contains a shortened URL  shortened URLs show that the miner botnet has around 80 thousand victims that constantly load their miner and mine for them every day.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Uncovered RansomHub Operation and it’s Relation With Qilin Ransomware

Security researchers have identified significant connections between two major ransomware-as-a-service (RaaS) operations, with evidence...

New WordPress Malware Disguised as Anti-Malware Plugin Takes Full Control of Websites

The Wordfence Threat Intelligence team has identified a new strain of WordPress malware that...