A threat actor copied a legitimate Windows news website to deliver an infostealer for the CPU-Z processor tool.
The new campaign targeted visitors of the portal called Windows Report and was uncovered by security experts at the cyber firm Malwarebytes.
The website itself was never compromised, but threat actors copied its content to trick users into downloading malicious software.
“This type of website is often visited by geeks and system administrators to read the latest computer reviews, learn some tips and download software utilities,” Malwarebytes said in a blog post.
The campaign utilized Google ads to falsely advertise CPU-Z, a popular Windows tool for troubleshooting. The payload included a digitally signed MSIX installer with a malicious PowerShell script and a loader called FakeBat.
To evade detection, threat actors used cloaking techniques.
“Anyone clicking on the ad and who’s not the intended victim will see a standard blog with a number of articles,” Malwarebytes said, noting it had previously detected another malicious ad using a similar template.
If an actual victim clicked on the link, they would be redirected to another domain, this time mimicking the Windows Report website. The domain used content from the legitimate website and looked almost identical but for a different URL in the address.
According to Malwarebytes, there were several other domains hosted on the same IP address and used in malvertising campaigns. The firm said it blocked the malvertising domains for its customers and notified Google about the takedown.
Similar campaigns previously deceived victims with pagers that replicated software websites like Webex, AnyDesk, or KeePass.
“It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page,” Malwarebytes said.
It said that the incident is part of a larger malvertising campaign that also targets other utility tools such as Notepad++, Citrix, and VNC Viewer.
Malvertising is a type of cyberattack when threat actors embed malicious code in ads to inject the user’s device with malware. Potential consequences for the victims who click on – or simply view – the link range from slower performance to the loss of data or device control.
Malicious ads can also appear on well-known and trusted websites, having been previously spotted on publications like The New York Times and The Atlantic.
More from Cybernews:
Subscribe to our newsletter