PikaBot Targets Enterprises Via Malicious Search Ads
Malvertising Service Uses Google Ads and Decoy Pages for Malware Distribution
Cybercriminals increasingly use malicious ads through search engines to deploy new malware targeting businesses, marking a rise in browser-based attacks, including social engineering campaigns.
The latest campaign involves exploiting search ads, and indications suggest the existence of specialized services to aid malware distributors in circumventing Google's security measures.
This tactic enables them to establish decoy infrastructures, reminiscent of previously identified malvertising chains employed to disseminate threats such as FakeBat.
Researchers at Unit42 in February linked PikaBot to a Matanbuchus drop in a malspam campaign attributed to TA577 by Proofpoint. Researchers have seen the threat actor distribute payloads such as QakBot, IcedID, SystemBC, and Cobalt Strike.
This campaign focuses on Google searches for the remote desktop application AnyDesk, and security researcher Colin Cowie identified the distribution chain and confirmed the payload as PikaBot, according to Ole Villadsen.
Another instance of this campaign used an ad pretending to be from the fake persona "Manca Marina" associated with the AnyDesk brand, featuring a decoy website at
The download is a digitally signed MSI installer, noteworthy for having zero detections on VirusTotal at the time it was collected. Of particular interest is its ability to evade detection upon execution.
Similarities With FakeBat
The threat actors exploit a tracking URL through a legitimate marketing platform to bypass Google's security checks, redirecting to their custom domain behind Cloudflare. Only clean IP addresses proceed to the next step, researchers said.
Previous malvertising chains using onelink.me and similar URL structures were reported to Google; they targeted Zoom and Slack search ads and delivered payloads such as FakeBat. Researchers said this pattern suggests a common process among threat actors, possibly indicative of a malvertising-as-a-service model that supplies Google ads and decoy pages to malware distributors.
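The redirect chain described above (search ad, tracking link on a marketing platform, custom decoy domain, installer download) leaves a referrer trail in web proxy logs that a defender can reconstruct. The following is an added detection example, not code from the researchers or any vendor; the log format, the sample log lines, the tracking-host list beyond onelink.me and the vendor allowlist are all constructed assumptions to be tuned for a real environment.

```python
from urllib.parse import urlparse

# Click-tracking / redirector hosts. onelink.me is named in the article; the
# second entry is a constructed placeholder (assumption, tune per environment).
TRACKING_HOSTS = {"onelink.me", "example-tracking.test"}
# Legitimate download hosts for the impersonated brand (assumed allowlist).
VENDOR_HOSTS = {"anydesk.com", "download.anydesk.com"}
SEARCH_HOSTS = {"www.google.com", "www.bing.com"}

# Constructed proxy log: "timestamp client referrer url content_type" per line.
SAMPLE_LOG = """\
2023-12-15T10:01:02Z 10.0.0.5 https://www.google.com/search?q=anydesk https://example-tracking.test/click?id=123 text/html
2023-12-15T10:01:03Z 10.0.0.5 https://example-tracking.test/click?id=123 https://anydeesk-download.test/download text/html
2023-12-15T10:01:09Z 10.0.0.5 https://anydeesk-download.test/download https://anydeesk-download.test/files/AnyDesk.msi application/x-msi
2023-12-15T10:05:00Z 10.0.0.7 https://www.google.com/search?q=anydesk https://anydesk.com/en/downloads text/html
2023-12-15T10:05:05Z 10.0.0.7 https://anydesk.com/en/downloads https://download.anydesk.com/AnyDesk.exe application/octet-stream
"""

def parse_log(text):
    """Parse the constructed space-separated log lines into dicts."""
    keys = ("ts", "client", "referrer", "url", "ctype")
    return [dict(zip(keys, line.split())) for line in text.strip().splitlines()]

def host(url):
    return urlparse(url).hostname or ""

def redirect_chain(events, download):
    """Walk referrers backwards from an installer download to rebuild the click chain."""
    by_url = {(e["client"], e["url"]): e for e in events}
    chain, ref = [download["url"]], download["referrer"]
    while ref != "-" and len(chain) < 10:
        chain.append(ref)
        prev = by_url.get((download["client"], ref))
        ref = prev["referrer"] if prev else "-"
    return list(reversed(chain))  # search page first, installer last

def find_malvertising_chains(events):
    """Flag installer downloads from a non-vendor host whose click chain starts at a
    search engine and passes through a tracking link, as in the AnyDesk lure."""
    flagged = []
    for e in events:
        path = urlparse(e["url"]).path.lower()
        if not path.endswith((".msi", ".exe")) or host(e["url"]) in VENDOR_HOSTS:
            continue
        chain = redirect_chain(events, e)
        hosts = [host(u) for u in chain]
        if hosts[0] in SEARCH_HOSTS and any(h in TRACKING_HOSTS for h in hosts):
            flagged.append({"client": e["client"], "chain": chain})
    return flagged

if __name__ == "__main__":
    for hit in find_malvertising_chains(parse_log(SAMPLE_LOG)):
        print(hit["client"], " -> ".join(hit["chain"]))
```

Only the first client is flagged: its MSI comes from a lookalike host reached via the tracking link, while the second client's download from the vendor's own host is allowlisted.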