
Malicious ads for PuTTY and FileZilla distributing Nitrogen malware


A sophisticated cyber campaign has emerged, targeting system administrators with deceptive advertisements for popular system utilities, including PuTTY and FileZilla, to lure victims into downloading the Nitrogen malware under the guise of legitimate software.

These malicious ads, disguised as sponsored results on Google’s search engine, are localised to North America.

Researchers from Malwarebytes discovered the campaign, which has been running for the past couple of weeks. It is a multi-step operation in which the threat actors use the initial infection to infiltrate private networks, steal sensitive data, and deploy ransomware such as BlackCat/ALPHV.

Despite efforts to alert Google to these malicious activities, the company has not taken any action thus far.


Tactics, Techniques and Procedures (TTPs)

The TTPs employed by the hackers include the following:

Luring victims with malicious ads

A sample of the malicious ads. | Source: Malwarebytes

Malicious ads, presented as sponsored results on Google, entice system administrators with fake versions of essential utilities.

Threat actors exploit Google’s ad infrastructure to reach corporate users, leveraging the credibility of tools like PuTTY and FileZilla to deceive victims.


Cloaking and redirect mechanisms

Redirection to another domain. | Source: Malwarebytes

The malvertising infrastructure employs a cloaking technique, directing victims to decoy pages or popular content like the Rick Astley video.

Cloaked pages resemble legitimate sites, enhancing their ability to deceive and manipulate users into downloading malware.


Malware payload delivery

Malware delivery. | Source: Malwarebytes

Upon interaction with the malicious ad, victims unwittingly download and execute the Nitrogen malware.

Nitrogen utilises DLL sideloading, a technique in which a legitimate executable loads a malicious DLL, so the malicious code runs under the name of a trusted program and bypasses detection mechanisms.


Defensive measures

Researchers have urged the use of DNS filtering to block malicious ads and prevent malvertising attacks. Companies and individuals can also implement group policies that restrict traffic from suspicious ad networks, and employ Endpoint Detection and Response (EDR) solutions to detect and quarantine malicious DLLs.

Alongside these controls, the researchers suggested strengthening user education on malvertising threats through targeted training simulations.

Google Ads have been used to lure victims to download malware for quite a while now. On April 1 this year, it was reported that threat actors were using fake ads of legitimate software like Notion and Slack to distribute malware.

On November 13, 2023, Google sued cybercriminals running malware-laden ads on Bard. In April of the same year, researchers found the BumbleBee malware strain exploiting Google Ads.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
