Malicious Google Ads Trick WinSCP Users into Installing Malware

Subject : Malicious Google Ads Trick WinSCP Users into Installing Malware
Date : 2023-11-22


  WinSCP is a free, open-source file-transfer application that uses File Transfer Protocol (FTP), Secure Shell File Transfer Protocol (SFTP) and Secure Copy Protocol (SCP) for plain or secure file transfer. The application is designed to work with Windows and supports common Windows desktop features.


  Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER. Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.

  The attack begins with the user searching for "WinSCP" in Google. The malicious ad appears above the legitimate website for WinSCP, which is . The advertisement directs the user to the compromised WordPress website gameeweb[.]com, which in turn redirects the user to an attacker-controlled phishing site.

The threat actors are believed to leverage Google's Dynamic Search Ads (DSAs), which automatically generate ads based on a site's content, to serve the malicious ads that take the victims to the infected site.

The threat actors registered a domain similar to the legitimate one in order to appear as legitimate as possible. As you can see in the figure below, the phishing domain hxxps://winsccp[.]net (left) and the legitimate website are nearly identical.

Figure 1 : lure website versus legitimate WinSCP website download page
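The lookalike domain in the figure is one character away from the real one, which is exactly the kind of difference a human eye misses and a proxy log review can catch. The Python below is an added example, not code from the newsletter or the Securonix report: it flags lookalike destinations in web-proxy logs by edit distance against a small allowlist of brand domains. The allowlist, the log format and the log lines are constructed for this example; only winsccp[.]net and gameeweb[.]com come from the report.

```python
"""Flag lookalike domains in web-proxy logs (added example, constructed data)."""

# Brand domains users are expected to visit for software downloads (assumed allowlist).
PROTECTED_DOMAINS = {"winscp.net", "jetbrains.com"}

# Constructed proxy log lines: timestamp, client IP, referrer host ("-" if none), destination host.
SAMPLE_LOG = """\
2023-11-20T10:01:02Z 10.0.0.5 - winscp.net
2023-11-20T10:02:15Z 10.0.0.7 gameeweb.com winsccp.net
2023-11-20T10:03:44Z 10.0.0.9 google.com gameeweb.com
2023-11-20T10:04:01Z 10.0.0.5 - example.org
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings using two rows of memory."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Return the second-level label, e.g. 'winsccp' for 'www.winsccp.net'."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(host: str, max_distance: int = 2):
    """Return the protected domain this host imitates, or None.

    Exact matches and subdomains of protected domains are never flagged;
    a different label within max_distance edits of a protected label is.
    """
    host = host.lower()
    if host in PROTECTED_DOMAINS or any(host.endswith("." + d) for d in PROTECTED_DOMAINS):
        return None
    label = registrable_label(host)
    for legit in PROTECTED_DOMAINS:
        if 0 < levenshtein(label, registrable_label(legit)) <= max_distance:
            return legit
    return None


def scan_log(text: str):
    """Return (client, referrer, host, imitated_domain) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing at them
        _ts, client, referrer, host = fields
        legit = lookalike_of(host)
        if legit:
            findings.append((client, referrer, host, legit))
    return findings


if __name__ == "__main__":
    for client, referrer, host, legit in scan_log(SAMPLE_LOG):
        print(f"{client} reached {host} (looks like {legit}) via referrer {referrer}")
```

Keeping the referrer in the finding matters here: the report says the redirect to the fake site only fires with the expected referrer, so a hit that arrives from the compromised redirector is stronger evidence than a lookalike domain typed by hand.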

"Traffic from the gameeweb[.]com website to the fake winsccp[.]net website relies on a correct referrer header being set properly," the researchers said. "If the referrer is incorrect, the user is 'Rickrolled' and is sent to the infamous Rick Astley YouTube video." (Rickrolling is an internet meme that spread quickly across the internet. Related to Rick Astley's 1987 music video for "Never Gonna Give You Up", it involves luring people in with a link that appears to be about the topic at hand but turns out to be a video of Astley.) The final payload takes the form of a ZIP file ("") that comes with a setup executable which, when launched, employs DLL side-loading to load and execute a DLL file named python311.dll that is present within the archive. The DLL, for its part, downloads and executes a legitimate WinSCP installer to keep up the ruse, while stealthily dropping Python scripts ("" and "") in the background to activate the malicious behavior. It is also responsible for setting up persistence.
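The side-loading step above has a shape that can be checked for before anything is run: a setup executable shipped in the same directory as a DLL that carries the name of a well-known runtime library. The Python below is an added example, not code from the newsletter, Securonix or WinSCP. It builds a constructed ZIP in memory and lists every executable that sits beside such a DLL; the archive layout, the list of runtime DLL names and every file name other than python311.dll are assumptions.

```python
"""Triage a downloaded installer archive for the DLL side-loading layout (added example)."""
import io
import zipfile

# DLL names that ship with popular runtimes and are therefore common side-loading
# targets. Illustrative list, assumed for this example; python311.dll is from the report.
RUNTIME_DLL_NAMES = {"python311.dll", "python3.dll", "vcruntime140.dll", "msvcp140.dll"}

PE_MAGIC = b"MZ"  # first two bytes of a Windows executable image


def build_sample_archive() -> bytes:
    """Constructed sample: a setup.exe beside a DLL named like the Python runtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("winscp-setup/setup.exe", PE_MAGIC + b"\x00" * 62)      # placeholder PE stub
        zf.writestr("winscp-setup/python311.dll", PE_MAGIC + b"\x00" * 62)  # placeholder PE stub
        zf.writestr("winscp-setup/readme.txt", b"constructed sample, not a real installer")
    return buf.getvalue()


def side_load_candidates(archive: bytes):
    """Return (exe_path, dll_path) pairs where a runtime-named PE file sits beside an executable.

    Only files whose first bytes look like a PE image are counted as DLLs, so a
    stray text file with a suspicious name does not produce a finding.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        by_dir = {}
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry
            directory, _, base = name.rpartition("/")
            by_dir.setdefault(directory, []).append((name, base))
        for directory, entries in by_dir.items():
            exes = [path for path, base in entries if base.lower().endswith(".exe")]
            dlls = []
            for path, base in entries:
                if base.lower() in RUNTIME_DLL_NAMES:
                    with zf.open(path) as fh:
                        if fh.read(2) == PE_MAGIC:
                            dlls.append(path)
            for exe in exes:
                for dll in dlls:
                    findings.append((exe, dll))
    return findings


if __name__ == "__main__":
    for exe, dll in side_load_candidates(build_sample_archive()):
        print(f"review before running: {exe} would load {dll} from the same directory")
```

A finding is a reason to look closer, not proof of malice: legitimate installers do bundle runtime DLLs. What sets the case in the report apart is that a WinSCP installer has no reason to carry a Python runtime, so the pairing of the executable's expected dependencies with what the archive actually contains is the judgment call left to the analyst.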

  "Given the fact that the attackers were leveraging Google Ads to disperse malware, it can be believed that the targets are limited to anyone seeking WinSCP software," the researchers said. This is not the first time Google's Dynamic Search Ads have been abused to distribute malware. Late last month, Malwarebytes lifted the lid on a campaign that targets users searching for PyCharm with links to a hacked website hosting a rogue installer that paves the way for the deployment of information-stealing malware.


1. When searching for the original software, skip the search results that are Google Ads.

2. Download programs directly from well-known and reliable websites only.


Security systems remain the priority: we must stay vigilant and keep monitoring as usual.
For more information please contact
065 149 2822 (Ms.Suphatson )
061 404 5895 (Ms.Thanyakan)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)








Weekly Interesting CVE

Columns : CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | Severity Rating

Device/Application/OS Target : Check Point Harmony Endpoint/ZoneAlarm Extreme Security
Attack Type : Permission assignment
Description : A local attacker can escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Fix : Update to Version E81.10

Device/Application/OS Target : Netgate pfSense
Attack Type : Privilege Escalation
Description : An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.
Fix : 5.6.0 and later versions

Device/Application/OS Target : Zimbra Collaboration (ZCS)
Attack Type : Cross-site Scripting
Description : Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows Cross-site Scripting (XSS) in the Zimbra Classic Web Client.
Fix : Update to Version 8.8.15 Patch 41

Device/Application/OS Target : Lenovo System Update
Attack Type : Uncontrolled search path
Description : An uncontrolled search path vulnerability was reported in Lenovo System Update that could allow an attacker with local access to execute code with elevated privileges.
Fix : Update to Version

Device/Application/OS Target : McAfee MVISION Endpoint
Attack Type : Server-side request forgery
Description : Server-side request forgery vulnerability in the ePO extension in McAfee MVISION Endpoint prior to 20.11 allows remote attackers to trigger server-side DNS requests to arbitrary domains via carefully constructed XML files loaded by an ePO administrator.
Fix : Update to Version 20.11


30 November 2023
