A sophisticated malvertising campaign has been discovered using counterfeit websites disguised as a legitimate Windows news portal to distribute a malicious installer for CPU-Z, a well-known system profiling tool. According to Malwarebytes' Jérôme Segura, the campaign is part of a broader operation that also targets utilities like Notepad++, Citrix, and VNC Viewer, using specific domain names and cloaking methods to evade detection.

The campaign is notable for its imitation of WindowsReport[.]com, aiming to deceive users who search for CPU-Z on platforms such as Google. Clicking on the malicious ads redirects users to a fraudulent portal (workspace-app[.]online), while visitors the campaign does not target are instead shown a harmless blog with various articles, a tactic known as cloaking.

The rogue website hosts a signed MSI installer containing a malicious PowerShell script and a loader named FakeBat (or EugenLoader), which facilitates the deployment of RedLine Stealer on the infected system. Segura observes that the creation of a decoy site resembling Windows Report might be deliberate, as users often download software utilities from such portals instead of official websites.

This incident is not isolated. Recently, eSentire reported on an updated Nitrogen campaign linked to BlackCat ransomware attacks, highlighting the recurring misuse of Google Ads for popular software as a conduit for malware distribution. Additionally, eSentire documented two other campaigns using drive-by downloads to spread malware families like NetWire RAT, DarkGate, and DanaBot.

Threat actors are increasingly utilizing adversary-in-the-middle (AiTM) phishing kits such as NakedPages, Strox, and DadSec to circumvent multi-factor authentication and hijack accounts. eSentire also identified a novel attack method, the “Wiki-Slack attack,” which manipulates Slack’s handling of Wikipedia URLs to direct victims to attacker-controlled websites through Wikipedia article defacement and Slack sharing. This strategy relies on a specific formatting quirk in Slack and the positioning of a top-level domain in the Wikipedia article to misdirect victims to harmful sites.