Notepad++ Malvertising on Google ads evade detection for quite sometime.

Malvertising is on the rise, reaching new heights of danger as it infiltrates Google Ads, in Google search where millions of users browse the web. The alarming twist? It all came to light through a seemingly malicious advertising of the code editing tool Notepad++, while using sophisticated techniques to invade detection.

                                                       The Malvertising Attack Framework. Image-source: Malwarebytes


A researcher at Malwarebytes by the name Jerome Segura stated that:

“In recent weeks we have noted an increase in Malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain.”

The malware ads which has been spotted to be ongoing for months, indicates how threat actors have seemingly been abusing Google Ads towards their own personal gain, by promoting malicious websites that host and distributes malwares.

Further research indicates that the objective of the threat actor is to deliver a final payload (unknown) to its victims. However, researchers at Malwarebytes have a contrary opinion; saying there is a likely chance that the payload is “cobalt strike”.



Google Ads which is solely for business purpose, allows business owners to bring awareness to their business through ads. Threat actors are seemingly using this to advertise the Notepad++ malware through URL’s that are not related to the software, and displaying false title, with the intent to deceive.

                              Malware advertised via google ads. Image-source: Malwarebytes

In this scenario, the SEO (Search Engine Optimization) tactics in question are manipulated, taking advantage of the fact that titles are significantly larger than URLs. This strategic move lures search engine users into the trap.

As soon as visitors click on any of the ads, a redirection that checks certain information such as IP addresses, executes. This is to enable the filtering of crawlers, VPNs, bots and redirects them to a decoy site that has no malicious file in it.


                                      Decoy page which visitors are redirected to, when filtering checks fails to pass. Image-source: Malwarebytes


However if the checks are passed, and information indicates a legitimate user trying to access the ads, the user is then redirected to “notepadxtreme[.]com” (the use of typo squatting can be noted here); A clone of the legitimate website which features links to download various versions, of the software.

Unsuspecting victim’s who then clicks the malicious file triggers a second system fingerprint check (this is carried out by a JavaScript snippet code, to ensure there are no anomalies or indicator that the connection is carried out from a sandbox).

If these checks are verified, the user is then served an HTA script, which has a unique ID assigned to it (an indicator, for the attacker to track the infected devices). The payload is noticed to be served once per victim, as revisiting the URL triggers an error 404 page.


The Error 404 page is displayed, if the victim who has already installed the malware, revisits the URL for the second time and so on. Image-source: Malwarebytes


Analysis of the HTA (HTml Application), by Malwarebytes showed no useful information as the malware shows no signs of being weaponized at the moment. However, further investigation on virustotal reveals the same file was uploaded on virustotal portal from July.


                                                   Virustotal indicates file was recently uploaded in July for analysis. Image-source: Malwarebytes

Also, Reviewing the file, shows that a remote connection to a domain via a custom port was initiated; likely part of a Cobalt Strike deployment.

While there are no indicators showing the active state of the malware, users are advised to be cyber aware, and take precautionary measures when accessing tools/software applications online. A more adequate approach which involves reviewing the handle, and ensuring its legitimacy, should be adopted.  Detailed information about the malware and indicator of compromise can be read here




Put your comments below in the comment section on your thoughts about this.

Find this article and information helpful? Show some love and support  “Click-Here”
5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments