Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Google Ads drop FatalRAT malware from fake messenger, browser apps

Find out how Google Ads have been spreading FatalRAT malware recently in fake utility, messenger and browser apps. Learn more about this alarming security issue and how to protect yourself.

Researchers from the Slovak cybersecurity firm ESET have discovered a new malware campaign targeting Chinese-speaking users in East and Southeast Asia.

According to a report published by ESET researchers, hackers are delivering remote access Trojans hidden inside malicious Google ads. These misleading ads appear in Google search results and download Trojans installers.

This should not come as a surprise, as Google Ads and Google Adsense have been abused lately to deliver malware around the world.

Researchers at ESET noted that the attackers remain unidentified. However, it is confirmed that they are targeting Chinese-speaking individuals. They have designed fake websites that look identical to popular apps like WhatsApp, Firefox, or Telegram.

Through these websites, the attackers deliver remote access Trojans, such as FatalRAT, first detected by AT&T researchers in 2021, to hijack the infected device. Some of the spoofed apps include:

  • LINE
  • Signal
  • Skype
  • Youdao
  • Electrum
  • Telegram
  • WhatsApp
  • WPS Office
  • Mozilla Firefox
  • Google Chrome
  • Sogou Pinyin Method

Researchers discovered the attacks between August 2022 and January 2023. The attack starts by purchasing an ad slot appearing in Google search results.

“The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results. We reported these ads to Google, and they were promptly removed,” researchers explained.

Users who search for popular apps are directed to rogue websites with typosquatting domains that host trojanized installers. These installers install the actual app as the user requires, to avoid raising suspicion.

Google Ads spreading FatalRAT malware from fake messenger, browser apps
Fake Google Chrome and Telegram websites spreading fake installers infected with FatalRat malware

The FatalRAT malware used in this campaign contains numerous commands to manipulate data from various browsers.

“The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China,” researchers wrote in their technical report published today.

The downloaded installers aren’t hosted on the same server as the sites, but in Alibaba Cloud Object Storage Service, and are digitally signed MSI files. The installers were uploaded to the cloud storage on 6th January 2023.

After the malware is deployed, the attacker gains full control of the device and can execute arbitrary shell commands, run executables, steal data from web browsers, and log keystrokes.

This campaign has no specific targets, as the attackers want to steal exclusive user data, such as web credentials, to sell them on underground hacker forums or launch additional cybercrime campaigns. However, in their report, ESET researchers noted that most victims were located in the following countries:

  • China
  • Taiwan
  • Japan
  • Malaysia
  • Thailand
  • Indonesia
  • Myanmar
  • Philippines
  • Hong Kong

Detection and protection from fake malicious installers

Fake, malicious installers can be a significant threat to your computer and personal data. To detect and protect against them, here are some steps you can take:

  • First and foremost, use common sense when downloading files. Never download software, or anything else, from a third-party site. Download software only from trusted sources: Download software only from reputable websites, and avoid downloading from unverified sources.
  • Verify the authenticity of the website: Check the website’s URL for spelling errors, and look for security badges and trust seals on the site. For example, it’s, not ɢ
  • Use reliable anti-virus software: Use reliable anti-virus software and keep it updated to protect your computer from malicious software.
  • Read reviews and comments: Read reviews and comments about the software before downloading it; this will give you an idea of the software’s authenticity.
  • Scan downloaded files: Use anti-virus software to scan the downloaded file before installing it. You should also use VirusTotal to check whether the file is malicious or if the URL you are about to visit is safe.
  • Use sandboxing software: Use sandboxing software that can run the installer in a virtual environment, keeping your system safe from any potential harm.
  • Enable security features: Enable security features on your computer, such as a firewall, to prevent unauthorized access to your system.
  1. Jupyter infostealer delivered through MSI installer
  2. Fake Zoom installers infect PCs with RevCode RAT
  3. Fake 1Password installer stealing user extract data
  4. Fake Tor browser installer drop malware via YouTube
  5. Fake Windows 11 installers infecting PCs with adware


I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Related News

CyberSecure Announces Strategic Alliance

CyberSecure Announces Strategic Alliance

BETHESDA, Md., March 24, 2023 /PRNewswire/ — Cybersecure IPS and LockDown Inc. jointly announce that they have entered a strategic alliance to…
Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own…
GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub, a Microsoft subsidiary has replaced its SSH keys after someone inadvertently published its private RSA SSH host key part of…