Silent Push researchers have identified a series of malvertising campaigns targeting graphic design professionals, taking advantage of Google Search ads to distribute malware. The attacks began in November 2024 and utilized two IP addresses, 185.11.61.243 and 185.147.124.110, to host multiple malicious domains. The ads redirect users to websites that initiate harmful downloads, posing a significant security threat to unsuspecting victims.
Hackers exploit Google ads to target graphic designers
The primary attack vector involves fraudulent domains that mimic legitimate graphic design software, with campaigns launching nearly daily. Notable domains connected to this scheme include frecadsolutions.com, freecad-solutions.net, and rhino3dsolutions.io. Each campaign has reportedly made use of dedicated IP addresses to mask the malicious activity behind seemingly legitimate advertising.
The malvertising campaigns have been continuous since November 13, 2024, and leverage numerous domains to distribute harmful content. The first campaign was hosted on frecadsolutions.com and became active on November 6, 2024. Subsequent campaigns utilized slightly altered domain names to evade detection, with campaigns noted on sites like planner5design.net and variations of freecad-solutions.
As detailed in the findings from Silent Push, the malicious actors have orchestrated a well-structured operation. By exploiting weaknesses in ad networks, these attackers redirect users from Google ads to malicious websites that offer deceptive software downloads masquerading as CAD tools. Hosting the downloads on trusted platforms such as Bitbucket lends credibility to the malicious links, increasing the likelihood that unsuspecting users will download them.
Moreover, Silent Push emphasizes that identifying these threats should be simple through basic domain and IP address investigations, yet the attackers continue to operate undeterred, highlighting potential flaws in Google’s ad monitoring capabilities. Research indicates that up to ten distinct campaigns have utilized the same ad infrastructure, showcasing the attackers’ methodical approach.
Technical overview of the IP addresses and domains
The IP addresses involved, 185.11.61.243 and 185.147.124.110, have seen consistent activity with multiple unique domains mapped to them. The first IP address has been active since July 29, hosting over 109 unique domains. Meanwhile, the second IP started its operations on November 25, 2024, and is currently linked to 85 unique domains designed to distribute malware.
On November 14, 2024, a campaign launched on frecadsolutions.cc, utilizing Bitbucket for file hosting. The pattern continued with the appearance of freecad-solutions.net on November 26, which initially resolved to the first IP but later migrated to the second. This illustrates a coordinated effort by the attackers to keep their operations running while attempting to conceal their tracks through IP switching.
A series of campaigns continued into December, activating domains like rhino3dsolutions.net and planner5design.net, which saw their hosting migrated between the two malicious IPs. The ongoing nature of these attacks raises concerns over the effectiveness of current protective measures against such sophisticated malvertising schemes.
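The investigation the article describes (which domains sit on the two named IPs, which of them imitate legitimate CAD product names, and which moved between the IPs) as an added Python example that is not Silent Push's code; the passive-DNS records below are constructed for illustration, and the brand tokens FreeCAD, Rhino 3D and Planner 5D are assumed from the domain names quoted above.

```python
from collections import defaultdict
# IPs named in the Silent Push findings quoted in the article.
KNOWN_BAD_IPS = {"185.11.61.243", "185.147.124.110"}
# Brand tokens the campaign domains imitate (assumed from the article's domain names).
BRANDS = ("freecad", "rhino3d", "planner5d")

# Constructed sample passive-DNS records (domain, ip, first_seen), not real data.
RECORDS = [
    ("frecadsolutions.com", "185.11.61.243", "2024-11-06"),
    ("frecadsolutions.cc", "185.11.61.243", "2024-11-14"),
    ("freecad-solutions.net", "185.11.61.243", "2024-11-26"),
    ("freecad-solutions.net", "185.147.124.110", "2024-12-02"),
    ("rhino3dsolutions.net", "185.147.124.110", "2024-12-05"),
    ("planner5design.net", "185.147.124.110", "2024-12-09"),
    ("weather-widget.example", "203.0.113.7", "2024-10-01"),
]

def levenshtein(a, b):
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(domain, max_dist=1):
    """Brand whose name the leftmost label imitates (within max_dist edits), or None."""
    label = domain.split(".")[0].replace("-", "")
    for brand in BRANDS:
        n = len(brand)
        # Compare against label prefixes of length n-1..n+1 to catch a dropped or added letter.
        if any(levenshtein(label[:k], brand) <= max_dist for k in (n - 1, n, n + 1)):
            return brand
    return None

def pivot(records):
    """Map each known-bad IP to the domains it hosted, tagged with the imitated brand."""
    hits = defaultdict(dict)
    for domain, ip, _first_seen in records:
        if ip in KNOWN_BAD_IPS:
            hits[ip][domain] = lookalike_brand(domain)
    return dict(hits)

def migrated_domains(records):
    """Domains seen on every known-bad IP, i.e. the IP switching described above."""
    hits = pivot(records)
    return sorted(set.intersection(*(set(d) for d in hits.values())))
```

Against real passive-DNS data the same pivot would surface the other domains on those IPs, and the lookalike tag separates campaign domains from unrelated tenants of the same hosting.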
As for the nature of the threats posed, recent reports suggest that these actors may also exploit vulnerabilities in web browsers and ad networks, increasing the risk for users who inadvertently click on these ads. The scale and persistence of these campaigns underscore the need for vigilance among graphic design professionals and the general public alike.
Featured image credit: Pankaj Patel/Unsplash