Researchers have recently uncovered a campaign in which a threat actor is using Google Search ads to target graphic design professionals. The actor has run at least 10 malvertising campaigns hosted on two IP addresses, 185.11.61[.]243 and 185.147.124[.]110. Users who click these malicious ads are redirected to websites that serve malware downloads to their devices.
The first IP address, 185.11.61[.]243, became active on July 29, 2024, and currently hosts 109 unique domains. It has been associated with a series of malvertising campaigns targeting people in the graphic design and CAD industries. The second IP address, 185.147.124[.]110, was activated more recently, on November 25, 2024, and currently hosts 85 unique domains used to distribute malicious payloads through compromised websites and advertisements.
One of the malvertising campaigns, initiated on November 13, 2024, used the domain frecadsolutions[.]com, hosted on 185.11.61[.]243. Subsequent campaigns on November 14 and 26 followed the same pattern, using the domains frecadsolutions[.]cc and freecad-solutions[.]net to lure unsuspecting users into downloading malware.
On November 27, additional campaigns saw domains such as frecadsolutions[.]org and rhino3dsolutions[.]io migrate from 185.11.61[.]243 to 185.147.124[.]110. By exploiting vulnerabilities in ad networks, these campaigns redirected users to malicious websites, posing a significant risk to their systems.
Further campaigns launched in mid-November used domains such as rhino3dsolutions[.]net, planner5design[.]net, and onshape3d[.]org, the last of which has been hosted on 185.147.124[.]110 since the beginning of December. These campaigns aimed to trick users into unknowingly downloading malware.
On December 8, 2024, the domain frecad3dmodeling[.]org was hosted on the IP address 185.147.124[.]110 and was promptly used in a malvertising campaign initiated on December 10th. Silent Push has reported that vulnerabilities in web browsers and ad networks were likely exploited to deliver malicious payloads to unsuspecting users.
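As an added example (not code from Silent Push or the original report), the defanged indicators named above can be refanged and matched against outbound proxy logs to find hosts that reached this infrastructure; the log layout and the sample lines are assumed and constructed, not taken from any real environment:

```python
import re
from collections import namedtuple

# Indicators exactly as published above, kept defanged and refanged at runtime.
DEFANGED_IPS = ["185.11.61[.]243", "185.147.124[.]110"]
DEFANGED_DOMAINS = [
    "frecadsolutions[.]com", "frecadsolutions[.]cc", "freecad-solutions[.]net",
    "frecadsolutions[.]org", "rhino3dsolutions[.]io", "rhino3dsolutions[.]net",
    "planner5design[.]net", "onshape3d[.]org", "frecad3dmodeling[.]org",
]

def refang(indicator: str) -> str:
    """Turn a defanged IoC ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

IPS = {refang(i) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
Hit = namedtuple("Hit", "line_no kind value host")

# Assumed (hypothetical) proxy log layout: "<timestamp> <src_ip> <dst_ip> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def scan(lines):
    """Return one Hit per indicator matched on each log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed layout
        _ts, _src, dst_ip, url = m.groups()
        hm = re.match(r"^(?:https?://)?([^/:?#]+)", url)  # host part of the URL
        host = hm.group(1).lower() if hm else ""
        if dst_ip in IPS:
            hits.append(Hit(n, "ip", dst_ip, host))
        # match the listed domain itself or any subdomain of it
        for d in DOMAINS:
            if host == d or host.endswith("." + d):
                hits.append(Hit(n, "domain", d, host))
                break
    return hits

# Constructed sample log; the non-listed addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2024-12-10T09:14:02Z 10.0.0.12 185.147.124.110 https://www.frecad3dmodeling.org/download",
    "2024-12-10T09:15:11Z 10.0.0.12 198.51.100.20 https://example.com/search?q=freecad",
    "2024-11-14T11:02:45Z 10.0.0.7 185.11.61.243 http://frecadsolutions.cc/",
    "2024-12-10T09:16:00Z 10.0.0.9 203.0.113.5 https://rhino3dsolutions.net/installer.exe",
]
```

Running `scan(SAMPLE_LOG)` flags the first, third and fourth lines; the fourth is caught by domain alone, which matters because the report shows domains moving between the two addresses.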
The IP addresses and domains linked to this malicious advertising infrastructure are likely controlled by a threat actor seeking to distribute harmful advertisements. These ads have the potential to infect devices with malware, launch phishing attacks, or expose users to other cyber threats.
It is crucial for organizations and individuals to exercise caution when interacting with content from these sources and to implement robust security measures to protect themselves from falling victim to these malicious campaigns. By staying informed and vigilant, users can reduce the risk posed by these malicious actors and safeguard their online activities.