Fake Slack Ads Deploying Malware Are Introduced Gradually via Google Ads to Avoid Detection

Published on August 22, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

Unnamed threat actors patiently developed a malvertising campaign with multiple layering that ultimately deployed malware. The operation targeted users interested in installing the legitimate Slack communication app, a new report from security company Malwarebytes said.

The fake Slack ads’ advertiser information in the Google Ads Transparency Center showed they registered as CVC International Limited and promoted products for the Asian market.

To avoid being immediately flagged, the deceiving ad led to a price page on Slack’s official website in the beginning. Lately, it redirected to a click fraud detection tool, followed by a click tracker. Then, the ad’s final URL became a domain without malicious content: slack-windows-download[.]com. 

However, the security researchers could see the malicious page after tweaking some settings.

Malicious Slack Ad
Image Source: Malwarebytes

The click trackers are followed by one more cloaking domain, resulting in deep layering that makes evaluating an ad harder unless one has specific tools and knowledge of the threat actor’s tactics, techniques, and procedures (TTPs).

This is one of the Google ad ecosystem’s weaknesses, as the Alphabet Inc.-owned service cannot know where users are going after the click tracker since such services can be abused to filter clicks and send traffic to any domain.

Malicious Slack Site
Image Source: Malwarebytes

Clicking the button to get the app triggers the malware binary download from another domain, and researchers say they saw a hint of a parallel campaign targeting Zoom in the file’s name.

The server used for the remote connection was previously used by SecTopRAT, an infostealer RAT, while this payload was previously used in previous malvertising operations, including fake NordVPN ads.

In the past year, hundreds of unique malvertising incidents related to Google search ads were observed. 

Recently, a phishing site masquerading as an official ‘Google Safety Centre’ page deployed malware like Latrodectus and ACR Stealer while pretending to let users download the trusted multi-factor authentication (MFA) app Google Authenticator. 

Simultaneously, a fake ad for Authenticator appeared among Google search results, and the advertiser’s identity was even verified by Google.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: