Fake Messaging Apps Target Chinese Users Through Malicious Google Ads - aspirestream.ltd


Fake Messaging Apps Target Chinese Users Through Malicious Google Ads

January 16, 2024, by Arnold

A recent malvertising campaign has specifically targeted Chinese-speaking users through deceptive Google ads promoting restricted messaging apps like Telegram. The threat actors behind this campaign are exploiting Google advertiser accounts to create malicious ads that lead users to download Remote Administration Trojans (RATs), providing attackers with full control over victims’ machines and enabling the deployment of additional malware.

This campaign, known as FakeAPP, is a continuation of a previous attack that focused on Hong Kong users searching for messaging apps like WhatsApp and Telegram in late October 2023. The latest version of the campaign has expanded to include the messaging app LINE, redirecting users to counterfeit websites hosted on Google Docs or Google Sites.

The threat actor utilizes Google infrastructure to embed links to other sites under their control, delivering malicious installer files that ultimately deploy trojans like PlugX and Gh0st RAT.

Malwarebytes traced the fraudulent ads to two advertiser accounts, Interactive Communication Team Limited and Ringier Media Nigeria Limited, both based in Nigeria. The threat actor appears to prioritize quantity over quality, constantly pushing new payloads and infrastructure as part of their command-and-control strategy.

In a separate development, Trustwave SpiderLabs identified a surge in the use of a phishing-as-a-service (PhaaS) platform called Greatness. This platform allows cybercriminals to create authentic-looking credential harvesting pages targeting Microsoft 365 users. Greatness, available for $120 per month, enables personalization of sender names, email addresses, subjects, messages, attachments, and QR codes, enhancing the relevance and engagement of phishing emails. The platform employs anti-detection measures, including randomizing headers, encoding, and obfuscation, to bypass spam filters and security systems.

Phishing attacks using Greatness involve sending emails with malicious HTML attachments that direct recipients to a fake login page, capturing entered login credentials and sending them to the threat actor via Telegram. Some attack chains leverage attachments to drop malware on victims’ machines for information theft.

While the number of victims is unknown, Greatness is widely used and supported, with a dedicated Telegram community providing information and tips on operating the kit.

Additionally, South Korean companies have faced phishing attacks impersonating tech companies like Kakao to distribute AsyncRAT via malicious Windows shortcut (LNK) files. Malicious shortcut files disguised as legitimate documents continue to be distributed, with users potentially mistaking them for normal documents due to the absence of the ‘.LNK’ extension in the file names.
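Because Explorer hides the .LNK extension, a file named "Invoice.pdf.lnk" shows up as "Invoice.pdf". The following added example (not code from the article or any vendor mentioned in it) is a small defender-side check that identifies Shell Link files by their header magic rather than by extension and flags those whose visible name ends in a document extension; the sample files it writes are constructed placeholders, not real malware.

```python
import os
import tempfile

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 serialized little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions a user would expect on a "normal document" (assumed list).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".hwp", ".txt"}

def is_shell_link(path):
    """True if the file starts with the Shell Link header, regardless of name."""
    with open(path, "rb") as f:
        return f.read(len(LNK_MAGIC)) == LNK_MAGIC

def displayed_name(filename):
    """Name as Explorer shows it: the trailing .lnk is hidden from the user."""
    return filename[:-4] if filename.lower().endswith(".lnk") else filename

def classify(path):
    """Return None for non-LNK files, a finding string for Shell Links."""
    if not is_shell_link(path):
        return None
    shown = displayed_name(os.path.basename(path))
    ext = os.path.splitext(shown)[1].lower()
    if ext in DOC_EXTS:
        return f"disguised shell link: displayed as '{shown}' but is a .LNK"
    return "shell link"

def scan(directory):
    """Map each Shell Link file in directory to its classification."""
    findings = {}
    for entry in os.scandir(directory):
        if entry.is_file():
            result = classify(entry.path)
            if result:
                findings[entry.name] = result
    return findings

def demo():
    # Constructed samples: a LNK posing as a PDF, a plain LNK, a real text file.
    d = tempfile.mkdtemp()
    samples = {
        "Invoice.pdf.lnk": LNK_MAGIC + b"\x00" * 56,
        "Notepad.lnk": LNK_MAGIC + b"\x00" * 56,
        "notes.txt": b"just text",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return scan(d)

if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```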
