Threat Watch

Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps

A new campaign targeting Chinese-speaking individuals in Southeast and East Asia has been discovered using Google Ads to deliver FatalRAT to infected machines. FatalRAT is a remote access Trojan first discovered in 2021 that has the capability to capture keystrokes, execute commands, and steal data stored in web browsers on the infected device.

The Google Ads used in this campaign are typosquatted domains that look very similar to the masqueraded software’s legitimate domain. Ads were found pretending to be downloads for popular software such as Chrome, Firefox, Telegram, and WhatsApp. Once the fake executable is downloaded and executed, it proceeds to use DLL side-loading to load a malicious DLL into a legitimate executable process. When the DLL is loaded, it decrypts, loads, and executes the main FatalRAT payload into memory. The malware then creates scheduled tasks to re-execute this process on startup, as well as to execute an updater included with the malware. This updater checks and downloads additional files from an attacker-controlled bucket in the Alibaba Cloud using the OSSUTIL application. Finally, the legitimate application is also downloaded and installed on to the system, in an attempt to hide the malicious behavior that occurred from the user.

A majority of the victims of this campaign are located in Taiwan, China, and Hong Kong, followed by Malaysia, Japan, and the Philippines. Specific attribution of this campaign is currently unknown, but due to the fake websites being mostly in Chinese, it is believed that users from east Asia are the threat actor’s primary targets.


Malicious Google Ads are becoming popular among threat actors as an infection vector for malware. Due to this, it is highly recommended to use an adblocker software when performing Google searches, particularly when searching for popular applications like Chrome or Telegram. This can help prevent a user from accidentally clicking on one of these malicious advertisement websites as opposed to the software’s legitimate site. Likewise, it is important to always double-check the URL of a website for typos or additional characters before downloading software. This can help prevent accidentally mistyping a URL or falling victim to search order hijack attacks. It is also recommended to install and maintain security software on all devices in an environment, to help prevent or detect malware infections. When prevention of the malicious installation fails, detection can help alert an organization to a potential infection. The infection chain of this campaign uses a number of techniques that can be considered suspicious in normal usage. Programs executing from the ProgramData folder, unauthorized connections to the Alibaba Cloud service, an unknown process creating multiple scheduled tasks, and abnormal processes executing system commands are all behaviors that this campaign exhibits that would be considered suspicious under everyday system usage. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.