Malicious Slack Ads (Exploit Kit) – Malware

February 16, 2025
in Exploits, Malware
Malicious Slack Ads

Type of Malware: Adware
Date of Initial Activity: 2024
Motivation: Financial Gain
Attack Vectors: Phishing
Targeted Systems: Windows

Overview

The rise of malvertising has led to an alarming increase in fraudulent ads targeting unsuspecting users on widely used platforms such as Google. These deceptive ads often appear legitimate but hide malicious intent, and can lead to malware infections, data theft, and system compromise. One particularly sophisticated example involved fraudulent Slack ads designed to lure users into clicking links that ultimately redirected them to malicious sites. What sets this campaign apart is the patience and technical expertise of the threat actors behind it, and their ability to circumvent typical security defenses.

For several days, a seemingly innocent ad for Slack appeared at the top of Google search results, often above the legitimate Slack website. Initially, clicking the ad only redirected users to Slack’s official site, leading many to assume it was benign. Closer scrutiny, however, revealed a suspicious pattern: the advertiser’s account was promoting products apparently aimed at the Asian market, with the Slack ad appearing incongruously in the middle. This called the ad’s legitimacy into question and hinted that the advertiser’s account had been compromised.

The situation escalated as the ad’s behavior changed, eventually redirecting users to a click tracker before reaching its final malicious destination. The campaign is a prime example of “slow cooking”: gradually changing an ad’s behavior so that it evades detection and does not immediately trigger red flags. By the time the malicious payload was delivered, the ad had passed through several stages of cloaking and redirection, making it extremely difficult to trace. The attackers took advantage of weaknesses in the Google ad ecosystem, using click trackers and cloaking mechanisms to mask the final malicious destination. Once a user was tricked into interacting with the ad, they were redirected to a page impersonating Slack that lured them into downloading malware.

Targets

Information Individuals

How they operate

The Setup: Contextual Ad Placement and Initial Observations

The campaign began with a seemingly legitimate ad for Slack, placed at the top of Google search results for the term “Slack.” At this stage, clicking the ad redirected users to the official Slack website. This initially harmless behavior is the first phase of a tactic known as “slow cooking,” which threat actors commonly use to establish legitimacy and avoid immediate detection by automated systems or manual reviews. Further analysis revealed anomalies in the advertiser’s account: while most of its ads promoted products for the Asian market, the Slack ad appeared out of context. This inconsistency raised suspicions that a compromised advertiser account was being used to host the malicious campaign. The ad also benefited from Google’s built-in ad transparency features, which lent it a misleading air of legitimacy while it evaded detection.

Cloaking Mechanisms and Delivery Chains

As the campaign matured, the ad’s behavior shifted. Clicking the ad now initiated a series of redirections, starting with a click tracker. Click trackers are a legitimate feature of online advertising, but here they were abused to obfuscate the ad’s final destination. After passing through one or more click trackers, users were redirected to a domain resembling Slack, such as slack-windows-download[.]com. Initially, this domain displayed a decoy page with no apparent malicious content. The attackers then implemented cloaking, a technique that serves different content based on conditions such as the visitor’s IP address, browser settings, or geolocation. When the campaign was fully weaponized, the cloaking mechanism selectively redirected certain users to a malicious page mimicking Slack’s download page, which hosted a fake download button designed to deliver the malware payload.

Malware Delivery and Payload Analysis

Upon clicking the download button, users unwittingly initiated the download of a malware binary hosted on a different domain. The malware was delivered using a key-based request mechanism, so that only users who had traversed the entire ad delivery chain could access the payload. This layered approach added another level of obfuscation and made the attack harder for security researchers to analyze. Dynamic analysis of the downloaded file revealed that it established a remote connection to a known command-and-control (C2) server previously associated with SecTopRAT, a remote access Trojan (RAT) with data-stealing capabilities. This malware enabled the attackers to gain unauthorized access to infected systems, exfiltrate sensitive data, and potentially execute further malicious actions.

Exploiting Ad Ecosystem Weaknesses

The attackers exploited inherent weaknesses in the Google ad ecosystem. By leveraging click trackers and cloaking, they effectively blinded Google and the intermediary trackers to the true nature of the campaign. These techniques created a multi-layered delivery chain that required advanced tooling and contextual analysis to uncover. The use of a compromised advertiser account added further complexity, enabling the attackers to blend malicious activity with legitimate ad traffic.
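The delivery chain described above (ad click, one or more click trackers, then a brand-lookalike domain) is exactly the shape a proxy log can reveal, since each redirect hop leaves a 3xx response with a Location header. The following is an added detection example, not code from the original article or from the researchers it cites: it reconstructs redirect chains from constructed proxy log lines, refangs defanged URLs, and flags chains that end on a host containing the brand name as a whole label (for example slack-windows-download[.]com) but not under the brand’s own domain. The log format, the adclick.example and tracker.example hosts, and the LEGIT_DOMAINS set are assumptions.

```python
import re
from urllib.parse import urlparse
BRAND = "slack"
LEGIT_DOMAINS = {"slack.com"}   # hosts equal to or under these are the brand's own (assumption)
# Constructed proxy log lines (not from the article): time client status url location
SAMPLE_LOG = """\
10:00:01 10.1.2.3 302 https://adclick.example/aclk?id=1 https://tracker.example/c?id=77
10:00:01 10.1.2.3 302 https://tracker.example/c?id=77 https://slack-windows-download[.]com/
10:00:02 10.1.2.3 200 https://slack-windows-download[.]com/ -
10:00:09 10.1.2.3 302 https://adclick.example/aclk?id=2 https://slack.com/
"""

def host_of(url):
    return urlparse(url.replace("[.]", ".")).hostname or ""   # refang defanged URLs

def parse_log(text):
    """One dict per line; a Location of '-' means the response did not redirect."""
    recs = []
    for line in filter(None, text.splitlines()):
        _ts, _client, status, url, loc = line.split()
        recs.append({"status": int(status), "url": url, "location": None if loc == "-" else loc})
    return recs

def is_lookalike(host):
    """True when the brand appears as a whole label token in a host that is not the brand's own."""
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    return BRAND in re.split(r"[^a-z0-9]+", host.lower())

def build_chains(recs):
    """Follow Location hops from each chain start (a redirect no other response pointed to)."""
    next_hop = {r["url"]: r["location"] for r in recs if 300 <= r["status"] < 400}
    targets = set(next_hop.values())
    chains = []
    for url in [u for u in next_hop if u not in targets]:
        chain, seen = [], set()
        while url and url not in seen:          # 'seen' guards against redirect loops
            seen.add(url)
            chain.append(host_of(url))
            url = next_hop.get(url)
        chains.append(chain)
    return chains

def flag_chains(text):
    """Chains whose final host is a brand lookalike, with the number of intermediate hops."""
    flagged = []
    for chain in build_chains(parse_log(text)):
        if is_lookalike(chain[-1]):
            flagged.append((chain, f"{BRAND} lookalike reached after {len(chain) - 2} tracker hop(s)"))
    return flagged
```

Whole-label matching deliberately ignores hosts such as slackware.com; widen the token test only if your own false-positive budget allows it.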
References:
  • Fraudulent Slack ad shows malvertiser’s patience and skills
Tags: Exploit Kit, Google, Malicious Slack Ads, Malware, Phishing, Slack, Windows