“ClickFix” malvertising: crooks rent Google Ads so you’ll download their dodgy installers

Researchers have spotted a sprawling malvertising operation nicknamed “ClickFix” that hijacks Google Ads to lure users searching for popular software (Chrome, WhatsApp, Adobe Reader) onto copycat sites. The bogus pages serve malicious MSI installers laced with OxtaRAT remote-access malware. Once executed, the payload beacons home, steals browser cookies, crypto-wallet files and screenshots, then waits for further commands. The crooks rotate domains daily, abuse Cloudflare to mask their servers and bypass Microsoft SmartScreen by signing binaries with stolen certificates. Victims are mostly in the UK, India and South-East Asia. Experts advise ad-blockers, downloading software only from vendor URLs, and enforcing application allow-lists.

Think twice before you click that shiny “Download Chrome” advert. Security bods have outed ClickFix, a scam that buys real Google Ads, sends you to a convincing but fake website, then hands you an installer stuffed with OxtaRAT spyware. Lovely.

How the ruse works
1. You Google “WhatsApp desktop”.
2. Sponsored link at the top looks legit, so you click.
3. Copy-cat site serves an MSI signed with someone else’s paperwork.
4. You install, OxtaRAT quietly pinches your cookies, screenshots and crypto wallet.

Why don’t browsers stop it?
The gang swaps domains faster than you can say “patch Tuesday” and hides behind Cloudflare, so reputation filters don’t twig until it’s too late.

Who’s copping it?
Most victims are in the UK and India, but telemetry shows laptops lighting up from Manila to Manchester.

Protect yourself (and your nan)
• Skip sponsored links—type the vendor URL.
• Turn on an ad-blocker or SafeSearch.
• Use an application allow-list so surprise MSIs can’t run.
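Two of those tips are checkable on the box itself: a "valid" Authenticode signature is not enough when the crooks sign with somebody else's stolen certificate, so the signer must also be the vendor you expected, and an AppLocker publisher allow-list stops any MSI that fails that test from running at all. The PowerShell below is an added example, not code from the article or from the researchers; it uses the built-in Get-AuthenticodeSignature and AppLocker cmdlets, and the file paths, the expected publisher string and the vetted-installer folder are assumptions for illustration.

```powershell
# Added example (not from the article): vet a downloaded MSI before it runs, then
# build an AppLocker publisher allow-list from a folder of vetted installers.
# Paths and the expected publisher string are assumptions, not values from the page.

function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # e.g. 'CN=Google LLC' (assumed)
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # A Valid chain alone proves nothing here: the article's installers carry
    # stolen but otherwise valid signatures. The signer must also be the vendor
    # whose product you went looking for.
    $ok = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedPublisher*")

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status          # Valid / NotSigned / HashMismatch / UnknownError ...
        Signer     = $subject
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Allowed    = $ok
    }
}

# Usage: vet a file that arrived via a sponsored link (hypothetical path).
Test-InstallerPublisher -Path "$env:USERPROFILE\Downloads\ChromeSetup.msi" -ExpectedPublisher 'CN=Google LLC'

# Allow-list: generate AppLocker publisher rules for the Windows Installer
# collection from installers you have already vetted (C:\VettedInstallers is
# hypothetical). Anything signed by a different publisher, or unsigned, is then
# blocked rather than merely warned about.
$vetted = Get-AppLockerFileInformation -Directory 'C:\VettedInstallers' -Recurse -FileType WindowsInstaller
$policy = New-AppLockerPolicy -FileInformation $vetted -RuleType Publisher -User Everyone -Xml
$policy | Out-File 'C:\VettedInstallers\msi-allowlist.xml' -Encoding utf8

# Roll out in audit mode first: set EnforcementMode="AuditOnly" on the Msi
# RuleCollection in the XML, merge it, and review event 8006 ("would have been
# blocked") in the Microsoft-Windows-AppLocker/MSI and Script log before
# switching the collection to Enabled.
Set-AppLockerPolicy -XmlPolicy 'C:\VettedInstallers\msi-allowlist.xml' -Merge
```

The publisher rule type is the right one for this threat: a hash allow-list breaks on every vendor update, while a publisher rule keeps working across versions yet still rejects an MSI signed with a certificate that belongs to someone other than the vendor you listed.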

Remember: if an ad promises one-click fixes, it might just fix you up with malware instead.