Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload

April 3, 2025, 7:04 p.m.

Description

A security incident was detected in which malicious sponsored ads distributed backdoored administrative tools. Users searching for RVTools were served a tampered version bundled with ThunderShell, a PowerShell-based remote access tool. The malicious ads, shown in Google search results, led to a site mimicking the legitimate RVTools download page. When executed, the trojanized file installs RVTools but also deploys ThunderShell, allowing attackers to execute commands on compromised machines. Multiple ads from different verified advertisers were used to evade security controls. The campaign highlights the persistent threat of malvertising and the need for stronger ad screening processes and user awareness.

Date

  • Created: April 3, 2025, 5:18 p.m.
  • Published: April 3, 2025, 5:18 p.m.
  • Modified: April 3, 2025, 7:04 p.m.

Attack Patterns

  • ThunderShell
  • IcedID - S0483
  • T1102.003
  • T1204.001
  • T1059.003
  • T1059.001
  • T1547.001
  • T1071.001
  • T1036.005
  • T1105
  • T1055
  • T1027

Additional Information

  • United Kingdom of Great Britain and Northern Ireland