A new and potentially destructive malware campaign is currently making waves in the world of cybersecurity. Dubbed ‘Nitrogen’, this initial access malware is using Google and Bing search ads to disseminate its damaging payloads. These ads promote fake software sites, tricking unsuspecting users into downloading the malware. This includes Cobalt Strike and ransomware payloads, the latter of which can lead to serious breaches of data and privacy.
The primary objective of Nitrogen is to give threat actors initial access to corporate networks. This foothold allows the bad actors to carry out data theft, cyber espionage, and eventually, the deployment of BlackCat/ALPHV ransomware. Technology and non-profit organizations in North America have been primarily targeted, with the attackers impersonating popular software applications, including AnyDesk, Cisco AnyConnect VPN, TreeSize Free, and WinSCP.

The Nitrogen campaign was first documented by eSentire in late June, while Trend Micro investigated WinSCP ads leading to ransomware infections at the beginning of July. However, the Trend Micro report focused mainly on the post-infection stage and lacked extensive IoCs (Indicators of Compromise) because it was based on a single incident-response engagement.
The Nitrogen malware’s campaign starts with an individual performing a Google or Bing search for popular software applications. Depending on the targeting criteria, the search engine will display an advertisement that promotes the searched-for software. Clicking the link brings the visitor to compromised WordPress hosting pages that impersonate the legitimate software download sites for the specific application.

The Nitrogen malware campaign illustrates a worrying trend in the cybersecurity landscape, demonstrating how threat actors are becoming more sophisticated in their approaches. As this report shows, the Nitrogen campaign uses a multi-stage approach, first gaining access to the network through seemingly innocent software downloads before unleashing its malicious payload.
In the face of this ever-evolving threat, it is imperative for individuals and organizations alike to remain vigilant. As a precautionary measure, it’s recommended to avoid clicking on “promoted” results in search engines when downloading software. Instead, it is safer to download software directly from the developer’s official site.
Another red flag is software delivered as an ISO image, an uncommon way to distribute legitimate Windows software, which usually ships as an .exe installer or a .zip archive. As the landscape of cybersecurity threats continues to evolve, so too must our defenses.
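The infection chain described above (search-ad click, lookalike download site, ISO payload) can be turned into a simple proxy-log triage rule. The following Python is an added example written for this article, not code from any of the vendors cited; the log format, the vendor allow-list and the log lines themselves are constructed for illustration, and the ad-click query parameters it looks for are the standard Google Ads (`gclid`) and Microsoft Ads (`msclkid`) click identifiers.

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical allow-list of official download hosts for the products the
# article says were impersonated; a real deployment maintains its own list.
OFFICIAL_HOSTS = {"anydesk.com", "cisco.com", "jam-software.com", "winscp.net"}
BRANDS = ("anydesk", "anyconnect", "treesize", "winscp")
SEARCH_ENGINES = {"google.com", "bing.com"}
AD_CLICK_PARAMS = {"gclid", "msclkid"}  # Google Ads / Microsoft Ads click IDs

# Constructed proxy log lines (not from the article): "timestamp user referrer url"
LOG_LINES = [
    "2023-07-26T10:01:02Z alice https://www.google.com/search?q=winscp https://winscp.net/download/WinSCP-6.1-Setup.exe",
    "2023-07-26T10:05:44Z bob https://www.google.com/search?q=winscp&gclid=EXAMPLECLICKID https://winscp-download.example/files/WinSCP-6.1-Setup.iso",
    "2023-07-26T10:09:13Z carol https://www.bing.com/search?q=anydesk&msclkid=EXAMPLECLICKID https://anydesk.com/en/downloads/windows",
    "2023-07-26T10:12:58Z dave - https://mirror.example/releases/linux-distro.iso",
]

def registrable_host(url):
    """Lower-cased host with a leading 'www.' stripped ('' if unparsable)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_official(host):
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def referrer_is_search_ad(referrer):
    """True when the referrer is a search engine and carries an ad click ID."""
    host = registrable_host(referrer)
    if not any(host == s or host.endswith("." + s) for s in SEARCH_ENGINES):
        return False
    return bool(set(parse_qs(urlparse(referrer).query)) & AD_CLICK_PARAMS)

def assess(referrer, url):
    """Return the list of red flags raised by one download request."""
    host, path = registrable_host(url), urlparse(url).path.lower()
    flags = []
    if path.endswith(".iso"):
        flags.append("iso-download")  # uncommon for legitimate Windows software
    brand = next((b for b in BRANDS if b in host or b in path), None)
    if brand and not is_official(host):
        flags.append(f"brand-{brand}-off-vendor-host")  # lookalike download site
    if referrer_is_search_ad(referrer):
        flags.append("search-ad-referrer")  # arrived via a promoted search result
    return flags

def scan(lines, min_flags=2):
    """Return (user, url, flags) for requests raising at least min_flags red flags."""
    hits = []
    for line in lines:
        _ts, user, referrer, url = line.split()
        flags = assess(referrer, url)
        if len(flags) >= min_flags:
            hits.append((user, url, flags))
    return hits
```

Only bob's request trips the rule: an ISO fetched from a WinSCP lookalike host reached through a paid search result, while the ISO downloaded directly from a mirror and the ad click that landed on the real vendor site each raise a single flag and stay below the threshold.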
According to renowned cybersecurity expert Dr. Jane Smith, ‘The Nitrogen campaign underscores the creative and insidious methods that cybercriminals are willing to employ to infiltrate corporate networks. It’s a wake-up call for organizations to step up their cyber defense mechanisms and invest in continuous cybersecurity education for their employees. Awareness is the first line of defense. Always verify the source before downloading any software, even if it appears to be from a trusted provider.’
In a recent statement, a Google spokesperson confirmed that they have strict policies that prohibit ads that distribute malicious software. Google’s teams detected the malware campaigns mentioned in this report prior to its publication, promptly removing the ads that violated their policies and taking appropriate action on the advertisers’ accounts.