ClickCease MadMxShell Malware: Google Ads Malvertising Campaign Alert

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

MadMxShell Malware: Google Ads Malvertising Campaign Alert

Wajahat Raja

May 1, 2024 - TuxCare expert team

In a recent discovery, a malicious campaign has surfaced, employing Google Ads to distribute a newly identified backdoor malware called MadMxShell. This campaign is orchestrated through a network of deceptive domains resembling legitimate IP scanning software, aiming to dupe unsuspecting users into downloading malware onto their systems. In this article, we’ll dive into the MadMxShell Malware and learn more about its infection sequence and protection measures to counter it.


MadMxShell Malware Technique and Distribution

The perpetrators behind this
Google Ads malvertising campaign have employed a tactic known as typosquatting, registering numerous domains closely resembling popular IP scanning tools like Advanced IP Scanner and Angry IP Scanner. These typosquatting domain attacks are then promoted through Google Ads, strategically positioning them at the top of search engine results for specific keywords.

Upon visiting these deceitful sites, users are prompted to download what appears to be legitimate software. However, behind the façade lies a malicious JavaScript code disguised as a ZIP file named “” Inside this archive are two critical components: a DLL file named “IVIEWERS.dll” and an executable file labeled “Advanced-ip-scanner.exe.”


Infection Sequence and Exploitation Tools

Upon execution, the
“Advanced-ip-scanner.exe” file initiates a complex infection sequence utilizing DLL side-loading. This technique involves loading the DLL file and activating the malware’s functions. The DLL file employs a method called process hollowing to inject shellcode into the host process, effectively initiating the infection process.

Further complicating matters, the malware abuses legitimate Microsoft binaries such as OneDrive.exe to sideload additional malicious components like Secur32.dll. These actions are performed clandestinely to evade detection and execute the backdoor functionality seamlessly.


The MadMxShell Backdoor

Named for its utilization of DNS MX queries for command-and-control (C2) communications, the
MadMxShell backdoor is equipped with multifaceted capabilities. It can gather system information, execute commands via cmd.exe, and conduct basic file manipulation operations, all while maintaining persistence on the infected host.

To evade detection by security solutions, the malware employs sophisticated evasion techniques. These include multiple stages of DLL side-loading, DNS tunneling for C2 communication, and anti-dumping mechanisms to thwart memory analysis and forensic investigations.


Uncovering the Threat Actors

Although the origins and motives of the threat actors remain undisclosed, investigative efforts have shed light on their activities.
Recent reports have revealed that two accounts associated with the perpetrators were identified on underground forums, utilizing the email address [email protected]. These forums serve as platforms for nefarious activities, including exchanging Google Ads exploitation techniques for malicious purposes.

The discovery underscores the persistent threat of malicious advertising campaigns leveraging legitimate advertising platforms. By exploiting Google Ads, threat actors can reach a vast audience while evading traditional security measures.


MadMxShell Detection and Removal

In today’s rapidly evolving
digital threat landscape, cybersecurity measures must continuously adapt to protect against emerging risks. In light of this emerging threat, organizations and individuals are urged to exercise caution when downloading software from unfamiliar sources. Implementing robust cybersecurity measures, such as endpoint protection and network monitoring, can help detect and prevent such attacks.


The emergence of the
MadMxShell malware highlights the evolving tactics employed by threat actors to propagate malicious activities. By leveraging deceptive domains and legitimate advertising platforms, these adversaries continue to evade detection and compromise unsuspecting users. Vigilance, coupled with proactive security measures, is essential in combating such threats and safeguarding against potential cyber-attacks.

The sources for this piece include articles in The Hacker News and SC Media.

MadMxShell Malware: Google Ads Malvertising Campaign Alert
Article Name
MadMxShell Malware: Google Ads Malvertising Campaign Alert
Discover how threat actors leverage Google Ads to deploy the MadMxShell malware. Stay informed and protected against this cyber threat.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter