A developer searches for "download VS Code," clicks the top result, and installs what looks like Visual Studio Code. It isn't. It's an infostealer that harvests browser passwords, session tokens, and SSH keys before anyone notices.
The employee wasn't careless. They didn't click a suspicious email link or download a pirated tool. They just searched for something on Google and clicked the first result—which happened to be a malicious ad.
This is malvertising, and it's one of the fastest-growing attack vectors affecting organizations today.
How Malvertising Actually Works
Attackers buy legitimate advertising space on Google, Bing, and social media platforms. They bid on popular search terms—software downloads, troubleshooting guides, AI tools—and get their ads placed above organic results.
The ads look indistinguishable from legitimate ones. The landing pages are polished, often using stolen branding and content from real companies. Some even host their fake downloads on legitimate platforms like GitHub or Google Sites to add credibility.
When you download and run the installer, it might even install the real software—while simultaneously dropping malware in the background.
Common Malvertising Campaigns
Fake AI tool downloads. Attackers are capitalizing on the rush to try new AI tools. Searches for ChatGPT desktop apps (which OpenAI doesn't make), AI image generators, and productivity tools lead to malware-laced installers.
Fake software downloads. Slack, Zoom, VS Code, 7-Zip, VLC—anything popular is being impersonated. The fake sites look identical to real ones.
Fake macOS troubleshooting pages. These are particularly clever. They pose as Apple support articles for common problems (audio issues, slow performance) and instruct users to paste commands into Terminal. Those commands install malware.
Business software impersonation. QuickBooks, Salesforce login pages, Microsoft 365 admin tools—anything a business user might search for.
Why Traditional Defenses Miss This
This is what makes malvertising so effective:
- It's not a phishing email. Your email filters won't catch it because the attack starts with a search engine.
- The user initiates the action. They're actively looking for the software, so they're primed to download and install it.
- The ads are legitimate. Google accepted the advertiser's payment. The ad itself passed Google's review process.
- The sites use HTTPS. The lock icon is there. The site looks professional.
- The install appears to work. The malware might install the real software alongside itself, so the user doesn't notice anything wrong.
The Real Risk
The malware deployed through malvertising is usually an infostealer. Within minutes of execution, it's collecting:
- Browser passwords and session cookies
- Cryptocurrency wallet files
- SSH keys and credentials
- Documents matching patterns (anything with "password," "backup," "wallet")
- Browser autofill data
This data gets exfiltrated to the attacker's servers. If session cookies are stolen, the attacker can impersonate the user without needing their password—even bypassing MFA.
For a business, one compromised developer workstation can mean:
- Access to source code repositories
- Access to cloud infrastructure (via stolen CLI credentials)
- Access to internal systems (via session hijacking)
- A foothold for lateral movement
What Actually Helps
User Education That's Specific
Generic "don't click suspicious links" training doesn't cover this. Users need to know:
- Ads appear above search results. The first result isn't necessarily the official site.
- Look for "Sponsored" labels. Google marks ads, but the label is subtle.
- Type URLs directly for software downloads. Don't click through search results.
- Official sites end in expected domains. Microsoft is microsoft.com, not microsoftdownload.net.
- No legitimate support page asks you to paste terminal commands. Ever.
Technical Controls
- Endpoint detection and response (EDR). Modern EDR tools can catch infostealers even after installation.
- Browser isolation for high-risk searches on managed devices.
- Application allowlisting where feasible—if users can only run approved software, malicious installers fail.
- DNS filtering that blocks known malicious domains.
- Ad blocking on corporate browsers (controversial but effective).
Software Distribution
- Maintain an internal software catalog with approved download links.
- Use package managers (Homebrew, Chocolatey, apt) instead of manual downloads.
- Deploy software centrally through MDM or configuration management.
A Culture of Verification
The most effective defense is making verification automatic:
"I need to download Slack" → Check the internal software catalog → Download from the official link
Not:
"I need to download Slack" → Google "download Slack" → Click the first result
Building this habit takes repetition and making the right path easier than the wrong one.
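As an added example (not code from the original post), here is how the catalog-first habit above and the "expected domain" rule from the education list can be made automatic in a small Python download helper; the catalog entries, hostnames and product names are constructed for illustration, not a recommendation of specific endpoints.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed internal software catalog: product -> (approved hostname, approved download URL).
# In practice this would be maintained centrally, as the post's "internal software catalog".
APPROVED_DOWNLOADS: Dict[str, Tuple[str, str]] = {
    "slack": ("slack.com", "https://slack.com/downloads"),
    "vscode": ("code.visualstudio.com", "https://code.visualstudio.com/download"),
    "7zip": ("7-zip.org", "https://www.7-zip.org/download.html"),
}


def host_is_under(hostname: str, approved: str) -> bool:
    """True only if hostname equals the approved domain or is a subdomain of it.

    A naive substring test would accept look-alikes such as
    'microsoftdownload.net' or 'microsoft.com.evil.example', so the
    comparison is done on label boundaries instead.
    """
    hostname = hostname.lower().rstrip(".")
    approved = approved.lower().rstrip(".")
    return hostname == approved or hostname.endswith("." + approved)


def check_download_url(product: str, url: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a URL the user wants to download a product from.

    The catalog is consulted first; the URL is then required to be https and
    to sit on the catalog's approved domain. Userinfo tricks such as
    'https://slack.com@evil.example/' are defeated because urlsplit()
    reports the real host, not the text before the '@'.
    """
    entry = APPROVED_DOWNLOADS.get(product.lower())
    if entry is None:
        return False, f"{product!r} is not in the software catalog; request it via the approved process"
    approved_host, approved_url = entry
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "download links must use https"
    if not parts.hostname or not host_is_under(parts.hostname, approved_host):
        return False, f"host {parts.hostname!r} is not {approved_host}; use {approved_url} instead"
    return True, f"ok: {url} is on the approved domain {approved_host}"
```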
The Bottom Line
Malvertising exploits the trust we place in search engines and the urgency we feel when looking for software. It's not a failure of security awareness—it's an attack designed to bypass security awareness.
The defenses that work are layered: education about this specific threat, technical controls that catch malware, and processes that remove the need to search for software downloads in the first place.
Need help with security awareness training that covers real threats like malvertising? Our Training platform delivers practical, current security guidance. Let's talk.
