September 22, 2023

Researchers have spotted a malvertising campaign targeting corporate users who are downloading the widely used web conferencing application, Webex.

The threat actors have purchased an advertisement that mimics Cisco’s branding, and it appears as the top result in a Google search.

The ad appears completely legitimate at first glance, featuring both the Webex logo and the official website. However, if you click on the menu to the right of the ad, you’ll find additional details that reveal the advertiser to be an individual from Mexico, who is highly unlikely to be associated with Cisco.


The threat actors take advantage of a weakness in Google Ads known as the tracking template, a field where advertisers place URL tracking information to collect valuable metrics. Researchers find that it can also be exploited as a filtering and redirection mechanism.

The MSI installer is equipped with anti-sandbox features and will only run in specific environments. The downloaded file exceeds the size limit for many sandboxes and is designed to bypass detection from antivirus products. It initiates multiple processes, including PowerShell, and installs BatLoader from a local source. BatLoader, in turn, drops DanaBot.
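One way to hunt for the behaviour described above is to look for PowerShell processes that descend from the Windows Installer service. The following is an added example, not code from the original article or from the researchers. It assumes that the PowerShell process has `msiexec.exe` somewhere in its ancestry and that process IDs are unique within the analysed window, and it goes slightly beyond the text by also catching indirect descent (for instance through `cmd.exe`). The event records, paths and file names are constructed.

```python
import ntpath

# Constructed process-creation events (shape loosely modelled on EDR telemetry).
# None of these values come from the campaign; file names are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Program Files\Browser\browser.exe"},
    {"pid": 320, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 330, "ppid": 320, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 340, "ppid": 330, "image": PS},   # PowerShell under the installer
    {"pid": 400, "ppid": 100, "image": PS},   # interactive PowerShell, unrelated
]

def basename(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()

def ancestry(pid, by_pid):
    """Yield ancestors of pid, nearest first; stop on unknown parent or a loop."""
    seen = {pid}
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        yield cur

def find_installer_spawned_shells(events,
                                  installers=("msiexec.exe",),
                                  shells=("powershell.exe", "pwsh.exe")):
    """Return one hit per shell process that has an installer as an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in shells:
            continue
        chain = [basename(a["image"]) for a in ancestry(e["pid"], by_pid)]
        for depth, name in enumerate(chain, 1):
            if name in installers:
                # Keep the path from the shell up to the installer for triage.
                hits.append({"pid": e["pid"], "depth": depth, "chain": chain[:depth]})
                break
    return hits

if __name__ == "__main__":
    for hit in find_installer_spawned_shells(EVENTS):
        print(hit)
```

Legitimate installers also run PowerShell from custom actions, so a hit is a lead for analyst review, not a verdict.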

It should be noted that Webex itself has not been compromised; instead, threat actors are impersonating reputable brands to deploy malware.

Malvertising continues to target corporate users, in particular, by taking advantage of search engines such as Google that are commonly used to search for and download software. Because the ads look so legitimate, there is little doubt people will click on them and visit unsafe sites.


Loaders such as BatLoader are stealthy and may not be detected by traditional antivirus. A more complete solution, such as EDR coupled with an MDR service where human analysts review suspicious activities performed by the malware, is a necessity.

Indicators of Compromise

Cloaking infrastructure


Decoy site




BatLoader C2



