Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A security incident involving malicious sponsored ads distributing backdoored administrative tools was detected. Users searching for RVTools were served a tampered version containing ThunderShell, a PowerShell-based remote access tool. The malicious ads, appearing in Google search results, led to a site mimicking the legitimate RVTools download page. The trojanized file, when executed, installs RVTools but also deploys ThunderShell, allowing attackers to execute commands on compromised machines. Multiple ads from different verified advertisers were used to evade security controls. The campaign highlights the persistent threat of malvertising and the need for stronger ad screening processes and user awareness.
OPENCTI LABELS:
powershell, c2, malvertising, icedid, google ads, remote access tool, thundershell, rvtools, trojanized software