
April 2, 2025 |

Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload

By Ryan Slaney

With contributions from Chris Price, High Whitewood, and Damon Toumbourou.


Recently, the Field Effect security operations center (SOC) was alerted to a security incident that highlights a popular trend in cyber threat tactics: the use of malicious sponsored ads to distribute backdoored administrative tools.

In this case, Field Effect MDR prevented compromise after a user attempted to download what they believed was a legitimate copy of RVTools, a popular VMware utility.

Instead, the user was served a tampered version laced with ThunderShell, a PowerShell-based remote access tool (RAT) that is used for stealthy command-and-control operations by ethical and criminal hackers alike. Researchers often refer to it as the ‘SmokedHam’ backdoor when it is weaponized and used maliciously.

Original malicious Google ad

The malicious ad in question was the first result served up when the user searched for “RV Tools” in Google. The ad offered a brief description of the software it allegedly led to, located at the URL https[:]//www.rv-tool.net.

This URL led to a site that contained a detailed description of RVTools and what it offers, boasting that 2,000,000 copies of it had been downloaded. At the bottom of the site, there was a button for the user to download the latest version of the software.


Image 1: Site directing users to download ThunderShell backdoor disguised as RVTools.

The download button led to the URL https[:]//server-software.azureedge.net/RBTools4.6.1?q=RVTools.

This redirected to a Dropbox URL (https[:]//www.dropbox.com/slc/fi/vfv7hlfka191j5yu12jfj/RV-Tools-4.6.1.exe?rlkey=sioe6m2hckxc2iu3ewqo116dv&st=e63fzhhq&dl=1) that, when visited, immediately downloads the trojanized RVTools-4.6.1.exe file.


Image 2: Download of trojanized RVTools file from Dropbox URL.

According to VirusTotal, no security vendors had classified the Dropbox URL as malicious or suspicious at the time of analysis, so security controls that only block known-bad sites would be unlikely to stop the user from downloading this file.

Image 3: VirusTotal scan results for the Dropbox URL

Wider malvertising campaign

The original malicious ad is no longer being shown by Google. However, our team has discovered a series of ads, leading to an identical site with the same URL to the software download, appearing in Google search results daily.


Image 4: Second malicious sponsored Google ad (March 30, 2025)

Image 5: Third malicious sponsored Google ad (March 31, 2025)

Image 6: Fourth malicious sponsored Google ad (April 1, 2025)

So far, very few security vendors have classified the domains the ads lead to as suspicious or malicious on VirusTotal. The use of multiple ads leading to the same malicious download is likely an attempt by the threat actors to increase their chances of defeating security controls that block suspicious downloads based on known-bad domains.

Each of the malicious ads was associated with a different verified Google advertiser. The names differ, but the “based in” country is always the United Kingdom. Only one ad was ever created with each account, indicating that the ad accounts are meant to serve a single purpose for a short period of time.

Image 7: Details on advertiser associated with malicious ad leading to elitetools[.]link

Image 8: Details on advertiser associated with malicious ad leading to tool-rv[.]com

The Field Effect Security Intelligence team has reported all the malicious ads to Google.

Payload deployment

Once the trojanized RVTools file is downloaded and executed, it installs a legitimate copy of RVTools. However, it also drops a copy of ‘pythonw.exe’ renamed as ‘unicodedata.exe’, which is then used to run one of two Python scripts named ‘app-get-process.py’ or ‘web-get-process.py’.

These scripts deobfuscate another PowerShell script, which is stored within them as a variable, and run it to decrypt and execute a C#-based agent. The code of the C# agent is identical to that of the ThunderShell stager, save for one extra function that effectively does nothing and was likely left in the final code by mistake.

ThunderShell, sometimes called SmokedHam, is a publicly available post-exploitation framework designed for red teaming and penetration testing. It provides a command-and-control (C2) environment that allows operators to execute commands on compromised machines through a PowerShell-based agent.

ThunderShell is primarily intended for ethical hacking and security assessments but, like many offensive security tools, it’s also abused by threat actors for persistence, lateral movement, and executing arbitrary commands on target systems. Since it operates over PowerShell, it can blend into legitimate network traffic, making detection more challenging.

Once loaded, the ThunderShell agent sends the device username to a C2, located on the URL https[:]//web-app.larij21770.workers.dev/ or https[:]//server-web.sasex59966.workers.dev/ depending on whether the ‘app-get-process.py’ or ‘web-get-process.py’ was originally run, and then waits for further commands from the C2, which could include:

  • ‘delay’: change the time the agent waits between receiving and executing commands from the C2. (The delay is meant to decrease the likelihood of detection by spreading commands over a longer timeframe. The agent has an initial hardcoded delay period; this command can be used to change it.)
  • ‘exit’: stop the agent and exit.
  • Any other input: executed as an arbitrary PowerShell command. (The ThunderShell agent runs the command and returns its output to the C2.)
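The deployment chain above (pythonw.exe dropped under another name, running a .py dropper that launches PowerShell, which then beacons to a workers.dev host) leaves a distinctive parent/child pattern in process telemetry. The following is an added hunting example, not Field Effect's detection content: it walks constructed Sysmon-style records (EventID 1 process-create and EventID 3 network-connect fields) and flags a renamed Python interpreter, PowerShell spawned by a Python interpreter, and outbound connections from that chain. PIDs, paths and the PowerShell command line are constructed; the file and host names come from the write-up.

```python
"""Hunt for the ThunderShell deployment chain in process telemetry.
Added example, not Field Effect's tooling. Events are constructed
Sysmon-style dicts; only file/host names are taken from the write-up."""
import ntpath
from dataclasses import dataclass

PYTHON_ORIGINALS = {"python.exe", "pythonw.exe"}       # PE OriginalFileName values
POWERSHELL_ORIGINALS = {"powershell.exe", "pwsh.exe"}
C2_HOST_SUFFIXES = (".workers.dev",)  # both C2 hosts in this campaign sit under workers.dev

SAMPLE_EVENTS = [
    # trojanized installer (file name from the write-up; path and PIDs constructed)
    {"id": 1, "pid": 4100, "ppid": 3000,
     "image": r"C:\Users\alice\Downloads\RV-Tools-4.6.1.exe", "original": "RV-Tools-4.6.1.exe"},
    # pythonw.exe dropped as unicodedata.exe, running one of the dropper scripts
    {"id": 1, "pid": 4212, "ppid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Temp\unicodedata.exe", "original": "pythonw.exe",
     "cmdline": "unicodedata.exe app-get-process.py"},
    # PowerShell started by that interpreter (real command line not given in the write-up)
    {"id": 1, "pid": 4320, "ppid": 4212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original": "PowerShell.EXE", "cmdline": "powershell.exe <redacted>"},
    {"id": 3, "pid": 4320, "dest_host": "web-app.larij21770.workers.dev", "dest_port": 443},
    # benign noise: a developer's real pythonw.exe, and PowerShell launched from Explorer
    {"id": 1, "pid": 5000, "ppid": 3000, "image": r"C:\Python312\pythonw.exe",
     "original": "pythonw.exe", "cmdline": "pythonw.exe build.py"},
    {"id": 1, "pid": 5100, "ppid": 3000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original": "PowerShell.EXE", "cmdline": "powershell.exe"},
    {"id": 3, "pid": 5100, "dest_host": "update.example.com", "dest_port": 443},
]


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def analyse(events):
    """Return findings for the chain. Assumes events are in time order, so a parent's
    process-create record precedes its children's (true for sorted telemetry)."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    suspicious = set()  # PIDs that belong to a flagged chain

    for e in events:
        if e["id"] != 1:
            continue
        orig = e["original"].lower()
        name = _basename(e["image"])
        parent = procs.get(e["ppid"])

        # Rule 1: the binary says it is a Python interpreter but carries another name.
        if orig in PYTHON_ORIGINALS and name != orig:
            findings.append(Finding("renamed-python-interpreter", e["pid"],
                                    f"{name} has OriginalFileName {orig}"))
            suspicious.add(e["pid"])

        # Rule 2: PowerShell whose parent is a Python interpreter (renamed or not).
        if parent and parent["original"].lower() in PYTHON_ORIGINALS and orig in POWERSHELL_ORIGINALS:
            findings.append(Finding("powershell-spawned-by-python", e["pid"],
                                    f"parent {_basename(parent['image'])} (pid {parent['pid']})"))
            suspicious.add(e["pid"])

        # Children of a flagged process inherit the suspicion.
        if parent and parent["pid"] in suspicious:
            suspicious.add(e["pid"])

    # Rule 3: a flagged process connecting to the hosting provider used for the C2.
    for e in events:
        if e["id"] == 3 and e["pid"] in suspicious \
                and e["dest_host"].lower().endswith(C2_HOST_SUFFIXES):
            findings.append(Finding("c2-beacon-from-suspicious-chain", e["pid"],
                                    f"{e['dest_host']}:{e['dest_port']}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.rule:<34} pid={f.pid}  {f.detail}")
```

Rule 3 is deliberately scoped to processes already flagged by rules 1 or 2: workers.dev hosts plenty of legitimate services, so a connection to one is a hunting lead only in the context of this chain, not a detection on its own.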

Conclusion

Malvertising remains a persistent and evolving threat, with cybercriminals continuing to exploit sponsored ads to deliver malicious payloads like ThunderShell.

For example, in September 2023, Field Effect observed IcedID malware being promoted via sponsored Google ads for Webex’s popular virtual meeting software. Instead of downloading just the Webex software, users also installed a PowerShell script that downloaded the IcedID installer from a remote URL.

As long as ad platforms provide a gateway for such attacks, organizations and users will remain vulnerable to these types of campaigns. Although search engines like Google have made strides in improving ad security, the reality is that malicious ads are unlikely to disappear anytime soon. To combat this growing problem, Google and other ad providers must implement stronger screening processes to better identify and block harmful content before it reaches end users.

With the growing popularity of sponsored ads leading to malicious files, organizations must ensure their users have a heightened awareness of this attack vector. Users should only download software that is necessary to carry out their duties and functions as an employee, and only from trusted, allow-listed sources.

Mitigation

It’s likely that threat actors will continue to exploit malvertising techniques to trick users into downloading trojanized software. To mitigate these risks, Field Effect recommends that organizations consider adopting the following best practices:

Download software safely

  • Only download software from official vendor websites or trusted marketplaces.
  • Check that installers are digitally signed by the vendor.
  • Use an internal repository of approved applications for employees.

Block malicious ads & sites

  • Use ad blockers and web filters to prevent exposure to dangerous ads.
  • Implement DNS filtering to block malicious domains.
  • Restrict software installations to IT-approved applications.

Detect & prevent backdoors

  • Monitor PowerShell activity and limit script execution.
  • Use a cybersecurity solution, such as Field Effect MDR, to catch suspicious behavior.
  • Check network traffic for signs of remote access or unusual connections.

Train employees to spot threats

  • Educate staff on signifiers of a malicious ad (spelling mistakes, poor grammar, typo-squatted domains, and inconsistent branding), the risks of this threat, and why they should avoid clicking on sponsored ads for software.
  • Run phishing and social engineering tests to reinforce security awareness.
  • Make it easy for employees to report suspicious links or downloads and regularly remind employees that these processes are in place.

Stay ahead of threats

  • Keep software and systems updated with the latest patches.
  • Subscribe to a threat intelligence newsletter to stay informed on emerging attack methods.
  • Have a response plan ready to contain and remove threats if an incident occurs.

Indicators of compromise

elitetools[.]link

URL contained in the malicious Google ad

tool-rv[.]com

URL contained in the malicious Google ad

rv-tool[.]net

URL contained in the malicious Google ad

server-software.azureedge[.]net

URL for download that redirects to Dropbox URL

dropbox[.]com/slc/fi/vfv7hlfka191j5yu12jfj/RV-Tools-4.6.1.exe?rlkey=sioe6m2hckxc2iu3ewqo116dv&st=e63fzhhq&dl=1

URL hosting trojanized RVTools file

web-app.larij21770.workers[.]dev/

C2

server-web.sasex59966.workers[.]dev/

C2

89acf605d93b6525fdbf8015447297ee75d5708382482e881f312380b852f772

SHA-256 of RV-Tools-4.6.1.exe (trojanized installer)

d6cc4a2f20f13ea0c9507d3ad8d549b5c5073a734ceea453405dcf26ac512abf

SHA-256 of app-get-process.py

099365fbba7e9d0df00308dc2ebade983cf0858cd829dde443a3638df771a57d

SHA-256 of web-get-process.py
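The indicators above are most useful when swept against existing logs and file stores. The following is an added example, not Field Effect's tooling: it refangs the domains exactly as listed on this page, matches DNS query names against them (including subdomains such as www.rv-tool.net), and checks file contents against the three SHA-256 hashes. The DNS log lines are constructed; the Dropbox URL is left out of the domain list on purpose, since blocking dropbox.com wholesale is rarely an option and the page lists it as a URL, not a domain.

```python
"""Sweep DNS logs and files against the IoCs published in this write-up.
Added example, not Field Effect's tooling. Indicators are copied from the page;
the DNS log lines are constructed."""
import hashlib
import re

# Domains as written (defanged) in the IoC section above.
DEFANGED_DOMAINS = [
    "elitetools[.]link",
    "tool-rv[.]com",
    "rv-tool[.]net",
    "server-software.azureedge[.]net",
    "web-app.larij21770.workers[.]dev/",
    "server-web.sasex59966.workers[.]dev/",
]

# SHA-256 hashes from the IoC section, mapped to the file names given there.
IOC_SHA256 = {
    "89acf605d93b6525fdbf8015447297ee75d5708382482e881f312380b852f772": "RV-Tools-4.6.1.exe",
    "d6cc4a2f20f13ea0c9507d3ad8d549b5c5073a734ceea453405dcf26ac512abf": "app-get-process.py",
    "099365fbba7e9d0df00308dc2ebade983cf0858cd829dde443a3638df771a57d": "web-get-process.py",
}


def refang(indicator: str) -> str:
    """Turn the report's defanged form ('[.]', 'hxxp') back into a usable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip("/").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def matching_ioc(host: str):
    """Return the IoC domain that 'host' equals or is a subdomain of, else None.
    'www.rv-tool.net' matches 'rv-tool.net'; 'cdn.azureedge.net' matches nothing,
    because only the specific server-software subdomain is an indicator."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Constructed log format: "<timestamp> client=<ip> query=<name> type=<rrtype>"
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def sweep_dns_log(lines):
    """Return (client, queried name, matched IoC) for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue  # not a query record; skip rather than fail on other log lines
        ioc = matching_ioc(m["qname"])
        if ioc:
            hits.append((m["client"], m["qname"], ioc))
    return hits


def classify_file(data: bytes):
    """Return the IoC file name if the content's SHA-256 is a known indicator, else None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


SAMPLE_DNS_LOG = [  # constructed
    "2025-04-01T10:15:02Z client=10.0.0.5 query=www.rv-tool.net type=A",
    "2025-04-01T10:15:09Z client=10.0.0.5 query=server-software.azureedge.net type=A",
    "2025-04-01T10:15:10Z client=10.0.0.5 query=www.dropbox.com type=A",
    "2025-04-01T10:16:44Z client=10.0.0.5 query=web-app.larij21770.workers.dev type=A",
    "2025-04-01T10:17:00Z client=10.0.0.9 query=cdn.azureedge.net type=A",
    "2025-04-01T10:17:05Z client=10.0.0.9 query=downloads.example.com type=A",
]

if __name__ == "__main__":
    for client, qname, ioc in sweep_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} resolved {qname} (IoC: {ioc})")
```

A single client resolving the ad domain, then the azureedge redirector, then a workers.dev C2 host within a couple of minutes is the full chain from this write-up; correlating the three hits by client address, rather than alerting on each in isolation, is what turns the IoC list into a high-confidence signal.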