
Security Intelligence
April 2, 2025 | Security intelligence
By Ryan Slaney
With contributions from Chris Price, High Whitewood, and Damon Toumbourou.
Recently, the Field Effect security operations center (SOC) was alerted to a security incident that highlights a popular trend in cyber threat tactics: the use of malicious sponsored ads to distribute backdoored administrative tools.
In this case, Field Effect MDR prevented compromise after a user attempted to download what they believed was a legitimate copy of RVTools, a popular VMware utility.
Instead, the user was served a tampered version laced with ThunderShell, a PowerShell-based remote access tool (RAT) often leveraged for stealthy command-and-control operations by ethical and criminal hackers alike. Researchers often refer to it as the ‘SmokedHam’ backdoor when it is weaponized and used maliciously.
The malicious ad in question was the first result served up when the user searched for “RV Tools” in Google. The ad offered a brief description of the software it allegedly led to, located at the URL https[:]//www.rv-tool.net.
This URL led to a site that contained a detailed description of RVTools and what it offers, boasting that 2,000,000 copies of it had been downloaded. At the bottom of the site, there was a button for the user to download the latest version of the software.
Image 1: Site directing users to download ThunderShell backdoor disguised as RVTools.
The download button led to the URL https[:]//server-software.azureedge.net/RBTools4.6.1?q=RVTools.
This redirected to a Dropbox URL (https[:]//www.dropbox.com/slc/fi/vfv7hlfka191j5yu12jfj/RV-Tools-4.6.1.exe?rlkey=sioe6m2hckxc2iu3ewqo116dv&st=e63fzhhq&dl=1) that, when visited, would download the trojanized RVTools-4.6.1.exe file.
Image 2: Download of trojanized RVTools file from Dropbox URL.
According to VirusTotal, no security vendors had classified the Dropbox URL as malicious or suspicious at this point, making it more likely that security controls that block known bad sites would not stop the user from downloading this file.
Image 3: VirusTotal scan results for Dropbox URL
The original malicious ad is no longer being shown by Google. However, our team has discovered a series of ads, each leading to an identical site with the same software download URL, appearing in Google search results daily.
Image 4: Second malicious sponsored Google ad (March 30, 2025)
Image 4: Third malicious sponsored Google ad (March 31, 2025)
Image 5: Fourth malicious sponsored Google ad (April 1, 2025)
So far, very few security vendors have classified the domains the ads lead to as suspicious or malicious on VirusTotal. The use of multiple ads leading to the same malicious download is likely an attempt by the threat actors to increase their chances of defeating security controls that block suspicious downloads based on known bad domains.
Each of the malicious ads was associated with a different verified Google advertiser. The names are different, but the “based in” country is always the United Kingdom. Only one ad was ever created with each user account, indicating that the ad accounts are only meant to serve one specific purpose for a short period of time.
Image 6: Details on advertiser associated with malicious ad leading to elitetools[.]link
Image 7: Details on advertiser associated with malicious ad leading to tool-rv[.]com
The Field Effect Security Intelligence team has reported all the malicious ads to Google.
Once the trojanized RVTools file is downloaded and executed, it installs a legitimate copy of RVTools. However, it also drops a copy of ‘pythonw.exe’ renamed as ‘unicodedata.exe’, which is then used to run one of two Python scripts named ‘app-get-process.py’ or ‘web-get-process.py’.
These scripts deobfuscate another PowerShell script, which is stored within them as a variable, and run it to decrypt and execute a C#-based agent. The code of the C# agent is identical to that of the ThunderShell stager, save for one extra function that essentially does nothing and was likely left in the final code by mistake.
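As an added example (not part of the Field Effect report), the following Python script shows one way to hunt for the dropper chain described above in process-creation telemetry: a binary whose PE original file name is pythonw.exe running under a different image name (as with unicodedata.exe), the loader script names on the command line, and PowerShell spawned by that renamed interpreter. The event format (JSON lines with Image, OriginalFileName and CommandLine fields, loosely modelled on Sysmon Event ID 1), the paths and the PIDs are constructed assumptions.

```python
import json

# Constructed sample process-creation events (fields modelled on Sysmon Event ID 1).
# Script and executable names come from the report; PIDs and paths are made up.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 4101, "ppid": 3990, "Image": r"C:\Program Files\RVTools\RVTools.exe",
     "OriginalFileName": "RVTools.exe", "CommandLine": "RVTools.exe"},
    {"pid": 4120, "ppid": 3990, "Image": r"C:\Users\u\AppData\Local\Temp\unicodedata.exe",
     "OriginalFileName": "pythonw.exe", "CommandLine": "unicodedata.exe app-get-process.py"},
    {"pid": 4133, "ppid": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -w hidden -nop -enc AAAA"},
    {"pid": 4150, "ppid": 2000, "Image": r"C:\Python312\pythonw.exe",
     "OriginalFileName": "pythonw.exe", "CommandLine": "pythonw.exe report.py"},
])

PYTHON_ORIGINALS = {"python.exe", "pythonw.exe"}
LOADER_SCRIPTS = {"app-get-process.py", "web-get-process.py"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(jsonl):
    """Return (pid, reason) findings for the renamed-interpreter -> PowerShell chain."""
    findings = []
    masquerading = set()  # pids of python interpreters running under a false image name
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = basename(ev["Image"])
        original = ev["OriginalFileName"].lower()
        cmd = ev["CommandLine"].lower()
        # 1. PE version info says the binary is python, but it runs under another name.
        if original in PYTHON_ORIGINALS and image != original:
            masquerading.add(ev["pid"])
            findings.append((ev["pid"], f"python interpreter masquerading as {image}"))
        # 2. One of the loader script names from the report appears on the command line.
        if any(s in cmd for s in LOADER_SCRIPTS):
            findings.append((ev["pid"], "known loader script name on command line"))
        # 3. PowerShell launched by a renamed interpreter, optionally hidden or encoded.
        if original == "powershell.exe" and ev["ppid"] in masquerading:
            reason = "powershell spawned by masquerading interpreter"
            if "-enc" in cmd or "-w hidden" in cmd:
                reason += " with hidden/encoded command"
            findings.append((ev["pid"], reason))
    return findings
```

A legitimately installed pythonw.exe (the last sample event) produces no finding, because its image name matches its PE original file name and it runs no known loader script.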
ThunderShell, sometimes called SmokedHam, is a publicly available post-exploitation framework designed for red teaming and penetration testing. It provides a command-and-control (C2) environment that allows operators to execute commands on compromised machines through a PowerShell-based agent.
ThunderShell is primarily intended for ethical hacking and security assessments but, like many offensive security tools, it’s also abused by threat actors for persistence, lateral movement, and executing arbitrary commands on target systems. Since it operates over PowerShell, it can blend into legitimate network traffic, making detection more challenging.
Once loaded, the ThunderShell agent sends the device username to a C2 located at the URL https[:]//web-app.larij21770.workers.dev/ or https[:]//server-web.sasex59966.workers.dev/, depending on whether ‘app-get-process.py’ or ‘web-get-process.py’ was originally run, and then waits for further commands from the C2, which could include:
Malvertising remains a persistent and evolving threat, with cybercriminals continuing to exploit sponsored ads to deliver malicious payloads like ThunderShell.
For example, in September 2023, Field Effect observed IcedID malware being promoted via sponsored Google ads for Webex’s popular virtual meeting software. Instead of downloading just the Webex software, users also installed a PowerShell script that downloaded the IcedID installer from a remote URL.
As long as ad platforms provide a gateway for such attacks, organizations and users will remain vulnerable to these types of campaigns. Although search engines like Google have made strides in improving ad security, the reality is that malicious ads are unlikely to disappear anytime soon. To combat this growing problem, Google and other ad providers must implement stronger screening processes to better identify and block harmful content before it reaches end users.
With the growing popularity of sponsored ads leading to malicious files, organizations must ensure their users have a heightened awareness of this attack vector. Users should only download software that is necessary to carry out their duties and functions as an employee, and only from trusted, allow-listed sources.
It’s likely that threat actors will continue to exploit malvertising techniques to trick users into downloading trojanized software. To mitigate these risks, Field Effect recommends that organizations consider adopting the following best practices:
Download software safely
Block malicious ads & sites
Detect & prevent backdoors
Train employees to spot threats
Stay ahead of threats
Indicator | Description
elitetools[.]link | URL contained in the malicious Google ad
tool-rv[.]com | URL contained in the malicious Google ad
rv-tool[.]net | URL contained in the malicious Google ad
server-software.azureedge[.]net | URL for download that redirects to Dropbox URL
dropbox[.]com/slc/fi/vfv7hlfka191j5yu12jfj/RV-Tools-4.6.1.exe?rlkey=sioe6m2hckxc2iu3ewqo116dv&st=e63fzhhq&dl=1 | URL hosting trojanized RVTools file
web-app.larij21770.workers[.]dev/ | C2
server-web.sasex59966.workers[.]dev/ | C2

SHA-256 | File name
89acf605d93b6525fdbf8015447297ee75d5708382482e881f312380b852f772 | RV-Tools-4.6.1.exe
d6cc4a2f20f13ea0c9507d3ad8d549b5c5073a734ceea453405dcf26ac512abf | app-get-process.py
099365fbba7e9d0df00308dc2ebade983cf0858cd829dde443a3638df771a57d | web-get-process.py