Google Ads malvertising campaign observed on DEV-0569 gang

Google Ads Malvertisement DEV-0569 Hacker Gang Phishing Malware Royal Ransomware

Microsoft recently published an advisory involving the DEV-0569 group utilising Google Ads in a malvertising attack campaign to spread the Royal ransomware. First spotted in September, the ransomware group had targeted numerous victims, including the UK’s motor racing circuit “Silverstone Circuit.”

The Google Ads malvertising campaign was discovered in the last week of October when the DEV-0569 gang used Google’s advertisement tool to redirect victims to a malicious file download site.

The threat group is known for their malvertising campaigns that use phishing links that redirect users to a malware downloader website that impersonates software or app installers. In some instances, DEV-0569 spams their targets with emails with subjects about fake software updates and other phoney topics.


Microsoft shared their observations on the recent malvertising campaign of DEV-0569 that took advantage of Google Ads.


Based on the reports of the ransomware group’s recent attack campaign, they have used contact forms sent to the targeted companies’ websites to deliver them phishing links. If a victim clicks on it, they will be redirected to a malicious website that hosts fake installer files. The threat group’s use of Google Ads in this campaign effectively aided them in blending in with normal advertisement traffic, which made the operation less suspicious.

Additionally, the Google Ads method applied by the group allowed them to reach more targets and expand their base of potential victims in their malvertising operations.

Aside from the Royal ransomware, the threat group had also delivered the BATLOADER malware in a separate campaign from August to October. This campaign involved them sending phishing emails to their targets and posing as application installers for Adobe Flash Player, AnyDesk, TeamViewer, and Zoom.

If not hosted on a malicious attacker-controlled domain, the BATLOADER malware is stored on legitimate file repositories, such as OneDrive and GitHub.

Even though the DEV-0569 gang is relatively new in the cybercrime landscape, security experts said their members are all experienced hackers who have previously worked on other ransomware groups as affiliates.

As observed in one of the gang’s activities, they encrypt the victims’ files with the [.]Royal file extension. They have also operated callback phishing campaigns, which is uncommon for many ransomware groups to perform.

About the author

Leave a Reply