FIN7 Hackers Abuse Sponsored Google Ads To Deliver MSIX Payloads

Hackers take advantage of sponsored Google Ads as they provide an excellent chance to reach a large audience quickly. 

Injecting malicious links or content into sponsored ads can mislead users into clicking on them, potentially causing malware infections or phishing schemes.

eSentire’s 24/7 SOCs, staffed with elite threat hunters and analysts, rapidly detect, investigate, and respond to threats around the clock has uncovered dangerous threats like the Kaseya breach and more_eggs malware.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Recently, eSentire’s Threat Response Unit (TRU) discovered that FIN7 hackers have been actively abusing the sponsored Google Ads to deliver MSIX payloads.

FIN7 Hackers Abuse Sponsored Google Ads

In April 2024, eSentire’s Threat Response Unit (TRU) detected multiple incidents involving the Russian financially motivated threat group FIN7. 

The actors used malicious websites impersonating major brands like AnyDesk, WinSCP, and Google Meet to deliver NetSupport RAT and DiceLoader malware. 

Victims were lured via sponsored Google Ads to download fake browser extensions disguised as signed MSIX files from “SOFTWARE SP Z O O” and “SOFTWARE BYTES LTD” fronts. While eSentire successfully revoked the malicious certificates from GlobalSign.

Malicious website (Source – eSentire)

These three components, as shown in the MSIX file, would collect system information, record antivirus software titles, and generate GUIDs to create C2 URLs and get extra scripts.

Snippet of the PowerShell payload (Source – eSentire)

When the server response contained “usradm”, it went on to download NetSupport RAT payloads through specific url formats and user agents. 

The downloaded NetSupport archive was extracted to C:\ProgramData\netsupport, where FIN7 executed its RAT executable as a demonstration of their multi-stage infection chain.

The second incident involved a user downloading a fake MSIX “MeetGo” installer, which dropped NetSupport RAT. 

Hours later, the threat actor connected via the RAT, used csvde.exe to export Active Directory computer data and downloaded an “” archive containing svchostc.exe (renamed python.exe) and (Python payload). 

After reconnaissance, a scheduled task was created to persist, which decrypted and injected the DiceLoader malware into memory, communicating with XOR-encrypted C2s embedded in its data section. 

XOR key and encrypted data in DiceLoader payload (Source – eSentire)

This exemplifies FIN7’s abuse of trusted brands, signed MSIX files, and multi-stage payloads like NetSupport RAT, leading to DiceLoader.


Here below we have mentioned all the recommendations:-

  • Deploy Endpoint Detection and Response (EDR) solutions across all devices.
  • Implement Phishing and Security Awareness Training (PSAT) program.
  • Control MSIX execution via AppLocker policies.
  • Report incidents of certificate misuse by threat actors.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.