Researchers identified a threat actor leveraging Google Search ads to target graphic design professionals, as the actor has launched at least 10 malvertising campaigns hosted on two specific IP addresses: 185.11.61[.]243 and 185.147.124[.]110, where these malicious ads, when clicked, redirect users to websites that initiate malicious downloads.
Two IP addresses, 185.11.61.243 and 185.147.124.110, have been associated with a malicious graphic design/CAD malvertising campaign, where the first IP address has been active since July 29, 2024, and currently hosts 109 unique domains.
![Screenshot of domains mapped to 185.11.61[.]243](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjUB3Ax4FqpVyEqQxDnPd3pRKFf4hKtzDWseM0KGbKeutMeTx_3PMIVMrFNYI6Su8LzxGazMULA2qcShy-AOFKd0cacGbFIOEvu_JwbfmdK9qu_19rAMZKw00FMLFlG8mC19yOoVOqSNfjWu7YMiEXiyLdDIkf-zptHhPgQwdLY-Yi9QwogV1wroX-Ccoy/s2145/google-malvertising-screenshot-1-185-11-61-243.webp)
The second IP address was activated more recently on November 25, 2024, and currently hosts 85 unique domains, which are being used to distribute malicious payloads, likely through compromised websites and advertisements.
2024 MITRE ATT&CK Evaluation Results Released for SMEs & MSPs -> Download Free Guide
A malvertising campaign, initiated on November 13, 2024, utilized frecadsolutions[.]com, hosted on 185.11.61[.]243.
Subsequently, on November 14, 2024, a similar campaign launched on frecadsolutions[.]cc, leveraging Bitbucket for malicious downloads.
On November 26, 2024, a new campaign emerged on freecad-solutions[.]net, initially hosted on 185.11.61[.]243 and later migrating to 185.147.124[.]110, which linked to the IP address 185.11.61[.]243, indicating a coordinated effort to distribute malware through deceptive advertisements.
![A third malvertising campaign was launched on freecad-solutions[.]net](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbRgWNc_CQKyskTr5JNuZRl8O5soFbJ4KoaIO_YCEsFS4ukUMxAJWpdxPOQQSj3vg6wtn4shQHxt4fy5_VJrD-Hx3I-5gLvuR58Ml055p24EVvftHS0NOsEmtiMlcpHlE9B5JdL8TktOVtOtUssJQ7aH_9m46j-bE8_mbf0cbVqT6FvQHd-qopeWPob4wy/s1469/google-malvertising-image-5-campaign-3-freecad-solutions-net.webp)
On November 27, 2024, a series of malvertising campaigns commenced, during which the domains frecadsolutions.org and rhino3dsolutions.io, previously hosted on 185.11.61.243, were migrated to 185.147.124.110.
By taking advantage of vulnerabilities in ad networks, these malicious domains were able to redirect users to malicious websites, which could potentially compromise systems with malware.
Recent malvertising campaigns have leveraged multiple domains and IP addresses, where malicious activity began on November 17th with rhino3dsolutions[.]net hosted on 185.11.61[.]243.
![The ninth malvertising campaign was launched with onshape3d[.]org](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzen8eNCjArv0fbUTEdJESVSRcvH7-h2LqKKCyMNp6AZYT5_lVXNLpbiJSknZSDuF5_m9TpxmLEiLJw7mSAV8ulnqa1wrH0ZHTZwOm4h8fbLJTy2s_L5_QSzcSoOq50U37yvhf0nvb8u8VdODhw04MbKZcZxUcTI0QXpQ9-MV7vBs41-cUlnjxnZbNTp_o/s1281/google-malvertising-image-11-campaign-9-onshape3d-org.webp)
The domain was then migrated to 185.147.124[.]110 on November 26th, launching a new malvertising campaign.
Subsequently, planner5design[.]net, hosted on the same IP address from December 1st to 6th, initiated two separate malvertising campaigns.
On December 9th, more recently, onshape3d.org, which has also been hosted on 185.147.124.110 since the 1st of December, initiated its very own malvertising campaign.
![A tenth malvertising campaign was launched with frecad3dmodeling[.]org](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhImfmTGJRnao0S-YW-6AflDeITDhHqzkg_BwdGLHA75r4r-7iQopVEQE9Pc1Q32akju13GZmrKjaGt8uatz7Q0-d0-28X0lqS7N2iaEx6luitJwqxkZF6475YE198EZ-0dlI4wOoTq-SI1MKz8Df2YD5HRXUYC2DnzSfK61MYTef6UjzAHchowmNVQOH1/s720/google-malvertising-image-12-campaign-10-frecad3dmodeling-org.webp)
On December 8, 2024, a malicious actor hosted the frecad3dmodeling[.]org domain on the IP address 185.147.124[.]110, which was subsequently used in a malvertising campaign launched on December 10, 2024.
According to Silent Push, to deliver malicious payloads to users who were unaware of the campaign’s intentions, vulnerabilities in web browsers or ad networks were likely exploited.
The provided list comprises IP addresses and domains associated with a malicious advertising infrastructure, which, likely controlled by a threat actor, leverages these resources to distribute harmful advertisements.
These ads can potentially lead to malware infections, phishing attacks, or other cyber threats.
Organizations and individuals are advised to exercise caution when interacting with content from these sources and implement robust security measures to mitigate risks.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free