A new malvertising campaign has been observed leveraging ads on Google Search and Bing to target users seeking IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP, and trick them into downloading trojanized installers with an aim to breach enterprise networks and likely carry out future ransomware attacks.
Dubbed Nitrogen, the "opportunistic" activity is designed to deploy second-stage attack tools such as Cobalt Strike, Sophos said in a Wednesday analysis.
Nitrogen was first documented by eSentire in June 2023, detailing an infection chain that redirects users to compromised WordPress sites hosting malicious ISO image files that ultimately culminate in the delivery of Python scripts and Cobalt Strike Beacons onto the targeted system.
Then earlier this month, Trend Micro uncovered a similar attack sequence in which a fraudulent WinSCP application functioned as a stepping stone for a BlackCat ransomware attack.
"Throughout the infection chain, the threat actors use uncommon export forwarding and DLL preloading techniques to mask their malicious activity and hinder analysis," Sophos researchers Gabor Szappanos, Morgan Demboski, and Benjamin Sollman said.