gootloader malware google ads

Attackers are placing malicious Google Ads aimed squarely at legal professionals searching for document templates. The latest campaign delivers the Gootloader malware through sponsored results that appear when users search for legal documents such as NDAs or lease agreements. Pretty clever, right? The ads look entirely legitimate and sit at the very top of the results page, above the organic links. Because who doesn’t trust a Google Ad?

Malware-laden Google Ads target legal pros seeking document templates. Sneaky, sophisticated, and sitting right at the top of search results.

The scam works like this: you search for something specific, such as “non-disclosure agreement template.” A sponsored result appears that looks like exactly what you need. You click it and land on a professional-looking site such as lawliner[.]com, which asks for your email address before it will send the template. That seems reasonable. Shortly afterwards a message arrives from “lawyer@skhm[.]org” with your “document” attached. Except it isn’t a document at all: it is a ZIP archive containing malicious JavaScript. Open the script and the infection chain starts.
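One place to break that chain is wherever the attachment is handled (mail gateway, EDR, or a triage script). The following is an added example, not code from the original article or from any vendor: it opens a ZIP attachment and flags entries that are Windows script files rather than documents. The archive it inspects is constructed inline and stands in for the real lure; the “.pdf.js” double-extension naming is an assumption for illustration, not a detail the article reports.

```python
import io
import posixpath
import zipfile

# Extensions Windows hands to the Script Host or shell on double-click.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1", ".lnk"}
# What a victim expects after requesting a "document template".
DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".odt", ".txt"}


def triage_zip_attachment(zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment in memory and return a verdict with its reasons.

    Nothing is extracted to disk; only the central directory is read.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = posixpath.basename(info.filename)
            parts = name.lower().split(".")
            exts = ["." + p for p in parts[1:]]  # all extensions, e.g. [".pdf", ".js"]
            if not exts:
                continue
            if exts[-1] in SCRIPT_EXTS:
                findings.append(
                    f"{info.filename}: script file ({exts[-1]}) where a document was expected"
                )
                # A document extension in front of the real one is a classic decoy.
                if len(exts) > 1 and exts[-2] in DOC_EXTS:
                    findings.append(
                        f"{info.filename}: decoy double extension {exts[-2]}{exts[-1]}"
                    )
    return {"malicious": bool(findings), "findings": findings}


def build_sample_zip() -> bytes:
    """Constructed lure: a ZIP whose only entry is a JavaScript file named like a template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder content; this is not a real loader script.
        zf.writestr(
            "Non-Disclosure Agreement Template.pdf.js",
            "// stand-in for an obfuscated loader\nvar x = 1;\n",
        )
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control: the same template name, but an actual document entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Non-Disclosure Agreement Template.docx", b"placeholder document bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_zip()), ("control", build_benign_zip())):
        print(label, triage_zip_attachment(blob))
```

The check deliberately ignores the script’s contents: obfuscation changes from sample to sample, but a “template” that arrives as a `.js` file is suspicious regardless of what the script says.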

This marks a shift in tactics. Gootloader previously relied on SEO poisoning, compromising legitimate websites so that their pages ranked for the targeted queries. Now the operators have built their own infrastructure: purpose-built domains and paid ad placements. That is more direct, and more dangerous, because nothing on the landing page looks hijacked.

The technical side is nasty. The JavaScript creates scheduled tasks so the malware survives a reboot. It steals data and can fetch and run additional payloads, all while hiding behind domain names chosen to look legitimate. Heavy obfuscation of the script makes signature-based detection unreliable.
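The persistence step is the part a defender can hunt for after the fact, because the scheduled task is written to disk as XML under C:\Windows\System32\Tasks regardless of how the script was obfuscated. The following is an added example, not the article’s or any vendor’s code: it parses a task definition and flags actions that launch a script host, point at a script file, or run out of a user-writable directory. Both task definitions are constructed for the example; the file name and AppData path are assumptions, not indicators from the article.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler XML definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# A script extension followed by a quote, whitespace, or end of string.
SCRIPT_ARG = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)(?=[\"'\s]|$)")
# Directories a standard user can write to; legitimate scheduled binaries rarely live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger"}


def _basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_task(task_xml: str) -> list[str]:
    """Return the reasons a task definition looks like script-based persistence (empty = clean)."""
    root = ET.fromstring(task_xml)
    findings = []
    trig_el = root.find("t:Triggers", NS)
    triggers = {c.tag.split("}")[-1] for c in (trig_el if trig_el is not None else [])}
    for ex in root.findall("t:Actions/t:Exec", NS):
        command = ex.findtext("t:Command", default="", namespaces=NS)
        arguments = ex.findtext("t:Arguments", default="", namespaces=NS)
        exe = _basename(command)
        combined = f"{command} {arguments}".lower()
        if exe in SCRIPT_HOSTS:
            findings.append(f"action runs script host {exe}")
        if SCRIPT_ARG.search(combined):
            findings.append("action passes a script file as an argument")
        if any(d in combined for d in USER_WRITABLE):
            findings.append("action references a user-writable directory")
    if findings and triggers & PERSISTENCE_TRIGGERS:
        findings.append("re-runs after restart via " + ", ".join(sorted(triggers & PERSISTENCE_TRIGGERS)))
    return findings


# Constructed task mimicking the persistence described above (not a real sample).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>"C:\Users\alice\AppData\Roaming\Lease Agreement\lease_agreement.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed control: an ordinary nightly job installed under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Example Backup\backup.exe</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, hunt_task(xml_text))
```

To run this over a live host, feed it each file under C:\Windows\System32\Tasks (those files are UTF-16 with an XML declaration, so read them with ET.parse rather than pasting their text). Any of the three action findings on its own is worth a look; all three together with a logon trigger is the pattern the article describes.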

Legal professionals aren’t the only targets. Earlier campaigns went after niche queries such as “California breakroom laws” or even “Bengal cats legality in Australia.” Seriously. The more specific the search term, the fewer people have visited the resulting page, and the less likely it is that anyone has already reported or blocklisted it. Users should stay skeptical and download templates and documents only from official, reputable sources. This kind of attack fits the same broad trend as software supply-chain attacks: abusing a trusted channel, here a search engine’s ad network rather than a software dependency, to deliver a malicious payload.

The advertiser account, “MED MEDIA GROUP LIMITED,” is either compromised or complicit. Either way, the damage is real: victims risk having their credentials stolen, their personal information exposed, and their systems enrolled in a botnet.

The whole operation preys on people just trying to get a free legal template. Because who wants to pay a lawyer for a simple NDA? Ironically, the free template can end up costing far more than the legal fees ever would. Security experts recommend robust endpoint protection that can catch these obfuscated scripts before they execute. A cheaper control worth adding: stop double-clicked scripts from running at all by associating .js and .jse files with Notepad instead of the Windows Script Host, and block script files inside archive attachments at the mail gateway.
