New Cyber-Threat MadMxShell Exploits Typosquatting and Google Ads

Written by

Security researchers have uncovered a new threat actor leveraging fake domains masquerading as authentic IP scanner software sites. 

Zscaler ThreatLabz uncovered this sophisticated cyber-threat in March 2024 and described the findings in an advisory published on Wednesday. 

The actor registered multiple domains resembling genuine software sites through typosquatting and utilized Google Ads to boost their visibility in search engine results. This strategy aimed to lure unsuspecting victims, primarily IT professionals, into visiting these malicious sites.

The discovered backdoor, named “MadMxShell,” employs intricate methods, including DLL sideloading and DNS tunneling, to communicate with a command-and-control (C2) server. 

Notably, it utilizes DNS MX queries for C2 communication, contributing to its elusive nature. The backdoor’s capability to evade memory forensics and network security solutions adds to its sophistication.

The campaign targets IT security and network administration professionals, a trend aligning with previous attacks by advanced persistent threat (APT) groups like Nobelium. Although attribution remains unclear, this emerging trend highlights the importance of vigilance among IT professionals.

Read more on Nobelium: Microsoft Teams Targeted in Midnight Blizzard Phishing Attacks

The threat actor leveraged malvertising, spoofed software sites and Google Ads to propagate the attack. The malicious sites closely mimic legitimate software sites, with subtle alterations in JavaScript code to redirect users to download malicious files.

The backdoor, analyzed in detail, follows a multi-stage attack chain involving DLL sideloading and process hollowing techniques. It utilizes legitimate executables to execute payload and maintain persistence, evading detection.

The malware supports various commands, indicating a focus on information harvesting and system manipulation.

The infrastructure analysis uncovered domains associated with the threat actor, revealing their modus operandi and possible motives. Open source intelligence (OSINT) research further revealed the actor’s activities on underground forums, shedding light on their techniques and interests.

“While we cannot currently attribute this activity to any known threat actor, we continue to monitor any new developments associated with this threat actor and ensure the necessary protections are in place for our customers against these threats,” reads the Zscaler advisory.

“We also suggest users follow security best practices and exercise caution when clicking on links appearing in Google search engine results. Users must also ensure to download software only from the official website of the developer.”

Image credit: Alex Photo Stock /

What’s hot on Infosecurity Magazine?