Security experts from Palo Alto Networks have recently uncovered a new attack campaign that involves hackers using advanced tactics to distribute malicious code through Google search results.
According to a report by Palo Alto Networks’ Unit 42 cybersecurity department, the hackers impersonated the GlobalProtect VPN software and placed deceptive ads on Google Search to lure users to malicious websites. On these websites, users are tricked into downloading a malware downloader called WikiLoader, which is disguised as the legitimate GlobalProtect software. Once installed, WikiLoader downloads additional malicious code, steals sensitive information, and grants hackers remote access to the compromised device.
This shift from traditional phishing attacks to Search Engine Optimization (SEO) tactics has broadened the pool of potential victims.
WikiLoader has been observed in operation since late 2022 and is regularly updated with sophisticated techniques to evade security measures. Educational and transportation organizations in the US have fallen victim to this campaign.
Security experts recommend that users exercise caution when downloading software from the internet, particularly from Google search results. It’s crucial to thoroughly verify the legitimacy of the website and the source of any files before downloading them.