Hackers Poison Google Paid Ads With Fake Tesla Websites to Deliver Malware

📅 August 11, 2025 | ⏱ 5 min read | 🔍 Category: Cyber Threats

In a sophisticated cyberattack, hackers have exploited Google paid ads to distribute malware through fake Tesla websites. These ads, which appeared at the top of Google search results, promised preorders for Tesla’s anticipated Optimus robots, luring users into a trap with counterfeit microsites mimicking Tesla’s design.

The Evolution from Phishing to Malware Distribution

Initially perceived as a phishing scam, the operation has escalated into a malware distribution campaign. Hackers have weaponized these fake Tesla landing pages to deliver custom malware payloads. By registering domains like offers-tesla.com and exclusive-tesla.com, threat actors bypassed traditional email filters and social media monitoring, leveraging Google’s advertising platform for maximum reach.

The Infection Mechanism: A Closer Look

Victims clicking on these ads encountered a seemingly legitimate preorder form. However, upon form submission, malicious scripts were injected, fingerprinting the visitor’s browser and downloading a second-stage loader. This loader, identified as a variant of the “SilentLoader” family, fetched additional modules from the actor-controlled domain caribview.info.

The infection mechanism relies on dynamic script injection and in-memory execution to evade detection. When the victim’s browser renders the fake Tesla page, a malicious script is appended to the checkout page, leveraging the browser’s native capabilities to gather system details and post the fingerprint to a malicious API.

The Role of Dynamic Script Injection

The injected script initiates an XMLHttpRequest to the malicious API, retrieving an encrypted configuration blob. This response contains the URL of the secondary payload and a crypto key, ensuring that signature-based defenses remain oblivious to the download’s true nature. Once in memory, the loader performs a reflective DLL injection into the victim’s browser process, enabling full code execution privileges without leaving traces on disk.
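The chain described in the two sections above (fake landing page, fingerprint POST to a malicious API, then a fetch from the loader domain) leaves a recognisable footprint in web proxy or DNS logs. The following Python script is an added detection example, not code from the article or from Cyberix: it takes the three domains the article names as attacker infrastructure, flags any other Tesla-branded domain that is not tesla.com as a lookalike (a heuristic assumption, not something the article states), and correlates per client to find hosts that touched both a landing page and the loader domain. The log lines and the simple `timestamp client method url status` layout are constructed for the example.

```python
"""Added detection example for the fake-Tesla malvertising chain.

Flags proxy/DNS log lines that reach the campaign domains named in the
article, or Tesla-branded lookalike domains, and correlates per client
to surface hosts that completed the landing-page -> loader sequence.
"""
import re
from urllib.parse import urlsplit

# Landing-page domains and loader domain named in the article.
LANDING_DOMAINS = {"offers-tesla.com", "exclusive-tesla.com"}
LOADER_DOMAINS = {"caribview.info"}

# Lookalike heuristic (assumption for this example): any registrable domain
# containing the brand string that is not the genuine brand domain.
BRAND = "tesla"
BRAND_DOMAINS = {"tesla.com"}

# Constructed sample log in a "timestamp client method url status" layout.
SAMPLE_LOG = """\
2025-08-11T09:14:02Z 10.0.0.12 GET https://www.tesla.com/optimus 200
2025-08-11T09:14:40Z 10.0.0.12 GET https://offers-tesla.com/preorder 200
2025-08-11T09:14:41Z 10.0.0.12 POST https://offers-tesla.com/api/fp 200
2025-08-11T09:14:43Z 10.0.0.12 GET https://caribview.info/cfg 200
2025-08-11T09:15:10Z 10.0.0.31 GET https://tesla-preorder-now.net/robot 200
2025-08-11T09:16:00Z 10.0.0.31 GET https://example.org/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def registrable(host):
    """Approximate registrable domain as the last two labels.

    Good enough for the sample; a production rule would use a public
    suffix list so that e.g. co.uk hosts are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url):
    """Return a verdict string for a URL, or None if it looks benign."""
    dom = registrable(urlsplit(url).hostname or "")
    if dom in LOADER_DOMAINS:
        return "loader-ioc"
    if dom in LANDING_DOMAINS:
        return "landing-ioc"
    if BRAND in dom and dom not in BRAND_DOMAINS:
        return "brand-lookalike"
    return None


def scan(log_text):
    """Parse the log and return (timestamp, client, method, verdict, url) hits."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip lines that do not fit the expected layout
            continue
        ts, client, method, url, _status = m.groups()
        verdict = classify(url)
        if verdict:
            hits.append((ts, client, method, verdict, url))
    return hits


def chain_clients(hits):
    """Clients that reached a landing/lookalike page AND the loader domain.

    A client matching both stages is a stronger signal than either alone
    and is the one to prioritise for endpoint triage.
    """
    seen = {}
    for _ts, client, _method, verdict, _url in hits:
        stages = seen.setdefault(client, set())
        stages.add("loader" if verdict == "loader-ioc" else "landing")
    return sorted(c for c, stages in seen.items() if stages == {"landing", "loader"})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(" ".join(hit))
    print("clients with full chain:", chain_clients(found))
```

Run against real proxy exports by replacing `SAMPLE_LOG` with the file contents and adjusting `LINE_RE` to the export's column order; the per-client correlation in `chain_clients` is what turns individual IoC matches into an incident worth opening.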

Implications for Cybersecurity

This attack highlights the evolving tactics of cybercriminals, who are increasingly using legitimate platforms like Google Ads to distribute malware. The use of dynamic script injection and in-memory execution poses significant challenges for traditional security measures, emphasizing the need for advanced threat detection and response strategies.

Organizations and individuals must remain vigilant, ensuring robust cybersecurity practices to protect against such sophisticated threats. Regular monitoring of network traffic, coupled with advanced endpoint protection, can help mitigate the risks posed by these evolving cyber threats.

Written by: Jack Hultgren

Cyberix

https://www.cyberixsafe.com

Nisar Nikzad

Nisar is a Federal Contracting Expert and Cybersecurity Professional with nearly two decades of experience in Government procurement and Compliance. He is the founder and CEO of Cyberix, where he helps organizations navigate Federal acquisition requirements and cybersecurity challenges through practical, strategic solutions.