Table of Contents
  • Home
  • /
  • Blog
  • /
  • How Attackers Abused Google Search to Distribute Trojanized AnyDesk Installer?
June 3, 2021

How Attackers Abused Google Search to Distribute Trojanized AnyDesk Installer?

How Attackers Abused Google Search To Distribute Trojanized Anydesk Installer

This time threat actors have seen utilizing a well-known Google Ads platform to distribute trojanized AnyDesk installer widely on the internet. The idea behind using Google Ads is to target more number of victims in a short amount of time.Research reveals that this malvertising campaign is believed to have begun as early as April 21, 2021. In this campaign, attackers have used a trojanized AnyDesk installer which masquerades as a setup executable for AnyDesk (AnyDeskSetup.exe), which, upon execution, downloads a PowerShell implant and exfiltrate system information from the victims.

Introducing AnyDesk

AnyDesk is a remote desktop application created by AnyDesk Software GmbH. The proprietary software program provides platform independent remote access to personal computers. It offers remote control, file transfer, and VPN functionality.Some main features include:

How Threat Actors Used Google Adds to Distributed Trojanized AnyDesk Installer?

  1. The attack begins when the user clicks on the Google Ads, which servers trojanized AnyDesk installer and download the executable.

  2. Upon the execution of the trojanized AnyDesk installer, it downloads a PowerShell script.

  3. The PowerShell script then reassembles an implant and constructs a ‘POST’ request to send the gathered information to a domain (zoomstatistic[.]com). The implant is able to gather information such as user name, hostname, operating system, IP address, and the current process name.

Targets of AnyDesk Malvertising Campaign

It has been estimated that during the time of this campaign, approximately 300 million users have downloaded this trojanized AnyDesk installer from the malicious site. Researchers were unable to figure out the specific geo regain and set of audions targeted to this campaign. The attack was targeted at a wide range of customers. At this point in time, we also don’t know the organizer or author of this cyber attack.It’s estimated that approximately around 40% of the clicks on the malicious ad turned into installations. Well, it is unknown that what percentage of Google searches for AnyDesk turned into clicks. A 40% installation rate from an ad click shows that this is an extremely successful method to compromise a wide range of potential targets. This attack has proved that Google Ads is an effective way to deliver malware to any set of targets as Google Ads provides the ability to freely choose their target of interest.

Indicators of Compromise of Trojanized AnyDesk Installer

IP Address: 

  • 176.111.174[.]126

  • 176.111.174[.]125 


  • Domohop[.]com

  • Anydesk.s3-us-west-1.amazonaws[.]com

  • zoomstatistic[.]com

  • anydeskstat[.]com

  • Turismoelsalto[.]cl

  • Rockministry[.]org

  • curaduria3[.]com


  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100111 Firefox/78.0


  • 357e165be7a54e49f04cccc6d79678364394e33f10a6b3b73705823f549894b5

  • 5fe992b5a823b6200a1babe28db109a3aae1639f0a8b5248403ee1266088eac4

  • 0c1ec49bf46f000e8310ec04ff9f5a820cbb18524acf8e39482ae3ffca14fb59

  • 780a02755873350ceef387fd9ea8c9614d847d5ba7ae3f89d32777b6ec7ee601

How to Detect and Remove This New Trojanized AnyDesk Installer?

Follow these recommendations to reduce the impact of this threat:

  1. Block the IOCs on your Proxies, EDR Tools, Microsoft O365, and Firewalls.

  2. Check Firewall and Internet proxy logs for the given IOCs.

  3. If you find any machine tried communication with the given IOCs, immediately isolate it and check for these things.

    1. Check for unusual accounts created, especially in the administrator’s group

    2. Check for unusual big files on the storage, bigger than five GB

    3. Check for any unusual files added recently in system folders

    4. Check for files using the “hidden” attribute Property

    5. Check for unusual programs launched at boot time in the windows registry

    6. Check all running processes for unusual/unknown entries, especially processes with username “system” and “administrator.”

    7. Check user’s autostart folders

    8. Check for unusual/unexpected network services installed and started

    9. Check for unusual network activity

    10. Check at the opened sessions on the machine

    11. Check for unusual automated tasks

    12. Check for unusual log entries

    13. Check for any rootkit

  4. Run an anti-virus product on the whole disk to check for any malware

If you find this interesting, please visit our site and read more such interesting posts.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Cloud & OS Platforms

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription