Bad actors are using Google and Bing’s advertising networks to spread malware in an effort “to compromise business networks.”

Security firm Sophos made the discovery, dubbing the malware campaign “Nitrogen.” Sophos says Nitrogen “is a primarily opportunistic attack campaign abusing Google and Bing ads to target users seeking certain IT tools, with the goal of gaining access to enterprise environments to deploy second-stage attack tools such as Cobalt Strike.”

The company goes on to describe how the malware campaign works:

The observed infection chain starts with malvertising via Google and Bing Ads to lure users to compromised WordPress sites and phishing pages impersonating popular software distribution sites, where they are tricked into downloading trojanized ISO installers.

When downloaded, the installers sideload the malicious NitrogenInstaller DLL containing a legitimate software application bundled with a malicious Python execution environment. The Python package uses Dynamic Link Library (DLL) preloading to execute the malicious NitrogenStager file, which connects to the threat actor’s command-and-control (C2) servers to drop both a Meterpreter shell and Cobalt Strike Beacons onto the targeted system. Throughout the infection chain, the threat actors use uncommon export forwarding and DLL preloading techniques to mask their malicious activity and hinder analysis.

The infection chain involves multiple stages and components, which are still under analysis at this writing.

Cisco AnyConnect, WinSCP, and TreeSize downloads are three that are specifically being targeted by the malware campaign.

Sophos recommends taking basic steps to avoid the malware, such as not clicking download links in search advertisements, using an ad blocker to hide such ads altogether, and making sure downloaded files have the appropriate file extension.

Of course, the report raises significant questions about the security measures — or lack thereof — that Google and Bing’s advertising networks offer.