TL;DR
- We investigated a malvertising campaign that used SEO manipulation and short-lived certificates to deliver signed malware.
- Detection was kicked off by an ASR block in Microsoft Defender.
- The campaign chain moved rapidly from search to payload delivery in under 15 seconds.
- Proper ASR and behavioral detection stopped follow-on execution.
Context: SEO Poisoning and Malvertising
Malvertising refers to the use of legitimate-looking online advertisements to deliver malware to unsuspecting users, often without user interaction. It’s a technique that allows adversaries to reach large audiences through compromised or deceitful ad placements, and it can be extremely hard to defend against because malware can be served even before a user clicks anything.
In 2025, we encountered a case where SEO-poisoned search results and malvertising were combined with weaponized code signing to evade traditional defenses. The result was a multi-stage campaign that looked normal at first glance — until telemetry made the picture clear.
Initial Detection: A Block That Matters
On September 25, our endpoint telemetry reported a suspicious outbound connection blocked by Microsoft Defender’s Attack Surface Reduction (ASR) rules. This wasn’t just a noisy alert — the sequence of events suggested automated redirection and rapid payload delivery, typical of malvertising flows rather than a user-initiated download.
Walking the timeline, we saw:
- A search engine result triggered
- A redirect chain through a newly registered domain
- A payload download and execution attempt
- An ASR rule blocking the connection to command-and-control
All within ~11 seconds — far too fast for a manual interaction.
Technical Analysis: How It Worked
The Malvertising Vector
The redirect chain looked like:
Bing Search -> team.frywow[.]com -> teams-install[.]icu
- The domains were newly registered, and the final TLD was a known abuse candidate.
- Hosting was via Cloudflare CDN space, exploiting reputation to decrease suspicion.
This combines SEO poisoning (influencing search rank) with malvertising redirects — a pattern we’ve seen in related campaigns where high search rankings funnel victims to malicious content.
Signed Malware: Certificate Abuse
A concerning element was the use of a legitimate code-signing certificate for the malware binary:
- Signed executable: MSTeamsSetup.exe
- Issuer: Microsoft-trusted CA
- Certificate validity: 2–3 days
- Signer: an unrelated company profile
Using short-lived, valid certificates is a growing evasion technique: traditional checks pass the binary as soon as the signature verifies, and behavioral or certificate-anomaly detection is often not in place to catch such rapid abuse.
We observed this pattern not just once — similar short-lived certificates appeared in other infrastructure linked to this campaign, which suggests a semi-automated signing pipeline.
Detection Success: Behavioral Controls Win
Because the payload was signed, traditional AV signatures might have missed it. What saved the day was:
- ASR rules blocking suspicious connections
- Behavioral telemetry that correlated rapid redirects with suspicious domain profiles
Without these layers, further payloads could have executed or contacted command-and-control. The detection worked exactly as designed — capturing not just a hash or binary name, but the context in which it appeared.
Defensive Takeaways
From this investigation, several concrete lessons emerged:
Certificate-Anomaly Detection
Track and alert on:
- Short-lived certificates (e.g., <7 days)
- First-seen signing entities
- Certificates used on unusual installers
Network Behavior Indicators
- Watch for rapid redirects from search to newly registered domains
- Flag download patterns originating from TLDs common in abuse reports
ASR & Behavioral Telemetry
These capabilities, when tuned, can catch what signature-only tools miss — particularly for signed malware using legitimate trust signals.
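To make the two takeaway lists above concrete, here is an added triage example (not code from the original post) that runs the certificate-anomaly and network-behavior checks over constructed telemetry modelled on this case. The 7-day certificate window is the post's own threshold; the 15-second chain window, 30-day "newly registered" age, abuse-TLD set, known-signer baseline, product-to-signer map and the domain registration dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SHORT_CERT = timedelta(days=7)        # from the post's "<7 days" suggestion
RAPID_CHAIN = timedelta(seconds=15)   # assumption: search-to-payload speed bound
NEW_DOMAIN = timedelta(days=30)       # assumption: what counts as "newly registered"
ABUSE_TLDS = {"icu", "top", "xyz"}    # assumption: TLDs common in abuse reports
KNOWN_SIGNERS = {"Microsoft Corporation"}              # assumption: seen-before baseline
EXPECTED_SIGNER = {"teams": "Microsoft Corporation"}   # assumption: product keyword -> vendor

@dataclass
class SignedBinary:
    name: str
    signer: str
    not_before: datetime
    not_after: datetime
    is_installer: bool

@dataclass
class Hop:
    seen_at: datetime       # when the endpoint contacted the domain
    domain: str
    registered_on: datetime # from WHOS/RDAP enrichment (constructed here)

def cert_findings(b: SignedBinary, known=KNOWN_SIGNERS) -> list:
    """Certificate-anomaly indicators: validity window, signer novelty, installer mismatch."""
    f = []
    if b.not_after - b.not_before < SHORT_CERT:
        f.append("short-lived certificate")
    if b.signer not in known:
        f.append("first-seen signer")
    for keyword, vendor in EXPECTED_SIGNER.items():
        if b.is_installer and keyword in b.name.lower() and b.signer != vendor:
            f.append("installer name/signer mismatch")
    return f

def chain_findings(search_at: datetime, hops: list) -> list:
    """Network-behavior indicators: chain speed, domain age, abuse-prone TLD."""
    f = []
    if hops and hops[-1].seen_at - search_at < RAPID_CHAIN:
        f.append("rapid search-to-payload chain")
    for h in hops:
        if h.seen_at - h.registered_on < NEW_DOMAIN:
            f.append(f"newly registered domain: {h.domain}")
        if h.domain.rsplit(".", 1)[-1] in ABUSE_TLDS:
            f.append(f"abuse-prone TLD: {h.domain}")
    return f

def triage(binary: SignedBinary, search_at: datetime, hops: list) -> list:
    """Combine both indicator sets so context, not a single signal, drives the alert."""
    return sorted(set(cert_findings(binary) + chain_findings(search_at, hops)))

# Constructed sample mirroring the case: 3-day cert, unknown signer, ~11 s chain.
T0 = datetime(2025, 9, 25, 10, 0, 0)
SAMPLE_BINARY = SignedBinary("MSTeamsSetup.exe", "KUTTANADAN CREATIONS INC.",
                             datetime(2025, 9, 23), datetime(2025, 9, 26), True)
SAMPLE_CHAIN = [Hop(T0 + timedelta(seconds=3), "team.frywow.com", datetime(2025, 9, 20)),
                Hop(T0 + timedelta(seconds=11), "teams-install.icu", datetime(2025, 9, 22))]
```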
Indicators of Note
Domains
- teams-install.icu - final delivery domain
- team.frywow.com - redirect gate
- nickbush24.com - C2 candidate
Executable
- MSTeamsSetup.exe - signed malicious installer
Signer
- Certificate used by “KUTTANADAN CREATIONS INC.”
Final Thoughts
Malvertising continues to evolve — blurring the line between “technical trickery” and “abuse of trust.” When SEO manipulation, cloud infrastructure reputation, and code-signing certificates are woven together, defenders must adopt a multi-layered view of telemetry that prioritizes context over single signals.
This case was stopped before execution, but the techniques used here are likely to persist and adapt. Observability, behavioral detection, and anomaly profiling remain essential pieces of a resilient defense.