Project Hyphae

IT’s a Trap! Nitrogen Ransomware Sneaks in Through the ‘Ad’ Door


The “Nitrogen” ransomware campaign, a new malicious scheme identified by Sophos, targets IT professionals by using fake advertisements for popular IT tools on Google and Bing. Clicking on these fraudulent ads, known as “malvertisements”, leads users to compromised WordPress sites and phishing pages that imitate the download pages for software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. The downloaded software comes bundled with a trojanized Python package containing initial access malware, setting the stage for further attacks.

Although no successful cases have been documented, numerous technology companies and nonprofits in North America have been affected. The campaign highlights a unique strategy of directly targeting IT personnel, who are closest to an organization’s sensitive systems. The criminals are betting on the high potential returns, despite the low hit rate, because of the targeted audience’s proximity to critical network infrastructure.

While the attackers’ exact intentions are not clear, it is believed that the access might be used to plant ransomware in the target’s network. IT professionals are therefore advised to exercise extreme caution when downloading software tools, ensuring they visit the legitimate sites directly and verify the HTTPS certificate before downloading any tools.

