How Google Ads For GIMP's Official Website Exposed PCs To Malware

A Reddit user looking to download and install the free image editor GIMP has discovered a devious malware campaign using contextual Google search ads to trick unsuspecting users into installing the RedLine stealer malware. The user who uncovered and reported this campaign almost fell prey to it himself, until Windows Defender made him think twice about running the executable file he downloaded after clicking on the first search result for GIMP. As it turned out, the top search result was an ad that sent the user to a malicious clone of the official GIMP website, even though the result was listed as “gimp.org,” which is the domain name for the official website.

One method threat actors use to distribute malware is known as SEO poisoning, with SEO standing for search engine optimization. SEO poisoning leverages various SEO techniques, such as filling a webpage’s source code with tons of keywords, to raise a malicious website’s ranking within the search results. If a threat actor manages to game the search results in this way and place a malicious website near the top of the search results, users may visit the malicious website and download malware without realizing it. However, this newly discovered malware campaign demonstrates that threat actors don’t need to employ SEO tactics to place a malicious website at the top of the search results if they can instead pay Google to do that for them.

Google search results showing the malicious ad as the top result (source: ZachIngram04)

Prior to reporting the ad to Google as malicious, a Reddit user found that searching Google for “gimp” returned a set of listings topped by what appears to be an official ad for the free image editor. The ad even contains the official website’s domain name, gimp.org, as well as the same description as the listing for the official website directly below the ad.

However, rather than sending users to the official GIMP website, the ad instead sent users to a malicious copy of the GIMP website at a misspelled domain name. Most likely, the contextual advertisement was actually submitted to Google by a threat actor, rather than someone on the GIMP development team.

Initially, users who clicked on the download button on the malicious website were sent to Dropbox to download an executable file named “Setup.exe.” After uploading this file to VirusTotal and discovering that it contained malware, the Reddit user who discovered the scheme reported the ad to Google as malicious, prompting the company to terminate the ad.

The malicious download page looks almost identical to the legitimate download page

The threat actor behind the malware campaign then responded by simply submitting another visually identical ad that redirects users to a malicious clone of the GIMP website at a domain name with a different misspelling of gimp.org. Rather than sending users to Dropbox, the download button on this second malicious website sends users to a download page that appears almost identical to the legitimate download page on the official GIMP website.

The GIMP for Windows download buttons on this webpage fetch the malicious Setup.exe file from the Discord content delivery network (CDN), while redirecting users to the tutorials page on the official GIMP website. This updated download process appears more trustworthy than a random Dropbox download page, but the downloaded file is equally malicious. Running this executable file installs the RedLine stealer malware, which collects valuable information from infected systems, then uploads it to a command-and-control (C2) server operated by threat actors.

In order to avoid being fooled by a scheme like this one, users should check domain names in the address bar before downloading software to make sure they are visiting legitimate websites. Many software developers also provide hash values on their websites, which users can check against the hash value of downloaded files before running them to verify the integrity of the downloaded files. In the case of this fake GIMP campaign, the threat actor simply copied the official GIMP website almost verbatim, leaving the correct hash value on the download page. Anyone who checked the malicious executable file against the hash value listed on the website would find that the sums don’t match, indicating that the file isn’t legitimate. Checking hash values may seem like a tedious extra step, but it really can save you from unknowingly installing malware on your systems.
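The two checks recommended above, the address-bar domain check and the published-hash check, are easy to get subtly wrong: a naive "does the URL contain gimp.org" test passes lookalike hosts, and a hash compared by eye is error-prone. The following script is an added example written for this article, not code from GIMP or the Reddit poster. It parses the download URL and accepts only the exact official host (or a subdomain of it), then verifies a file's SHA-256 against a published value. The sample files and the published hash are constructed inside the script; the Discord CDN URL is a constructed illustration of the kind of third-party download host the article describes.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# The official domain named in the article. Everything else below
# (file contents, URLs, the "published" hash) is constructed for the demo.
OFFICIAL_HOST = "gimp.org"


def host_is_official(url: str, official_host: str = OFFICIAL_HOST) -> bool:
    """True only if the URL is HTTPS and its host is the official domain
    or a subdomain of it.

    Substring tests such as `"gimp.org" in url` are not enough: hosts like
    gimp.org.example or gimpp.org, and URLs that merely mention gimp.org in
    the path, would all pass. Parse the host and compare it label-by-label.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == official_host or host.endswith("." + official_host)


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large installers don't load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_matches(path: Path, published_hex: str) -> bool:
    """Compare the file's SHA-256 with the hash published on the vendor's page.

    Hex digests are normalised to lowercase and compared in constant time;
    a mismatch means the file is not the one the vendor published.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def demo() -> dict:
    """Run both checks over constructed inputs and return the verdicts."""
    # Constructed download URLs: one official, the rest the kinds of lookalike
    # or third-party hosts a cloned site might send a visitor to.
    urls = {
        "https://www.gimp.org/downloads/": None,
        "https://gimp.org.example/downloads/": None,     # lookalike suffix trick
        "https://gimpp.org/downloads/": None,            # misspelled domain
        "http://gimp.org/downloads/": None,              # right host, no TLS
        "https://cdn.discordapp.com/attachments/x/Setup.exe": None,  # third-party CDN
    }
    for url in urls:
        urls[url] = host_is_official(url)

    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp) / "gimp-setup-genuine.exe"
        tampered = Path(tmp) / "Setup.exe"
        genuine.write_bytes(b"constructed genuine installer bytes\n")
        tampered.write_bytes(b"constructed tampered installer bytes\n")

        # The "published" hash is simply the digest of the constructed genuine
        # file, standing in for the value a vendor would list on its download page.
        published = sha256_of_file(genuine).upper()

        return {
            "urls": urls,
            "genuine_ok": hash_matches(genuine, published),
            "tampered_ok": hash_matches(tampered, published),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real download, replace the constructed files with the path of the installer you saved and paste the hash from the vendor's page into `hash_matches`; the domain check is what the address-bar glance is meant to do, made explicit so that a lookalike host cannot slip past.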