Nitrogen via Google ad for Advanced IP Scanner

Nitrogen, tested on May 3, 2024

Malvertising, the use of ads to deliver malware, has become very popular in the past couple of years. This is especially true for ads that appear on search results pages for Google, and to a lesser extent Bing.

The threat we are looking at today lures potential victims (likely system administrators) with an ad for Advanced IP Scanner, a popular networking tool. The malicious download leads to Nitrogen, a piece of malware that is used as initial access for ransomware deployment.

Distribution (Google ad->Phishing site->Download ZIP)

We searched on Google for the keywords ‘advanced ip scanner’ and saw the ad shown below. In this case, the threat actors used minimal effort as the domain name is clearly different than the official site, and the ad contains typos.

When you click on the ad, you are redirected through the decoy domain seen in the ad URL. This technique is known as cloaking and enables the threat actors to trick Google into thinking the ad is clean. Let’s pretend we are not a real user, by changing some of our browser settings to appear as a crawler. We see a website that looks real, although no one has ever heard about it before!

Threat actors go to great lengths to create these decoy pages, but often times they use AI to have them build those sites for them. Now, let’s return to the ad and click on it from a genuine user profile: we get a totally different final URL!

To understand what happened here, let’s look at the network traffic from the Google ad, to this page. We see that the saltysour[.]com domain immediately redirected us (via a 302 HTTP code) to a different site that impersonates the real Advanced IP Scanner website.

Real site: advanced-ip-scanner[.]com

Fake site: advanced-ip-scan[.]org

We press the download button and a file called is retrieved from what looks like a WordPress site, which is rather suspicious. We extract the content of that Zip archive and see the following.

While the setup.exe file is legitimate, it sideloads a malicious DLL (python311.dll) which calls back to a command control and server. This is a signature move from a threat known as Nitrogen. This piece of malware is used as part of a longer attack chain which leads to ransomware. In fact, Nitrogen is associated with the deployment of the BlackCat (ALPHV) ransomware.

Process flow


ThreatDown customers were already protected against this attack:

  • The phishing website was detected via web protection
  • The malicious DLL (Nitrogen) was detected via our AI-driven automated signature system
  • The command and control server (C2) for Nitrogen was already detected by web protection


If you want to protect your users from a number of web based threats, it is crucial to scrutinize online ads. Downloading software by clicking on a search ad is a risky behavior because brands can be impersonated quite easily. You have several options here:

  • you can block ads across the board which will make a malvertising attack very unlikely
  • you can provide an internal repository from where you employees will download the software programs they need

We highly recommend web protection which goes beyond a simple ad blocker. ThreatDown gives you that extra piece of mind by blocking malicious infrastructure used by malvertisers as well as command and control servers that threat actors rely on.

Remember to treat such intrusions timely as Nitrogen is not the final payload in this attack chain. Threat actors will use it to profile victims before deploying ransomware.

Indicators of Compromise (IOCs)

Cloaking site


Phishing site


Payload URL


Payload SHA256


Nitrogen SHA256


Nitrogen C2