Don’t Google this weirdly specific chat question (unless you want malware)

PCMag editors select and review products independently. If you purchase through affiliate links, we may earn commissions, which help support our essay.

Another Google search query has been SEO poisoned, meaning that searching for a specific phrase and clicking on a top link could lead to Windows malware, according to a recent report from cybersecurity company Sophos.

A fake forum site may appear at the top of Google search results if you search for something like “Are Bengal cats legal in Australia?” Clicking on this forum link will trigger the download of a .zip file containing malware. A link to the malicious file will also appear on the web page itself, in a post from a fake admin.

This malware is a new variant of the “GootLoader” malware, which can then be used to deploy ransomware or banking Trojans on a victim’s machine. The malware uses a combination of “scheduled tasks”, JavaScript files and PowerShell to infect and remain on a PC.

The malicious files contain a fair amount of obfuscated code, as well as fake licensing information, to make the files appear legitimate to less tech-savvy users. It even claims that it is Microsoft software in one of the JavaScript files, which is false.
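A defender's view of the chain described above (a downloaded .zip, JavaScript files, PowerShell and scheduled tasks), as an added example that is not from PCMag or the Sophos report: it scans process-creation events for a script host running a .js file from a user-writable folder and tags the follow-on behaviour. The event tuples, paths and tag names are constructed for illustration; wscript.exe/cscript.exe as the script host and the Task Scheduler service (`svchost.exe ... -s Schedule`) as the parent of scheduled tasks are assumptions about how such files are typically launched on Windows.

```python
import re

# Constructed process-creation events: (pid, ppid, image, command line). Not from the report.
SAMPLE_EVENTS = [
    (210, 100, "wscript.exe",
     r'wscript.exe "C:\Users\kim\AppData\Local\Temp\Temp1_forum_answer.zip\forum_answer.js"'),
    (220, 210, "cscript.exe", r'cscript.exe "C:\Users\kim\AppData\Roaming\Notes\helper.js"'),
    (230, 220, "powershell.exe", "powershell.exe -NoProfile -Command <redacted>"),
    (300, 1, "svchost.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    (310, 300, "wscript.exe", r'wscript.exe "C:\Users\kim\AppData\Roaming\Notes\helper.js"'),
    (400, 100, "powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
    (500, 100, "wscript.exe", r'wscript.exe "C:\Program Files\Vendor\update.js"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp)\\", re.I)
JS_PATH = re.compile(r'"?([a-z]:\\[^"]+?\.js)"?', re.I)

def js_from_user_path(image, cmdline):
    """Return the .js path if a script host runs it from a user-writable folder."""
    if image.lower() not in SCRIPT_HOSTS:
        return None
    m = JS_PATH.search(cmdline)
    return m.group(1) if m and USER_WRITABLE.search(m.group(1)) else None

def find_chains(events):
    """Flag user-path .js executions; tag zip origin, task launch and PowerShell descendants."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, ppid, image, cmd in events:
        script = js_from_user_path(image, cmd)
        if not script:
            continue
        tags = set()
        if ".zip\\" in script.lower():  # opened straight out of a downloaded archive
            tags.add("run-from-zip")
        if "-s schedule" in by_pid.get(ppid, (0, "", ""))[2].lower():
            tags.add("scheduled-task-launch")
        stack, seen = [pid], {pid}
        while stack:  # walk every descendant of this script host
            cur = stack.pop()
            for cpid, (cppid, cimg, _) in by_pid.items():
                if cppid == cur and cpid not in seen:
                    seen.add(cpid)
                    stack.append(cpid)
                    if cimg.lower() == "powershell.exe":
                        tags.add("spawns-powershell")
        findings.append((pid, script, sorted(tags)))
    return findings
```
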

Different versions of GootLoader malware have existed online for years, usually infecting computers via SEO poisoning. GootKit more broadly has existed for at least a decade.

Earlier versions of GootLoader malware also leverage JavaScript to execute their attacks and can prime a computer for a Cobalt Strike payload or REvil ransomware. Sometimes the malicious JS files are disguised as contracts, important documents, or other software or files.

Unfortunately, just because a site appears near or at the top of Google search results doesn’t always mean it’s safe to click through. Both SEO poisoning and malicious Google ads are used to trick unsuspecting victims into clicking or installing something that is not what it appears to be. This summer, “DeerStealer” malware was hidden in “verified” Google ads for fake authenticator apps, several cybersecurity companies have discovered.