The group known as BlackCat, also called ALPHV, has been running malvertising campaigns to trick individuals into visiting fake websites that imitate the official site of the WinSCP file-transfer application for Windows. Instead of the legitimate software, these pages distribute installers infected with malware.
WinSCP is a widely used free and open-source SFTP, FTP, S3 and SCP client and file manager with SSH file transfer capabilities. It receives around 400,000 weekly downloads on SourceForge alone.
BlackCat is exploiting the popularity of this program to infiltrate the computers of system administrators and IT professionals, thus gaining initial access to valuable corporate networks. Trend Micro analysts recently discovered this previously unknown method of spreading the ALPHV ransomware. They identified advertisements promoting the fake pages on both the Google and Bing search platforms.