The Rise of Fake Google Ads: DarkGate Malware Masquerades as Perplexity’s Comet Browser

Listen to this Post

Featured Image
In an unsettling twist in the cybersecurity landscape, fake Google ads are once again being used as bait—this time to spread malware under the guise of Perplexity’s new Comet browser. The discovery reveals a sophisticated social engineering campaign, pushing unsuspecting users toward a booby-trapped installer that secretly delivers the DarkGate malware. This malicious software, known for its stealth, persistence, and deep system penetration, has resurfaced with new methods of distribution and is showing clear ties to Russian threat actors.

The fraudulent ads appear at the top of Google search results when users look for “Comet browser download,” redirecting victims to a counterfeit website almost identical to the legitimate Perplexity page. Once there, users are tricked into downloading a file hosted on GitHub—a move designed to exploit the platform’s trust and legitimacy. The installer, however, is anything but safe. Inside lies DarkGate, a notorious piece of malware capable of exfiltrating sensitive data, installing backdoors, and creating persistence for long-term espionage.

Investigators found telltale signs of Russian-origin code embedded in the malicious installer, along with communication patterns linked to a command-and-control (C2) server traced back to Eastern Europe. The malware uses obfuscation and encryption layers to avoid detection, blending in with normal traffic and hiding from most antivirus systems.

This isn’t the first time DarkGate has re-emerged. Originally identified in 2018, it has evolved significantly, adopting techniques similar to those used by major cybercrime groups. Its recent connection to a GitHub-hosted payload suggests attackers are not only exploiting ad networks but also legitimate developer platforms to maintain credibility.

The campaign’s scale remains unclear, but early signs indicate a global reach—especially in regions where Perplexity’s AI browser has gained rapid popularity. Cybersecurity analysts are urging users to avoid downloading software through ads, and instead to rely only on official company websites. Google, meanwhile, faces renewed criticism over its ad moderation systems, which continue to allow malicious actors to buy top search placements and distribute infected files under reputable brand names.

DarkGate’s resurgence through fake Comet browser ads signals a dangerous evolution in the modern threat landscape: cybercriminals have mastered psychological manipulation, using authenticity itself as a weapon. When the internet’s most trusted names—Google, GitHub, Perplexity—are turned against their users, the line between safety and threat becomes disturbingly thin.

What Undercode Say:

The reappearance of DarkGate through fake Google ads marks an alarming shift in the methods of modern cyber deception. This incident exposes how fragile digital trust has become, even within the world’s most reputable platforms. The threat is no longer confined to shady corners of the internet; it now hides in plain sight, wearing the mask of credibility.

Google’s ad ecosystem, once a symbol of legitimate marketing, has increasingly become a vector for exploitation. Attackers understand that users trust sponsored links more than organic results. That single behavioral bias—trust in authority—has turned into a weapon.

Hosting the malicious payload on GitHub is an especially clever move. By leveraging GitHub’s trusted infrastructure, attackers bypass traditional security filters. To an average user, a “GitHub link” implies safety, technical legitimacy, and transparency. Yet, this campaign twists that trust into a trap.

From a forensic perspective, the Russian code traces and the C2 server linkage are not coincidental. They echo a familiar playbook of Eastern European cybercrime syndicates that specialize in modular malware frameworks. DarkGate’s modular nature allows it to act as a downloader, info-stealer, or ransomware loader—depending on the attackers’ objectives.

This event also underscores a rising trend in AI-adjacent exploitation. The attackers deliberately chose Perplexity’s Comet browser—a new, buzzworthy AI browser—to ensure high search volumes and low skepticism. The target demographic of such AI tools is typically tech-curious, fast-adopting users—ironically, the same group that tends to underestimate security risks in favor of innovation.

If we connect the dots, this campaign looks less like random malware distribution and more like a precision-engineered psychological operation. The attackers weaponize familiarity: familiar ads, familiar hosting platforms, familiar software names. It’s an attack that thrives on human confidence, not technical ignorance.

The cybersecurity community faces a new dilemma: traditional malware detection isn’t enough. Threat actors are now infiltrating trust layers—advertising networks, developer platforms, and brand recognition itself. Combating this requires not just better antivirus technology but systemic changes in how digital trust is authenticated.

Users, too, must evolve. The rulebook of cybersecurity is changing from “don’t open suspicious links” to “don’t trust what looks legitimate without verification.” Education, awareness, and critical thinking have become the first line of defense in a war fought not with brute force, but with illusion.

DarkGate’s comeback through the Comet deception is a grim reminder that the future of cybercrime is social, not technical. Every new layer of convenience—AI browsers, automated downloads, or ad-based discovery—creates new openings for exploitation. The more seamless technology becomes, the more invisible the threats within it grow.

Fact Checker Results:

✅ DarkGate malware has a confirmed history dating back to 2018, with known ties to Russian cybercrime circles.
✅ GitHub links were used in this campaign to host the infected installer, confirmed by independent security analysts.
❌ No official association exists between Perplexity or its Comet browser and the infected installer.

Prediction: 🔮

In the coming months, we can expect cybercriminals to increasingly use legitimate ad networks and code-hosting platforms to distribute sophisticated malware. Fake browser campaigns—especially tied to trending AI tools—will surge as attackers exploit public curiosity. Google and GitHub will likely tighten security measures, but the trust users place in “familiar links” may continue to be the biggest vulnerability of all.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: x.com
Extra Source Hub (Possible Sources for article):
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon