Most IT leaders picture a breach starting the same way: a suspicious email, a sketchy link, maybe a fake invoice. Someone clicks, the attacker gets in, and the team scrambles to clean up the damage.
That model keeps evolving.
Our Apex Security team recently responded to an incident that began with something far more ordinary than a phishing email. An employee ran a normal Google search for a popular note-taking app. The search surfaced a convenient AI-generated answer. That answer pointed them to a download page that looked exactly like the real product. No weird sender. No attachment. Just everyday research, a helpful-looking AI response, and an installer that appeared completely legitimate.
The file ran. The client's endpoint detection and response (EDR) agent did not stop it.
Below is what happened, why it worked, and what it means for the way you defend your business. This is the second installment in our series on how attackers exploit the tools your team already trusts. The first looked at malvertising through advertisement networks. This one moves a step further, into the search results and AI answers themselves.
In This Article:
Email phishing is still the most common way attackers get in, and training your team to recognize it remains non-negotiable. This case study, though, is about something no amount of inbox vigilance would have caught. Attackers have moved upstream, into the search results your team relies on every day, and now into the AI-generated answers that sit on top of those results.
The underlying technique is called SEO poisoning (search engine optimization poisoning). Attackers study the terms people search for, then manipulate rankings and infrastructure so that their malicious page appears where a trusted result should be. The newer twist is artificial intelligence. When a search returns a generated summary, or when an assistant recommends a download, attackers want that answer to point at infrastructure they control.
This is not theoretical. In May 2026, Microsoft Threat Intelligence documented a campaign it described as AI search result poisoning, an extension of traditional SEO poisoning in which LLM-generated responses surfaced links to attacker-controlled domains and ultimately delivered malware through pages that impersonated legitimate utilities (Microsoft Security Blog). Federal authorities have flagged the same pattern from the other direction. CISA and the FBI have published joint advisories tying fake software downloads and drive-by installs to initial access for ransomware operators (CISA).
What makes this dangerous for businesses is not only the delivery method. It is what happens after the download runs.
Endpoint detection and response (EDR) may generate a detection in the event of an incident, but EDR often does not capture the full extent of what was executed on a target host.
A commodity loader may execute and connect to adversary infrastructure for additional instructions. Certain follow-on actions or payloads may be detected by EDR, but the original foothold can remain active and undetected
That is exactly the pattern our team reconstructed in the incident below.
Our Apex Security team began investigating after suspicious network traffic surfaced in a client environment. Forensic analysis traced it back to a single Google search. What follows is the full reconstruction, in our analysts' own words.
CastleLoader is modular loader and a commodity Malware-as-a-Service (Maas). CastleLoader typically enables the adversary with initial host access and subsequent payload delivery.
SEO (search engine optimization) poisoning continues to be a choice technique for many threat actors and groups.
Essentially, adversaries leverage popular search terms, and in some cases paid advertisements, to drive their website to the top of a common search result.
Adversaries now appear to be leveraging the output from edge LLM models, such as Gemini, to better target victims.
In this incident, Apex Security Operations responded to suspicious traffic that stemmed from a user that executed a Google search which provided a convenient Gemini response and subsequently sent them to an adversary-hosted landing page that deploys a Python variant of CastleLoader.
Figure 1 - Apex Forensic Analysis - Delivery Reconstruction
“cool apps to install on Windows”
Yes, this was the initial Google search the user executed that pointed them to Gemini output. The user pasted “note-taking tool Obsidian” into a subsequent Google search which directed them to the adversary-hosted landing page that masqueraded as the Obsidian note taking application.
The landing page was not live at the time of our analysis. It appears the adversary promptly pulled it following some success.
Figure 2 - Apex Forensic Analysis - Delivery Reconstruction
Shortly after the user visits the adversary-hosted landing page, the file ObsidianSetup-2026-5.75.02664-win-x64.exe is seen downloaded to disk and is subsequently executed. Unfortunately, this file, along with several others, were deleted from disk and not recoverable for our analysis.
Figure 3 - Apex Forensic Analysis - Payload Execution
As you can see, the executable spawned pythonw.exe (headless Python). Also, a directory traffic1kris was created in c:\programdata\ which hosted Python application data and contained the adversary’s Python bytecode.
Figure 4 - Apex Forensic Analysis - Decompiled Python Bytecode Sample (System Profiling)
Figure 5 - Apex Forensic Analysis - Decompiled Python Bytecode Sample (GetIpGeo)
Figure 6 - Apex Forensic Analysis - Decompiled Python Bytecode Sample (C2 Domain)
Figure 7 - Apex Forensic Analysis - Decompiled Python Bytecode Sample (Self Delete)
Figure 8 - Apex Forensic Analysis - Python Implant C2 Connectivity
The Python implant established persistence through the creation of a Windows Shortcut file (.lnk) in the startup directory.
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pythonw.exe.lnk
Shortly after the execution of the Python implant, NetSupport Manager, which is a widely abused Remote Access Tool (RAT) was deployed and executed.
Figure 9 - Apex Forensic Analysis - NetSupport RAT Execution Indicators
Unfortunately, the NetSupport Manager files were also deleted and were not recoverable. This is unfortunate as the configuration files often contain fallback or secondary C2 server destinations.
A scheduled task was created for NetSupport RAT persistence.
Figure 10 - Apex Forensic Analysis - NetSupport RAT Persistence
The full execution chain our analysts reconstructed from the artifacts above:
The group behind the development of CastleLoader commodity malware has been labeled as TAG-150 and called GrayBravo.
Our thoughts are that TAG-150 is likely selling CastleLoader to Initial Access Brokers (IABs) that are then selling secondary access through NetSupport RAT to ransomware affiliates. This is quite common and nothing new.
We assess, with low confidence, that the name, traffic1kris, seen in multiple locations throughout our analysis of files and code, may be the alias of the initial access broker.
Adversaries are pairing traditional SEO poisoning tactics with AI output to deliver malicious payloads at scale.
A major takeaway we observed in this instance is that the client-deployed EDR product did not mitigate or prevent the execution of the initial payload, Python bytecode, or the secondary NetSupport deployment.
Forensic analysis is always required to understand the extent of an incident.
The uncomfortable truth is that standard antivirus, basic endpoint detection, and spam filters, the tools most small and mid-sized businesses rely on, were never designed to catch this class of attack. No email reached an inbox. No user ignored a warning. A diligent employee did normal research and trusted the answer their search engine handed back.
Consider the environment your team operates in:
Related: estimate the cost of a data breach for your organization with our cybersecurity calculator.
The broader point holds. Many of these incidents do not begin with a bad click. They begin with normal business activity in an environment where attackers have quietly poisoned the infrastructure your team trusts, which now includes the AI layer sitting on top of search.
Detection of this class of attack requires a fundamentally different approach to endpoint security. File scanning is not enough. Alert monitoring is not enough. What it requires is continuous behavioral monitoring: a real-time view of what processes actually do, not just what files sit on disk.
Two facts from this case sit uncomfortably together. The client had EDR deployed. The EDR did not stop the attack. It did not block the malicious installer, the in-memory Python loader, or the NetSupport RAT that followed. Our forensic analysis is what reconstructed the full chain and confirmed the true extent of the compromise.
Cyber criminals are growing more sophisticated, and they deliberately engineer payloads to slip past traditional EDR technology. That is the gap a managed forensic program is built to close. We don't just look for bad files; we monitor the behavior of your computer's memory. When an application starts trying to inject code into other processes or quietly spawn a hidden interpreter, our system is built to flag and kill it, then preserve the evidence.
When a memory anomaly appears, our analysts do not dismiss it as noise. They pull the thread until the full attack chain is understood, because that is the only way to know what an attacker actually touched.
Apex Security's approach includes:
This is not a threat aimed at careless people. The lures in these campaigns, note-taking apps, PDF tools, productivity utilities, and AI assistants, mirror the exact software your team searches for to get work done. The attack works precisely because the download looks like something an employee genuinely needs.
Our analysts are trained to recognize these "fake software" lure patterns and to understand how they map to real workflows in regulated industries. A manufacturing engineer looking for a file converter and a healthcare administrator searching for a scheduling tool are exactly the users these campaigns are built to reach. That industry context is not incidental. It is core to spotting threats that generic security operations centers miss.
One of the most dangerous gaps in incident response is not technical. It is operational. When a breach escalates, most providers require you to negotiate a new contract, track hourly billing, and wait for emergency availability while an active threat spreads through your network.
Apex Security removes that friction. Full-scale Incident Response is included as a standard feature, with no retainer fees and no hourly emergency billing. Your dedicated technicians already know your environment, and they are trained to spot the specific "fake software" lures that target manufacturing, healthcare, and financial workflows. When your environment needs forensic investigation, the team is already in place.
If your business relies on standard antivirus or an unmonitored EDR agent, the case above is a direct preview of your exposure. A single employee searching for a common tool on a work device, on your network, is all it takes.
The indicators of compromise from this campaign are listed below. If you are a current Apex client, these have already been pushed to your environment. If you are not, treat this as a look at what continuous forensic monitoring catches that most tools miss.
Domain IOCs (do not visit, block at your firewall and DNS):
IP Address IOCs (block at your firewall):
File Hash IOCs:
This research was produced by the Compass Apex Security team. Apex Security delivers forensic-grade cyber defense, continuous human-led investigation, and audit-ready reporting for regulated and high-risk organizations. Learn more about Apex Security or book an assessment.