BATLOADER, the notorious malware loader, was seen exploiting Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif. In their ads, attackers fake legitimate apps and services such as Adobe, Tableau, ChatGPT, Spotify, and Zoom. Other samples of BATLOADER display enhanced capability to establish persistence inside compromised networks.