Spreading Malicious Files Through GIMP Ads on Google

Fraudulent advertising entries have been detected in the Google search engine, displayed in the top positions of search results and aimed at distributing malware under the guise of promoting the free graphics editor GIMP. The advertising link is designed so that users have no doubt that it leads to the project's official website, www.gimp.org, but in reality it forwards to the domains gilimp.org or gimp.monster, which are controlled by attackers.

The content of the sites that open is the same as the original gimp.org site, but a download attempt is redirected to the Dropbox and Transfer.sh services, through which a Setup.exe file with malicious code is delivered. The discrepancy between the destination address and the URL shown in Google results is explained by the way ads are set up in the Google AdSense network, where separate URLs can be set for display and for the click-through destination (on the understanding that an intermediate redirect may be used on the click-through to evaluate the effectiveness of advertising). Google's policy is that the ad block and the landing page must use the same domain, but compliance with the rules does not appear to be verified in advance and is regulated at the level of response to complaints.
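
The display/landing discrepancy described above can be checked mechanically. The following Python code is an added example, not part of the original article or any Google tooling: it compares the domain an ad displays with the domain it finally lands on and flags near-miss spellings of the official name. The function names, the naive last-two-labels domain rule, the edit-distance threshold of 2, and the sample records are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "gimp.org"  # the project's real domain, as named in the article

def registrable_domain(url):
    """Naive eTLD+1: the last two host labels. Assumption: no multi-label
    suffixes such as co.uk; production code should use the Public Suffix List."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return ".".join(host.rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_ad(display_url, landing_url, official=OFFICIAL, max_dist=2):
    """Compare the domain an ad displays with the domain it lands on."""
    shown = registrable_domain(display_url)
    landed = registrable_domain(landing_url)
    if shown == landed:
        return "consistent"
    if shown == official:
        brand = official.split(".", 1)[0]
        name = landed.split(".", 1)[0]
        # Same name under another TLD, or a near-miss spelling of the name.
        if name == brand or edit_distance(name, brand) <= max_dist:
            return "lookalike"
    return "mismatch"

# Constructed sample records: (display URL, final landing URL after redirects)
SAMPLE_ADS = [
    ("www.gimp.org", "https://www.gimp.org/downloads/"),
    ("www.gimp.org", "https://gilimp.org/"),
    ("www.gimp.org", "https://gimp.monster/"),
    ("www.gimp.org", "https://tracker.example.net/click?id=1"),
]

if __name__ == "__main__":
    for shown, landed in SAMPLE_ADS:
        print(f"{shown:14} -> {landed:40} {classify_ad(shown, landed)}")
```

A "mismatch" verdict alone is not proof of fraud, since an intermediate tracking redirect also produces one; the check is meant to be applied to the final landing URL.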



Source: opennet.ru
