The malware, known as LoadPCBanker, is an executable disguised as a PDF of hotel reservation details and is stored in the File Cabinet area of a classic Google Sites page.
The decoy is named 'PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe'; the mix of English and Portuguese in the filename indicates that the operators are targeting both English- and Portuguese-speaking victims.
On April 12, researchers at Netskope reported the campaign abusing Google Sites to host the malware. The samples were still live and downloadable at the time of writing.
The malware was detected by 47 of 66 antivirus engines on VirusTotal.
In a statement to BleepingComputer, Netskope researchers said: 'Threats have been leveraging Google's classic Google Sites to create a website, then using file templates to upload payloads, ultimately sending result URLs to potential targets.'
Upon execution, the fake PDF creates a directory and downloads three payloads, libmySQL50.DLL, otlook.exe, and cliente.dll, from the Kinghost file hosting service.
otlook.exe is named to resemble Microsoft's Outlook email client. It can harvest information from the victim's machine through screenshots, clipboard capture, and keystroke logging.
It also includes functions that download files containing the login credentials and connection details for the SQL database that receives the stolen data; these files are updated with new access details over time.
Exfiltration is completed with the help of the DLL component, which provides the connection to the database server.
The database contains two tables: one holding information about infected computers and the other holding stolen clipboard data.
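The two host-side indicators described above, an executable dressed up as a PDF and the trio of dropped payload files sitting together in one directory, are simple to hunt for. The following Python helper is an added example written for this page, not code from Netskope or BleepingComputer. It scans a list of file paths and flags (a) executables whose names carry a document extension or keyword, handling both the double-extension case and the "PDF ... PDF.exe" pattern seen here, and (b) directories that contain two or more of the named payload files. The sample paths, the drop directory name and the list of decoy document types are constructed assumptions; the report does not name the directory the loader creates.

```python
"""Hunting helper for LoadPCBanker-style file indicators (added example, not from the report)."""
import re
from pathlib import PureWindowsPath

# Payload names dropped by the loader, per the report (matched case-insensitively).
PAYLOAD_NAMES = {"libmysql50.dll", "otlook.exe", "cliente.dll"}
# Assumption: document types an attacker might imitate; extend as needed.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# Assumption: executable extensions worth flagging when they pose as documents.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_decoy_executable(filename: str) -> bool:
    """Return True when an executable's name is dressed up as a document.

    Catches 'report.pdf.exe' (double extension) and names like
    'PDF Reservations ... PDF.exe' where a document keyword appears
    as a whole word in the stem.  'pdfmaker.exe' is NOT flagged because
    the keyword is not a separate word.
    """
    p = PureWindowsPath(filename.strip())
    if p.suffix.lower() not in EXEC_EXTS:
        return False
    stem = p.stem.lower()
    if any(stem.endswith(ext) for ext in DOCUMENT_EXTS):
        return True  # double extension, e.g. invoice.pdf.exe
    return any(re.search(r"\b" + re.escape(ext[1:]) + r"\b", stem) for ext in DOCUMENT_EXTS)


def hunt(paths):
    """Return a list of (finding_type, detail) tuples for a file listing."""
    findings = []
    payloads_by_dir = {}
    for raw in paths:
        p = PureWindowsPath(raw)
        if is_decoy_executable(p.name):
            findings.append(("decoy-executable", raw))
        name = p.name.lower()
        if name in PAYLOAD_NAMES:
            payloads_by_dir.setdefault(str(p.parent).lower(), set()).add(name)
    # Two or more of the payload files in one directory is the stronger signal;
    # a lone libmysql-style DLL is common on systems with legitimate MySQL clients.
    for directory, names in payloads_by_dir.items():
        if len(names) >= 2:
            findings.append(("loadpcbanker-payload-set", directory + " -> " + ", ".join(sorted(names))))
    return findings


# Constructed file listing for demonstration; 'drop' is a made-up directory name.
SAMPLE_PATHS = [
    r"C:\Users\ana\Downloads\PDF Reservations Details MANOEL CARVALHO hospedagem familiar detalhes PDF.exe",
    r"C:\Users\ana\AppData\Local\Temp\drop\libmySQL50.DLL",
    r"C:\Users\ana\AppData\Local\Temp\drop\otlook.exe",
    r"C:\Users\ana\AppData\Local\Temp\drop\cliente.dll",
    r"C:\Users\ana\Downloads\invoice.pdf",
    r"C:\Program Files\MySQL\libmysql.dll",
]

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_PATHS):
        print(f"[{kind}] {detail}")
```

In practice the path list would come from a file-system walk, an EDR file-event export, or Sysmon event ID 11 (FileCreate) records; the name-based checks are deliberately cheap so they can run over large listings, and the payload-set rule keys on co-location rather than any single filename to keep the false-positive rate down.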
During analysis, we discovered that the threat actors were particularly interested in monitoring specific systems and capturing screenshots of the victim's computer in this attack. We noticed this because there were numerous responses from infected computers. At the time of writing, the threat actors are actively monitoring 20 malware-infected hosts.
Researchers believe this malware has been around since early 2014; the most recent campaigns have been active since February 2019.
It is unclear whether a single actor is behind all of the attacks or whether the malware code is shared with other cybercriminals.
