A security incident involving malicious sponsored ads distributing backdoored administrative tools was detected. Users searching for RVTools were served a tampered version containing ThunderShell, a PowerShell-based remote access tool. The malicious ads, appearing in Google search results, led to a site mimicking the legitimate RVTools download page. The trojanized file, when executed, installs RVTools but also deploys ThunderShell, allowing attackers to execute commands on compromised machines. Multiple ads from different verified advertisers were used to evade security controls. The campaign highlights the persistent threat of malvertising and the need for stronger ad screening processes and user awareness.