A new ransomware attack, known as the Nitrogen Malware Campaign, has been identified. Starting in late July 2023, it uses Google or Bing ads to lure users into downloading fake software that gives hackers access to your system. The most recent imitation is of a popular disk-space managing app called TreeSize Free.


What is TreeSize?

TreeSize is a trusted application that helps you manage space on your Windows computer by organising folders by size.

It’s become an extremely popular programme because it allows you to see which folders are using the most space and helps you to delete unnecessary files on your hard drive.

TreeSize is a well-established and popular program that has been going since 1996. It’s considered to be very safe to use, if downloaded from the official site. The official site for TreeSize is


How does the ransomware attack happen?

The ransomware attack works through ads shown on Google or Bing promoting downloads for TreeSize. These lead to counterfeit websites, which closely resemble the genuine ones.

Clicking the download link on the website introduces malware onto your machine. This will give hackers access to your computer, even if you aren’t aware it’s happening.


Are any other software titles affected?

This attack was originally spotted mimicking the popular file sharing program called WinSCP in early July, however, hackers are now putting up fake websites for a number of popular programs.

AnyDesk, Cisco AnyConnect VPN, WinSCP and TreeSize have all been imitated in these malicious adverts.

To be clear, all of these are genuine and safe products as long as they are downloaded from their official websites.


What should I do to prevent this?

Firstly, be extra cautious when downloading any of the following software: AnyDesk, Cisco AnyConnect VPN, TreeSize, or WinSCP.

Don’t download software from the ads section on Google or Bing; use their regular organic listings instead.

Double-check the website address to ensure it’s genuine. Malicious or fake websites will have a slight difference in spelling and can be spotted if you look carefully.

Next, make sure you have the latest antivirus definitions and Windows updates on your machines for better protection. Please note that this isn’t a guarantee of protection in this case, as the software that hackers use to gain remote access to your machine can still go undetected.

Most importantly, don’t download anything if you’re even slightly unsure. Always listen to your instincts and step away from the screen for a few minutes before making a decision.

Lastly, please feel free to reach out to the Coretek team if you need any help or a second opinion- we’re always glad to assist.


Final thoughts

To summarise, be extra vigilant when downloading Any Desk, Cisco AnyConnect VPN, TreeSize or WinSCP.

If in doubt, don’t hesitate to ask us for advice. If you’d like further details about this attack, check out the following article which includes screenshots and further warning signs: