- Google’s advertising domain became the perfect cover for a malware distribution chain
- Lure pages were rebuilt per target using real company logos pulled from the web
- Five attack stages ran almost entirely in memory, leaving little on disk for defenders to find
Cybersecurity researchers warn of a malware campaign that uses Google’s advertising infrastructure to disguise malicious activities.
Huntress research found that the operation begins with malicious spam emails containing HTML attachments designed to redirect users into a carefully layered infection chain.
The campaign attracted attention because the redirect initially passed through ad.doubleclick.net, a legitimate advertising and tracking domain owned by Google that security products widely trust.
Malware Chain Hides Behind Trusted Infrastructure
Routing through that domain matters because email gateways and web filtering systems rarely treat Google ad domains as suspicious destinations.
The attachment itself contained almost no meaningful content beyond a hidden redirect that forwards victims to additional infrastructure controlled by the attackers.
Once a user interacted with the page, the lure was built dynamically, using details extracted from the recipient's own email address at execution time.
If the user downloads the file the lure page offers, the infection chain quickly moves from social engineering to hidden malware execution within Windows.
The downloaded files rely on JScript, PowerShell, .NET reflective loading, and in-memory execution methods designed to reduce detection.
The malware avoids leaving traditional files behind while executing several stages directly within active memory.
The lure is convincing because the campaign goes the extra mile to generate personalized branding, automatically pulling company logos from online sources.
It also collects location details and local time information, which helps make scam pages appear more credible to recipients.
Researchers say the malware focused heavily on stealth.
Huntress identified a five-stage sequence involving HTML redirects, JScript loaders, PowerShell scripts, .NET components, and a final hidden payload deployment.
The malware looks for debugging environments, sandbox systems, and forensic analysis tools before continuing its execution sequence.
If it detects these tools, it terminates immediately and in some cases forces the infected system to reboot, with no warning message.
Additionally, the malware interferes with Windows security monitoring by modifying native APIs in ways that degrade AMSI scanning and ETW telemetry.
It attempts to hide by injecting malicious code into legitimate Microsoft-signed utilities, including InstallUtil.exe and MSBuild.exe.
This lets malicious behavior run inside trusted, signed Windows processes that enterprise security tooling typically treats as legitimate.
Its command-and-control infrastructure relies on dynamic DNS services and non-standard network ports, which lets the operators change endpoints rapidly once defenders block them.
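What the description of signed-utility injection and dynamic-DNS C2 gives a detection engineer, as an added example that is neither Huntress's detection content nor derived from the campaign's real telemetry: two correlated rules over a Sysmon-style event stream. Rule 1 fires when a script host (wscript, powershell and the like) launches MSBuild.exe or InstallUtil.exe; rule 2 fires when one of those binaries makes an outbound connection to a non-standard port or a dynamic-DNS zone. The event fields, file paths, hostnames and the dynamic-DNS suffix list are all constructed assumptions.

```python
# Constructed endpoint telemetry in a Sysmon-like shape. Field names and every
# value below are assumptions for the example, not logs from the campaign.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
EVENTS = [
    {"type": "process_create", "pid": 4100, "ppid": 3000,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\invoice_4417.js"'},
    {"type": "process_create", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -c $s"},
    {"type": "process_create", "pid": 4140, "ppid": 4120, "image": MSBUILD,
     "cmdline": "MSBuild.exe"},   # no project file: nothing for a real build to do
    {"type": "network_connect", "pid": 4140, "image": MSBUILD,
     "dest_host": "sync-node.duckdns.org", "dest_port": 8443},
    # Developer noise: Visual Studio launching MSBuild to build a solution.
    {"type": "process_create", "pid": 5000, "ppid": 2900,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe app.sln"},
    {"type": "process_create", "pid": 5010, "ppid": 5000, "image": MSBUILD,
     "cmdline": "MSBuild.exe app.sln /t:Build"},
    {"type": "network_connect", "pid": 5010, "image": MSBUILD,
     "dest_host": "api.nuget.org", "dest_port": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
PROXY_BINARIES = {"msbuild.exe", "installutil.exe"}
STANDARD_PORTS = {80, 443}
# Illustrative dynamic-DNS zones; the article names no provider, so this list is an assumption.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(procs, pid):
    """Render the known parent chain for pid, oldest ancestor first."""
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " > ".join(reversed(chain))


def analyze(events):
    """Walk the stream in order, keeping a pid -> process map so that a network
    event can be tied back to how its process was started."""
    procs, alerts = {}, []
    for e in events:
        if e["type"] == "process_create":
            procs[e["pid"]] = e
            child = basename(e["image"])
            parent = procs.get(e["ppid"])
            # Rule 1: a script host launching MSBuild/InstallUtil is the shape of
            # "inject into a signed utility", not of a developer build.
            if parent and child in PROXY_BINARIES and basename(parent["image"]) in SCRIPT_HOSTS:
                alerts.append({"rule": "script_host_spawns_signed_proxy", "pid": e["pid"],
                               "parent": basename(parent["image"]), "child": child,
                               "chain": ancestry(procs, e["pid"])})
        elif e["type"] == "network_connect":
            if basename(e["image"]) not in PROXY_BINARIES:
                continue
            # Rule 2: these binaries rarely need the network; a non-standard port
            # or a dynamic-DNS destination makes the egress worth an alert.
            reasons = []
            if e["dest_port"] not in STANDARD_PORTS:
                reasons.append(f"non-standard port {e['dest_port']}")
            if e["dest_host"].lower().endswith(DYNDNS_SUFFIXES):
                reasons.append("dynamic-DNS destination")
            if reasons:
                alerts.append({"rule": "signed_proxy_suspicious_egress", "pid": e["pid"],
                               "dest": f"{e['dest_host']}:{e['dest_port']}",
                               "reasons": reasons, "chain": ancestry(procs, e["pid"])})
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(a["rule"], a["chain"], a.get("reasons", ""))
```

Rule 1 will be noisy on build agents and developer machines where scripts legitimately drive MSBuild; the usual tuning is to require an empty or unusual command line (as in the constructed event, MSBuild with no project file) or to exempt known CI service accounts, rather than to drop the rule.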
The malware also collected hardware details from infected systems, including processor identifiers, antivirus products, motherboard information, and graphics hardware manufactured by Nvidia and AMD.
The entire operation appears structured for long-term unauthorized access because persistence mechanisms repeatedly restart malicious processes after the system is rebooted or shut down.
Unfortunately, Huntress did not conclusively identify the ultimate operational objective. However, the structure suggests preparations for extensive remote intrusion activities.