- Google’s advertising domain became the perfect cover for a malware distribution channel.
- The malware reconstructed fake company pages using real logos posted online.
- Five attack steps took place almost entirely in memory, leaving almost no trace.
Cybersecurity researchers are warning of a malware campaign that uses Google’s advertising infrastructure to hide malicious activity.
Research by Huntress revealed that the operation begins with malicious spam emails containing HTML attachments designed to redirect users into a carefully layered infection chain.
The campaign gained attention because the redirect process initially went through ad.doubleclick.net, a legitimate advertising and tracking domain owned by Google and widely recognized by security systems.
The malware chain hides behind reliable infrastructure
This routing method is important because many email gateways and web filtering systems rarely treat Google advertising domains as suspicious or potentially malicious destinations.
The attachment itself contained almost no meaningful content beyond a hidden redirect that sent victims on to additional infrastructure controlled by the attackers.
Once users interacted with the page, the operation dynamically reconstructed itself using data automatically extracted from the recipient’s email address at runtime.
If the user downloads the attached archive, the infection chain quickly moves from social engineering to executing malware hidden within Windows.
The downloaded files rely on JScript, PowerShell, .NET reflective loading, and in-memory execution methods designed to reduce detection.
The malware avoids leaving traditional files behind while executing multiple steps directly in active memory.
The campaign is convincing because it goes the extra mile to generate personalized branding, automatically extracting company logos from online sources.
It also gathers location details and local time information, helping fraudulent pages appear more credible to recipients.
Researchers say the malware was heavily focused on stealth
Huntress identified a five-step sequence involving HTML redirects, JScript loaders, PowerShell scripts, .NET components, and additional hidden payload deployment activities.
The malware checks debugging environments, sandboxes, and forensic analysis tools before continuing its execution sequence.
If it detects these tools, it immediately terminates its activity and sometimes forces infected systems to restart without any further warning messages.
Additionally, the malware interferes with Windows security monitoring through native API-level modifications that directly affect the AMSI and ETW telemetry systems.
It attempts to hide itself by injecting malicious code into legitimate utilities signed by Microsoft, including InstallUtil.exe and MSBuild.exe.
This technique lets the operation blend malicious behavior into trusted Windows processes that enterprise security tools recognize as legitimate.
The communications infrastructure relies on dynamic DNS services and non-standard network ports, and it can shift rapidly once defensive countermeasures appear.
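As an added illustration (not code from Huntress or TechRadar), the Python below shows how the two behaviours just described, script hosts spawning InstallUtil.exe or MSBuild.exe and those signed binaries connecting to dynamic-DNS hosts on non-standard ports, can be flagged in process-creation and network-connection telemetry. The dynamic-DNS suffixes, destination hosts, ports and the sample events are constructed placeholders, not indicators from the report.

```python
# Signed Microsoft utilities the report says were abused as injection hosts.
LOLBIN_HOSTS = {"installutil.exe", "msbuild.exe"}
# Script engines that run the JScript-loader and PowerShell stages of the chain.
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Assumed dynamic-DNS suffixes for this example; the page names no provider.
DYNDNS_SUFFIXES = (".ddns-placeholder.test", ".dyn-placeholder.test")
# Ports on which a build or installer utility plausibly talks to legitimate services.
EXPECTED_PORTS = {80, 443}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (event_id, reason) for events matching the campaign's tradecraft."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if image not in LOLBIN_HOSTS:
            continue  # only the abused signed utilities are of interest here
        if ev["type"] == "process_create":
            parent = basename(ev["parent_image"])
            if parent in SCRIPT_PARENTS:  # script host launching a signed host binary
                findings.append((ev["id"], f"{parent} spawned {image}"))
        elif ev["type"] == "network_connect":
            host, port = ev["dest_host"].lower(), ev["dest_port"]
            if port not in EXPECTED_PORTS or host.endswith(DYNDNS_SUFFIXES):
                findings.append((ev["id"], f"{image} connected to {host}:{port}"))
    return findings


# Constructed sample telemetry in a Sysmon-like shape: e1/e2 are benign developer
# activity, e3-e5 mirror the behaviour described in the report.
FW = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create", "image": FW + r"\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"id": "e2", "type": "network_connect", "image": FW + r"\MSBuild.exe",
     "dest_host": "api.nuget.org", "dest_port": 443},
    {"id": "e3", "type": "process_create", "image": FW + r"\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": "e4", "type": "process_create", "image": FW + r"\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"id": "e5", "type": "network_connect", "image": FW + r"\InstallUtil.exe",
     "dest_host": "node01.ddns-placeholder.test", "dest_port": 8443},
]
```

Running `detect(SAMPLE_EVENTS)` flags e3, e4 and e5 and leaves the two developer events alone; in practice the parent and port allow-lists would be tuned to what is normal in the environment.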
The malware also collected system and hardware information from infected machines, including CPU identifiers, installed antivirus products, motherboard details, and graphics hardware made by Nvidia and AMD.
The entire operation appears structured for long-term unauthorized access, as persistence mechanisms repeatedly restart malicious processes after system reboots or shutdowns.
Unfortunately, Huntress did not conclusively identify the final operational objective. However, the structure suggests preparations for extensive remote intrusion activities.