Advanced Malspam Campaign Leverages Google DoubleClick to Bypass Enterprise Security

A highly sophisticated malspam campaign has been identified targeting enterprise environments by weaponizing Google’s DoubleClick ad-tracking infrastructure. By routing malicious redirects through this high-reputation domain, the attackers successfully bypass traditional Secure Email Gateways (SEGs) and URL reputation filters that inherently trust Google-owned assets.

Technical analysis conducted by Huntress reveals a complex, five-stage infection chain designed to perform environmental reconnaissance, dismantle local EDR/AV protections, and ultimately deploy process-hollowed payloads.

The Attack Vector: Reputation Hijacking and Dynamic Lures

[Figure: Attack path diagram. Visual representation of the multi-stage attack path. (Source: Huntress)]

The intrusion begins with a malicious HTML attachment, often localized (e.g., Bestellung_2026.html). When the file is opened in a browser, a zero-second meta-refresh redirects the browser to a legitimate ad.doubleclick[.]net URL. The transition is seamless to the user and appears benign to most automated security scanners, which see only a request to a trusted Google-owned host.

Once the redirect is complete, the infrastructure performs “on-the-fly” personalization. The page parses the victim’s email address directly from the URL fragment and dynamically reconstructs a convincing corporate environment. It achieves this by pulling real-time branding assets, such as company logos, from third-party services like Clearbit, logo.dev, and Google Favicons. Because nothing is hardcoded, the same page serves any target organization, so the campaign scales without changes to the core codebase.

To further mask its intent, the page leverages ipapi[.]co to display the victim’s actual city and local time. If the script fails to detect a specific email fragment, it silently redirects the user to Bing, a tactic specifically designed to frustrate automated sandbox analysis engines.
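The two lure traits described above are both checkable before a user ever opens the attachment. The following Python script is an added example written for this article (it is not code from the article or from Huntress): it parses the `<meta http-equiv="refresh">` tags of an HTML attachment, flags a zero-second redirect, flags the ad.doubleclick.net host named in the article, and flags an email address carried in the URL fragment, which never reaches the server and so is invisible to gateways that only inspect the request line. The sample HTML, the URL path and query, and the email address are constructed placeholders, not values observed in the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# High-reputation redirector hosts whose presence in an attachment warrants review.
# Only ad.doubleclick.net is named in the article; extend the set for your environment.
TRUSTED_REDIRECTOR_HOSTS = {"ad.doubleclick.net"}

# Matches the content attribute of <meta http-equiv="refresh">, e.g. "0; url=https://..."
META_REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class MetaRefreshExtractor(HTMLParser):
    """Collects (delay_seconds, url) pairs from <meta http-equiv="refresh"> tags."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = META_REFRESH_RE.match(a.get("content", ""))
        if m:
            self.refreshes.append((int(m.group(1)), m.group(2).strip()))


def analyze_html_attachment(html_text):
    """Return a list of finding strings for one HTML attachment body."""
    parser = MetaRefreshExtractor()
    parser.feed(html_text)
    findings = []
    for delay, url in parser.refreshes:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if delay == 0 and parsed.scheme in ("http", "https"):
            findings.append(f"zero-second meta-refresh to {host}")
        if host in TRUSTED_REDIRECTOR_HOSTS:
            findings.append(f"redirect via high-reputation ad host {host}")
        # The fragment is never transmitted to the server, so a gateway that
        # only inspects the outgoing request misses the identity carried there.
        if EMAIL_RE.search(unquote(parsed.fragment)):
            findings.append("email address carried in URL fragment (personalized lure)")
    return findings


# Constructed sample modelled on the technique; the path, query and address
# are placeholders and not indicators from the campaign.
SAMPLE_LURE = """<!DOCTYPE html><html><head>
<meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/PLACEHOLDER/redirect?x=1#victim@example.com">
<title>Bestellung</title></head><body>Loading...</body></html>"""

if __name__ == "__main__":
    for finding in analyze_html_attachment(SAMPLE_LURE):
        print("FINDING:", finding)
```

A benign attachment with no refresh tag, or a delayed refresh to an ordinary site, produces no findings; an attachment that trips the zero-second and fragment checks together is the pattern worth quarantining for analyst review.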

The Infection Chain: From JScript to Process Hollowing

The transition from lure to infection occurs when the user clicks a fraudulent “Download PDF” button, which instead delivers a ZIP archive containing a heavily obfuscated JScript file. The subsequent stages are as follows:

  1. Initial Dropper: The JScript moves to C:\Users\Public\, repairs a Base64-encoded blob, and drops an encoded PowerShell script.
  2. Defensive Tripwire: The PowerShell stager performs connectivity checks and aggressively scans for debugging and analysis tools such as Wireshark, Any.Run, or OllyDbg. If a sandbox environment is detected, the script executes Restart-Computer -Force, effectively killing the analysis session by rebooting the host.
  3. The .NET Loader: Once the environment is deemed “safe,” a .NET loader is pulled from an attacker-controlled server. This component is the most aggressive, performing low-level system tampering.
[Figure: Malicious HTML attachment. Example of the malicious HTML lure. (Source: Huntress)]

This loader targets the core of Windows security. It patches the Antimalware Scan Interface (AMSI) at the native API level, specifically targeting NtManageHotPatch on Windows 11 24H2 builds, and silences Event Tracing for Windows (ETW) by patching EtwEventWrite within ntdll.dll. By neutralizing these telemetry streams, the malware leaves the operating system’s security tooling effectively blind to its subsequent activity.

Finally, the loader establishes persistence via RunOnce registry keys disguised with NVIDIA-themed naming conventions. It utilizes RunPE process hollowing to inject its final payload into legitimate, Microsoft-signed processes such as InstallUtil.exe or MSBuild.exe, making detection via standard process monitoring extremely difficult.

Huntress researchers noted that Command and Control (C2) communication is conducted over raw TCP (port 7211) to DDNS-based servers using AES-encrypted payloads. Interestingly, during its initial beaconing phase, the malware utilizes WMI to enumerate the host’s GPU hardware (specifically NVIDIA and AMD).

Indicators of Compromise (IoCs)

Indicator | Type | Description
xtadts.ddns[.]net / afxwd.ddns[.]net (port 7211) | C2 domain | Active loader C2 servers using DDNS for rapid IP rotation.
pengajian.muliastudy[.]com/images/edu/u.php | URL | Direct endpoint for the malicious ZIP archive delivery.
catalogo.castrouria[.]com | Domain | Host for bl.txt (the packed loader for injection).
%USERPROFILE%\AppData\LocalLow\LocalLow Windows\Program Rules\Program Rules NVIDEO\ | File path | NVIDIA-themed staging directory used for persistence.
D5B7247C...64759B5 (and 4 siblings) | SHA-256 | Hardcoded C2 TLS certificate pins.
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ...) | User-Agent | Anomalous IE8 User-Agent used for payload retrieval.

Security Note: Domains have been defanged to prevent accidental execution.

Recommended Mitigation Strategies

  • Endpoint Hardening: Use Group Policy to configure script files (.js, .vbs, .hta) to open in Notepad by default, preventing accidental execution.
  • Advanced Email Security: Ensure your email gateway utilizes deep attachment sandboxing and link rewriting that can follow redirects into high-reputation domains.
  • Behavioral Monitoring: Create SIEM alerts for wscript.exe spawning encoded PowerShell processes, particularly from the C:\Users\Public\ directory.
  • Process Auditing: Monitor for script files executing as child processes of explorer.exe or unexpected MSBuild.exe activity.
  • Email Authentication: Enforce strict SPF, DKIM, and DMARC policies to mitigate the effectiveness of initial spoofing attempts.
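The behavioral-monitoring and process-auditing recommendations above translate directly into detection logic. The following Python script is an added example, not code from the article or from Huntress: it evaluates process-creation events (fields in the style of Sysmon Event ID 1) against three rules drawn from the list above: a script host spawning PowerShell with an encoded command, noting when it runs from C:\Users\Public; a script host launched as a child of explorer.exe; and MSBuild.exe or InstallUtil.exe spawned by a scripting or shell parent. It also decodes the -EncodedCommand payload (UTF-16LE Base64) so the alert carries analyst-readable context. The sample events, file names and the encoded command are constructed for illustration.

```python
import base64
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBIN_HOSTS = {"msbuild.exe", "installutil.exe"}
SHELL_PARENTS = SCRIPT_HOSTS | {"powershell.exe", "pwsh.exe", "cmd.exe"}

# PowerShell accepts unambiguous prefixes of -EncodedCommand; cover the common ones.
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed: a harmless command encoded the way PowerShell expects (UTF-16LE, Base64).
ENC = base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode()

# Constructed process-creation events; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Bestellung_2026.js"',
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENC,
     "CurrentDirectory": r"C:\Users\Public"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "MSBuild.exe",
     "CurrentDirectory": r"C:\Users\Public"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "WINWORD.EXE",
     "CurrentDirectory": r"C:\Users\alice"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def evaluate_event(ev):
    """Return a list of (rule_name, detail) tuples that fire for one event."""
    img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cwd = ev.get("CurrentDirectory", "").lower()
    hits = []
    # Rule 1: script host launching encoded PowerShell, flagged louder from C:\Users\Public
    if parent in SCRIPT_HOSTS and img == "powershell.exe":
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is not None:
            detail = f"{parent} -> encoded PowerShell"
            if cwd.startswith(r"c:\users\public"):
                detail += " from C:\\Users\\Public"
            hits.append(("script_host_encoded_powershell", f"{detail}: {decoded!r}"))
    # Rule 2: script file executed as a child of explorer.exe (user double-click)
    if parent == "explorer.exe" and img in SCRIPT_HOSTS:
        hits.append(("script_host_from_explorer", ev["CommandLine"]))
    # Rule 3: MSBuild/InstallUtil spawned by a scripting or shell parent
    if img in LOLBIN_HOSTS and parent in SHELL_PARENTS:
        hits.append(("lolbin_from_script_parent", f"{parent} -> {img}"))
    return hits


def scan(events):
    """Apply the rules to every event; returns (event_index, rule_name, detail) tuples."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in evaluate_event(ev)]


if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Run against the four constructed events, the script fires once each for the explorer-launched script host, the encoded PowerShell stage, and the MSBuild child, and stays silent on the ordinary Word launch. In a SIEM the same three conditions map onto one rule per bullet above, with the decoded command attached to the alert.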
