
Hackers are routing malware through Google’s own ad servers, and most security tools have never seen it coming




  • Google’s ad domain became the perfect cover for a malware delivery chain
  • The malware rebuilt fake company pages using real logos pulled live online
  • Five attack stages ran almost entirely in memory, leaving few traces on disk

Cybersecurity researchers are warning about a malware campaign that routes its victims through Google’s ad infrastructure to disguise malicious activity.

Research from Huntress found the operation begins with malicious spam emails carrying HTML attachments designed to redirect users toward a carefully layered infection chain.

The campaign drew attention because the redirect chain initially passed through ad.doubleclick.net, a legitimate Google-owned ad and tracking domain that security systems widely trust.


The malware chain hides behind trusted infrastructure

This routing matters because many email gateways and web filters rarely treat Google ad domains as suspicious destinations, so a redirect that passes through one is far less likely to be blocked.

The HTML attachment itself contained almost no meaningful content beyond a hidden redirect that forwarded victims toward additional attacker-controlled infrastructure.
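The page does not say how the doubleclick hop was constructed, but the pattern described (a near-empty HTML attachment whose only purpose is to bounce the victim through a trusted domain on the way to attacker infrastructure) is something a mail gateway can look for. The following is an added example, not Huntress's code or anything from the campaign: it pulls redirect targets out of an HTML attachment and flags any that go through a trusted redirector host while carrying a second URL inside them. The redirector list, the `dest=` parameter and the sample attachment are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qsl, unquote

# Hosts that mail and web filters tend to trust. ad.doubleclick.net is the one
# named in the Huntress research; the others are assumptions for illustration.
TRUSTED_REDIRECTORS = {"ad.doubleclick.net", "www.google.com", "t.co"}

# <meta http-equiv="refresh" content="0;url=...">
META_REFRESH = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)
# window.location = "...", location.href = "...", location.replace("...")
JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*"
    r"(?:=|\.replace\s*\(|\.assign\s*\()\s*['\"]([^'\"]+)['\"]",
    re.I,
)


class _RedirectCollector(HTMLParser):
    """Collect redirect targets from meta-refresh tags and inline scripts."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH.match(a.get("content") or "")
            if m:
                self.targets.append(m.group(1))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.targets.extend(JS_LOCATION.findall(data))


def embedded_urls(url):
    """Return any URLs nested inside `url` (query values first, then the path)."""
    parsed = urlparse(url)
    nested = [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)
              if v.lower().startswith(("http://", "https://"))]
    if not nested:
        path = unquote(parsed.path)
        nested = [path[m.start():] for m in re.finditer(r"https?://", path, re.I)]
    return nested


def analyze_attachment(html):
    """Return one finding per redirect target found in an HTML attachment."""
    collector = _RedirectCollector()
    collector.feed(html)
    findings = []
    for target in collector.targets:
        host = (urlparse(target).hostname or "").lower()
        nested = embedded_urls(target)
        if host in TRUSTED_REDIRECTORS and nested:
            verdict = "trusted-domain-laundered-redirect"  # the pattern on this page
        elif nested:
            verdict = "nested-redirect"
        else:
            verdict = "redirect"
        findings.append({"target": target, "host": host,
                         "final_destinations": nested, "verdict": verdict})
    return findings


# Constructed sample attachment: both redirect styles bounce through the ad
# domain and carry the real destination URL-encoded in a query parameter.
SAMPLE_ATTACHMENT = """<!doctype html><html><head>
<meta http-equiv="refresh" content="0;url=https://ad.doubleclick.net/click?dest=https%3A%2F%2Finvoice-portal.example%2Fview%3Fid%3D77">
</head><body>
<script>setTimeout(function(){ window.location.href = "https://ad.doubleclick.net/click?dest=https%3A%2F%2Finvoice-portal.example%2Fview%3Fid%3D77"; }, 500);</script>
</body></html>"""

if __name__ == "__main__":
    for f in analyze_attachment(SAMPLE_ATTACHMENT):
        print(f["verdict"], f["host"], "->", f["final_destinations"])
```

Two design notes. The verdict keys on the combination of a trusted host and a nested destination, not on the host alone, because blocking every link to an ad domain would be noisy and because the same pattern on an untrusted host is already caught by ordinary URL filtering. And the script-scanning regex is deliberately narrow; obfuscated JavaScript will evade it, which is exactly why a gateway check like this belongs alongside, not instead of, the in-memory telemetry discussed later in the article.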

Once a user opened the page, it rebuilt itself dynamically at runtime from details extracted from the recipient’s email address.

If the user then downloads the archive, the infection chain shifts rapidly from social engineering to concealed malware execution inside Windows.

The downloaded files rely on JScript, PowerShell, reflective .NET loading, and in-memory execution methods designed to reduce detection.

Several stages execute directly in memory, so the malware leaves few of the file artefacts that disk-based scanning would normally catch.

The lure is convincing because the campaign goes the extra mile to generate custom branding, automatically pulling the target company’s logo from online sources.

It also gathers location details and local time information, helping the fraudulent pages appear more believable to recipients.

Researchers say the malware focused heavily on stealth

Huntress identified a five-stage sequence: HTML redirects, JScript loaders, PowerShell scripts, .NET components, and a final stage that deploys a concealed payload.

The malware checks for debugging environments, sandbox systems, and forensic analysis tools before continuing its execution sequence.

If it detects any of these, it terminates immediately and in some cases forces the infected system to restart without warning.

Furthermore, the malware blinds Windows security monitoring by modifying the native APIs behind AMSI and ETW, cutting off the script-scanning and telemetry feeds that endpoint tools rely on.

It then attempts to hide by injecting malicious code into legitimate Microsoft-signed utilities, including InstallUtil.exe and MSBuild.exe.

This technique lets the operation blend its malicious behaviour into trusted Windows processes that enterprise security tooling generally treats as legitimate.
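Because the injection hosts are signed Microsoft binaries, the signature itself says nothing; what gives the technique away is how the process was started. The following added example (not Huntress's detection logic, and not code from the campaign) runs that lineage check over a few constructed Sysmon-style process-creation events: it flags InstallUtil.exe or MSBuild.exe when a script host spawned it, when it was launched with no project or assembly argument, or when its parent lives outside the usual Windows and Program Files paths. The field names follow Sysmon Event ID 1, and the thresholds and sample events are assumptions for illustration.

```python
import json

# Microsoft-signed binaries the article names as injection hosts. Builds and
# installers launch them legitimately too, so lineage, not image name, decides.
INJECTION_HOSTS = {"installutil.exe", "msbuild.exe"}
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: parents under these roots are considered normal; anything else is odd.
EXPECTED_PARENT_ROOTS = (r"c:\windows", r"c:\program files")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def _args_after_exe(cmdline):
    """Return the argument tokens following the executable in a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        rest = cmdline.partition(" ")[2]
    return rest.split()


def flag_process_event(event):
    """Return the reasons a process-create event looks like an injected utility.

    An empty list means the event is not interesting.
    """
    image = _basename(event.get("Image", ""))
    if image not in INJECTION_HOSTS:
        return []
    reasons = []
    parent_path = event.get("ParentImage", "")
    parent = _basename(parent_path)
    if parent in SCRIPT_PARENTS:
        reasons.append(f"{image} spawned by script host {parent}")
    # An injection target is typically started bare; a real build or install
    # passes a project file or assembly on the command line (assumption).
    if not _args_after_exe(event.get("CommandLine", "")):
        reasons.append(f"{image} launched with no arguments")
    parent_dir = _dirname(parent_path)
    if parent_dir and not parent_dir.startswith(EXPECTED_PARENT_ROOTS):
        reasons.append(f"parent runs from non-standard path {parent_dir}")
    return reasons


def scan_events(lines):
    """Run flag_process_event over JSON lines and collect the hits."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        reasons = flag_process_event(ev)
        if reasons:
            findings.append({"pid": ev.get("ProcessId"), "image": ev.get("Image"),
                             "reasons": reasons})
    return findings


# Constructed sample events in the shape of Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: Visual Studio building a project.
    r'{"ProcessId": 1200, "Image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe", "CommandLine": "\"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe\" /nologo Contoso.csproj"}',
    # Suspicious: PowerShell starts a bare InstallUtil.exe.
    r'{"ProcessId": 4412, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe\""}',
    # Suspicious: an executable in a user-writable folder starts a bare MSBuild.exe.
    r'{"ProcessId": 5120, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Users\\Public\\update.exe", "CommandLine": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"}',
    # Unrelated process, ignored.
    r'{"ProcessId": 6001, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}',
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["pid"], f["image"], *f["reasons"], sep="\n  ")
```

The same idea carries to other signed hosts (RegSvcs.exe, RegAsm.exe and similar) by extending `INJECTION_HOSTS`, but expect tuning: build agents and some installers do legitimately run these tools from unusual parents, so a production rule should score rather than hard-block, and should pair lineage with the in-memory indicators (AMSI and ETW tampering) the article describes, since an injected process otherwise looks healthy from the outside.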

Its command-and-control infrastructure relies on dynamic DNS services and nonstandard network ports, so the endpoints can be rotated quickly once defenders start blocking them.

The malware also collected hardware details from infected systems, including processor identifiers, installed antivirus products, motherboard information, and graphics hardware from Nvidia and AMD.

The operation appears built for long-term unauthorized access: its persistence mechanisms relaunch the malicious processes after every restart or shutdown.

Huntress did not conclusively identify the final operational objective. However, the structure suggests preparation for extensive remote intrusion activity.


Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.



