- Google’s ad domain became the perfect cover for a malware supply chain
- The malware rebuilt fake company pages using real logos pulled live online
- Five attack phases ran almost entirely inside memory and left almost no traces
Cybersecurity researchers warn of a malware campaign that uses Google’s advertising infrastructure to hide malicious activity.
Research by Huntress showed that the operation begins with malicious spam emails with HTML attachments designed to redirect users towards a carefully layered infection chain.
The campaign attracted attention because the redirect process initially went through ad.doubleclick.net, a legitimate Google-owned advertising and tracking domain that is highly trusted across security systems.
The malware chain hides behind trusted infrastructure
This routing matters because email gateways and web-filtering systems rarely treat Google ad domains as suspicious or potentially malicious destinations.
The attachment itself contained almost no meaningful content beyond a hidden redirect that forwards victims towards additional attacker-controlled infrastructure.
When a user interacted with the page, it rebuilt itself dynamically using data extracted from the recipient’s email address at run time.
If the user downloads the attached archive, the infection chain quickly switches from social engineering techniques to stealthy malware execution inside Windows.
The downloaded files rely on JScript, PowerShell, reflective .NET loading, and in-memory execution methods designed to reduce detection.
The malware avoids leaving behind traditional files while performing multiple steps directly in active memory.
The campaign is unusually convincing because it goes the extra mile to generate custom branding, automatically pulling company logos from online sources.
It also collects location and local time information, which helps the fraudulent pages appear more credible to recipients.
Researchers say the malware focused heavily on stealth
Huntress identified a five-step sequence involving HTML redirects, JScript loaders, PowerShell scripts, .NET components, and additional hidden deployment activities afterward.
The malware searches for debugging environments, sandbox systems, and forensic analysis tools before continuing its execution sequence.
If it detects these tools, it terminates its activity immediately and sometimes forces infected systems to reboot without further warnings.
Additionally, the malware interferes with Windows security monitoring through changes at the native API level that directly affect AMSI and ETW telemetry.
It then tries to hide by injecting malicious code into legitimate Microsoft-signed utilities, including InstallUtil.exe and MSBuild.exe.
This technique lets the operation blend malicious behavior into trusted Windows processes that enterprise security tools recognize as legitimate.
Its communications infrastructure relies on dynamic DNS services and non-standard network ports, so it can change quickly once defensive countermeasures appear.
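One way a defender can surface this stage is to look at process ancestry rather than file signatures: InstallUtil.exe or MSBuild.exe is a legitimate signed binary, but it rarely descends from a script interpreter or starts with no arguments. The following is an added example written for this article, not code from Huntress or TechRadar; the process-creation events are constructed, simplified Sysmon-style records, and the "no arguments" rule is an assumed heuristic.

```python
# Signed .NET utilities the article names as injection hosts.
INJECTION_HOSTS = {"installutil.exe", "msbuild.exe"}
# Script interpreters that precede them in the described chain (JScript -> PowerShell).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}

# Constructed process-creation events (simplified Sysmon Event ID 1 fields); not report data.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\invoice_7731.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmd": "InstallUtil.exe"},
    {"pid": 500, "ppid": 1,   "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmd": "devenv.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmd": "MSBuild.exe WebApp.csproj /t:Build"},
]

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestry(events_by_pid, pid):
    """Image basenames from pid up to the root of the recorded tree (cycle-safe)."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(events_by_pid[pid]["image"]))
        pid = events_by_pid[pid]["ppid"]
    return chain

def find_suspicious_injection_hosts(events):
    """Flag InstallUtil/MSBuild launches that descend from a script host, or that were
    started with no arguments (assumed heuristic: a process used only as a home for
    injected code usually needs none)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = _basename(e["image"])
        if name not in INJECTION_HOSTS:
            continue
        chain = ancestry(by_pid, e["pid"])
        reasons = []
        scripted = [p for p in chain[1:] if p in SCRIPT_HOSTS]
        if scripted:
            reasons.append("spawned under script host(s): " + " <- ".join(scripted))
        if len(e["cmd"].split()) <= 1:
            reasons.append("launched with no arguments")
        if reasons:
            hits.append({"pid": e["pid"], "image": name, "chain": chain, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_injection_hosts(SAMPLE_EVENTS):
        print(hit["pid"], hit["image"], " <- ".join(hit["chain"]), "|", "; ".join(hit["reasons"]))
```

The developer-driven MSBuild launch under devenv.exe is left alone, while the InstallUtil.exe launch under the PowerShell and JScript chain is reported with both reasons.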
The malware also collected hardware details from infected systems, including processor identifiers, antivirus products, motherboard information, and graphics hardware manufactured by Nvidia and AMD.
The entire operation appears to be structured for long-term unauthorized access because persistence mechanisms repeatedly restart malicious processes after system reboots or shutdown events.
Unfortunately, Huntress did not definitively identify the final operational target. However, the structure suggests preparations for extensive remote intrusion activities.