A sophisticated new malspam campaign is actively exploiting Google’s DoubleClick ad-tracking infrastructure to bypass enterprise email security gateways.
Discovered by researchers at Huntress, the attack utilizes highly personalized dynamic lures to initiate a complex, five-stage infection chain that actively dismantles local defenses before deploying process-hollowed payloads.
The attack chain begins with a malicious HTML attachment, commonly named Bestellung_2026.html (German for “order”). Opening the file triggers a zero-second meta-refresh redirect to a legitimate ad.doubleclick[.]net URL.
Because DoubleClick is a high-reputation domain owned by Google, most secure email gateways (SEGs) and URL reputation filters allow the traffic through without further inspection, Huntress said.
Once redirected, the campaign employs on-the-fly personalization to build a highly convincing, dynamically generated lure.
Malspam Campaign Abuses DoubleClick
The page extracts the target’s email address from the URL fragment and reconstructs the employer’s branding by fetching the company logo in real time via Clearbit, logo.dev, and Google Favicons. No organization-specific data is hardcoded, making the infrastructure highly scalable and cheap to operate.
To further establish false legitimacy, the page leverages ipapi[.]co to display the victim’s local time and city. If no email fragment is detected, the page silently redirects to Bing, effectively frustrating automated analysis engines.
Clicking the lure’s “Download PDF” button delivers a ZIP archive containing a heavily obfuscated JScript file. The infection then progresses through five distinct stages: HTML lure, JScript dropper, PowerShell stager, .NET loader, and process-hollowed payload.
Upon execution, the JScript relocates to `C:\Users\Public`, repairs a base64 blob, and drops an encoded PowerShell script. This script acts as a defensive tripwire.
It performs connectivity checks against Google and aggressively hunts for sandbox tooling like Wireshark, any.run, or OllyDbg. If analysis environments are detected, the script executes Restart-Computer -Force to deliberately reboot the host and disrupt triage.
The campaign’s most technically aggressive component is a .NET loader retrieved from an attacker-controlled server. Once the environment is deemed safe, the loader systematically dismantles local security controls.
It patches the Antimalware Scan Interface (AMSI) at the native API level, targeting NtManageHotPatch on Windows 11 24H2 builds, and silences Event Tracing for Windows (ETW) telemetry by patching EtwEventWrite in ntdll.dll.
The loader also disables Microsoft Defender’s real-time protection, establishes persistence via RunOnce registry keys disguised with NVIDIA-themed names, and uses standard RunPE process hollowing to inject the final payload into legitimate, Microsoft-signed processes like InstallUtil.exe or MSBuild.exe.
The Huntress researchers stated that the Command and Control (C2) communication occurs over raw TCP (port 7211) to DDNS-based servers using AES-encrypted messages. During its initial beacon, the malware specifically enumerates attached NVIDIA and AMD GPUs via WMI.
Indicators of Compromise
| Indicator | Type | Description |
|---|---|---|
| xtadts.ddns[.]net / afxwd.ddns[.]net (port 7211) | C2 Domain | Active loader C2 servers; DDNS-based for rapid IP rotation. Block at the firewall and DNS level. |
| pengajian.muliastudy[.]com/images/edu/u.php | URL | Direct payload delivery endpoint serving the malicious ZIP archive. High-confidence block. |
| catalogo.castrouria[.]com | Domain | Serves bl.txt (packed loader injected into InstallUtil.exe / MSBuild.exe). |
| %USERPROFILE%\AppData\LocalLow\LocalLow Windows\Program Rules\Program Rules NVIDEO | File Path | NVIDIA-themed staging directory. Reliable host-based hunting artifact. |
| D5B7247C...64759B5 (+ 4 sibling hashes) | SHA-256 | Hardcoded C2 TLS certificate pins. Fingerprint loader traffic at the network layer. |
| Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64...) | User-Agent | Hardcoded IE8 UA used for payload retrieval; anomalous in any modern environment, an easy SIEM rule. |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Mitigation
- Configure Group Policy to force script files (`.js`, `.vbs`, `.hta`) to open in Notepad by default, neutralizing execution without user action.
- Deploy email gateway sandboxing capable of inspecting attachments and links prior to delivery.
- Alert on `wscript.exe` spawning encoded PowerShell from the `C:\Users\Public` directory.
- Monitor for script files executing as child processes of `explorer.exe`.
- Implement strong SPF, DKIM, and DMARC policies to reduce exposure to spoofing.
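The two process-lineage alerts above and the anomalous IE8 User-Agent from the IoC table, expressed as detection logic over sample telemetry. This is an added example written for this article, not Huntress tooling; the events are constructed in Sysmon-style field names, and the base64 string, account name and proxy URL are placeholders.

```python
import re

# Constructed sample events using Sysmon-style field names; not taken from the Huntress report.
# Events 0 and 1 are benign; events 2, 3 and 4 each trigger one of the rules described above.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'notepad.exe "C:\Users\alice\notes.txt"', "CurrentDirectory": r"C:\Users\alice"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1", "CurrentDirectory": r"C:\Scripts"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\Bestellung_2026.js"', "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA==", "CurrentDirectory": r"C:\Users\Public"},
    {"EventType": "web_proxy", "Url": "http://example.invalid/u.php",  # placeholder URL, not the campaign's
     "UserAgent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0)"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXT_RE = re.compile(r"\.(?:js|jse|vbs|vbe|hta|wsf)\b", re.IGNORECASE)
ENCODED_PS_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE)
IE8_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64"  # hardcoded UA from the IoC table

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the rules this single event matches (empty list if none)."""
    hits = []
    parent, image = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    cmd, cwd = event.get("CommandLine", ""), event.get("CurrentDirectory", "").lower()
    # Rule 1: wscript.exe launching encoded PowerShell out of C:\Users\Public
    if (parent == "wscript.exe" and image in ("powershell.exe", "pwsh.exe")
            and ENCODED_PS_RE.search(cmd) and (cwd.startswith(r"c:\users\public") or r"c:\users\public" in cmd.lower())):
        hits.append("wscript_encoded_powershell_public")
    # Rule 2: a script host started by explorer.exe with a script-file argument (user double-clicked the dropper)
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and SCRIPT_EXT_RE.search(cmd):
        hits.append("explorer_spawned_script_host")
    # Rule 3: the campaign's hardcoded IE8 User-Agent showing up in web proxy telemetry
    if event.get("UserAgent", "").startswith(IE8_UA_PREFIX):
        hits.append("anomalous_ie8_user_agent")
    return hits

def triage(events):
    """Map each rule name to the indexes of the events that triggered it."""
    findings = {}
    for idx, event in enumerate(events):
        for rule in evaluate(event):
            findings.setdefault(rule, []).append(idx)
    return findings
```

Calling `triage(SAMPLE_EVENTS)` flags events 2, 3 and 4 under one rule each and leaves the two benign events untouched.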