Cybercriminals have found a new way to sneak malware past email security tools, and this time they are hiding behind a name that most systems trust without question.
A recent malspam campaign has been caught using Google’s own DoubleClick ad-tracking infrastructure to route victims toward a fileless .NET loader, a type of malware that runs almost entirely in memory and leaves very little trace behind for investigators.
Malspam, short for malicious spam, has been a go-to method for attackers for years. It typically involves sending emails with booby-trapped attachments or links designed to start an infection the moment someone clicks.
What sets this campaign apart is how cleverly the attackers disguised the early stages to avoid triggering alarms, leaning on real, high-reputation web services as cover throughout the delivery chain.
Researchers at Huntress identified this campaign in May 2026 after their SOC team responded to a .NET loader infection.
Huntress said in a report shared with Cyber Security News (CSN) that the attack begins with a malspam email carrying a malicious HTML file named Bestellung_2026.html, which is German for “purchase order,” suggesting the attackers may have specifically targeted German-speaking businesses.
The HTML attachment contains a zero-second meta-refresh redirect that silently pushes the victim’s browser to a Google DoubleClick click-tracking URL on ad.doubleclick[.]net.

Since this is a legitimate, widely trusted Google-owned domain, most email gateways and URL-reputation filters do not flag it. By the time the victim reaches attacker-controlled infrastructure, the most suspicious part of the chain is already well behind them.
What follows is a personalized lure page that reads the victim’s email from the URL, pulls in the company logo live, and shows the viewer’s city and local time to feel convincing.
The victim sees a button to download what looks like a PDF, but clicking it delivers a ZIP archive containing the real payload instead.
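The first hop in that chain is something a mail gateway can inspect before delivery: an HTML attachment whose only job is a zero-second meta-refresh to a trusted click-tracking host. The following is an added example, not code from Huntress or from the article, that flags such attachments and pulls out any destination URL nested in the redirector's query string; the sample HTML, the `dest=` parameter name and the lure hostname are constructed for illustration.

```python
"""Flag HTML attachments that bounce the reader through a trusted
click-tracking domain via a zero-second meta-refresh."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# ad.doubleclick.net is the redirector named in the report; extend this set
# with other high-reputation click trackers your environment sees (assumption).
REDIRECTOR_HOSTS = {"ad.doubleclick.net"}

# Matches content="0;url=https://..." in any of its common spellings.
REFRESH_RE = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.I)


class MetaRefreshParser(HTMLParser):
    """Collects (delay_seconds, url) from every <meta http-equiv=refresh>."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = REFRESH_RE.match(a.get("content", ""))
        if m:
            self.refreshes.append((int(m.group(1)), m.group(2).strip()))


def analyze_html(html: str) -> dict:
    """Return a verdict plus one finding per meta-refresh in the attachment."""
    parser = MetaRefreshParser()
    parser.feed(html)
    findings = []
    for delay, url in parser.refreshes:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if delay == 0:
            reasons.append("zero-second refresh")
        if host in REDIRECTOR_HOSTS:
            reasons.append(f"bounces through trusted redirector {host}")
        # Heuristic: a nested destination is any query value that is itself a URL.
        embedded = [v for _, v in parse_qsl(parts.query)
                    if v.lower().startswith(("http://", "https://"))]
        findings.append({"delay": delay, "host": host,
                         "embedded": embedded, "reasons": reasons})
    verdict = "suspicious" if any(f["reasons"] for f in findings) else "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed sample mimicking the lure's behaviour (not the real attachment).
SAMPLE = ('<html><head><meta http-equiv="refresh" content="0;url='
          'https://ad.doubleclick.net/click?dest=https://lure.example/'
          '?e=victim%40example.com"></head><body></body></html>')
```

Running `analyze_html` over attachments at the gateway gives the URL-reputation filter the nested destination to score, rather than the DoubleClick host it would otherwise wave through.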
Malspam Attack Uses Google DoubleClick Redirects
The ZIP contains a JScript file that serves as the first stage of a five-step infection chain. The script relocates itself to a stable directory, then decodes and drops an obfuscated PowerShell script.
The PowerShell stage downloads a .NET loader from a remote server; the loader runs entirely in memory, loaded via .NET reflection.

The loader injects itself into legitimate, Microsoft-signed system tools like InstallUtil.exe or MSBuild.exe, giving it cover under processes that Windows itself fully trusts.

At no point does the main payload write a recognizable malicious file to disk, making it extremely difficult for traditional antivirus tools to detect.
Defense Evasion and Persistence Techniques
Once inside a trusted process, the loader works to blind Windows’ built-in defenses. It patches both AMSI and ETW, the two main telemetry engines Windows relies on to spot suspicious behavior, at the native memory level.
Security tools that depend on those systems stop receiving useful signals before the attacker has even established persistence on the machine.
The loader then sets up persistence through Windows registry Run keys and scheduled tasks, using NVIDIA-themed folder names to blend in with what looks like routine driver activity.
It communicates with two command-and-control servers over a non-standard port using AES encryption, and can pull down additional payloads or execute commands entirely from memory.
Huntress recommends that organizations configure a Group Policy Object to force script file types like .js, .vbs, and .hta to open in Notepad by default rather than execute.
Deploying email authentication controls including SPF, DKIM, and DMARC, along with a gateway that sandboxes attachments before delivery, can stop this chain at the first stage.
Regular phishing awareness training also remains critical, since the human layer is still the most consistently exploited entry point in campaigns like this.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| File | Bestellung_2026.html | Malicious HTML attachment |
| Domain | fostercareintheus.optimizationprime[.]com | Redirector stage |
| Domain | bth.startthewave[.]org | Delivery kit host |
| URL | pengajian.muliastudy[.]com/images/edu/u.php | Serves the ZIP archive payload |
| File | A021185521S210008-11521.zip | Delivery ZIP archive served by malspam kit |
| File | A021185521S210008-11521.js | JavaScript loader |
| File | ktncm.js | JavaScript loader (relocated copy) |
| File | zkrbx.txt | Staging file |
| File | gglhn.txt | Staging file |
| File | nlbzl.ps1 | PowerShell dropper |
| File | shmvg_01.ps1 | PowerShell stager |
| Domain | andrefelipedonascime1778799406970.2241107.meusitehostgator[.]com[.]br | Serves 01.txt, 02.txt, 03.txt staging files |
| Path | %USERPROFILE%\AppData\LocalLow\LocalLow Windows\Program Rules\Program Rules NVIDEO | Loader’s NVIDIA-themed staging directory |
| Domain | catalogo.castrouria[.]com | Serves bl.txt (packed loader) |
| SHA-256 | D5B7247C497788CF0031CEB06E3DF77A45FEF59F1E49633DC7159816D64759B5 | C2 certificate pin |
| SHA-256 | C61B1941CF756EB7551F7C661743802362728B785ADC22E860D269713DFB01A6 | C2 certificate pin |
| SHA-256 | C356AFF1A01C2B0DA472E584C8E3C8F875B9A24280435D42836A77B19F5A8C18 | C2 certificate pin |
| SHA-256 | F1C3EBE78BD8C38559BF3CFCC9A9FA37D221E31780774A3787E26160A61F5348 | C2 certificate pin |
| SHA-256 | E91FB249AA97BE5C7931E430781167EDFE7BA804720B5F643E6AB70B7E6E74DD | C2 certificate pin |
| Domain | xtadts.ddns[.]net | Loader’s C2 server 1 |
| Domain | afxwd.ddns[.]net | Loader’s C2 server 2 |
| Port | 7211 | C2 communication port |
| String | P@55w0rd! | Hardcoded AES password for C2 comms derivation via PBKDF2 |
| User-Agent | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0…) | Hardcoded IE8 User-Agent used by loader for payload retrieval |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.