Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Cybercriminals have found a new way to sneak malware past email security tools, and this time they are hiding behind a name that most systems trust without question.

A recent malspam campaign has been caught using Google’s own DoubleClick ad-tracking infrastructure to route victims toward a fileless .NET loader, a type of malware that runs almost entirely in memory and leaves very little trace behind for investigators.

Malspam, short for malicious spam, has been a go-to method for attackers for years. It typically involves sending emails with booby-trapped attachments or links designed to start an infection the moment someone clicks.

What sets this campaign apart is how cleverly the attackers disguised the early stages to avoid triggering alarms, leaning on real, high-reputation web services as cover throughout the delivery chain.

Researchers at Huntress identified this campaign in May 2026 after their SOC team responded to a .NET loader infection.

Huntress said in a report shared with Cyber Security News (CSN) that the attack begins with a malspam email carrying a malicious HTML file named Bestellung_2026.html, which is German for “purchase order,” suggesting the attackers may have specifically targeted German-speaking businesses.

The HTML attachment contains a zero-second meta-refresh redirect that silently pushes the victim’s browser to a Google DoubleClick click-tracking URL on ad.doubleclick[.]net.

Attack path (Source – Huntress)

Since this is a legitimate, widely trusted Google-owned domain, most email gateways and URL-reputation filters do not flag it. By the time the victim reaches attacker-controlled infrastructure, the most suspicious part of the chain is already well behind them.
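The HTML stage described above is small enough to check mechanically at the mail gateway. The following Python script is an added defensive example, not tooling from Huntress or from this article: it pulls every `<meta http-equiv="refresh">` out of an attachment, flags zero-delay redirects, and, when the redirect goes through a known click-tracking host, unwraps the landing URL so the reputation check is applied to the real destination rather than to the trusted intermediary. The sample attachment is constructed; the tracker host list and the assumption that the landing page travels in an `adurl=` parameter or as the raw query string are mine.

```python
"""Flag zero-delay meta-refresh redirects in HTML e-mail attachments.

Added example (not Huntress's or the article's code). The sample attachment
below is constructed to mirror the shape of the chain described above.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Click-tracking hosts whose URLs wrap a further landing page. Assumption: the
# landing page is carried in an `adurl=` parameter or as the raw query string.
TRACKER_HOSTS = {"ad.doubleclick.net"}

# "<delay>;url=<target>" as written in a meta refresh content attribute.
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.I)


class MetaRefreshCollector(HTMLParser):
    """Collects the content attribute of every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh":
            self.refreshes.append(a.get("content", ""))


def unwrap_tracker(url):
    """Return the landing URL hidden behind a known click-tracker, else None."""
    p = urlparse(url)
    if (p.hostname or "").lower() not in TRACKER_HOSTS:
        return None
    params = parse_qs(p.query)
    if "adurl" in params:
        return params["adurl"][0]
    if p.query.lower().startswith("http"):
        return unquote(p.query)
    return None


def analyze_attachment(html_text):
    """Return one finding per meta refresh: delay, hosts, and a suspicion flag."""
    collector = MetaRefreshCollector()
    collector.feed(html_text)
    findings = []
    for content in collector.refreshes:
        m = REFRESH_RE.match(content)
        if not m:
            continue
        delay, target = int(m.group(1)), m.group(2).strip()
        host = (urlparse(target).hostname or "").lower()
        landing = unwrap_tracker(target)
        findings.append({
            "delay": delay,
            "redirect_host": host,
            "via_tracker": landing is not None,
            # Reputation checks should run against the unwrapped destination.
            "final_host": (urlparse(landing).hostname or "").lower() if landing else host,
            # An attachment whose only job is to bounce the browser elsewhere
            # the instant it opens is the pattern this campaign relied on.
            "suspicious": delay == 0 and bool(host),
        })
    return findings


# Constructed samples (hosts and addresses are placeholders, not the real IoCs).
SAMPLE_MALICIOUS = (
    '<html><head><meta http-equiv="refresh" content="0;url=https://ad.doubleclick.net/'
    'ddm/clk/111;222?adurl=https://redirector.example/lure?e=anna%40victim.example">'
    '</head><body></body></html>'
)
SAMPLE_BENIGN = "<html><body><p>Your order confirmation is attached.</p></body></html>"

if __name__ == "__main__":
    for name, doc in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_attachment(doc))
```

Run against the constructed malicious sample, the checker reports a zero-second redirect whose visible host is the tracker but whose unwrapped landing host is the redirector, which is the value a gateway should score; the benign sample yields no findings.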

What follows is a personalized lure page that reads the victim’s email from the URL, pulls in the company logo live, and shows the viewer’s city and local time to feel convincing.

The victim sees a button to download what looks like a PDF, but clicking it delivers a ZIP archive containing the real payload instead.


The ZIP contains a JScript file that serves as the first stage of a five-step infection chain. The script relocates itself to a stable directory, then decodes and drops an obfuscated PowerShell script.

The dropper checks whether the machine is online and, if it appears to be offline, forces a reboot rather than simply exiting. It also scans for known analysis tools such as Wireshark and any.run and reboots the machine if any are found, a deliberate move to frustrate security researchers.

The PowerShell stage downloads a .NET loader from a remote server, which runs entirely in memory using .NET reflection.

Malicious HTML attachment (Source – Huntress)

The loader injects itself into legitimate, Microsoft-signed system tools like InstallUtil.exe or MSBuild.exe, giving it cover under processes that Windows itself fully trusts.

Contents of A021185521S210008-11521.js (Source – Huntress)

At no point does the main payload write a recognizable malicious file to disk, making it extremely difficult for traditional antivirus tools to detect.

Defense Evasion and Persistence Techniques

Once inside a trusted process, the loader works to blind Windows’ built-in defenses. It patches both AMSI and ETW, the two main telemetry engines Windows relies on to spot suspicious behavior, at the native memory level.

Security tools that depend on those systems stop receiving useful signals before the attacker has even established persistence on the machine.

The loader then sets up persistence through Windows registry Run keys and scheduled tasks, using NVIDIA-themed folder names to blend in with what looks like routine driver activity.
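Two of the stages above leave telemetry that survives the AMSI/ETW patching because it is recorded by the kernel-side Sysmon driver rather than by the patched process: the process lineage (script host launching PowerShell, PowerShell launching InstallUtil.exe or MSBuild.exe) and the Run-key writes used for persistence. The following Python triage script is an added example, not Huntress's detection content or the article's: it walks constructed Sysmon-style process-creation (EventID 1) and registry-value-set (EventID 13) events and reports both patterns. Rule names, user names, SIDs, paths and the sample events are all constructed.

```python
"""Triage Sysmon-style events for the process chain and Run-key persistence
described above. Added example; rules and sample events are constructed."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SIGNED_DOTNET_HOSTS = {"installutil.exe", "msbuild.exe"}
# Autostart locations under HKLM/HKU ...\CurrentVersion\Run and \RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Paths a standard user can write to; persistence pointing here deserves a look.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP)%", re.I)


def _image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def classify_process(ev):
    """EventID 1: parent/child pairs that match stages of the chain."""
    image = _image_name(ev.get("Image"))
    parent = _image_name(ev.get("ParentImage"))
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        return "script host spawned PowerShell (JScript stage handing off to dropper)"
    if parent in POWERSHELL and image in SIGNED_DOTNET_HOSTS:
        return "PowerShell spawned signed .NET host (candidate in-memory loader injection)"
    return None


def classify_registry(ev):
    """EventID 13: Run-key values that launch a script engine or a user-writable path."""
    if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    cmd = ev.get("Details", "")
    lowered = cmd.lower()
    launches_script = any(h in lowered for h in SCRIPT_HOSTS | POWERSHELL)
    if launches_script or USER_WRITABLE_RE.search(cmd):
        return "Run-key persistence launching a script engine or user-writable path"
    return None


def triage(events):
    """Return (UtcTime, verdict) for every event that matches a rule."""
    hits = []
    for ev in events:
        verdict = None
        if ev.get("EventID") == 1:
            verdict = classify_process(ev)
        elif ev.get("EventID") == 13:
            verdict = classify_registry(ev)
        if verdict:
            hits.append((ev["UtcTime"], verdict))
    return hits


# Constructed events (placeholder user, SID and paths; not the campaign's real values).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-05-12 08:01:10", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "UtcTime": "2026-05-12 08:01:12", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": PS},
    {"EventID": 1, "UtcTime": "2026-05-12 08:01:20", "ParentImage": PS,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"},
    {"EventID": 13, "UtcTime": "2026-05-12 08:01:25",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Display",
     "Details": r'wscript.exe //B "C:\Users\anna\AppData\LocalLow\NVIDEO\ktncm.js"'},
    # Benign developer build: MSBuild launched by Visual Studio, not PowerShell.
    {"EventID": 1, "UtcTime": "2026-05-12 08:02:00", "ParentImage": r"C:\Program Files\VS\devenv.exe",
     "Image": r"C:\Program Files\VS\MSBuild\Current\Bin\MSBuild.exe"},
    # Benign Run value pointing at a system binary.
    {"EventID": 13, "UtcTime": "2026-05-12 08:02:05",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for when, verdict in triage(SAMPLE_EVENTS):
        print(when, verdict)
```

The lineage rules deliberately key on parent and child image names rather than on command-line strings, which the dropper can obfuscate; the Run-key rule accepts some noise from legitimate user-installed software in exchange for catching script-engine autostarts like the one described above.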

It communicates with two command-and-control servers over a non-standard port using AES encryption and can pull down additional payloads or execute commands entirely from memory.

Huntress recommends that organizations configure a Group Policy Object to force script file types like .js, .vbs, and .hta to open in Notepad by default rather than execute.

Deploying email authentication controls including SPF, DKIM, and DMARC, along with a gateway that sandboxes attachments before delivery, can stop this chain at the first stage.

Regular phishing awareness training also remains critical, since the human layer is still the most consistently exploited entry point in campaigns like this.

Indicators of Compromise (IoCs):

Type | Indicator | Description
--- | --- | ---
File | Bestellung_2026.html | Malicious HTML attachment
Domain | fostercareintheus.optimizationprime[.]com | Redirector stage
Domain | bth.startthewave[.]org | Delivery kit host
URL | pengajian.muliastudy[.]com/images/edu/u.php | Serves the ZIP archive payload
File | A021185521S210008-11521.zip | Delivery ZIP archive served by malspam kit
File | A021185521S210008-11521.js | JavaScript loader
File | ktncm.js | JavaScript loader (relocated copy)
File | zkrbx.txt | Staging file
File | gglhn.txt | Staging file
File | nlbzl.ps1 | PowerShell dropper
File | shmvg_01.ps1 | PowerShell stager
Domain | andrefelipedonascime1778799406970.2241107.meusitehostgator[.]com[.]br | Serves 01.txt, 02.txt, 03.txt staging files
Path | %USERPROFILE%AppDataLocalLowLocalLow WindowsProgram RulesProgram Rules NVIDEO | Loader’s NVIDIA-themed staging directory
Domain | catalogo.castrouria[.]com | Serves bl.txt (packed loader)
SHA-256 | D5B7247C497788CF0031CEB06E3DF77A45FEF59F1E49633DC7159816D64759B5 | C2 certificate pin
SHA-256 | C61B1941CF756EB7551F7C661743802362728B785ADC22E860D269713DFB01A6 | C2 certificate pin
SHA-256 | C356AFF1A01C2B0DA472E584C8E3C8F875B9A24280435D42836A77B19F5A8C18 | C2 certificate pin
SHA-256 | F1C3EBE78BD8C38559BF3CFCC9A9FA37D221E31780774A3787E26160A61F5348 | C2 certificate pin
SHA-256 | E91FB249AA97BE5C7931E430781167EDFE7BA804720B5F643E6AB70B7E6E74DD | C2 certificate pin
Domain | xtadts.ddns[.]net | Loader’s C2 server 1
Domain | afxwd.ddns[.]net | Loader’s C2 server 2
Port | 7211 | C2 communication port
String | P@55w0rd! | Hardcoded AES password for C2 comms key derivation via PBKDF2
User-Agent | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0…) | Hardcoded IE8 User-Agent used by loader for payload retrieval

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
