
Introduction: When Trust Becomes the Weakest Link
Cybercriminals have always searched for ways to hide in plain sight, but a newly uncovered malware campaign demonstrates just how dangerous that strategy has become. Security researchers at Huntress have revealed a sophisticated attack chain that abuses Google’s trusted DoubleClick advertising infrastructure to bypass email security systems and deliver malware directly to unsuspecting victims.
What makes this operation particularly alarming is not only its technical sophistication but also its ability to personalize attacks automatically. Instead of creating individual phishing pages for each target, attackers dynamically generate convincing company-branded portals in real time, making every victim believe the message was specifically crafted for them.
The campaign highlights a growing cybersecurity challenge. Organizations spend millions securing email gateways and endpoint protection platforms, yet attackers increasingly exploit legitimate services that businesses trust every day. By weaponizing Google’s advertising ecosystem, these threat actors have effectively transformed trust itself into an attack vector.
Campaign Overview: A Multi-Stage Malware Operation
According to Huntress researchers, the attack begins with a malicious HTML attachment named Bestellung_2026.html, with “Bestellung” translating to “order” in German.
The file appears harmless at first glance. However, embedded within it is a zero-second meta refresh redirect that immediately sends victims to a legitimate Google DoubleClick tracking URL.
Because DoubleClick is a highly trusted Google-owned service, most email security gateways, URL reputation scanners, and web filters allow the traffic without raising alarms. This creates an ideal delivery mechanism for malicious actors seeking to bypass traditional defenses.
Rather than hosting suspicious URLs directly inside phishing emails, attackers leverage Google’s reputation as a shield, significantly increasing the likelihood that targets will interact with the content.
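An added example, not code from Huntress or from this article: a small Python check a mail gateway or analyst could run over an HTML attachment to flag the zero-second meta refresh that hops through an ad-click redirector carrying a second URL. The sample HTML, file content and URLs are constructed placeholders.

```python
import re
from html.parser import HTMLParser
# Constructed sample modelled on the Bestellung_2026.html lure: a zero-second meta
# refresh that bounces through an ad-click redirector. URLs are placeholders.
SAMPLE_LURE = """<html><head>
<meta http-equiv="refresh" content="0;url=https://ad.doubleclick.net/ddm/clk/EXAMPLE?https://lure.example/#user@company.example">
</head><body>Bestellung 2026</body></html>"""
SAMPLE_BENIGN = """<html><head><title>Rechnung</title></head>
<body><p>Vielen Dank fuer Ihre Bestellung.</p></body></html>"""

# Trusted ad-tech hosts the article names as the abused hop. A redirect *through* them
# that wraps a second URL is the signal; the host itself stays allowed.
REDIRECTOR_HOSTS = ("doubleclick.net",)

class MetaRefreshParser(HTMLParser):
    """Collect (delay_seconds, target_url) for every <meta http-equiv="refresh">."""
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
        if m:
            self.refreshes.append((int(m.group(1)), m.group(2)))

def find_instant_redirects(html, max_delay=0):
    """Return the meta refreshes that fire within max_delay seconds of the page loading."""
    p = MetaRefreshParser()
    p.feed(html)
    return [(d, u) for d, u in p.refreshes if d <= max_delay]

def host_of(url):
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].lower()

def attachment_verdict(html):
    """'clean', 'instant-redirect', or 'redirect-via-trusted-adtech' when an ad-click
    URL on a trusted host carries a second URL, the pattern this campaign relies on."""
    hits = find_instant_redirects(html)
    if not hits:
        return "clean"
    for _, url in hits:
        query = url.split("?", 1)
        chained = len(query) == 2 and re.search(r"https?(://|%3a)", query[1], re.I) is not None
        host = host_of(url)
        if chained and any(host == h or host.endswith("." + h) for h in REDIRECTOR_HOSTS):
            return "redirect-via-trusted-adtech"
    return "instant-redirect"
```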
Dynamic Personalization Makes Every Victim a Target
One of the most impressive and concerning aspects of this campaign is its ability to customize phishing pages on demand.
The malicious landing page extracts the victim’s email address directly from the URL fragment. Once obtained, the script identifies the user’s company domain and automatically reconstructs a highly convincing corporate-branded page.
The page dynamically retrieves logos and branding assets from services including:
Clearbit
logo.dev
Google Favicons
This means attackers never need to manually create company-specific phishing pages.
Changing a single email address in the URL instantly rebrands the entire website, making the attack infinitely scalable while maintaining a personalized appearance.
The result is a phishing experience that appears remarkably authentic, increasing the likelihood of successful compromise.
Psychological Manipulation Through Localized Information
Beyond corporate branding, the attackers introduce additional social engineering elements designed to increase trust.
The phishing page queries ipapi.co to determine:
Victim city location
Local time zone information
Geographic context
Displaying accurate local information creates the illusion that the portal is legitimate and aware of the user’s environment.
Researchers also observed a defensive feature built into the phishing kit. If no email address is present in the URL, the page silently redirects visitors to Bing.
This seemingly simple behavior serves an important purpose: frustrating automated security crawlers and sandbox environments that attempt to analyze malicious websites without providing victim-specific parameters.
Stage One: The Malicious ZIP Archive
Victims are encouraged to click a button labeled “PDF herunterladen” or “Download PDF.”
Instead of receiving a PDF document, they download a ZIP archive containing an obfuscated JScript file.
At this point, the infection chain transitions from phishing into malware execution.
The attack unfolds through five distinct stages:
HTML lure page
JScript dropper
PowerShell stager
.NET loader
Process-hollowed payload
Each stage is designed to evade detection while preparing the environment for the next phase.
Stage Two: JScript and PowerShell Deployment
Once executed, the JScript component relocates itself into:
C:\Users\Public
The script repairs a deliberately corrupted Base64 payload and extracts an encoded PowerShell script.
Before proceeding further, the malware performs internet connectivity verification by contacting Google services.
The malware then aggressively checks for security analysis tools including:
Wireshark
OllyDbg
Any.Run
Immunity Debugger
If these tools are detected, the malware executes:
Restart-Computer -Force
The forced reboot disrupts malware analysts, delays investigation efforts, and prevents deeper behavioral analysis.
Stage Three: Advanced .NET Loader Operations
The downloaded loader, retrieved as 03.txt, represents the campaign’s most technically advanced component.
Before executing its payload, the loader conducts extensive environmental checks.
It searches for:
Virtual machine artifacts
Sandbox indicators
Debugging tools
Azure Guest Agent
RDP clipboard services
Cloud-hosting evidence
If suspicious analysis conditions are identified, the malware either exits silently or reboots the system.
In many cases, only small forensic artifacts such as:
vm.txt
Debugger.txt
remain behind.
This minimizes evidence available to investigators.
AMSI and ETW Neutralization
Once the environment is deemed safe, the loader begins disabling Windows security mechanisms.
Its first major target is
The malware patches AMSI functionality directly at the native API layer, specifically targeting Windows 11 24H2 implementations.
It then disables Event Tracing for Windows (ETW) by modifying:
EtwEventWrite
inside ntdll.dll.
The modification effectively transforms the function into:
xor rax, rax
ret
This simple alteration prevents Windows telemetry from recording malicious activity.
With AMSI and ETW compromised, defenders lose two critical visibility layers.
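An added example, not part of the Huntress write-up: a Python integrity check for the return-zero stub described above. On Windows it reads the calling process's own mapped copy of ntdll!EtwEventWrite; elsewhere it runs only against constructed byte samples. Listing amsi!AmsiScanBuffer as a second export to watch, and the sample prologues, are assumptions.

```python
import sys

# Byte encodings of the return-zero stub the article describes over EtwEventWrite
# (xor rax, rax ; ret) plus the shorter encodings that achieve the same effect.
# Longest patterns first so a bare "ret" never shadows a fuller match.
RETURN_ZERO_STUBS = [
    (b"\x48\x31\xc0\xc3", "xor rax, rax ; ret"),
    (b"\x48\x33\xc0\xc3", "xor rax, rax ; ret (33 encoding)"),
    (b"\x31\xc0\xc3", "xor eax, eax ; ret"),
    (b"\x33\xc0\xc3", "xor eax, eax ; ret (33 encoding)"),
    (b"\xc3", "ret"),
]

# Exports worth checking: the ETW write entry point named above and, as an assumed
# companion target, AMSI's scan routine (the article says AMSI is patched natively).
WATCHED_EXPORTS = [("ntdll", "EtwEventWrite"), ("amsi", "AmsiScanBuffer")]

def classify_prologue(prologue: bytes):
    """Return a description if the function begins with a return-zero stub, else None."""
    for stub, desc in RETURN_ZERO_STUBS:
        if prologue.startswith(stub):
            return desc
    return None

def read_export_prologue(module: str, export: str, length: int = 8) -> bytes:
    """Windows only: read the first bytes of an export as mapped in this process."""
    import ctypes
    func = getattr(ctypes.WinDLL(module), export)
    address = ctypes.cast(func, ctypes.c_void_p).value
    return ctypes.string_at(address, length)

def scan_live_process():
    """Check each watched export in the current process; {module!export: description_or_None}."""
    if sys.platform != "win32":
        return {}
    return {f"{m}!{e}": classify_prologue(read_export_prologue(m, e)) for m, e in WATCHED_EXPORTS}

# Constructed samples: the patched bytes the article describes, and a typical x64
# function prologue (mov r11, rsp ; mov [r11+8], rbx) standing in for a clean export.
PATCHED_SAMPLE = bytes.fromhex("4831c0c3cccccccc")
INTACT_SAMPLE = bytes.fromhex("4c8bdc49895b0800")
```

A hit is a lead, not proof: confirm it by comparing the bytes with the on-disk ntdll.dll, since a process that has already been tampered with is the one doing the reading.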
Defender Evasion and Persistence Mechanisms
The malware proceeds to weaken endpoint protection even further.
Actions include:
Disabling Microsoft Defender real-time monitoring
Creating system-wide exclusion paths
Modifying registry Run keys
Establishing RunOnce persistence
Creating scheduled tasks
The scheduled tasks operate at randomized intervals between eight and eleven minutes.
To avoid suspicion, the malware uses NVIDIA-themed folder names and registry entries that appear legitimate during casual inspection.
This blending technique reduces the likelihood of detection by administrators and incident responders.
Process Hollowing and Living-Off-The-Land Techniques
Instead of dropping easily detectable executable files, the attackers inject their payload into trusted Microsoft-signed binaries.
Common targets include:
InstallUtil.exe
MSBuild.exe
The malware employs RunPE process hollowing techniques using APIs such as:
CreateProcessA
ZwUnmapViewOfSection
VirtualAllocEx
WriteProcessMemory
ResumeThread
Because the malicious code runs inside legitimate Windows processes, many traditional security products struggle to identify the threat.
This technique remains one of the most effective methods for bypassing behavioral defenses.
Encrypted Command-and-Control Communications
The final payload establishes communication with attacker infrastructure using raw TCP connections over port 7211.
Observed command-and-control servers include:
xtadts.ddns[.]net
afxwd.ddns[.]net
Communications are protected through:
AES encryption
Protobuf serialization
PBKDF2-derived keys
RSA key exchange
The use of Dynamic DNS infrastructure enables rapid IP rotation.
Even if defenders block a malicious IP address, attackers can quickly reassign domains to new infrastructure with minimal cost.
Hardware Fingerprinting and Host Profiling
Upon successful execution, the malware performs extensive system reconnaissance.
Information collected includes:
CPU identifiers
Disk serial numbers
Motherboard serial numbers
GPU details
The malware specifically targets:
NVIDIA GTX series
NVIDIA RTX series
AMD Radeon hardware
Information is gathered through both WMI queries and direct Windows registry access.
These fingerprints help attackers uniquely identify infected systems and track victims across campaigns.
Key Indicators of Compromise
Command-and-Control Infrastructure
xtadts.ddns[.]net
afxwd.ddns[.]net
Payload Delivery
pengajian.muliastudy[.]com/images/edu/u.php
Loader Infrastructure
catalogo.castrouria[.]com
Host Artifacts
%USERPROFILE%\AppData\LocalLow\LocalLow Windows\Program Rules\Program Rules NVIDEO
Suspicious User-Agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64...)
The presence of Internet Explorer 8 user agents in modern environments should immediately trigger security investigations.
Mitigation Strategies Organizations Should Implement
Organizations can significantly reduce exposure by implementing layered defenses.
Recommended actions include:
Configure .js, .vbs, and .hta files to open in Notepad by default
Deploy attachment and URL sandboxing before message delivery
Implement SPF, DKIM, and DMARC
Monitor for PowerShell launched from C:\Users\Public
Alert on explorer.exe spawning script interpreters
Hunt for suspicious scheduled tasks
Monitor AMSI tampering attempts
Investigate ETW patching behavior
Block suspicious Dynamic DNS infrastructure
Enforce application allowlisting policies
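The monitoring items above turned into runnable detection logic, as an added example that is not the article's own: Python rules evaluated over constructed, simplified Sysmon-style events. The event schema, file names, task name and paths are assumptions.

```python
import os
# Rules from the monitoring items above: explorer.exe spawning a script host, PowerShell
# run from C:\Users\Public, NVIDIA-themed tasks firing every 8-11 minutes, a .NET build
# tool opening raw TCP to port 7211 on a ddns host, an IE8 user agent. Schema is assumed.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
HOLLOWING_HOSTS = {"installutil.exe", "msbuild.exe"}
C2_PORT = 7211

def base(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def explorer_spawns_script_host(ev):
    return ev["type"] == "process" and base(ev["parent"]) == "explorer.exe" and base(ev["image"]) in SCRIPT_HOSTS

def powershell_from_users_public(ev):
    return ev["type"] == "process" and base(ev["image"]) == "powershell.exe" and r"c:\users\public" in ev["cmd"].lower()

def nvidia_themed_short_interval_task(ev):
    return ev["type"] == "task" and 8 <= ev["interval_min"] <= 11 and "nvid" in ev["name"].lower()

def build_tool_opens_network_connection(ev):
    return ev["type"] == "netconn" and base(ev["image"]) in HOLLOWING_HOSTS

def raw_tcp_to_ddns_c2(ev):
    host = ev.get("dest_host", "").replace("[.]", ".").lower()  # IoCs are often defanged
    return ev["type"] == "netconn" and (ev["dest_port"] == C2_PORT or ".ddns." in host)

def legacy_ie8_user_agent(ev):
    return ev["type"] == "http" and "MSIE 8.0" in ev["user_agent"]

RULES = [explorer_spawns_script_host, powershell_from_users_public, nvidia_themed_short_interval_task,
         build_tool_opens_network_connection, raw_tcp_to_ddns_c2, legacy_ie8_user_agent]

def evaluate(events):
    """Return (rule name, event index) for every rule that fires on every event."""
    return [(r.__name__, i) for i, ev in enumerate(events) for r in RULES if r(ev)]

# Constructed sample telemetry, not real logs; events 0 and 6 are benign controls.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe", "cmd": "explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\victim\Downloads\Bestellung_2026.js"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmd": r"powershell.exe -File C:\Users\Public\stage.ps1"},
    {"type": "task", "name": "NVIDIA Display Container", "interval_min": 9, "action": r"C:\Users\Public\run.js"},
    {"type": "netconn", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "dest_host": "xtadts.ddns[.]net", "dest_port": 7211},
    {"type": "http", "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64)"},
    {"type": "netconn", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "update.example", "dest_port": 443},
]
```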
Deep Analysis: Why This Campaign Is Particularly Dangerous
This campaign demonstrates a significant evolution in phishing operations. Historically, attackers relied on obviously malicious domains, cloned websites, and simple malware droppers. Here, however, legitimate infrastructure becomes the primary weapon.
The abuse of DoubleClick exposes a major blind spot in modern security architecture. Security products increasingly depend on domain reputation, assuming that trusted domains are safe. Attackers understand this assumption and are exploiting it effectively.
From a technical perspective, the attack chain combines several modern offensive security techniques into a single operation:
Security Investigation Commands
Identify suspicious PowerShell activity:
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational
Review scheduled tasks:
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"}
Inspect Defender exclusions:
Get-MpPreference
Check startup persistence:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Analyze active TCP connections:
netstat -ano
Investigate process ancestry:
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine
Search for suspicious JScript files:
Get-ChildItem -Path C:\ -Filter *.js -Recurse -ErrorAction SilentlyContinue
Monitor WMI activity:
Get-WinEvent -LogName Microsoft-Windows-WMI-Activity/Operational
Review AMSI-related events:
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational"
Linux defenders analyzing captured malware can leverage:
strings sample.bin
file sample.bin
objdump -x sample.bin
tcpdump -i any
journalctl -xe
grep -Ri "ddns" /
yara malware_rules.yar sample.bin
clamscan -r /
ps aux
lsof -i
The
Most concerning is the
This represents the future of large-scale cybercrime: highly personalized attacks delivered through trusted infrastructure and protected by enterprise-grade evasion techniques.
What Undercode Say:
This operation should serve as a warning to organizations that reputation-based security alone is no longer sufficient.
The attackers never needed to compromise Google.
They only needed to abuse trusted Google infrastructure.
That distinction is critical.
Security teams often whitelist reputable domains.
DoubleClick, Microsoft, Google, Amazon, and Cloudflare domains frequently bypass deeper inspection because blocking them could disrupt business operations.
Threat actors understand this operational reality.
The campaign demonstrates a shift from malware-focused attacks toward trust-focused attacks.
The phishing page itself is remarkably efficient.
There are no hardcoded company templates.
There is no need for custom development per victim.
Everything is generated dynamically.
That reduces attacker costs dramatically.
At the same time, it increases credibility.
The use of local city information adds psychological pressure.
Victims subconsciously trust interfaces that appear familiar.
The anti-analysis logic is equally noteworthy.
Many malware families simply terminate when sandboxes are detected.
This campaign reboots the system.
That behavior actively interferes with investigation workflows.
The AMSI bypass strategy also deserves attention.
Directly modifying security telemetry functions shows a mature understanding of Windows internals.
The use of process hollowing remains effective because organizations continue to trust Microsoft-signed binaries.
Signed processes are not necessarily safe processes.
The command-and-control architecture is also designed for resilience.
Dynamic DNS dramatically lowers infrastructure costs.
Defenders can no longer rely solely on IP blocking.
Behavioral detection becomes essential.
The NVIDIA-themed persistence artifacts reveal another trend.
Modern malware increasingly disguises itself as gaming software, graphics drivers, and performance tools because these applications are common across enterprise and home environments.
Perhaps the most important lesson is that phishing is no longer merely an email problem.
It has evolved into a multi-stage intrusion framework.
The email only initiates the compromise.
The real attack occurs after trust is established.
Organizations that focus exclusively on email filtering will continue to struggle against campaigns like this.
Future defenses must emphasize behavior, telemetry, anomaly detection, and zero-trust principles.
The era of trusting a domain simply because it belongs to a major technology company is rapidly coming to an end.
✅ Huntress researchers documented a campaign using Google DoubleClick redirect infrastructure to facilitate malware delivery and phishing workflows.
✅ The attack chain includes multiple stages involving JScript, PowerShell, .NET loaders, persistence mechanisms, and process hollowing techniques commonly observed in advanced malware operations.
✅ Dynamic branding through third-party logo retrieval services and victim-specific customization significantly increases phishing effectiveness and aligns with modern social engineering trends.
Prediction
(+1) Security vendors will increasingly inspect trusted redirect services such as advertising and analytics platforms rather than relying solely on domain reputation scores.
(+1) Organizations will accelerate deployment of behavioral EDR and XDR solutions capable of detecting AMSI tampering, ETW patching, and process hollowing activities.
(+1) Email security gateways will adopt deeper attachment detonation and redirect-chain analysis to identify threats hidden behind legitimate services.
(-1) Attackers will continue exploiting highly trusted cloud platforms because reputation-based filtering remains common across many enterprise environments.
(-1) Dynamic DNS infrastructure and automated phishing personalization will become more prevalent, making large-scale campaigns harder to block through traditional indicators alone.
(-1) Malware operators will further invest in anti-analysis capabilities, increasing incident response complexity and reducing visibility for defenders who rely on legacy detection methods.
References:
Reported By: cyberpress.org