Targeting Through Trusted Infrastructure
A sophisticated malspam campaign has been discovered exploiting Google’s DoubleClick advertising redirect system to distribute a fileless .NET loader. Security researchers at Huntress identified the campaign in May 2026 after detecting infections in their security operations center. The attack begins with a malicious email carrying an HTML attachment titled “Bestellung_2026.html,” suggesting the operators specifically targeted German-speaking businesses. This HTML file contains a zero-second meta-refresh redirect that silently sends the victim’s browser to a legitimate DoubleClick tracking URL on ad.doubleclick.net, a domain trusted by most email security tools.
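The zero-second meta-refresh hop to ad.doubleclick.net described above is something a mail gateway or an analyst triaging an HTML attachment can check for directly. The Python below is an added example written for this summary, not code from Huntress, from Cyber Security News, or from the campaign itself: it parses the attachment with the standard library, pulls out every `<meta http-equiv="refresh">` tag, and grades a redirect by delay and destination host. The sample attachment is constructed, and the path after ad.doubleclick.net is a placeholder rather than the real tracking URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts the report names as the trusted hop (ad.doubleclick.net). Any other
# zero-second refresh to an external host is still reported, at lower severity.
ABUSED_REDIRECTOR_HOSTS = {"ad.doubleclick.net"}


class _MetaRefreshCollector(HTMLParser):
    """Collects the content= value of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "refresh":
            self.refreshes.append(a.get("content", ""))


# "0;url=https://..."  /  "0; URL='https://...'"  /  "30" (plain reload, no URL)
_CONTENT_RE = re.compile(
    r"^\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"]*)['\"]?)?\s*$", re.IGNORECASE
)


def parse_refresh_content(content):
    """Return (delay_seconds, url) for a refresh content value, or None if unparsable."""
    m = _CONTENT_RE.match(content)
    if not m:
        return None
    return int(m.group(1)), (m.group(2) or "").strip()


def scan_html_attachment(html_text):
    """Return one finding per meta-refresh redirect that leaves the document."""
    collector = _MetaRefreshCollector()
    collector.feed(html_text)
    findings = []
    for content in collector.refreshes:
        parsed = parse_refresh_content(content)
        if parsed is None:
            continue
        delay, url = parsed
        host = (urlparse(url).hostname or "").lower()
        if not host:
            continue  # a timed reload of the same page, not a redirect
        if host in ABUSED_REDIRECTOR_HOSTS:
            severity = "high"      # known abused redirector, regardless of delay
        elif delay == 0:
            severity = "medium"    # silent redirect off-document, as in this lure
        else:
            severity = "low"
        findings.append({"delay": delay, "url": url, "host": host, "severity": severity})
    return findings


# Constructed attachment mimicking the lure's structure; the path is a placeholder.
SAMPLE_ATTACHMENT = """<!DOCTYPE html>
<html><head>
<meta http-equiv="refresh" content="0;url=https://ad.doubleclick.net/PLACEHOLDER_TRACKING_PATH">
<title>Bestellung</title>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in scan_html_attachment(SAMPLE_ATTACHMENT):
        print(finding)
```

The point of grading by host as well as by delay is that the redirect target here is a legitimate domain: a rule that only blocks links to unknown hosts would pass it. Treating "zero-second refresh to any host outside the message" as at least a medium finding catches the technique even when the intermediate domain changes.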
Infection Chain and Stealth Mechanisms
After the initial redirect, victims arrive at a highly personalized lure page that reads their email address from the URL, dynamically loads the company logo, and displays the viewer’s city and local time to appear authentic. The page offers a button to download what appears to be a PDF, but instead delivers a ZIP archive containing the actual payload. The ZIP holds a JScript file that initiates a five-stage infection process. This file relocates itself to a stable directory, then executes an obfuscated PowerShell script. The dropper checks for internet connectivity and, if the system appears offline, forces a reboot before proceeding. The final fileless .NET loader runs entirely in memory, leaving minimal forensic traces for investigators to analyze.
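Because the final loader is fileless, the most durable detection opportunity in this chain is the process lineage that precedes it: a JScript file on Windows runs under the Windows Script Host (wscript.exe or cscript.exe), which then spawns PowerShell, and the reboot step surfaces as a shutdown command under that lineage. The Python below is an added example, not Huntress's or Cyber Security News's code; it runs two such rules over constructed process-creation events in a simplified schema (pid, ppid, image, cmdline) that is an assumption here rather than any specific EDR's format. File names and paths in the sample events are placeholders.

```python
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
REBOOT_TOOLS = {"shutdown.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(index, pid):
    """Events for pid and its known ancestors, nearest first; stops at unknown or cyclic ppids."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return chain


def detect_script_host_chain(events):
    """Two lineage rules matching the JScript -> PowerShell -> reboot sequence."""
    index = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parents = [basename(p["image"]) for p in ancestry(index, e["pid"])[1:]]
        # Rule 1: PowerShell whose direct parent is a script host.
        if name in SHELLS and parents and parents[0] in SCRIPT_HOSTS:
            alerts.append({"rule": "script_host_spawned_powershell",
                           "pid": e["pid"], "chain": [name] + parents})
        # Rule 2: a reboot issued anywhere beneath script host + PowerShell ancestry.
        if (name in REBOOT_TOOLS
                and any(p in SCRIPT_HOSTS for p in parents)
                and any(p in SHELLS for p in parents)):
            alerts.append({"rule": "reboot_under_script_host_lineage",
                           "pid": e["pid"], "chain": [name] + parents})
    return alerts


# Constructed events: explorer launches the JScript, which launches PowerShell,
# which forces the reboot. The notepad event is benign noise.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\PLACEHOLDER\AppData\Roaming\PLACEHOLDER.js"'},
    {"pid": 4320, "ppid": 4212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\PLACEHOLDER.ps1"},
    {"pid": 4400, "ppid": 4320, "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown.exe /r /t 0"},
    {"pid": 5000, "ppid": 4100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect_script_host_chain(SAMPLE_EVENTS):
        print(alert["rule"], "->", " <- ".join(alert["chain"]))
```

Rule 1 on its own is a well-known, high-signal pairing in most environments; rule 2 exists because the reboot is the one step of this chain that touches a separate, easily logged binary, and tying it to the lineage rather than alerting on every shutdown keeps the rule quiet on ordinary administration.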
Source: Cyber Security News
