CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 08, 2026

Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader

Cybersecurity News Archived Jun 08, 2026 ✓ Full text saved

Cybercriminals have found a new way to sneak malware past email security tools, and this time they are hiding behind a name that most systems trust without question. A recent malspam campaign has been caught using Google’s own DoubleClick ad-tracking infrastructure to route victims toward a fileless .NET loader, a type of malware that runs […] The post Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader By Tushar Subhra Dutta June 8, 2026 Cybercriminals have found a new way to sneak malware past email security tools, and this time they are hiding behind a name that most systems trust without question. A recent malspam campaign has been caught using Google’s own DoubleClick ad-tracking infrastructure to route victims toward a fileless .NET loader, a type of malware that runs almost entirely in memory and leaves very little trace behind for investigators. Malspam, short for malicious spam, has been a go-to method for attackers for years. It typically involves sending emails with booby-trapped attachments or links designed to start an infection the moment someone clicks. What sets this campaign apart is how cleverly the attackers disguised the early stages to avoid triggering alarms, leaning on real, high-reputation web services as cover throughout the delivery chain. Researchers at Huntress identified this campaign in May 2026 after their SOC team responded to a .NET loader infection. Huntress said in a report shared with Cyber Security News (CSN), the attack begins with a malspam email carrying a malicious HTML file named Bestellung_2026.html, which is German for “purchase order,” suggesting the attackers may have specifically targeted German-speaking businesses. The HTML attachment contains a zero-second meta-refresh redirect that silently pushes the victim’s browser to a Google DoubleClick click-tracking URL on ad.doubleclick[.]net. Attack path (Source – Huntress) Since this is a legitimate, widely trusted Google-owned domain, most email gateways and URL-reputation filters do not flag it. By the time the victim reaches attacker-controlled infrastructure, the most suspicious part of the chain is already well behind them. What follows is a personalized lure page that reads the victim’s email from the URL, pulls in the company logo live, and shows the viewer’s city and local time to feel convincing. The victim sees a button to download what looks like a PDF, but clicking it delivers a ZIP archive containing the real payload instead. Malspam Attack Uses Google DoubleClick Redirects The ZIP contains a JScript file that serves as the first stage of a five-step infection chain. The script relocates itself to a stable directory, then decodes and drops an obfuscated PowerShell script. That dropper checks whether the victim is online, and if the machine appears offline, it forces a reboot rather than simply exiting. It also scans for known analysis tools like Wireshark and any.run, rebooting the machine if any are detected, a deliberate move to frustrate security researchers. The PowerShell stage downloads a .NET loader from a remote server, which runs entirely in memory using .NET reflection. Malicious HTML attachment (Source – Huntress) The loader injects itself into legitimate, Microsoft-signed system tools like InstallUtil.exe or MSBuild.exe, giving it cover under processes that Windows itself fully trusts. Contents of A021185521S210008-11521.js (Source – Huntress) At no point does the main payload write a recognizable malicious file to disk, making it extremely difficult for traditional antivirus tools to detect. Defense Evasion and Persistence Techniques Once inside a trusted process, the loader works to blind Windows’ built-in defenses. It patches both AMSI and ETW, the two main telemetry engines Windows relies on to spot suspicious behavior, at the native memory level. Security tools that depend on those systems stop receiving useful signals before the attacker has even established persistence on the machine. The loader then sets up persistence through Windows registry Run keys and scheduled tasks, using NVIDIA-themed folder names to blend in with what looks like routine driver activity. It communicates to two command-and-control servers over a non-standard port using AES encryption, and can pull down additional payloads or execute commands entirely from memory. Huntress recommends that organizations configure a Group Policy Object to force script file types like .js, .vbs, and .hta to open in Notepad by default rather than execute. Deploying email authentication controls including SPF, DKIM, and DMARC, along with a gateway that sandboxes attachments before delivery, can stop this chain at the first stage. Regular phishing awareness training also remains critical, since the human layer is still the most consistently exploited entry point in campaigns like this. Indicators of Compromise (IoCs):- Type Indicator Description File Bestellung_2026.html Malicious HTML attachment Domain fostercareintheus.optimizationprime[.]com Redirector stage Domain bth.startthewave[.]org Delivery kit host URL pengajian.muliastudy[.]com/images/edu/u.php Serves the ZIP archive payload File A021185521S210008-11521.zip Delivery ZIP archive served by malspam kit File A021185521S210008-11521.js JavaScript loader File ktncm.js JavaScript loader (relocated copy) File zkrbx.txt Staging file File gglhn.txt Staging file File nlbzl.ps1 PowerShell dropper File shmvg_01.ps1 PowerShell stager Domain andrefelipedonascime1778799406970.2241107.meusitehostgator[.]com[.]br Serves 01.txt, 02.txt, 03.txt staging files Path %USERPROFILE%\AppData\LocalLow\LocalLow Windows\Program Rules\Program Rules NVIDEO Loader’s NVIDIA-themed staging directory Domain catalogo.castrouria[.]com Serves bl.txt (packed loader) SHA-256 D5B7247C497788CF0031CEB06E3DF77A45FEF59F1E49633DC7159816D64759B5 C2 certificate pin SHA-256 C61B1941CF756EB7551F7C661743802362728B785ADC22E860D269713DFB01A6 C2 certificate pin SHA-256 C356AFF1A01C2B0DA472E584C8E3C8F875B9A24280435D42836A77B19F5A8C18 C2 certificate pin SHA-256 F1C3EBE78BD8C38559BF3CFCC9A9FA37D221E31780774A3787E26160A61F5348 C2 certificate pin SHA-256 E91FB249AA97BE5C7931E430781167EDFE7BA804720B5F643E6AB70B7E6E74DD C2 certificate pin Domain xtadts.ddns[.]net Loader’s C2 server 1 Domain afxwd.ddns[.]net Loader’s C2 server 2 Port 7211 C2 communication port String P@55w0rd! Hardcoded AES password for C2 comms derivation via PBKDF2 User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0…) Hardcoded IE8 User-Agent used by loader for payload retrieval Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Web App and API Attacks are Rising: Are You Blind to AI Web Attacks? Join Free WAAP Security Webinar  CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks Microsoft Warns Claude Code GitHub Action Could Leak CI/CD Workflow Secrets Dashlane Password Manager User Accounts Locked Following Brute-Force Attacks Microsoft Unveils Always-On AI Agent Scout to Integrate With Teams, Outlook, and More Latest News Cyber Security New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root Cyber Security News New Pink Hacking Group Attacking Enterprise Users to Steal Cloud Storage Passwords Cyber Security News UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data Cyber Security News New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access Cyber Security WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 08, 2026
    Archived
    Jun 08, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗