Malware Campaign Abuses Google Ad Domain to Bypass Enterprise Security

Cybersecurity firm Huntress has uncovered an active malware campaign exploiting Google’s own advertising infrastructure to smuggle malicious payloads past enterprise security systems. The operation uses ad.doubleclick.net — a legitimate, widely trusted Google-owned domain — as a stepping stone in a multi-stage infection chain, effectively blinding many conventional email gateways and web filters.

How the Attack Unfolds

The campaign begins with malicious spam emails carrying HTML attachments. When opened, these attachments silently redirect victims through Google’s ad domain before forwarding them to attacker-controlled infrastructure — a routing choice that exploits the implicit trust most security systems extend to Google properties.
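Added example (not code from Huntress or the article): a small scanner that inspects an e-mail HTML attachment for redirect constructs whose target is a trusted ad or redirector domain and whose query string carries a second, embedded URL, which is the routing pattern the paragraph describes. The sample attachment, the query-parameter name and the destination hostname are constructed placeholders; the only real identifier is the ad.doubleclick.net domain the article names.

```python
"""
Flag HTML attachments that redirect through a trusted ad domain with an
embedded destination URL. Added illustration; the sample attachment and the
parameter/host names in it are constructed placeholders.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Domains to treat as redirectors rather than as automatically safe.
TRUSTED_REDIRECTORS = {"ad.doubleclick.net"}

# Redirect constructs commonly seen in HTML lures: meta refresh,
# location assignment in script, and plain anchors.
REDIRECT_PATTERNS = [
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I),
    re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'href=["\']([^"\']+)["\']', re.I),
]


def extract_urls(html: str) -> list[str]:
    """Return every URL found in the redirect constructs above."""
    found = []
    for pat in REDIRECT_PATTERNS:
        found.extend(m.group(1) for m in pat.finditer(html))
    return found


def embedded_urls(url: str) -> list[str]:
    """Absolute URLs smuggled inside the query string of `url`."""
    parts = urlsplit(url)
    return [value for _, value in parse_qsl(parts.query, keep_blank_values=True)
            if value.lower().startswith(("http://", "https://"))]


def classify_attachment(html: str) -> list[dict]:
    """
    One finding per URL whose host is a trusted redirector and whose query
    string carries another absolute URL. The final destination host is the
    value an analyst needs for blocking and hunting.
    """
    findings = []
    for url in extract_urls(html):
        host = (urlsplit(url).hostname or "").lower()
        if host in TRUSTED_REDIRECTORS or host.endswith(".doubleclick.net"):
            for dest in embedded_urls(url):
                findings.append({
                    "redirector": host,
                    "destination": urlsplit(dest).hostname,
                    "raw": url,
                })
    return findings


# Constructed sample lure: meta refresh through the ad domain, with a
# placeholder path, placeholder query parameter and placeholder destination.
SAMPLE_ATTACHMENT = """
<html><head>
<meta http-equiv="refresh" content="0;url=https://ad.doubleclick.net/placeholder/path?redirect=https://landing.example-attacker.invalid/login">
</head><body>Loading secure document...</body></html>
"""

if __name__ == "__main__":
    for f in classify_attachment(SAMPLE_ATTACHMENT):
        print(f"{f['redirector']} -> {f['destination']}")
```

A plain ad click-through that carries no embedded URL produces no finding, so the check keys on the combination of trusted host plus smuggled destination rather than on the ad domain alone; in a mail gateway it would run on the decoded attachment body before any URL reputation lookup.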

The fraudulent landing pages are dynamically generated, automatically extracting data from the victim’s email address to produce custom-branded pages complete with real company logos pulled live from the web. Location data and local time information are also harvested to make the pages appear more convincing.

If the victim downloads the attached archive, the infection chain escalates rapidly into a concealed, multi-stage execution sequence inside Windows.

A Five-Stage, Largely Fileless Attack Chain

Huntress identified five distinct stages in the attack sequence:

The malware operates almost entirely in memory, deliberately avoiding writing traditional files to disk to minimize forensic traces. This approach significantly reduces detection rates for conventional endpoint security tools.

Advanced Evasion and Anti-Analysis Techniques

The malware actively scans for debugging environments, sandbox systems, and forensic analysis tools before proceeding. If any such tools are detected, it immediately terminates — and in some cases forces a system restart without warning.

To further evade detection, the malware tampers with Windows security telemetry through native API modifications targeting AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) — two core components of Microsoft’s security monitoring stack.

It then injects malicious code into legitimate Microsoft-signed binaries, including InstallUtil.exe and MSBuild.exe, allowing hostile behaviour to masquerade as trusted Windows processes.
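Added example (not code from Huntress or the article): a detection pass over constructed, Sysmon-style process-creation records. InstallUtil.exe and MSBuild.exe are signed build and installer tools that normally run with a project or assembly argument and from a build context, so a launch with no such argument, from a script host or Office parent, or followed by an outbound connection is a reasonable alert condition. The record fields, the parent-process lists and the sample events are assumptions chosen for this illustration.

```python
"""
Score process-creation events for signs that MSBuild.exe or InstallUtil.exe
is being used as a host for injected code. Added illustration; the event
schema, lists and sample data are constructed assumptions.
"""
from dataclasses import dataclass

TARGET_IMAGES = {"msbuild.exe", "installutil.exe"}

# Parents that should essentially never spawn a build or installer tool.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}

# Argument extensions that indicate ordinary use of these binaries.
EXPECTED_ARG_EXT = (".proj", ".csproj", ".vbproj", ".sln", ".targets",
                    ".dll", ".exe")


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str
    made_network_connection: bool = False


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Reasons an event looks like LOLBin abuse; an empty list means benign."""
    image = _basename(ev.image)
    if image not in TARGET_IMAGES:
        return []
    reasons = []
    parent = _basename(ev.parent_image)
    args = ev.command_line.split()[1:]      # drop the executable token itself
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent {parent} does not normally spawn {image}")
    if not any(a.lower().rstrip('"').endswith(EXPECTED_ARG_EXT) for a in args):
        reasons.append(f"{image} launched without a project/assembly argument")
    if ev.made_network_connection:
        reasons.append(f"{image} made an outbound network connection")
    return reasons


def detect(events) -> list[tuple[ProcEvent, list[str]]]:
    """Return (event, reasons) pairs for every event that scored."""
    return [(ev, r) for ev in events if (r := score_event(ev))]


# Constructed sample telemetry: one ordinary build, one suspicious launch.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              r'"MSBuild.exe" C:\src\app\app.csproj /t:Build'),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
              r"C:\Windows\System32\wscript.exe",
              r'"InstallUtil.exe"', made_network_connection=True),
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(_basename(ev.image), "<-", _basename(ev.parent_image))
        for reason in reasons:
            print("  -", reason)
```

The argument check is the one that survives process injection best: a hollowed or injected copy of MSBuild.exe still has to be started, and it is rarely started with a real project file. Build servers and developer workstations will need the parent list tuned to their tooling.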

Persistent Access and Infrastructure Designed for Longevity

The campaign’s communication layer relies on dynamic DNS services and non-standard network ports, enabling attackers to rapidly rotate infrastructure in response to defensive countermeasures.
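Added example (not code from Huntress or the article): a correlation of constructed DNS and connection records that surfaces exactly the pattern this paragraph describes, a dynamic-DNS hostname contacted on a non-standard port. The dynamic-DNS suffix list is a short illustrative sample of well-known providers, the record layout is an assumption, and the hostnames and IP addresses are constructed (documentation ranges).

```python
"""
Correlate DNS answers with later connections from the same host and alert
when a dynamic-DNS name was contacted on a non-standard port. Added
illustration; record format, suffix list and sample data are assumptions.
"""
from collections import defaultdict

# Illustrative sample of public dynamic-DNS suffixes; extend from your own
# threat-intel feed rather than treating this list as complete.
DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net", ".no-ip.org", ".hopto.org")

# Ports that ordinary endpoint traffic is expected to use.
STANDARD_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}


def is_dyndns(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h.endswith(s) for s in DYNDNS_SUFFIXES)


def correlate(dns_records, conn_records) -> list[dict]:
    """
    dns_records:  (timestamp, src_host, queried_name, resolved_ip)
    conn_records: (timestamp, src_host, dst_ip, dst_port)
    Alerts on connections whose destination IP was resolved from a
    dynamic-DNS name by the same source host and whose port is non-standard.
    """
    resolved = defaultdict(set)            # (src_host, ip) -> {names}
    for _, src, name, ip in dns_records:
        resolved[(src, ip)].add(name)
    alerts = []
    for ts, src, ip, port in conn_records:
        names = sorted(n for n in resolved.get((src, ip), ()) if is_dyndns(n))
        if names and port not in STANDARD_PORTS:
            alerts.append({"time": ts, "host": src, "name": names[0],
                           "ip": ip, "port": port})
    return alerts


# Constructed sample records: one ordinary update check, one dynamic-DNS
# name reached first on a high port and then on 443.
DNS = [
    ("10:00:01", "WS-042", "updates.example.com", "203.0.113.10"),
    ("10:00:05", "WS-042", "sample-host.duckdns.org", "198.51.100.77"),
]
CONNS = [
    ("10:00:02", "WS-042", "203.0.113.10", 443),
    ("10:00:06", "WS-042", "198.51.100.77", 7443),
    ("10:00:09", "WS-042", "198.51.100.77", 443),
]

if __name__ == "__main__":
    for a in correlate(DNS, CONNS):
        print(f"{a['time']} {a['host']} -> {a['name']} ({a['ip']}:{a['port']})")
```

Keying the lookup on (source host, resolved IP) rather than on the IP alone keeps a shared resolver or NAT from attributing one workstation's resolution to another. The port-443 connection to the same name is deliberately not alerted here; whether dynamic-DNS traffic on standard ports deserves its own lower-severity rule depends on how common such names are in the environment.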

The malware also performs detailed hardware fingerprinting of infected systems, collecting processor identifiers, motherboard data, antivirus product names, and GPU information from Nvidia and AMD hardware.

Persistence mechanisms ensure malicious processes are automatically relaunched after system restarts or shutdown events, indicating the operation is structured for sustained, long-term unauthorized access.

Final Objective Still Unknown

Huntress has not yet conclusively identified the campaign’s ultimate goal. However, researchers note that the overall architecture — stealth, persistence, hardware profiling, and evasion depth — strongly suggests preparation for extensive remote intrusion and espionage activities.

For CISOs and security teams, this campaign underscores a critical blind spot: trusted third-party domains, including those operated by Google, can no longer be assumed safe by default within filtering and detection pipelines.
