Malspam Uses Google DoubleClick Redirects for Fileless .NET Attack
A new malspam campaign is exploiting Google DoubleClick redirects to deploy a sophisticated fileless .NET loader, according to Huntress.
[Image: Malicious HTML attachment (Source – Huntress)]

The loader injects itself into legitimate, Microsoft-signed system tools like InstallUtil.exe or MSBuild.exe, giving it cover under processes that Windows itself fully trusts.

At no point does the main payload write a recognizable malicious file to disk, making it extremely difficult for traditional antivirus tools to detect.
Defense Evasion and Persistence Techniques
Once inside a trusted process, the loader works to blind Windows’ built-in defenses. It patches both AMSI and ETW, the two main telemetry engines Windows relies on to spot suspicious behavior, at the native memory level.
Security tools that depend on those systems stop receiving useful signals before the attacker has even established persistence on the machine.
The loader then sets up persistence through Windows registry Run keys and scheduled tasks, using NVIDIA-themed folder names to blend in with what looks like routine driver activity.
It communicates with two command-and-control servers over a non-standard port using AES encryption, and can pull down additional payloads or execute commands entirely from memory.
Huntress recommends that organizations configure a Group Policy Object to force script file types like .js, .vbs, and .hta to open in Notepad by default rather than execute.
Deploying email authentication controls including SPF, DKIM, and DMARC, along with a gateway that sandboxes attachments before delivery, can stop this chain at the first stage.
Regular phishing awareness training also remains critical, since the human layer is still the most consistently exploited entry point in campaigns like this.
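As an added example that is not from the Huntress report or this article, the Python below turns the behaviours described above (a signed .NET host spawned by a script interpreter, NVIDIA-themed Run-key persistence, and traffic to the listed C2 hosts or port 7211) into simple detections run over constructed Sysmon-style events; the event field names and sample values are assumptions.

```python
# Added detection example; the event schema and sample events are constructed, not from the report.
C2_DOMAINS = {"xtadts.ddns.net", "afxwd.ddns.net"}      # loader C2 hosts (report IoCs)
C2_PORT = 7211                                          # non-standard C2 port (report IoC)
LOLBINS = {"installutil.exe", "msbuild.exe"}            # signed hosts the loader injects into
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
STAGING_MARKERS = ("locallow", "program rules", "nvideo")  # NVIDIA-themed staging path pieces

def refang(value: str) -> str:
    """Turn a defanged indicator such as 'xtadts.ddns[.]net' into a matchable hostname."""
    return value.replace("[.]", ".").strip().lower()

def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the detection names an event matches; an empty list means nothing fired."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        # A signed .NET tool started by a script host is the injection step described above.
        if basename(event["image"]) in LOLBINS and basename(event["parent"]) in SCRIPT_HOSTS:
            hits.append("signed-lolbin-spawned-by-script-host")
    elif kind == "registry":
        # Run-key persistence whose command points into the NVIDIA-themed staging directory.
        in_run_key = "\\currentversion\\run" in event["key"].lower()
        if in_run_key and any(m in event["value"].lower() for m in STAGING_MARKERS):
            hits.append("run-key-nvidia-themed-staging")
    elif kind == "network":
        # Known C2 host (defanged or not) or the hard-coded port on any destination.
        if refang(event["dest"]) in C2_DOMAINS or event["port"] == C2_PORT:
            hits.append("c2-domain-or-port")
    return hits

def scan(events) -> list:
    """Flatten (event id, detection name) pairs for every event that matched."""
    return [(e["id"], h) for e in events for h in classify(e)]

# Constructed Sysmon-style events: 1, 3 and 4 mimic the campaign; 2 and 5 are benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
    {"id": 3, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"%USERPROFILE%\AppData\LocalLow\Program Rules NVIDEO\ktncm.js"},
    {"id": 4, "type": "network", "dest": "xtadts.ddns[.]net", "port": 7211},
    {"id": 5, "type": "network", "dest": "update.example.com", "port": 443},
]
```

Calling `scan(SAMPLE_EVENTS)` flags events 1, 3 and 4 and leaves the developer's MSBuild run and the HTTPS update check alone; in practice the events would come from an EDR or Sysmon export rather than the inline list.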
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| File | Bestellung_2026.html | Malicious HTML attachment |
| Domain | fostercareintheus.optimizationprime[.]com | Redirector stage |
| Domain | bth.startthewave[.]org | Delivery kit host |
| URL | pengajian.muliastudy[.]com/images/edu/u.php | Serves the ZIP archive payload |
| File | A021185521S210008-11521.zip | Delivery ZIP archive served by malspam kit |
| File | A021185521S210008-11521.js | JavaScript loader |
| File | ktncm.js | JavaScript loader (relocated copy) |
| File | zkrbx.txt | Staging file |
| File | gglhn.txt | Staging file |
| File | nlbzl.ps1 | PowerShell dropper |
| File | shmvg_01.ps1 | PowerShell stager |
| Domain | andrefelipedonascime1778799406970.2241107.meusitehostgator[.]com[.]br | Serves 01.txt, 02.txt, 03.txt staging files |
| Path | %USERPROFILE%AppDataLocalLowLocalLow WindowsProgram RulesProgram Rules NVIDEO | Loader’s NVIDIA-themed staging directory |
| Domain | catalogo.castrouria[.]com | Serves bl.txt (packed loader) |
| SHA-256 | D5B7247C497788CF0031CEB06E3DF77A45FEF59F1E49633DC7159816D64759B5 | C2 certificate pin |
| SHA-256 | C61B1941CF756EB7551F7C661743802362728B785ADC22E860D269713DFB01A6 | C2 certificate pin |
| SHA-256 | C356AFF1A01C2B0DA472E584C8E3C8F875B9A24280435D42836A77B19F5A8C18 | C2 certificate pin |
| SHA-256 | F1C3EBE78BD8C38559BF3CFCC9A9FA37D221E31780774A3787E26160A61F5348 | C2 certificate pin |
| SHA-256 | E91FB249AA97BE5C7931E430781167EDFE7BA804720B5F643E6AB70B7E6E74DD | C2 certificate pin |
| Domain | xtadts.ddns[.]net | Loader’s C2 server 1 |
| Domain | afxwd.ddns[.]net | Loader’s C2 server 2 |
| Port | 7211 | C2 communication port |
| String | P@55w0rd! | Hardcoded AES password for C2 comms derivation via PBKDF2 |
| User-Agent | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0…) | Hardcoded IE8 User-Agent used by loader for payload retrieval |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.