Cybercriminals are employing new techniques to bypass email security systems by leveraging trusted platforms. A recent malspam campaign has been identified using Google’s DoubleClick ad infrastructure to direct victims to a fileless .NET loader, a sophisticated form of malware that operates almost entirely in memory.
Malspam Campaign Mechanics
Malicious spam, or malspam, is a well-known tactic for distributing malware. Traditionally, it involves emails with harmful attachments or links. This campaign stands out due to its use of reputable web services as camouflage, reducing detection risks. Identified by Huntress in May 2026, the campaign begins with an email containing a malicious HTML file named ‘Bestellung_2026.html,’ indicating a possible focus on German-speaking businesses.
The HTML file includes a zero-second meta-refresh redirect, steering the victim’s browser to a Google DoubleClick URL. This legitimate domain is mainly trusted, allowing the malware to proceed to attacker-controlled infrastructure without raising alarms.
Execution and Delivery Method
Upon reaching the attacker’s infrastructure, the victim encounters a crafted web page that uses their email, company logo, and local information to enhance credibility. When the user attempts to download a seemingly innocuous PDF, they receive a ZIP file harboring the actual malware.
This ZIP file contains a JScript file, initiating a multi-step infection chain. The script relocates to a stable directory, then decodes and executes an obfuscated PowerShell script. This script checks for network connectivity and, if offline or analyzed by certain tools, forces a system reboot to complicate security efforts.
Defense Evasion Tactics
The PowerShell script downloads a .NET loader that functions entirely in memory, using .NET reflection to avoid detection. It integrates into legitimate system processes like InstallUtil.exe, making it difficult for traditional antivirus solutions to identify.
To evade detection, the loader manipulates Windows’ AMSI and ETW telemetry engines, blinding these systems to suspicious activity. It establishes persistence using registry keys and scheduled tasks, disguised as routine NVIDIA driver activity. Encrypted communication with command-and-control servers allows for further payload delivery and command execution.
Preventive Measures and Recommendations
Huntress advises configuring Group Policy Objects to open script file types like .js and .vbs in Notepad by default, preventing execution. Implementing email authentication protocols such as SPF, DKIM, and DMARC, alongside sandboxing attachments, can halt this threat in its early stages. Regular phishing awareness training remains essential, as human error is a frequent vulnerability.
For organizations, staying vigilant and updating security protocols is crucial to defending against evolving cyber threats like this malspam campaign. By understanding the mechanisms and implementing robust defenses, companies can significantly reduce their risk of infection.
