Experts warn hackers are hiding malware inside Google's own ad systems - here's what we know
Date:
Wed, 10 Jun 2026 21:25:00 +0000
Description:
Hackers routed a multi-stage malware campaign through Google's ad infrastructure, using dynamic branding and in-memory execution to evade detection entirely.
FULL STORY ======================================================================

- Google's ad domain became the perfect cover for a malware delivery chain
- The malware rebuilt fake company pages using real logos pulled live online
- Five attack stages ran almost entirely inside memory, leaving almost no trace

Cybersecurity researchers are warning about a malware campaign which uses Google's ad infrastructure to disguise malicious activities.
Research from Huntress found the operation begins with malicious spam emails carrying HTML attachments designed to redirect users toward a carefully layered infection chain. The campaign drew attention because the redirect process initially passed through ad.doubleclick.net, a legitimate Google-owned ad and tracking domain trusted widely across security systems.

The malware chain hides behind trusted infrastructure

This routing method matters because many email gateways and web filtering systems rarely treat Google ad domains as suspicious or potentially malicious destinations.

The attachment itself contained almost no meaningful content beyond a hidden redirect forwarding victims toward additional infrastructure controlled by attackers.
Once users interacted with the page, the operation rebuilt itself dynamically using data that was automatically extracted from the recipient's email address during execution.
If the user downloads the attached archive, the infection chain shifts rapidly from social engineering techniques to concealed malware execution inside Windows.
The downloaded files rely on JScript, PowerShell, reflective .NET loading, and in-memory execution methods designed to reduce detection.
The malware avoids leaving traditional files behind while executing several stages directly inside active memory.
This campaign is believable because it goes the extra mile to generate custom branding, automatically pulling company logos from online sources.
It also gathers location details and local time information, helping the fraudulent pages appear more believable to recipients.

Researchers say the malware focused heavily on stealth

Huntress identified a five-stage sequence involving HTML redirects, JScript loaders, PowerShell scripts, .NET components, and a final concealed payload deployment stage.
The malware checks for debugging environments, sandbox systems, and forensic analysis tools before continuing its execution sequence.
If it detects these tools, it terminates its activity immediately and sometimes forces infected systems to restart without additional warning messages.
Furthermore, the malware interferes with Windows security monitoring through native API-level modifications that affect AMSI and ETW telemetry directly.
It attempts to hide by injecting malicious code into legitimate Microsoft-signed utilities, including InstallUtil.exe and MSBuild.exe.
This technique allows the operation to blend malicious behaviour into trusted Windows processes that enterprise security tooling recognizes as legitimate.
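Two of the hand-offs described above (an HTML attachment that is little more than a redirect, and a script host launching PowerShell which then launches InstallUtil.exe or MSBuild.exe) are simple to check for on the defender's side. The following is an added triage example written for this article, not Huntress's or TechRadar's code; the sample HTML and the Sysmon-style process events are constructed, and the doubleclick URL path is a placeholder.

```python
"""Defender-side triage for two stages the article describes: a near-empty
HTML attachment that only redirects, and a script host -> powershell.exe ->
InstallUtil.exe/MSBuild.exe process lineage."""
import re

# Any of these is enough for a page to forward the reader somewhere else.
REDIRECT_RE = re.compile(
    r"""(http-equiv\s*=\s*["']refresh["']|location\.(href|replace)|window\.open)""",
    re.I)

def triage_html_attachment(html: str, max_visible_chars: int = 40) -> dict:
    """Flag HTML whose visible text is tiny but which carries a redirect."""
    redirect = bool(REDIRECT_RE.search(html))
    urls = re.findall(r"""https?://[^\s"'<>]+""", html)
    visible = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    visible = " ".join(re.sub(r"<[^>]+>", " ", visible).split())
    return {"redirect": redirect, "urls": urls,
            "suspicious": redirect and len(visible) <= max_visible_chars}

# Parent -> child pairs from the chain in the article (names from the page).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}        # JScript loader stage
PROXY_BINARIES = {"installutil.exe", "msbuild.exe"}  # injection targets

def suspicious_lineage(events: list) -> list:
    """events: process-creation records (pid, ppid, image). One reason per hit."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        child, par = e["image"].lower(), parent["image"].lower()
        if par in SCRIPT_HOSTS and child == "powershell.exe":
            hits.append(f"pid {e['pid']}: {par} -> powershell.exe (JScript loader stage)")
        if par == "powershell.exe" and child in PROXY_BINARIES:
            hits.append(f"pid {e['pid']}: powershell.exe -> {child} (signed-binary injection target)")
    return hits

# Constructed sample inputs for demonstration, not real campaign artefacts.
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" content="0;url='
               'https://ad.doubleclick.net/example-redirect-path"></head>'
               '<body></body></html>')
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"pid": 400, "ppid": 300, "image": "InstallUtil.exe"},
    {"pid": 500, "ppid": 100, "image": "msbuild.exe"},  # benign: user-launched
]

if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_HTML))
    print("\n".join(suspicious_lineage(SAMPLE_EVENTS)))
```

The lineage rule deliberately ignores MSBuild.exe started directly from explorer.exe, since that is how a developer normally runs it; the signal is the scripting-host and PowerShell ancestry.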
There is also a communication infrastructure that relies on dynamic DNS services and nonstandard network ports, capable of changing rapidly after defensive countermeasures emerge.
The malware also collected hardware details from infected systems, including processor identifiers, antivirus products, motherboard information, and graphics hardware manufactured by Nvidia and AMD.
The entire operation appears structured for long-term unauthorized access because persistence mechanisms repeatedly relaunch malicious processes after system restarts or shutdown events.
Unfortunately, Huntress did not identify the final operational objective conclusively. However, the structure suggests preparations for extensive remote intrusion activities.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/experts-warn-hackers-are-hiding-malware-inside-googles-own-ad-systems-heres-what-we-know
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)