
Malware Chain Concealed in Trusted Windows Tools

A sophisticated malware campaign exploits Google's ad infrastructure to disguise its activities, embedding itself within trusted Windows tools. This five-stage attack leverages legitimate processes to evade detection.

iGEN Editorial
June 10, 2026

Cybersecurity researchers have uncovered a sophisticated malware campaign that exploits Google's ad infrastructure to disguise its malicious activity. The operation, identified by Huntress, begins with spam emails carrying HTML attachments that redirect users through ad.doubleclick.net, a legitimate Google-owned domain. Because many security systems implicitly trust Google domains, the redirect lets the malware slip past them.

The Five-Stage Attack

The malware campaign unfolds in five distinct stages, each designed to operate stealthily within a system's memory. The stages involve:

  1. HTML Redirects: Initial redirection through trusted domains.
  2. JScript Loaders: Loading scripts to prepare the system for further stages.
  3. PowerShell Scripts: Executing commands to manipulate system settings.
  4. .NET Components: Using reflective loading to execute code in memory without writing it to disk.
  5. Payload Deployment: Final stage where the malware executes its primary functions.

This sequence is engineered to avoid detection by traditional security measures, as it leaves minimal traces on the system.

Stealth and Evasion Techniques

The malware employs several techniques to remain undetected:

  • In-Memory Execution: By operating almost entirely in memory, the malware avoids creating files that could be flagged by antivirus software.
  • Dynamic Branding: It dynamically pulls company logos and other data to create convincing fake pages.
  • API Modifications: Tampers with Windows security monitoring interfaces such as AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) so that scanning and telemetry do not report its activity.

These methods let the malware hide behind legitimate, Microsoft-signed processes such as InstallUtil.exe and MSBuild.exe, so that security systems which trust a process by its identity alone struggle to recognise the malicious activity.
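The defensive counterpart to the five-stage chain and to the InstallUtil.exe/MSBuild.exe abuse described above is to look at process lineage rather than at any single process. The following is an added example, not code from Huntress or from the original article: it walks a set of constructed process-creation events (modelled loosely on Sysmon Event ID 1 fields, with hypothetical PIDs, paths and command lines) and flags a .NET utility whose ancestors include both a script host and a mail client or browser. The process names in the watch sets are the ones named on the page plus common script hosts; everything else is an assumption for illustration.

```python
"""Process-lineage detection sketch for a script-host -> .NET-LOLBin chain.

Added example (not the article's or Huntress's code). The events below are
constructed, not real telemetry; PIDs, file names and command lines are
hypothetical.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lowercase basename of the executable, e.g. "wscript.exe"
    cmdline: str    # illustrative only; not used by the lineage check


# Stages 2-3 of the described chain run in script hosts; stage 4 lives in
# Microsoft-signed .NET utilities the article names (InstallUtil, MSBuild).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
DOTNET_LOLBINS = {"installutil.exe", "msbuild.exe"}
# Stage 1 starts from an HTML attachment, so the root of the chain is a
# mail client or the browser it hands the attachment to.
MAIL_OR_BROWSER = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def build_index(events):
    """Map pid -> event so parents can be resolved in O(1)."""
    return {e.pid: e for e in events}


def ancestry(proc, index, max_depth=8):
    """Return [proc, parent, grandparent, ...] following ppid links."""
    chain = [proc]
    cur = proc
    while cur.ppid in index and len(chain) < max_depth:
        cur = index[cur.ppid]
        chain.append(cur)
    return chain


def find_suspicious_chains(events):
    """Flag a .NET LOLBin whose ancestry contains a script host AND a
    mail client/browser; returns [(pid, "child <- parent <- ..."), ...]."""
    index = build_index(events)
    hits = []
    for e in events:
        if e.image not in DOTNET_LOLBINS:
            continue
        images = [p.image for p in ancestry(e, index)]
        ancestors = images[1:]
        has_script_host = any(i in SCRIPT_HOSTS for i in ancestors)
        from_mail_or_browser = any(i in MAIL_OR_BROWSER for i in ancestors)
        if has_script_host and from_mail_or_browser:
            hits.append((e.pid, " <- ".join(images)))
    return hits


# Constructed sample: one chain that matches the described attack and one
# benign MSBuild run launched from a developer's Visual Studio session.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "outlook.exe", "outlook.exe"),
    ProcEvent(300, 200, "msedge.exe", "msedge.exe attachment.html"),
    ProcEvent(400, 300, "wscript.exe", "wscript.exe loader.js"),
    ProcEvent(500, 400, "powershell.exe", "powershell.exe -w hidden stage3.ps1"),
    ProcEvent(600, 500, "installutil.exe", "installutil.exe stage4.dll"),
    ProcEvent(700, 100, "devenv.exe", "devenv.exe"),
    ProcEvent(800, 700, "msbuild.exe", "msbuild.exe project.csproj"),
]


if __name__ == "__main__":
    for pid, chain in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {chain}")
```

The benign MSBuild run is not flagged because its ancestry (devenv.exe, explorer.exe) contains no script host and no mail client; in production the watch sets would be tuned to the environment and the check run over real endpoint telemetry rather than an inline list.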

Long-Term Intrusion Capabilities

The campaign appears structured for long-term unauthorized access. It collects detailed hardware information, including processor and graphics details from Nvidia and AMD products, and uses dynamic DNS services to maintain communication with its control servers. This infrastructure supports persistent access, even after system restarts.
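Command-and-control traffic to dynamic DNS names, as described above, tends to show up in DNS logs as a single host resolving the same name at a near-constant interval. The block below is an added example, not code from the article or from Huntress: it parses constructed DNS query lines (timestamp, source host, queried name; all values are made up, and the ".dyn-example.test" suffix stands in for a real dynamic DNS provider watchlist) and flags names that are either on the watchlist or queried with suspiciously regular timing.

```python
"""DNS beaconing and dynamic-DNS watchlist check over query logs.

Added example (not the article's or Huntress's code). Log lines, host names
and the watchlist suffix are constructed placeholders.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<epoch_seconds> <source_host> <queried_name>"
# ws-17 resolves one dynamic-DNS name every ~300 s (a beacon) and a vendor
# CDN name at irregular intervals (benign).
DNS_LOG = """\
1718000000 ws-17 updates.example-vendor.test
1718000000 ws-17 host-a1b2.dyn-example.test
1718000300 ws-17 host-a1b2.dyn-example.test
1718000602 ws-17 host-a1b2.dyn-example.test
1718000899 ws-17 host-a1b2.dyn-example.test
1718001201 ws-17 host-a1b2.dyn-example.test
1718000120 ws-17 cdn.example-vendor.test
1718000700 ws-17 cdn.example-vendor.test
1718003000 ws-17 cdn.example-vendor.test
1718003100 ws-17 cdn.example-vendor.test
"""

# Placeholder watchlist; a real deployment would load the suffixes of the
# dynamic DNS providers it cares about.
DYNAMIC_DNS_SUFFIXES = (".dyn-example.test",)


def parse_dns_log(text):
    """Parse log lines into (timestamp, host, normalised qname) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, qname = line.split()
        rows.append((int(ts), host, qname.lower().rstrip(".")))
    return rows


def beacon_candidates(rows, min_queries=4, max_cv=0.05):
    """Group queries by (host, qname) and flag those that are on the
    dynamic-DNS watchlist or whose inter-query gaps have a coefficient of
    variation (stdev / mean) at or below max_cv, i.e. near-constant timing."""
    by_key = defaultdict(list)
    for ts, host, qname in rows:
        by_key[(host, qname)].append(ts)

    findings = []
    for (host, qname), times in by_key.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        on_watchlist = qname.endswith(DYNAMIC_DNS_SUFFIXES)
        if on_watchlist or cv <= max_cv:
            findings.append({
                "host": host,
                "qname": qname,
                "count": len(times),
                "mean_gap_s": round(avg, 1),
                "cv": round(cv, 3),
                "dyndns": on_watchlist,
            })
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_dns_log(DNS_LOG)):
        print(f)
```

The CDN name is queried four times but at gaps of 580, 2300 and 100 seconds, so its coefficient of variation is far above the threshold and it is not reported; the dynamic DNS name is reported both because it is on the watchlist and because its gaps (300, 302, 297, 302 seconds) are nearly constant. Because the timing check depends only on the query pattern, it still fires after a reboot or a change of resolved address, which is the property that matters against infrastructure built for persistent access.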

Implications for Enterprises

For enterprise technology leaders, this malware campaign underscores the importance of scrutinizing even trusted domains and processes. The use of legitimate infrastructure like Google's ad systems and Windows tools highlights the need for advanced threat detection solutions that can identify unusual behavior patterns rather than relying solely on domain or process trust.

Organizations must ensure their cybersecurity measures are robust enough to detect such sophisticated threats, potentially involving AI-driven anomaly detection and enhanced endpoint security protocols.


Sources: TechRadar – Main Feed
