Malspam Campaign Abuses DoubleClick to Deploy Stealthy .NET Loader
ID: 064a324b-4743-5039-8295-3de1637e2de4
STIX ID: report--064a324b-4743-5039-8295-3de1637e2de4
Feed Name: GBHackers
A Huntress analysis details an active malspam campaign that routes its lure links through Google DoubleClick redirect URLs (so the link a gateway inspects resolves to a trusted Google domain) and personalizes each lure per recipient on the fly, which together let the messages slip past email security gateways. The delivery is a five-stage infection chain: HTML lure → JScript dropper → PowerShell stager → .NET loader → payload injected by process hollowing. The malware performs sandbox and analysis-environment detection (including forcing reboots to outlast short-lived sandboxes), patches AMSI and ETW in memory, disables Microsoft Defender, establishes persistence under NVIDIA-themed names, and communicates over AES-encrypted raw TCP with C2 servers behind dynamic-DNS (DDNS) hostnames. The report provides IOCs and mitigation recommendations.
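The behaviours summarized above map onto a handful of host-level hunts: a script engine spawning PowerShell, PowerShell launching a binary from a user-writable path, an NVIDIA-themed autorun that does not point at an NVIDIA install root, and an outbound TCP connection to a dynamic-DNS hostname. The block below is an added example written for this page, not code or IOCs from the Huntress report; it runs those checks over a small set of constructed events in a simplified Sysmon-like shape. The DDNS suffix list and the NVIDIA install roots are assumptions to be extended from your own telemetry and intel, and every hostname, path and user name in the sample data is made up.

```python
import re

# Assumption: illustrative subset of public dynamic-DNS suffixes; extend from your own intel.
DDNS_SUFFIXES = tuple("." + s for s in ("ddns.net", "no-ip.org", "duckdns.org", "hopto.org"))

# Assumption: default locations where a genuine NVIDIA binary is expected to live.
NVIDIA_ROOTS = (
    "c:\\program files\\nvidia corporation\\",
    "c:\\windows\\system32\\driverstore\\filerepository\\",
)

SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\")


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev: dict) -> list[str]:
    """JScript dropper -> PowerShell stager -> loader dropped in a user-writable directory."""
    findings = []
    parent, image = _basename(ev["parent"]), _basename(ev["image"])
    if parent in SCRIPT_ENGINES and image in POWERSHELL:
        findings.append(f"script engine {parent} spawned {image}: {ev['cmdline']}")
    if parent in POWERSHELL and any(d in ev["image"].lower() for d in USER_WRITABLE):
        findings.append(f"powershell launched {ev['image']} from a user-writable path")
    return findings


def check_registry(ev: dict) -> list[str]:
    """NVIDIA-themed Run-key entry whose executable is not under an NVIDIA install root."""
    if "\\run" not in ev["key"].lower():
        return []
    name, data = ev["value_name"].lower(), ev["data"].lower()
    m = re.match(r'"?([a-z]:\\[^"]*?\.exe)', data)  # strip quotes/arguments down to the .exe path
    target = m.group(1) if m else data
    if "nvidia" in name + target and not target.startswith(NVIDIA_ROOTS):
        return [f"NVIDIA-themed autorun '{ev['value_name']}' points outside NVIDIA roots: {target}"]
    return []


def check_network(ev: dict) -> list[str]:
    """Raw TCP to a dynamic-DNS hostname; the port is deliberately not used as a filter."""
    host = ev["dest_host"].lower()
    if ev.get("proto", "tcp") == "tcp" and host.endswith(DDNS_SUFFIXES):
        return [f"{_basename(ev['image'])} -> {host}:{ev['dest_port']} (dynamic-DNS C2 candidate)"]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def hunt(events: list[dict]) -> list[str]:
    """Run every check over a list of events and return the findings in order."""
    findings = []
    for ev in events:
        findings.extend(CHECKS[ev["type"]](ev))
    return findings


# Constructed sample telemetry (not real IOCs): two benign records mixed in with the chain.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64 omitted>"},
    {"type": "process", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\NVIDIA\\nvcontainer.exe", "cmdline": "nvcontainer.exe"},
    {"type": "process", "parent": "C:\\Windows\\explorer.exe",  # benign admin use
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe Get-Date"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "NVIDIA Display Container",
     "data": '"C:\\Users\\alice\\AppData\\Roaming\\NVIDIA\\nvcontainer.exe"'},
    {"type": "registry", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",  # benign
     "value_name": "NvBackend",
     "data": '"C:\\Program Files\\NVIDIA Corporation\\Update Core\\NvBackend.exe"'},
    {"type": "network", "image": "C:\\Users\\alice\\AppData\\Roaming\\NVIDIA\\nvcontainer.exe",
     "dest_host": "update-nv.ddns.net", "dest_port": 4444, "proto": "tcp"},
    {"type": "network", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",  # benign
     "dest_host": "www.example.com", "dest_port": 443, "proto": "tcp"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Against the sample data the hunt returns four findings (the wscript → PowerShell spawn, the loader launched from AppData, the NVIDIA-themed Run key pointing into AppData, and the TCP session to the DDNS host) and stays silent on the benign Run key and the browser traffic. Two caveats for real use: the registry check deliberately keys on the path rather than the value name, since a signed NVIDIA binary in its normal location should not fire, and the network check does not filter on port, because AES over raw TCP can sit on any port and a 443 allow-list would miss it.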
