Attackers Abuse Google DoubleClick Domain

Attackers are abusing Google's DoubleClick domain to bypass security tools and deliver a remote access trojan, evading detection using a trusted service.

Security researchers have identified a new malspam campaign that cleverly abuses Google's DoubleClick service to distribute malware. The attack begins with a malicious email containing a link. When a user clicks this link, they are not immediately sent to a malicious website. Instead, their traffic is first routed through the legitimate googleads.g.doubleclick.net domain. This initial step is designed to bypass security tools, as traffic from a trusted Google domain is often automatically allowed. Only after this legitimate redirect does the user's browser get forwarded to an attacker-controlled server, which then delivers the final payload. The malware in this campaign has been identified as the DesckVB Remote Access Trojan (RAT).

This technique is significant because it exploits the inherent trust that security systems place in major internet infrastructure. By using a high-reputation domain as a stepping stone, attackers can effectively "launder" their malicious traffic, making it much harder for standard security filters and firewalls to detect the threat. This method highlights a sophisticated evolution in attack vectors, moving beyond simple malicious links to complex, multi-stage redirection chains that leverage legitimate services. For IT and security teams, this means that simply blocking known bad domains is no longer sufficient. It underscores the need for security solutions that can analyze the entire chain of redirects and identify suspicious behavior, even when it involves trusted domains.