Attackers used legitimate ad infrastructure to hide malicious links and avoid email defenses.
Security researchers identified a targeted phishing campaign dubbed Operation Poseidon that abuses Google’s advertising tracking infrastructure to distribute EndRAT malware. According to Cybersecurity News, attackers embedded malicious destinations inside legitimate Google Ads click tracking URLs, allowing phishing emails to pass security checks and appear as normal advertising traffic. The campaign has been attributed to the Konni APT group and primarily targeted organizations by impersonating financial institutions and human rights groups.
The attack chain began with spear phishing emails containing links that routed victims through Google’s ad.doubleclick.net domain before redirecting them to compromised WordPress sites hosting malicious ZIP archives. Inside the archives were shortcut files that launched AutoIt scripts disguised as PDF documents. These scripts loaded the EndRAT malware directly into memory, avoiding traditional file-based detection. Researchers also found that the attackers rotated infrastructure frequently by reusing compromised websites for both malware delivery and command and control, which reduced the effectiveness of domain blocking and blacklist-based controls.
Security analysts said the spear phishing campaign was built to bypass detection long before any user interaction took place. Reporting cited by Cybersecurity News in January 2026 described how attackers padded emails with hidden text to confuse spam filters, while transparent tracking pixels were used to confirm recipient engagement. Analysts also found unique identifier strings and internal build references embedded in the malware, pointing to a coordinated operation linked to the Konni APT ecosystem. Researchers said the campaign further relied on legitimate advertising infrastructure, “significantly lowering detection probability,” and increasing the likelihood that targets would engage with the messages.
Paubox has observed a steady pattern of phishing campaigns that rely on Google’s own platforms to appear legitimate. Recent activity has included emails impersonating Google support, Google Tasks notifications, and Google Cloud service messages, all designed to blend into normal traffic and pass basic security checks.
Across these campaigns, the common thread is the use of trusted Google infrastructure as the entry point. Links resolve through real Google services before redirecting victims elsewhere, which helps the messages land in inboxes and reduces early suspicion. The same trust dynamic is at play in campaigns abusing Google Ads tracking domains, where malicious destinations are hidden behind advertising and analytics URLs that users and security tools see every day.
Threat actors are abusing trusted online services to mask malicious activity. Google’s Threat Analysis Group has previously reported that attackers frequently exploit advertising platforms, URL shorteners, and analytics services to blend phishing traffic into normal user behavior. These techniques complicate detection because security tools often treat such infrastructure as low risk by default, forcing defenders to rely more heavily on behavioral analysis and user awareness.
Legitimate advertising platforms are widely trusted, heavily used, and less likely to be blocked by security controls, which allows malicious traffic to blend in.
The phishing links initially resolve to legitimate advertising domains, which reduces the likelihood that filters flag the message as malicious.
EndRAT provides remote access, allowing attackers to collect system data, execute commands, and maintain persistence on compromised systems.
Shortcut files can execute scripts while appearing harmless and often bypass attachment filtering rules.
Organizations can inspect URL parameters, restrict execution of shortcut files, monitor outbound traffic for unusual redirection patterns, and train users to verify unexpected document delivery.
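The URL-parameter inspection mentioned above, as an added example that is not code from Paubox or the researchers: it scans links in an e-mail body, and when a link points at an ad click-tracking host (ad.doubleclick.net, the host named in the article) it pulls out the destination URL wrapped in the tracker's query string or path, decoding it repeatedly, and flags the link when that destination is not on an allowlist. The tracking-host set, the allowlist, the parameter name and the sample e-mail are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Click-tracking hosts that wrap the real destination inside their own URL
# (ad.doubleclick.net is the one named in the article; extend as needed).
TRACKING_HOSTS = {"ad.doubleclick.net"}
# Destinations this (hypothetical) organisation expects behind ad links.
ALLOWED_DEST_DOMAINS = {"example-bank.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def embedded_urls(url, max_decode=3):
    """Absolute URLs found in query values or path segments of `url`, percent-decoded repeatedly."""
    parts = urlsplit(url)
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates += parts.path.split("/")
    found = []
    for text in candidates:
        for _ in range(max_decode):
            match = URL_RE.search(text)
            if match:
                found.append(match.group(0))
                break
            decoded = unquote(text)
            if decoded == text:  # nothing left to decode
                break
            text = decoded
    return found

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def destination_allowed(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DEST_DOMAINS)

def assess_link(url):
    """Return (verdict, host) for one link taken from an e-mail body."""
    host = host_of(url)
    if host not in TRACKING_HOSTS:
        return ("not-tracking", host)
    dests = embedded_urls(url)
    if not dests:
        return ("tracking-no-destination", host)
    next_hop = host_of(dests[0])
    if destination_allowed(next_hop):
        return ("tracking-allowed", next_hop)
    return ("tracking-suspicious", next_hop)  # wrapped destination is unexpected

def scan_email_body(body):
    """Assess every link found in a plain-text e-mail body (constructed input in the test)."""
    return [(u,) + assess_link(u) for u in URL_RE.findall(body)]
```

A "tracking-suspicious" verdict is a triage signal, not proof of compromise; the same check can be run on proxy logs to catch the redirect after the click.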