Categories: Cyber Security News

New Spear-Phishing Campaign Abuses Google Ads to Deliver EndRAT Malware

Security researchers have documented Operation Poseidon, a sophisticated spear-phishing campaign attributed to the Konni APT group that weaponizes legitimate Google Ads infrastructure to distribute EndRAT malware.

The campaign demonstrates advanced exploitation of ad-click redirection mechanisms integrated into the Google advertising ecosystem, bypassing traditional email security controls and URL reputation systems.

Campaign Overview

The threat actor exploits DoubleClick’s ad-tracking infrastructure, acquired by Google in 2008 for $3.1 billion, to establish credibility before redirecting users to external servers that distribute malware.

By embedding command-and-control (C2) addresses within advertising redirection URLs, attackers mask malicious traffic as legitimate ad traffic, thereby significantly reducing the likelihood of detection during initial access.

Malicious URL embedded in a legitimate advertising URL parameter (source: Genians)

Researchers identified internal build path artifacts embedded within malicious AutoIt scripts: D:3_Attack WeaponAutoitBuild__Poseidon – Attackclient3.3.14.a3x.

This OPSEC failure reveals the threat actor’s internal operational naming convention and development environment structure, indicating Operation Poseidon functions as a distinct operational unit within the Konni infrastructure.

The campaign combines multiple sophisticated evasion techniques. Spear-phishing emails contain meaningless English sentences hidden with the CSS display: none property, which confuses AI-based detection systems while the text remains invisible to recipients.

Spear-phishing attack (source: Genians)

A 1×1 pixel web beacon (kppe[.]pl) tracks email opens using Base64-encoded recipient identifiers, confirming target viability before payload delivery.

Attackers exploited NAVER advertising URLs (mkt.naver[.]com) in May-July 2025, but recent campaigns consolidated operations around Google’s infrastructure.

The redirection chain flows: legitimate advertising URL → embedded C2 parameter → WordPress-hosted malware → LNK file execution → AutoIt script → EndRAT in-memory execution.
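One way to surface the first link of that chain, the external landing page carried inside an ad-click URL, is to parse the redirector's query string and report any absolute URL whose host differs from the redirector. This is an added example written for this article, not code from the report or from Genians; the redirector host list, the parameter names and the sample click URL (with a placeholder landing host) are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Ad-click redirector hosts treated as "legitimate" for this example (assumption:
# the article names DoubleClick/Google and mkt.naver[.]com as the abused services).
AD_REDIRECTOR_HOSTS = {"ad.doubleclick.net", "mkt.naver.com"}

# Constructed sample click URL in the style the article describes; the landing
# host is a placeholder, not an indicator from the report.
SAMPLE_CLICK_URL = ("https://ad.doubleclick.net/ddm/clk/000000"
                    "?adurl=https%3A%2F%2Fwp-lure.example%2Fwp-content%2Fuploads%2Fstatement.zip")

def embedded_destinations(url, max_depth=3):
    """Return (param, url) pairs for absolute http(s) URLs carried in the query
    string of an ad-click URL. Values are unquoted repeatedly (up to max_depth)
    because nested redirects are often double-encoded; only destinations whose
    host differs from the redirector host are reported."""
    parts = urlsplit(url)
    redirector = (parts.hostname or "").lower()
    found = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        candidate = value
        for _ in range(max_depth):
            inner = urlsplit(candidate)
            if inner.scheme in ("http", "https") and inner.hostname:
                if inner.hostname.lower() != redirector:
                    found.append((key, candidate))
                break
            decoded = unquote(candidate)
            if decoded == candidate:      # nothing left to decode
                break
            candidate = decoded
    return found

def is_suspicious_ad_click(url, expected_landing_hosts=frozenset()):
    """True when a known ad redirector forwards to a landing host that is not on
    the allow-list of hosts the advertiser is expected to use."""
    if (urlsplit(url).hostname or "").lower() not in AD_REDIRECTOR_HOSTS:
        return False
    return any(urlsplit(dest).hostname.lower() not in expected_landing_hosts
               for _, dest in embedded_destinations(url))

if __name__ == "__main__":
    for key, dest in embedded_destinations(SAMPLE_CLICK_URL):
        print(f"{key} -> {dest}")
    print("suspicious:", is_suspicious_ad_click(SAMPLE_CLICK_URL))
```

Run against proxy or mail-gateway logs, the allow-list should hold the landing hosts a given advertiser legitimately uses, so that only redirects to unexpected hosts (such as the WordPress-hosted malware stage described above) are flagged.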

Victims received malicious ZIP archives containing LNK (Windows shortcut) files disguised as legitimate documents.

Filenames impersonated South Korean financial institutions with official-sounding requests: “Request for Submission of Explanation Materials_20250430TS5869570S.zip” and “Wire Transfer and Transaction History Confirmation(20250722).zip.”

December 2025 attacks pivoted to impersonating North Korean human rights organizations, using lures that recruited lecturers for awareness academies.

This thematic variation maintains targeting consistency against the South Korean financial sector and human rights communities while demonstrating operational flexibility.

LNK file execution triggers AutoIt3.exe, which processes a disguised PDF script containing the EndRAT (AutoItRAT) variant. The EndRAT codebase includes hardcoded identifiers: endServer9688, endClient9688, endServerFile9688, endClientFile9688.

Recent samples removed internal “Poseidon – Attack” strings, indicating that the threat actor was aware of detection signatures following initial public attribution.

Version tracking (client 3.3.14) indicates continuous maintenance of a reusable, commercial-grade framework rather than campaign-specific tooling.

The malware loads entirely into memory, evading disk-based signature analysis while establishing bidirectional C2 communication for command receipt and data exfiltration.

Infrastructure correlation analysis identified network asset reuse across multiple Konni campaigns. Cross-linked email delivery hosts, web beacon domains, and C2 infrastructure demonstrate unified operational management.

Geographic distribution of legitimate websites (Japan, Europe, Southeast Asia) matches historical Konni obfuscation patterns.

The combination of LNK-based execution, AutoIt scripting, North Korean human rights thematic content, financial institution impersonation, and infrastructure reuse patterns correlates with four previously documented Konni operations: Android remote wipe tactics, National Police Agency/Human Rights Commission impersonation, expanded threat universe analysis, and AutoIt-based defense evasion techniques.

Compiler directives of the AutoIt script (source: Genians)

Organizations should implement behavior-based Endpoint Detection and Response (EDR) solutions capable of identifying abnormal process trees following LNK execution.
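The process tree the article describes (a double-clicked LNK leading to AutoIt3.exe running a script disguised as a PDF) can be expressed as a simple scoring rule over process-creation telemetry. The following is an added example, not code from the report or from any EDR vendor; the Sysmon-style event fields, the sample events, paths and PIDs are constructed for illustration.

```python
import ntpath

# Constructed Sysmon-style process-creation events for the LNK -> AutoIt3.exe stage;
# paths and PIDs are made up for this example, not telemetry from the report.
SAMPLE_EVENTS = [
    {"pid": 4012, "ppid": 1200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5120, "ppid": 4012, "image": r"C:\Users\victim\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r'AutoIt3.exe "C:\Users\victim\AppData\Local\Temp\Request_20250430.pdf"'},
    {"pid": 5300, "ppid": 4012, "image": r"C:\Program Files\AutoIt3\AutoIt3.exe",
     "cmdline": r'AutoIt3.exe "C:\Users\victim\Documents\tool.au3"'},
]
SCRIPT_EXTS = {".au3", ".a3x"}          # extensions AutoIt3 normally runs
USER_LAUNCHERS = {"explorer.exe"}       # parent of a double-clicked shortcut
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")

def _next_token(s):
    """Split one command-line token (double-quoted or bare) off the front of s."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        end = len(s) if end < 0 else end
        return s[1:end], s[end + 1:]
    parts = s.split(None, 1) + ["", ""]
    return parts[0], parts[1]

def script_argument(cmdline):
    """Return the first argument after the executable, i.e. the script path."""
    _, rest = _next_token(cmdline)      # drop the executable token itself
    return _next_token(rest)[0]

def find_autoit_lnk_chains(events):
    """Flag AutoIt3.exe launches that match at least two of: spawned by a user
    launcher, script extension outside SCRIPT_EXTS (e.g. a disguised .pdf), script
    in a staging directory. Requiring two signals keeps developer use quiet."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "autoit3.exe":
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else ""
        script = script_argument(e["cmdline"])
        reasons = []
        if parent_name in USER_LAUNCHERS:
            reasons.append("spawned by " + parent_name)
        if script and ntpath.splitext(script)[1].lower() not in SCRIPT_EXTS:
            reasons.append("unexpected script extension")
        if any(d in script.lower() for d in STAGING_DIRS):
            reasons.append("script in staging directory")
        if len(reasons) >= 2:
            hits.append({"pid": e["pid"], "script": script, "reasons": reasons})
    return hits
```

In the sample data only the Temp-staged, PDF-named script launched from explorer.exe is flagged; the developer running a .au3 file from Documents scores one signal and stays quiet.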

Rather than blocking legitimate advertising domains, security teams should strengthen behavior detection for post-click redirection flows and for anomalous file download patterns within the advertising infrastructure.

Archive file formats (ZIP containing LNK) should undergo enhanced security assessment; attachment-based access should be blocked by default for emails impersonating financial institutions or human rights organizations.

Implementing pre-click verification and user warning banners for files containing administrative keywords (“explanatory materials,” “transaction details,” “consent forms”) will reduce the success rate of social engineering.

Reducing mean time to respond (MTTR) requires correlation analysis that integrates file-based indicators of compromise (IoCs), malware signatures, machine learning models, and behavioral analytics.

Indicators of Compromise

MD5 Hashes (malicious samples):


C2 Infrastructure:

109.234.36[.]135, 144.124.247[.]97, 77.246.101[.]72, 77.246.108[.]96

Command and Control Domains:


EDR platforms must visualize complete attack storylines from email attachment extraction through LNK execution to C2 communication, enabling rapid endpoint isolation and infrastructure-wide threat hunting before privilege escalation and lateral movement occur.

Genians Security Center's documentation shows that Operation Poseidon represents mature APT tradecraft combining infrastructure sophistication, technical evasion, and social engineering precision.

Detection requires multi-layered defense centered on threat actor TTPs rather than isolated IoC-based blocking policies alone.
