{"id":1147,"date":"2026-06-03T22:11:52","date_gmt":"2026-06-03T22:11:52","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1147"},"modified":"2026-06-03T22:11:52","modified_gmt":"2026-06-03T22:11:52","slug":"google-doubleclick-abused-in-new-malspam-campaign-to-deliver-desckvb-rat","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1147","title":{"rendered":"Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">Jun 03, 2026<\/span><\/span><span class=\"p-tags\">Malware \/ Microsoft Defender<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have flagged a new malspam campaign that makes use of Google&#8217;s DoubleClick domain as a way to evade detection and ultimately deliver a remote access trojan (RAT) named <b>DesckVB RAT<\/b>.<\/p>\n<p>\u00abBefore the victim ever reaches attacker-controlled infrastructure, the lure routes through DoubleClick, a legitimate Google-owned domain that many security tools are less likely to treat as suspicious,\u00bb Huntress researchers Anna Pham and Adam Mooney <a href=\"https:\/\/www.huntress.com\/blog\/malspam-to-deskcvb-rat-delivery-chain-analysis\">said<\/a> in a report shared with The Hacker News.<\/p>\n<p>\u00abFrom there, the victim is passed into a malspam kit that personalizes itself on the fly using the 
victim&#8217;s email address, dynamically pulling in company branding and location details to make the page feel convincing without requiring the operators to handcraft a lure for each target.\u00bb<\/p>\n<p>What makes this attack noteworthy is that it eliminates the need for a bespoke kit for each targeted organization, thereby making these operations more scalable and cost-effective. The end goal of the campaign is to drop DesckVB RAT, a .NET-based trojan that has been active in the wild since February 2026.<\/p>\n<p>The attack begins when an unsuspecting user opens an HTML file that&#8217;s attached to a phishing email. The file triggers a meta-refresh browser redirect to a Google DoubleClick Campaign Manager click-tracking URL, from where the user is steered to another redirector, which decodes the Base64-encoded email address and leads the victim to a landing page containing a \u00abDownload PDF\u00bb button.<\/p>\n<p>Clicking the button causes the server to respond with a ZIP archive that initiates the rest of the infection chain. This is achieved by means of a JavaScript loader, whose main responsibility is to retrieve and execute a .NET RAT while flying under the radar. 
The script extracts and runs a PowerShell script, which then fetches a .NET loader from an external server.<\/p>\n<p>The loader acts as a stager that verifies it&#8217;s not being analyzed, neutralizes the machine&#8217;s security controls, sets up persistence, and then ultimately downloads and runs the RAT payload by using a technique called process hollowing that involves injecting the malware into Microsoft-signed processes.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj8AQKvnK0LGEfzrfFDdXjalMc_sc0hx3WmK521U1JIZFoWI1FTwBWpjmFxOrerr5jqAqhoD1DLvoZf9r7Q9ClbVr-2Ga_Cq1dMKH_BA7ChBt24FHgL0o3IPPCmWeV4Idzi4SW_Y4vke0k4GduaMQZhE6wE1R2lkayfsI1mF8zgD0XxgP5k4K21CUZ4sozK\/s1700-e365\/malspam.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj8AQKvnK0LGEfzrfFDdXjalMc_sc0hx3WmK521U1JIZFoWI1FTwBWpjmFxOrerr5jqAqhoD1DLvoZf9r7Q9ClbVr-2Ga_Cq1dMKH_BA7ChBt24FHgL0o3IPPCmWeV4Idzi4SW_Y4vke0k4GduaMQZhE6wE1R2lkayfsI1mF8zgD0XxgP5k4K21CUZ4sozK\/s1700-e365\/malspam.jpg\" alt=\"\" border=\"0\" data-original-height=\"540\" data-original-width=\"960\"\/><\/a><\/div>\n<p>Once launched, the trojan communicates with a command-and-control (C2) server over raw TCP sockets, carries out system reconnaissance, and configures Microsoft Defender exclusions. 
The trojan also patches Antimalware Scan Interface (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/amsi\/antimalware-scan-interface-portal\">AMSI<\/a>) and Event Tracing for Windows (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/test\/wpt\/event-tracing-for-windows\">ETW<\/a>) at the native API level at the outset in an effort to blind Windows telemetry before persistence is established on the host by setting up Run and RunOnce Registry entries, along with placing a loader responsible for launching the RAT in the user&#8217;s Startup folder.<\/p>\n<p>The malware comes with capabilities to extract data, run commands, and deploy additional payloads, granting the attackers full control over the infected machines, while simultaneously taking steps to fly under the radar by terminating and rebooting the machine if it detects an analysis tool or determines that it&#8217;s running in a sandboxed environment.<\/p>\n<p>\u00abThis is a strong reminder of why defence in depth matters,\u00bb Huntress said. 
\u00abConfiguring a Group Policy Object (GPO) in Active Directory to force script files such as .vbs, .hta, and .js to open in Notepad by default can stop a threat actor at the very first stage, preventing additional payloads from ever being dropped.\u00bb<\/p>\n<p>\u00abOn the email security front, organizations should consider deploying DMARC, DKIM, and SPF records to reduce the likelihood of spoofed or malicious emails reaching end users. Beyond that, an email gateway solution capable of sandboxing attachments and links before delivery adds another meaningful layer of protection.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Jun 03, 2026Malware \/ Microsoft Defender Cybersecurity researchers have flagged a new malspam campaign that makes use of Google&#8217;s DoubleClick domain as a way to evade detection and ultimately&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1148,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1233,6,529,1892,1890,2,1891,264],"class_list":["post-1147","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-abused","tag-campaign","tag-deliver","tag-desckvb","tag-doubleclick","tag-google","tag-malspam","tag-rat"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1147","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1147"}],"version-history":[{"count":0,"href":"https:\/\/thedi
gitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1147\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1148"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1147"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1147"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}