Summary Points
- Attackers utilize Google DoubleClick domains in malspam campaigns to covertly deliver a .NET-based RAT called DesckVB, evading detection by blending with legitimate web traffic.
- The malware chain employs dynamic, personalized lures, and multi-stage loaders with process hollowing to execute and hide malicious payloads inside signed Microsoft processes.
- The RAT provides full control over infected systems, capable of data extraction, persistence, disabling security features, and deploying additional payloads, while actively avoiding detection through anti-analysis techniques.
Threat Overview, Attack Techniques, and Targets
Cybersecurity researchers have identified a new malspam campaign that uses Google’s DoubleClick domain to deliver malware. The campaign targets users by sending phishing emails with attached HTML files. When the user opens the file, it causes a browser redirect through a DoubleClick URL. After that, the user is sent to a malicious landing page with a “Download PDF” button.
Clicking this button downloads a ZIP archive. A JavaScript loader inside the archive then fetches a PowerShell script. The script downloads a .NET loader that verifies it is not being analyzed or sandboxed. The loader then disables security controls, sets up persistence, and downloads a remote access trojan (RAT) called DesckVB. This .NET-based RAT has been active since February 2026. The attack uses process hollowing to inject the malware into legitimate Windows processes, making it harder to detect.
The attack mainly targets individual users who respond to the phishing emails. The campaign’s goal is to infect their computers with DesckVB RAT, giving attackers full control over the compromised machines.
Impact, Security Implications, and Remediation Guidance
The malware allows attackers to steal data, run commands, and deploy more payloads. It can disable security tools, making the infected machines more vulnerable. The RAT also communicates with a command-and-control server to receive instructions. Because the malware can detect analysis tools and sandbox environments, it can evade detection more effectively.
This campaign highlights the need for strong cybersecurity defenses. Organizations should apply defense-in-depth strategies. This includes configuring group policies to block scripts from running automatically and deploying email security tools like DMARC, DKIM, and SPF. These measures can prevent malicious emails from reaching users. Additionally, sandboxing email attachments and links before they reach inboxes can reduce the risk of infection.
If you suspect your systems are affected or need detailed guidance, it is best to contact security vendors or relevant authorities. They can provide specific remediation steps tailored to your environment.
Expand Your Tech Knowledge
Stay informed on the revolutionary breakthroughs in Quantum Computing research.
Access comprehensive resources on technology by visiting Wikipedia.
ThreatIntel-V1
