Full Report
Cybersecurity researchers have flagged a new malspam campaign that makes use of Google's DoubleClick domain as a way to evade detection and ultimately deliver a remote access trojan (RAT) named DesckVB RAT. "Before the victim ever reaches attacker-controlled infrastructure, the lure routes through DoubleClick, a legitimate Google-owned domain that many security tools are less likely to treat as
Analysis Summary
# Tool/Technique: DesckVB RAT & DoubleClick Redirection Campaign
## Overview
This campaign utilizes a multi-stage delivery mechanism that leverages the reputation of Google’s DoubleClick domain to bypass email security filters. The ultimate goal is the deployment of **DesckVB RAT**, a .NET-based Remote Access Trojan designed for data exfiltration, system surveillance, and persistent unauthorized access.
## Technical Details
- **Type**: Malware family (.NET Remote Access Trojan)
- **Platform**: Windows
- **Capabilities**: Persistence, defense evasion (AMSI/ETW patching), process injection, and remote command execution.
- **First Seen**: February 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.001 - Phishing: Spearphishing Attachment]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (AMSI/ETW patching)
  - [T1055.012 - Process Injection: Process Hollowing]
  - [T1202 - Indirect Command Execution] (DoubleClick redirection)
- **[TA0003 - Persistence]**
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- **[TA0011 - Command and Control]**
  - [T1095 - Non-Application Layer Protocol] (raw TCP sockets)
## Functionality
### Core Capabilities
- **System Reconnaissance**: Gathering host data to identify the target environment.
- **Remote Shell**: Executing arbitrary commands on the infected host.
- **Data Exfiltration**: Extracting sensitive files and information.
- **Payload Deployment**: Ability to download and execute additional malicious modules.
### Advanced Features
- **Telemetry Blinding**: Patches the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) at the native API level.
- **Security Software Evasion**: Automatically configures Microsoft Defender exclusions for its own files.
- **Anti-Analysis**: Periodically checks for sandboxes or analysis tools; if detected, the malware terminates its process or reboots the machine.
- **Dynamic Lures**: The malspam kit uses Base64-encoded email addresses to customize landing pages with victim-specific branding on the fly.
## Indicators of Compromise
- **File Hashes**: *Not provided in the article text; would typically include the SHA256 of the .NET loader and the DesckVB payload.*
- **File Names**: `Download PDF` (button lure), various `.js` and `.ps1` stagers.
- **Registry Keys**:
  - `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
  - `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
- **Network Indicators**:
  - `adclick[.]g[.]doubleclick[.]net` (abused for redirection)
  - Various defanged C2 server IPs/domains communicating via raw TCP.
- **Behavioral Indicators**:
  - `powershell.exe` spawning from a JavaScript file.
  - Process hollowing into Microsoft-signed processes.
  - Unexpected modifications to Microsoft Defender exclusion lists.
## Associated Threat Actors
- Unknown (attributed to a sophisticated malspam operator specializing in scalable kit deployment).
## Detection Methods
- **Signature-based detection**: Scanning for the .NET-based DesckVB binary and associated PowerShell stagers.
- **Behavioral detection**: Monitoring for AMSI/ETW patching activities and unauthorized modifications to Registry "Run" keys.
- **YARA rules**: Focus on the specific native API patching sequences used to blind ETW/AMSI.
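As an added example (not part of the report or of any vendor's detection content), the following Python checker turns the Behavioral Indicators and the behavioral Detection Methods above into three rules and runs them over constructed Sysmon-style JSON events: a Windows Script Host process spawning `powershell.exe`, a value written under the `Run`/`RunOnce` keys, and a change to the Microsoft Defender exclusion list. Field names follow Sysmon's process-creation (EventID 1) and registry-value-set (EventID 13) events; the sample events, SIDs, paths and rule names are constructed for illustration. It assumes the `.js` lure executes under `wscript.exe`/`cscript.exe`, which is how "powershell.exe spawning from a JavaScript file" appears in process telemetry, and that Sysmon records HKCU keys under `HKU\<SID>\`.

```python
"""Behavioral detection over constructed Sysmon-style JSON events (added example)."""
import json
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Sysmon writes HKCU keys as HKU\<SID>\...; the pattern accepts either prefix.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)
# Defender keeps its exclusion lists under this registry subtree.
DEFENDER_EXCL_RE = re.compile(r"\\Microsoft\\Windows Defender\\Exclusions\\", re.IGNORECASE)
# Exclusions added from PowerShell go through the Add-MpPreference cmdlet.
MPPREF_RE = re.compile(r"Add-MpPreference\b.*-Exclusion", re.IGNORECASE)

# Constructed sample telemetry (raw string so JSON keeps its escaped backslashes).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "wscript.exe C:\\Users\\alice\\Downloads\\invoice.js"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Roaming", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
"""


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_scripthost_to_powershell(ev):
    """EventID 1 where wscript.exe/cscript.exe is the parent of powershell.exe."""
    if ev.get("EventID") != 1:
        return None
    if basename(ev.get("ParentImage", "")) in SCRIPT_HOSTS and basename(ev.get("Image", "")) == "powershell.exe":
        return "script_host_spawned_powershell"
    return None


def rule_run_key_persistence(ev):
    """EventID 13 writing a value under Run or RunOnce (T1547.001)."""
    if ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return "run_key_persistence"
    return None


def rule_defender_exclusion(ev):
    """Exclusion list changed either directly in the registry or via Add-MpPreference."""
    if ev.get("EventID") == 13 and DEFENDER_EXCL_RE.search(ev.get("TargetObject", "")):
        return "defender_exclusion_modified"
    if ev.get("EventID") == 1 and MPPREF_RE.search(ev.get("CommandLine", "")):
        return "defender_exclusion_modified"
    return None


RULES = (rule_scripthost_to_powershell, rule_run_key_persistence, rule_defender_exclusion)


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Run every rule over every event; return one alert per (rule, event) hit."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"rule": name, "event_index": idx, "image": ev.get("Image")})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the sample, the three malicious events (indices 1, 3 and 4) each raise one alert and the two benign ones (PowerShell started from Explorer, an Explorer view setting) stay silent. The hollowing indicator from the list above is deliberately absent: it needs memory or image-load telemetry rather than process and registry events, so a rule built on these fields alone would not be reliable.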
## Mitigation Strategies
- **Script Handling**: Configure GPOs to force `.vbs`, `.js`, and `.hta` files to open in Notepad by default to prevent accidental execution.
- **Email Security**: Implement DMARC, DKIM, and SPF records to prevent spoofing.
- **Access Control**: Use the principle of least privilege to prevent malware from modifying Defender exclusions or system-level registry keys.
- **Attachment Filtering**: Use email gateways capable of sandboxing and "detonating" attachments before they reach the user.
## Related Tools/Techniques
- **Process Hollowing**: A common injection technique used by various RATs to hide in memory.
- **Living off the Land (LotL)**: Use of PowerShell and JavaScript to facilitate the initial infection stages.