
DesckVB RAT Campaign Exploits Google DoubleClick for Malspam Delivery

Severity: High (Score: 67.5)

Sources: Huntress, Feeds.4Sysops

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: desckvb, malspam, google, doubleclick, deliver, abused, distribute

Severity indicators: rat

Summary

In May 2026, a malspam campaign was identified that abuses the Google DoubleClick ad-redirect domain to deliver the DesckVB remote access trojan (RAT). The attack begins with an HTML email attachment that redirects the recipient through Google's infrastructure to a dynamically branded phishing page. The automated phishing kit personalizes the lure by pulling in a company logo and location details derived from the recipient's email address, which makes the page more convincing. Once the victim interacts with the lure, a multi-stage delivery chain assembles and executes the DesckVB RAT largely in memory to evade detection. The RAT gives the attacker remote control of the infected system, allowing data harvesting and arbitrary command execution. The campaign illustrates how malspam operations are becoming more scalable and harder to detect; security teams should treat legitimate redirector domains as potential delivery paths rather than trusted traffic.

Key Points:
  • DesckVB RAT is delivered via malspam that routes through Google DoubleClick to evade filtering.
  • The attack uses an automated phishing kit that personalizes lures per recipient.
  • Once executed, the RAT operates primarily in memory, leaving few on-disk artifacts for detection.

Detailed Analysis

**Impact**

The campaign targets organizations globally with personalized malspam emails that use recipient-specific company branding and location data to raise click-through rates. The DesckVB RAT gives attackers full remote control of infected systems, with the attendant risk of data exfiltration, operational disruption and follow-on activity such as crypto mining. The reports give no specific sectors or victim counts.

**Technical Details**

Initial access is a malspam email carrying an HTML attachment that performs a zero-second meta-refresh redirect through Google DoubleClick's ad.doubleclick[.]net domain; the trusted ad host is used to evade security filters. The payload chain combines JavaScript, JScript, obfuscated PowerShell and .NET components that assemble and execute the RAT primarily in memory, leaving few artifacts on disk. Before establishing command-and-control communications, the RAT enumerates installed antivirus products and GPUs through WMI queries and registry reads. Reported indicators include the malicious HTML attachment Bestellung_2026.html and DoubleClick URLs carrying campaign identifiers such as dc_trk_aid=466016770.

**Recommended Response**

Block, or at least closely monitor, traffic to ad.doubleclick[.]net URLs that carry suspicious campaign parameters or base64-encoded email-address fragments. Deploy detections for obfuscated PowerShell and for WScript.exe execution patterns, and inspect inbound email for HTML attachments containing meta-refresh redirects. Tune email filtering to catch personalized malspam, and alert on unusual WMI queries or GPU enumeration originating from script hosts. No specific CVEs or patches were identified in the reports: the chain depends on user interaction with the lure rather than on a software vulnerability.
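As a worked example of the attachment inspection the response guidance calls for, the following Python script (added here; it is not code from Huntress, 4sysops or the campaign) parses an .eml message, extracts HTML attachments, finds meta-refresh redirects and scores each one against the indicators named above: a zero-second delay, the ad.doubleclick.net host, a dc_trk_aid campaign parameter, and URL tokens that base64-decode to an email address. The sample message, the victim address and the URL layout are constructed for the example; the real campaign's URL structure and where it places the encoded address are not reproduced from the reports.

```python
"""Triage inbound e-mail for the HTML-attachment meta-refresh lure used in the
DesckVB malspam campaign.  Added example, not code from Huntress, 4sysops or
the campaign.  The sample message, victim address and URL layout below are
constructed for illustration."""
import base64
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the reports: the abused redirector host and the
# campaign-tracking parameter seen in the lure URLs.
ABUSED_REDIRECT_HOSTS = {"ad.doubleclick.net"}
CAMPAIGN_PARAM_RE = re.compile(r"(?:^|[?&;])dc_trk_aid=(\d+)")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")
META_REFRESH_RE = re.compile(r"\s*(\d+(?:\.\d+)?)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.I)


class MetaRefreshParser(HTMLParser):
    """Collect every <meta http-equiv="refresh" content="N;url=..."> tag."""

    def __init__(self):
        super().__init__()
        self.refreshes = []  # (delay_seconds, target_url)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = META_REFRESH_RE.match(a.get("content", ""))
        if m:
            self.refreshes.append((float(m.group(1)), m.group(2).strip()))


def base64_email_fragments(url):
    """Return URL tokens that base64-decode to an e-mail address.

    Tokens are split on URL punctuation so the check works whether the
    encoded address sits in the path, query or fragment (assumption: the
    reports say the URLs carry base64 e-mail fragments, not where).
    """
    found = []
    for token in re.split(r"[/?&;=#]+", url):
        if len(token) < 16:  # too short to hold an address
            continue
        try:
            padded = token + "=" * (-len(token) % 4)
            decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if EMAIL_RE.match(decoded):
            found.append(decoded)
    return found


def score_redirect(delay, url):
    """List the reasons a meta-refresh redirect matches the campaign pattern."""
    reasons = ["meta-refresh redirect in HTML attachment"]
    host = (urlparse(url).hostname or "").lower()
    if delay == 0:
        reasons.append("zero-second refresh (no user-visible content)")
    if host in ABUSED_REDIRECT_HOSTS:
        reasons.append(f"redirect through abused ad host {host}")
    m = CAMPAIGN_PARAM_RE.search(url)
    if m:
        reasons.append(f"campaign parameter dc_trk_aid={m.group(1)}")
    for addr in base64_email_fragments(url):
        reasons.append(f"base64-encoded recipient address {addr}")
    return reasons


def triage_eml(raw):
    """Return [(attachment_name, redirect_url, reasons)] for every HTML
    attachment that contains a meta-refresh redirect."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html" or not part.get_filename():
            continue
        parser = MetaRefreshParser()
        parser.feed(part.get_content())
        for delay, url in parser.refreshes:
            hits.append((part.get_filename(), url, score_redirect(delay, url)))
    return hits


# --- constructed sample data (not taken from the reports) ------------------
VICTIM_EMAIL = "buchhaltung@example.com"
B64_VICTIM = base64.urlsafe_b64encode(VICTIM_EMAIL.encode()).decode().rstrip("=")
# Lure: attachment named as in the reports, zero-second redirect through the
# ad host.  The query layout and parameter placement are assumed.
LURE_HTML = (
    '<html><head><meta http-equiv="refresh" content="0;url='
    f'https://ad.doubleclick.net/clk?dc_trk_aid=466016770&r={B64_VICTIM}">'
    "</head><body>Bestellung</body></html>"
)


def build_eml(attachment_html, filename):
    """Build a minimal multipart message with one HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "orders@example.net"
    msg["To"] = VICTIM_EMAIL
    msg["Subject"] = "Bestellung 2026"
    msg.set_content("Anbei die Bestellung.")
    msg.add_attachment(attachment_html, subtype="html", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, url, reasons in triage_eml(build_eml(LURE_HTML, "Bestellung_2026.html")):
        print(name, url)
        for r in reasons:
            print("  -", r)
```

The scorer reports every meta-refresh in an attachment and adds a reason per campaign indicator, so a mail gateway can treat the base hit as low severity and escalate when the redirect goes through the abused ad host or carries the encoded recipient address; an HTML attachment without any refresh produces no hit.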

Source articles (2)

  • Inside DesckVB Rat Analysis: From Malspam to In-Memory RAT — Huntress · 2026-06-03
    In May 2026, the Huntress SOC responded to a DesckVB RAT infection that began with a malspam. Short for "malicious spam," malspam is email crafted to deliver malware or trick a user into taking an ac…
  • Google DoubleClick abused to distribute DesckVB RAT via automated phishing — Feeds.4Sysops · 2026-06-03
    A new malspam campaign leverages the legitimate Google DoubleClick domain to bypass security filters and deliver the DesckVB remote access trojan. The attack begins with an HTML attachment that redire…

Timeline

  • 2026-05-01 — DesckVB RAT malspam campaign launched: A new malspam campaign began, utilizing Google DoubleClick to deliver the DesckVB RAT through personalized phishing emails.
  • 2026-06-03 — Huntress SOC responds to DesckVB RAT infection: The Huntress SOC reported an incident involving the DesckVB RAT, highlighting its sophisticated delivery and operation methods.
  • 2026-06-03 — Google DoubleClick abuse reported: Reports confirmed that the legitimate Google DoubleClick domain was abused as a redirector to bypass security filters in the malspam campaign.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Trojan (Attack Type)
  • a021185521s210008-11521.js.it (Domain)
  • ad.doubleclick.net (Domain)
  • andrefelipedonascime1778799406970.2241107.meusitehostgator.com.br (Domain)
  • bing.com (Domain)
  • bth.startthewave.org (Domain)
  • catalogo.castrouria.com (Domain)
  • classlibrary3.in (Domain)
  • drop.it (Domain)
  • file.it (Domain)
  • fostercareintheus.optimizationprime.com (Domain)
  • ipapi.co (Domain)
  • logo.dev (Domain)
  • microsoft.net (Domain)
  • pengajian.muliastudy.com (Domain)
  • DesckVB (Malware)
  • DesckVB RAT (Malware)
  • T1012 - Query Registry (Mitre Attack)
  • T1027 - Obfuscated Files Or Information (Mitre Attack)
  • T1036 - Masquerading (Mitre Attack)
  • T1047 - Windows Management Instrumentation (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1105 - Ingress Tool Transfer (Mitre Attack)
  • T1218 - System Binary Proxy Execution (Mitre Attack)
  • T1497 - Virtualization/Sandbox Evasion (Mitre Attack)
  • T1562.001 - Disable Or Modify Tools (Mitre Attack)
  • T1566.001 - Spearphishing Attachment (Mitre Attack)
  • Google DoubleClick (Platform)
  • Hyper-V (Platform)
  • Parallels (Platform)
  • QEMU (Platform)
  • Sandboxie (Platform)
  • VirtualBox (Platform)
  • Windows (Platform)
  • VMware (Tool)
  • InstallUtil.exe (Tool)
  • PowerShell (Tool)
  • C61B1941CF756EB7551F7C661743802362728B785ADC22E860D269713DFB01A6 (Sha256)
  • D5B7247C497788CF0031CEB06E3DF77A45FEF59F1E49633DC7159816D64759B5 (Sha256)