VYPR research
Published Jun 3, 2026 · 1 source

Google DoubleClick Abused in Malspam Campaign to Deliver DesckVB RAT

A new malspam campaign is leveraging Google's DoubleClick domain to evade security detections and deliver the DesckVB RAT, personalizing lures on the fly.

A novel malspam campaign has emerged, employing a sophisticated technique to bypass security defenses by routing malicious lures through Google's legitimate DoubleClick domain. This strategy exploits the trust associated with Google's infrastructure, making it less likely that security tools will flag the initial stages of the attack. Researchers from Huntress identified the campaign and noted that its on-the-fly personalization of lures significantly enhances the scalability and cost-effectiveness of the threat actor's operation.

The attack chain begins with an unsuspecting user receiving a phishing email containing an HTML attachment. Upon opening this file, the user is subjected to a meta-refresh browser redirect to a Google DoubleClick Campaign Manager click-tracking URL. This initial redirection serves as a stealthy entry point, leading the victim to further attacker-controlled infrastructure.

From the DoubleClick redirector, the victim is then passed to another redirector that dynamically personalizes the attack. This stage decodes the victim's email address from the URL and crafts a convincing landing page, often presenting a "Download PDF" button. Crucially, the campaign uses the victim's email address and company details to dynamically generate lures, eliminating the need for threat actors to create bespoke phishing kits for each target.
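The first two hops above, a meta-refresh inside an HTML attachment and a victim address carried in the redirect URL, are both visible to an e-mail gateway before anyone clicks. The following Python is an added example written for this page, not code from Huntress or from the campaign; the DoubleClick click-tracker path, the dest= parameter and the sample attachment are constructed, and the redirector domain list is an assumed starting point to be extended from your own telemetry. It extracts meta-refresh targets, follows URLs nested in query parameters, flags ad-tech redirector hosts, and decodes base64 path segments or query values that turn out to be e-mail addresses.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Ad-tech click-tracking domains. A document attachment never needs to bounce its
# reader through one of these, so a meta refresh pointing at them is a strong
# signal. Assumed starter list for this example; extend it from telemetry.
REDIRECTOR_SUFFIXES = ("doubleclick.net", "googleadservices.com")

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
B64_RE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")


class MetaRefreshParser(HTMLParser):
    """Collects the url= target of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def meta_refresh_targets(html: str) -> list:
    parser = MetaRefreshParser()
    parser.feed(html)
    return parser.targets


def is_redirector(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in REDIRECTOR_SUFFIXES)


def _query_parts(query: str) -> list:
    """Unquoted keys and values of a query string; keeps '+' intact for base64."""
    parts = []
    for kv in filter(None, query.split("&")):
        parts.extend(unquote(x) for x in kv.split("=", 1))
    return parts


def redirect_chain(url: str) -> list:
    """The URL plus every http(s) URL nested in its query parameters, recursively."""
    chain, queue = [], [url]
    while queue:
        u = queue.pop(0)
        chain.append(u)
        for part in _query_parts(urlparse(u).query):
            if part.lower().startswith(("http://", "https://")):
                queue.append(part)
    return chain


def _decode_b64(token: str):
    # Accept standard and URL-safe alphabets and repair missing padding.
    body = token.rstrip("=").replace("-", "+").replace("_", "/")
    padded = body + "=" * (-len(body) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def encoded_emails(url: str) -> list:
    """Path segments or query parts that are base64 and decode to an e-mail address."""
    parsed = urlparse(url)
    parts = [unquote(seg) for seg in parsed.path.split("/")] + _query_parts(parsed.query)
    found = []
    for part in parts:
        if len(part) >= 12 and B64_RE.fullmatch(part):
            text = _decode_b64(part)
            if text and EMAIL_RE.match(text) and text not in found:
                found.append(text)
    return found


def analyze_attachment(html: str) -> dict:
    """Flags raised by one attachment, with the redirect chain and decoded victim addresses."""
    flags, chain, emails = set(), [], []
    for target in meta_refresh_targets(html):
        flags.add("meta_refresh_redirect")
        for u in redirect_chain(target):
            chain.append(u)
            if is_redirector(u):
                flags.add("ad_redirector_host")
            for e in encoded_emails(u):
                if e not in emails:
                    emails.append(e)
    if emails:
        flags.add("encoded_email_in_url")
    return {"flags": sorted(flags), "redirect_chain": chain, "emails": emails}


# Constructed sample attachment: the click-tracker path and the dest= parameter
# are invented for this example, not copied from the campaign.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/ddm/clk/EXAMPLE?dest=https%3A%2F%2Fredirector.example%2Fl%2FamFuZS5kb2VAZXhhbXBsZS5jb20%3D">
</head><body>Loading document...</body></html>"""

if __name__ == "__main__":
    print(analyze_attachment(SAMPLE_HTML))
```

On the constructed sample the three flags fire together and the decoded address comes back as jane.doe@example.com; a plain document body raises nothing. Any one flag is a quarantine candidate on its own, since a meta refresh in an attachment has no legitimate document use, and the decoded address is useful for notifying the targeted user.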

Clicking the "Download PDF" button triggers the download of a ZIP archive, initiating the subsequent stages of the infection. This archive contains a JavaScript loader responsible for retrieving and executing the DesckVB RAT without raising immediate suspicion. The loader executes a PowerShell script, which in turn fetches a .NET loader from an external server.

The .NET loader acts as a stager designed to evade analysis by checking for sandbox environments and analysis tools. It then neutralizes security controls, establishes persistence, and downloads the final RAT payload. That payload is executed through process hollowing: the malware is injected into a legitimate, Microsoft-signed process, which further obscures its presence.

Once active, the DesckVB RAT communicates with its command-and-control (C2) server via raw TCP sockets. It performs system reconnaissance, configures exclusions within Microsoft Defender, and patches critical telemetry mechanisms like Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) at the native API level. Persistence is established through Run and RunOnce Registry entries and by placing a loader in the user's Startup folder.
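The host-side actions in the two paragraphs above (Defender exclusions, Run/RunOnce entries, a loader in the Startup folder) each leave a registry or file-system event that endpoint telemetry can match. The Python below is an added example for this page, not Huntress detection content and not tied to the DesckVB sample; the events are constructed in the shape of Sysmon fields (Event ID 13 for a registry value set, Event ID 11 for file create), and all paths, SIDs and value names are made up. The Run-key rule deliberately tolerates an ordinary installer writing a binary path under Program Files, and alerts only when the value launches a script host, points into a user-writable directory, or is written by a script host.

```python
import re

# Sysmon event IDs used below: 13 = registry value set, 11 = file create.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
DEFENDER_EXCL_RE = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")


def mentions_script_host(text: str) -> bool:
    return any(host in text.lower() for host in SCRIPT_HOSTS)


def evaluate(event: dict) -> list:
    """Alerts raised by one event; an empty list means the event looks benign."""
    alerts = []
    image = event.get("Image", "")
    if event.get("EventID") == 13:
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        # Run/RunOnce writes are common; alert when the value launches a script host
        # or lives in a user-writable directory, or the writer is itself a script host.
        if RUN_KEY_RE.search(target) and (
            mentions_script_host(details)
            or USER_WRITABLE_RE.search(details)
            or mentions_script_host(image)
        ):
            alerts.append(f"run-key persistence: {target} -> {details}")
        # An exclusion written by anything other than a management tool is worth a look.
        if DEFENDER_EXCL_RE.search(target):
            alerts.append(f"defender exclusion added: {target} by {image}")
    elif event.get("EventID") == 11:
        filename = event.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(filename):
            alerts.append(f"startup-folder drop: {filename} by {image}")
    return alerts


def triage(events: list) -> list:
    """(index, alert) pairs for every event that raised something."""
    return [(i, a) for i, e in enumerate(events) for a in evaluate(e)]


# Constructed telemetry: the SID, user name, file names and vendor paths are invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"wscript.exe //B C:\Users\jdoe\AppData\Roaming\update.js"},
    {"EventID": 13, "Image": PS,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\jdoe\AppData\Roaming",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 11, "Image": PS,
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loader.js"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Documents\report.docx"},
]

if __name__ == "__main__":
    for idx, alert in triage(SAMPLE_EVENTS):
        print(idx, alert)
```

Run against the constructed events, the first three (script-host Run value, Defender path exclusion, Startup-folder script) each produce one alert and the installer and document writes produce none. Sysmon only emits Event ID 13 for keys its configuration includes, so the Run, RunOnce and Defender Exclusions keys must be in the registry event filter for these rules to see anything. AMSI and ETW patching at the native API level leaves no registry or file trace and needs memory-based detection instead.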

The DesckVB RAT is a .NET-based remote access trojan that has been observed in the wild since February 2026. Its capabilities include data extraction, command execution, and the deployment of additional payloads, granting attackers extensive control over compromised systems. The malware also includes self-preservation features, such as terminating and rebooting if it detects analysis tools or sandboxed environments.

To mitigate such threats, Huntress recommends implementing a defense-in-depth strategy. This includes configuring Group Policy Objects (GPOs) to force script files like .vbs, .hta, and .js to open in Notepad by default, thereby stopping the initial execution stage. Additionally, strengthening email security with DMARC, DKIM, and SPF records, alongside email gateway solutions capable of sandboxing attachments and links, can provide further layers of protection against these evolving malspam campaigns.
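DMARC and SPF records are easy to publish in a form that reports but never blocks, which gives little protection against a malspam campaign. The Python below is an added example for this page, not part of the Huntress guidance; it parses the two TXT record formats and reports the weak settings an assessor would look for (a DMARC p=none or reduced pct, an SPF record ending in +all or ?all, more than the ten DNS-querying terms RFC 7208 allows). The sample records are constructed.

```python
import re


def parse_tags(record: str) -> dict:
    """'k=v; k=v' tag list (DMARC syntax) as a dict; keys lower-cased, whitespace stripped."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Findings for a _dmarc TXT record; an empty list means the policy enforces."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: spoofed mail is delivered, only reported")
    sub = tags.get("sp", "").lower()
    if sub and sub not in ("quarantine", "reject"):
        findings.append(f"sp={sub}: subdomains are not enforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected")
    return findings


def assess_spf(record: str) -> list:
    """Findings for an SPF TXT record; an empty list means it ends in a hard fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append(f"{last}: every sender passes, SPF is void")
    elif last == "?all":
        findings.append("?all: neutral result, receivers treat it as no policy")
    elif last == "~all":
        findings.append("~all: soft fail only; move to -all once sending sources are complete")
    elif last != "-all":
        findings.append("no terminal all mechanism; unlisted senders get a neutral result")
    # Mechanisms and the redirect modifier that cost a DNS lookup (RFC 7208 caps these at 10).
    counted = ("a", "mx", "include", "exists", "ptr", "redirect")
    lookups = sum(
        1 for t in terms[1:] if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in counted
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: exceeds the RFC 7208 limit of 10, permerror")
    return findings


# Constructed records for example.com; the include targets and address are invented.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.mail.example.net +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all"

if __name__ == "__main__":
    for name, rec, fn in (("DMARC", WEAK_DMARC, assess_dmarc), ("DMARC", STRONG_DMARC, assess_dmarc),
                          ("SPF", WEAK_SPF, assess_spf), ("SPF", STRONG_SPF, assess_spf)):
        print(name, rec, "->", fn(rec) or "ok")
```

The weak DMARC record draws a single p=none finding and the +all SPF record a single finding, while the strengthened forms pass clean. DKIM is not covered here because its check is a signature verification on received mail rather than a record review; a DMARC policy of quarantine or reject is what makes both SPF and DKIM results count at the receiver.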

Synthesized by Vypr AI