

Ethical Hacking News

A New Wave of Maliciousness: Google DoubleClick Abused to Deliver DesckVB RAT



A new malspam campaign is using Google DoubleClick to deliver DesckVB RAT, a Remote Access Trojan (RAT) that grants attackers full control over infected machines. Experts warn that this attack highlights the need for organizations to bolster their security posture and implement defense-in-depth measures.

  • Researchers have uncovered a new malspam campaign using Google's DoubleClick domain to deliver a Remote Access Trojan (RAT) named DesckVB RAT.
  • The attack begins with a phishing email containing an HTML file that redirects the user to a Google DoubleClick URL, leading them to download a ZIP archive containing the payload.
  • The RAT executes while flying under the radar and communicates with a command-and-control server via raw TCP sockets.
  • The DesckVB RAT malware can extract data, run commands, and deploy additional payloads, granting attackers full control over infected machines.
  • Organizations should bolster their security posture by implementing defense-in-depth measures such as configuring Group Policy Objects and deploying DMARC, DKIM, and SPF records.


    The cybersecurity landscape has just been dealt a significant blow as researchers have uncovered a new malspam campaign that leverages Google's DoubleClick domain to evade detection and deliver a Remote Access Trojan (RAT) named DesckVB RAT. This latest attack is noteworthy not only for its ingenious use of legitimate infrastructure but also for the malicious actors' ability to scale their operations, making them more cost-effective and efficient.

    According to Huntress researchers Anna Pham and Adam Mooney, the attack commences when an unsuspecting user opens an HTML file attached to a phishing email. The file triggers a meta-refresh browser redirect to a Google DoubleClick Campaign Manager click-tracking URL, from which the user is steered to another redirector that decodes the Base64-encoded email address and leads them to a landing page containing a "Download PDF" button. Clicking this button initiates the infection chain by retrieving a ZIP archive that contains the rest of the payload.

    The script executes a .NET RAT while flying under the radar. The loader acts as a stager: it verifies that it is not being analyzed, neutralizes machine security controls, sets up persistence, and ultimately downloads and runs the RAT payload using process hollowing, which involves injecting the malware into Microsoft-signed processes. Once launched, the trojan communicates with a command-and-control (C2) server over raw TCP sockets, carries out system reconnaissance, configures Microsoft Defender exclusions, and patches the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) at the native API level to blind Windows telemetry.

    The DesckVB RAT malware comes equipped with capabilities to extract data, run commands, and deploy additional payloads, granting the attackers full control over infected machines while simultaneously taking steps to evade detection. The threat highlights the need for organizations to bolster their security posture by implementing defense-in-depth measures such as configuring a Group Policy Object (GPO) in Active Directory to force script files like .vbs, .hta, and .js to open in Notepad by default.

    Furthermore, deploying DMARC, DKIM, and SPF records can reduce the likelihood of spoofed or malicious emails reaching end users. Organizations should also consider using an email gateway solution capable of sandboxing attachments and links before delivery as a meaningful layer of protection. Huntress emphasizes that this attack underscores why defense in depth matters and the importance of proactive security measures to safeguard against such evolving threats.
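
An added example, not code from Huntress or from the original article: a pre-delivery check that an email gateway could run on HTML attachments, flagging the meta-refresh redirect to a DoubleClick host described above and any Base64-encoded email address carried in the redirect URL. Matching on the `doubleclick.net` suffix and looking for the encoded address in query values or the fragment are assumptions, since the article gives neither the hostname nor the parameter layout.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumption: tracker hosts are matched by domain suffix; the article names no hostname.
TRACKER_SUFFIXES = ("doubleclick.net",)
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")

class MetaRefreshParser(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content has the form "0; url=https://host/path"
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1).strip())

def b64_email(value):
    """Return the decoded address if value is Base64 of an email address, else None."""
    try:
        padded = value + "=" * (-len(value) % 4)
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if EMAIL_RE.match(text) else None

def inspect_attachment(html):
    """Return one finding per meta-refresh redirect found in an HTML attachment."""
    parser = MetaRefreshParser()
    parser.feed(html)
    findings = []
    for url in parser.targets:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        values = [v for _, v in parse_qsl(parts.query)] + [parts.fragment]
        findings.append({
            "url": url,
            "tracker_redirect": any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES),
            "encoded_recipients": [e for e in map(b64_email, values) if e],
        })
    return findings

# Constructed sample (not from the campaign): the "e" value is Base64 of user@example.com.
SAMPLE = ('<html><head><meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/'
          'constructed?dest=https://redirector.example/&amp;e=dXNlckBleGFtcGxlLmNvbQ"></head></html>')
```

A finding with `tracker_redirect` set on an attachment is a reason to quarantine or sandbox the message, not proof of compromise, because the same tracker domain also carries legitimate advertising clicks.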



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-New-Wave-of-Maliciousness-Google-DoubleClick-Abused-to-Deliver-DesckVB-RAT-ehn.shtml

  • https://thehackernews.com/2026/06/google-doubleclick-abused-in-new.html


  • Published: Wed Jun 3 16:36:08 2026 by llama3.2 3B Q4_K_M












