The Attack Chain
Cybersecurity researchers have uncovered a new malware campaign that abuses Google’s DoubleClick domain to deliver a remote access trojan called DesckVB RAT. The attack begins when a victim opens an HTML file attached to a phishing email. This file triggers a browser redirect through a legitimate Google DoubleClick Campaign Manager click tracking URL, which security tools are less likely to flag as suspicious.
From the DoubleClick redirect, the victim is passed to a malspam kit that personalizes itself in real time using the victim’s email address. The kit dynamically pulls company branding and location details to create convincing landing pages without requiring attackers to handcraft lures for each target. This approach makes the operation more scalable and cost-effective.
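A defender-side check for the first stage described above, as an added example that is not part of the original article: it flags HTML attachments that navigate on their own to a doubleclick.net host, while ignoring ordinary links that need a click. The host suffix, the redirect mechanisms (meta refresh, script navigation) and the sample markup are assumptions, since the article gives no URLs or file contents.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the tracker host sits under doubleclick.net; the article names
# the DoubleClick domain but gives no exact URL.
TRACKER_SUFFIX = "doubleclick.net"
# Assumption: the redirect uses a meta refresh or a script navigation sink.
JS_NAV = re.compile(
    r"""location(?:(?:\.href)?\s*=|\.(?:replace|assign)\s*\()\s*["']([^"']+)""", re.I)
META_URL = re.compile(r"""url\s*=\s*["']?([^"';\s]+)""", re.I)

class AutoRedirects(HTMLParser):
    """Collects URLs the document navigates to without a user click."""
    def __init__(self):
        super().__init__()
        self.targets, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.targets += META_URL.findall(a.get("content") or "")[:1]

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.targets += JS_NAV.findall(data)

def tracker_redirects(html):
    """Return auto-redirect targets whose host is doubleclick.net or a subdomain."""
    parser = AutoRedirects()
    parser.feed(html)
    parser.close()
    hosts = [(u, (urlparse(u).hostname or "").lower()) for u in parser.targets]
    return [u for u, h in hosts
            if h == TRACKER_SUFFIX or h.endswith("." + TRACKER_SUFFIX)]

# Constructed samples (not from the campaign): an auto-redirecting attachment
# and a page that only links to the tracker, which needs a click.
SAMPLE_ATTACHMENT = ('<html><body><script>window.location.href = '
                     '"https://ad.doubleclick.net/constructed-click-path";'
                     '</script></body></html>')
SAMPLE_LINK_ONLY = '<a href="https://ad.doubleclick.net/constructed-click-path">ad</a>'
```

A mail gateway or triage script can call tracker_redirects() on each .html/.htm attachment and quarantine or escalate messages where the list is non-empty.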
Payload and Impact
The end goal of this campaign is to drop DesckVB RAT, a .NET-based trojan active since February 2026. After the victim clicks a “Download PDF” button on the landing page, the server responds with a ZIP archive containing a JavaScript loader. This loader executes a PowerShell script that fetches a .NET stager from an external server.
The stager verifies it is not being analyzed, disables security controls, establishes persistence, and ultimately delivers the RAT payload using process hollowing injection techniques. This campaign eliminates the need for attackers to build bespoke malware kits for each target organization, potentially increasing the scope and frequency of such attacks.
Source: The Hacker News

