Malspam uses Google DoubleClick to deliver DesckVB RAT
HTML attachments redirect via Google DoubleClick to personalized landing pages that deliver a ZIP containing a JavaScript loader, which fetches a .NET loader and installs the DesckVB RAT.
Security researchers at Huntress uncovered a malspam campaign that uses Google DoubleClick click-tracking redirects to deliver the DesckVB .NET remote access trojan. The attack begins when a user opens an HTML file attached to a phishing email. The file triggers a meta-refresh redirect to a DoubleClick Campaign Manager URL, which then routes the user through a secondary redirector. That redirector decodes a Base64-encoded email address carried in the link and uses it to build a customized landing page.
The landing page is populated with company branding and location details derived from the decoded email address. Clicking the page's “Download PDF” button returns a ZIP archive containing a JavaScript loader instead of a PDF. The script extracts and runs a PowerShell script, which downloads a .NET loader from an external server. That .NET loader acts as a stager and performs anti-analysis checks before launching the final payload.
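The redirect chain above can be triaged without detonating the attachment: an HTML file whose only job is a meta-refresh to a click tracker, with a second URL and a Base64 blob nested inside, is already a strong signal. The script below is an added example written for this article, not Huntress's tooling or the attacker's kit. It parses the meta-refresh target, pulls out any URL nested inside the DoubleClick link, and tries to decode query values and path segments as Base64 to recover the embedded email address. The sample HTML is constructed; the DoubleClick path layout, the `redirector.example` hostname and the `e=` parameter name are assumptions, since only the hostname and the decoded value matter to the check.

```python
"""Triage an HTML email attachment for the meta-refresh -> click tracker -> redirector lure chain."""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Lookahead so a URL nested inside another URL (how click trackers carry the destination) is found too.
URL_RE = re.compile(r"(?=(https?://[^\s'\"<>]+))")
REFRESH_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.I)


class MetaRefreshParser(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL_RE.search(a.get("content", ""))
            if m:
                self.targets.append(m.group(1).strip())


def meta_refresh_targets(html):
    p = MetaRefreshParser()
    p.feed(html)
    return p.targets


def nested_urls(url):
    """Return the URL itself plus every URL carried inside it, after percent-decoding."""
    return [m.group(1) for m in URL_RE.finditer(unquote(url))]


def base64_emails(url):
    """Decode Base64-looking query values and path segments; keep those that decode to an email address."""
    parsed = urlparse(url)
    candidates = [v for vals in parse_qs(parsed.query).values() for v in vals]
    candidates += [seg for seg in parsed.path.split("/") if seg]
    found = []
    for c in candidates:
        c = c.replace("-", "+").replace("_", "/")  # accept URL-safe alphabet as well
        c += "=" * (-len(c) % 4)                   # restore padding the kit may have stripped
        try:
            text = base64.b64decode(c, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if EMAIL_RE.match(text) and text not in found:
            found.append(text)
    return found


def triage_html_attachment(html):
    """Return a report dict with verdict 'clean', 'suspicious' (bare meta-refresh) or 'high'."""
    report = {"meta_refresh": [], "via_doubleclick": False, "embedded_urls": [], "decoded_emails": []}
    for target in meta_refresh_targets(html):
        report["meta_refresh"].append(target)
        for url in nested_urls(target):
            host = (urlparse(url).hostname or "").lower()
            if host == "doubleclick.net" or host.endswith(".doubleclick.net"):
                report["via_doubleclick"] = True
            if url != target and url not in report["embedded_urls"]:
                report["embedded_urls"].append(url)
            for email in base64_emails(url):
                if email not in report["decoded_emails"]:
                    report["decoded_emails"].append(email)
    if not report["meta_refresh"]:
        report["verdict"] = "clean"
    elif report["via_doubleclick"] or report["decoded_emails"]:
        report["verdict"] = "high"
    else:
        report["verdict"] = "suspicious"
    return report


# Constructed sample, not a captured lure: the victim address rides Base64-encoded in the redirector's query.
SAMPLE_EMAIL = "jane.doe@example.com"
SAMPLE_B64 = base64.b64encode(SAMPLE_EMAIL.encode()).decode()
SAMPLE_HTML = (
    '<html><head><meta http-equiv="refresh" content="0;url=https://ad.doubleclick.net/ddm/clk/EXAMPLE'
    f'?https://redirector.example/?e={SAMPLE_B64}"></head><body>Loading document...</body></html>'
)

if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_HTML))
```

Run against a mailbox export or a gateway quarantine, the useful outputs are the decoded address (it tells you which recipient the lure was built for) and the embedded redirector host, which is the attacker-controlled infrastructure worth blocking, since the DoubleClick hostname itself is legitimate and not a sensible block target.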
The loader checks for sandbox or analysis environments, disables selected security controls, and patches native API functions used by Windows telemetry to blunt the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW). It establishes persistence through Run and RunOnce registry entries and a copy of the loader in the user's Startup folder, and it uses process hollowing to inject the RAT into legitimate Microsoft-signed processes.
Once active, DesckVB communicates with a command-and-control server over raw TCP sockets. The trojan performs system reconnaissance, exfiltrates data, runs arbitrary commands, deploys additional payloads, and can add Microsoft Defender exclusions. The malware terminates or reboots the host if it detects analysis tools or a sandbox environment. Huntress traced activity of this .NET-based trojan back to February 2026.
Huntress researchers Anna Pham and Adam Mooney noted that the initial DoubleClick redirect sends victims through a legitimate Google-owned domain before they reach attacker-controlled infrastructure, and that the malspam kit personalizes landing pages on the fly using the victim’s email address. “Before the victim ever reaches attacker-controlled infrastructure, the lure routes through DoubleClick, a legitimate Google-owned domain that many security tools are less likely to treat as suspicious,” they wrote.
Huntress recommended defensive measures including a Group Policy Object that makes Notepad the default handler for .vbs, .hta and .js files, so that double-clicking a script opens it as text instead of executing it; DMARC, DKIM and SPF email authentication records; and an email gateway that sandboxes attachments and links before delivery. Organizations are also advised to keep endpoint protection and telemetry rules current to detect related activity.