DesckVB RAT Exploits Google's DoubleClick Domain

A fresh malspam campaign has found a clever way to slip past defenses by hijacking Google’s DoubleClick domain—a widely trusted advertising platform. Since early 2026, attackers have been embedding malicious redirects within phishing emails that lead victims through DoubleClick URLs. This abuse of a legitimate domain helps the payload evade email filters and network protections, increasing the chances of successful infection.

At the heart of this campaign lies the DesckVB remote access trojan (RAT), a .NET-based malware designed for stealth and persistence. The attackers craft phishing emails with HTML attachments that trigger redirects through DoubleClick, funneling targets to tailored malicious landing pages. This technique not only masks the true source of the attack but also leverages the inherent trust in Google’s infrastructure, complicating detection and response efforts.

How the Malspam Campaign Operates

The campaign kicks off with phishing emails that look surprisingly ordinary but carry a hidden threat: an HTML attachment. When opened, this file doesn’t just display content—it triggers a redirect through Google’s DoubleClick domain. Using such a trusted advertising platform as a relay is a clever move. It helps the attackers slip past email filters and network defenses that might otherwise block suspicious links or domains.

Once redirected, victims land on a malicious webpage tailored to their environment. This personalized approach improves the chance that the victim will proceed, unknowingly downloading the DesckVB RAT payload. The malware itself is a .NET-based remote access trojan designed for stealth and control. It employs process hollowing—a method where malicious code runs inside legitimate processes—to stay hidden from casual inspection and evade endpoint detection systems.

DesckVB also targets security tools directly. It disables Microsoft Defender and the Antimalware Scan Interface (AMSI), two key components of Windows’ threat detection framework. By neutralizing these defenses early, the malware gains a foothold without raising immediate alarms.

The campaign’s infrastructure is dynamic. Attackers continuously update the malicious landing pages and payloads, adjusting to avoid detection and respond to defensive measures. The use of DoubleClick isn’t static either; the campaign exploits URL parameters and ad redirects to mask the final destination, complicating efforts to trace or block the attack.
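A defender-side check for the redirect pattern described above, added here as an example rather than code from the article or the campaign: it pulls every absolute URL out of an HTML attachment, keeps those on a doubleclick.net host, and flags any URL-valued query parameter (an 'adurl'-style final destination, which is an assumption about the link format) whose host is not on a constructed allowlist.

```python
"""Flag DoubleClick-style redirect links in an HTML attachment whose embedded
destination is not an expected ad partner. Added example, not the article's
code; 'adurl'-style parameters, the allowlist and the sample are assumptions."""
import html
import re
from urllib.parse import parse_qs, urlparse

REDIRECT_HOST_SUFFIX = ".doubleclick.net"
ALLOWED_DESTINATIONS = {"example-ads-partner.com"}  # constructed placeholder
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample: a meta-refresh redirector plus two ordinary links.
SAMPLE_HTML = (
    '<html><head><meta http-equiv="refresh" content="0;url=https://adclick.g.'
    'doubleclick.net/pcs/click?xai=abc&amp;adurl=https%3A%2F%2Flanding.'
    'example-malicious.test%2Fupdate"></head><body>'
    '<a href="https://adclick.g.doubleclick.net/pcs/click?adurl='
    'https://example-ads-partner.com/promo">Offer</a>'
    '<a href="https://intranet.example.test/">Home</a></body></html>'
)


def extract_urls(doc):
    """Return every absolute http(s) URL in the document, entities decoded."""
    return URL_RE.findall(html.unescape(doc))


def embedded_destinations(url):
    """Return http(s) URLs carried as query-parameter values of a redirector."""
    query = parse_qs(urlparse(url).query)
    return [v for vals in query.values() for v in vals
            if v.lower().startswith(("http://", "https://"))]


def suspicious_redirects(doc):
    """Return (redirect_url, final_host) pairs whose final host is not allowlisted."""
    hits = []
    for url in extract_urls(doc):
        host = (urlparse(url).hostname or "").lower()
        if not host.endswith(REDIRECT_HOST_SUFFIX):
            continue
        for dest in embedded_destinations(url):
            dest_host = (urlparse(dest).hostname or "").lower()
            if dest_host not in ALLOWED_DESTINATIONS:
                hits.append((url, dest_host))
    return hits


if __name__ == "__main__":
    for redirect, host in suspicious_redirects(SAMPLE_HTML):
        print(f"suspicious redirect via {urlparse(redirect).hostname} -> {host}")
```

The same function can be run over the body of a mail gateway's HTML parts or proxy logs; the allowlist is the only site-specific piece.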

This layered approach—trusted domain abuse, personalized phishing, sophisticated evasion—makes the campaign resilient and effective. It’s a stark reminder that even widely trusted platforms can be weaponized when attackers think creatively. Defenders must rethink assumptions about domain trust and bolster phishing awareness alongside technical controls.

Technical Details of the DesckVB RAT

DesckVB is a .NET-based remote access trojan designed with stealth and persistence in mind. Its architecture leverages common evasion techniques, notably process hollowing, where the malware injects its code into legitimate processes to avoid detection by endpoint security tools. This method effectively masks its presence, making traditional signature-based antivirus solutions less effective.

Beyond process hollowing, DesckVB actively disables critical Windows security components, including Microsoft Defender and the Antimalware Scan Interface (AMSI). By doing so, it neutralizes real-time scanning and script-blocking defenses, clearing the path for its payload to execute without interference. This suppression of native security features is a calculated move to maintain long-term access without raising alarms.

The RAT’s command-and-control communication is encrypted and designed to blend with normal network traffic, often mimicking legitimate web requests. This obfuscation complicates network-based detection and analysis. Once deployed, DesckVB grants attackers extensive control: file system manipulation, credential harvesting, keylogging, and even the ability to deploy additional payloads.

Its .NET foundation offers flexibility and rapid development, enabling attackers to update features or modify behavior dynamically. This adaptability, combined with the campaign’s use of a trusted domain for delivery, underscores why DesckVB poses a serious challenge for defenders relying solely on conventional detection methods.

Why This Attack Demands Stronger Defenses

The use of a reputable domain like Google’s DoubleClick to deliver DesckVB RAT shifts the threat landscape in a troubling way. Traditional email filters and web proxies often whitelist well-known ad networks, assuming their traffic is safe. This campaign exploits that trust, letting malicious payloads slip through defenses that many organizations rely on without question. It’s a stark reminder that threat actors are adapting faster than some security controls can keep up.

For enterprises, the stakes are high. Once DesckVB gains a foothold, it can disable core security tools and hide its activity through process hollowing, making detection and response significantly harder. Incident response teams will face longer dwell times and more complex forensic challenges. The campaign’s use of personalized landing pages means attackers can tailor lures to specific targets, increasing the likelihood of infection and complicating broad-based defense strategies.

This also pressures security vendors to rethink how they handle traffic from trusted domains. Relying solely on domain reputation is no longer sufficient. Behavioral analysis and endpoint-level detection must fill the gaps, especially against malware that actively undermines antivirus and monitoring tools. Organizations need to adopt layered defenses that don’t assume any channel is inherently safe, even those tied to major tech companies.

On a policy level, it raises questions about responsibility and oversight of ad networks. While Google’s infrastructure is being abused here, the challenge lies in balancing openness with tighter controls to prevent misuse without disrupting legitimate advertising. For now, defenders must stay vigilant, updating detection rules and educating users about the risks of interacting with unexpected attachments—even if they seem to come through familiar, trusted channels.

Steps Organizations Can Take Now

The next signs to watch for will likely come from shifts in how threat actors exploit legitimate infrastructure. This campaign’s use of Google’s DoubleClick domain underscores a growing trend: weaponizing trusted platforms to evade detection. Expect similar abuse of other major ad networks or cloud services, as attackers chase high-reputation domains to slip past filters. Organizations should monitor email traffic closely for unusual redirects or HTML attachments that link to unexpected domains—even those appearing legitimate at first glance.

Network defenders will need to sharpen anomaly detection around outbound connections, especially those tied to advertising or content delivery networks. Indicators like sudden spikes in DoubleClick-related redirects or unexplained process injection attempts could signal new waves of this RAT or variants.

On the endpoint side, behavioral analysis will become more critical. DesckVB’s reliance on process hollowing and disabling security controls means static signature-based tools alone won’t cut it. Watch for suspicious parent-child process relationships and unexpected AMSI or Defender service interruptions. Endpoint detection and response platforms tuned to these tactics can catch infections earlier.

Finally, mitigation efforts must include tighter email hygiene and user training. Phishing remains the entry point here, so reinforcing awareness around suspicious attachments—even those that look benign—is vital. Multi-layered defenses combining network, endpoint, and user vigilance form the best barrier.

No single fix will stop this evolving threat. But by focusing on the subtle cues this campaign reveals, defenders can anticipate the next moves and respond with greater agility. The battle will revolve around spotting trusted domains turned hostile and recognizing the malware’s stealthy footprints before damage spreads.
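The endpoint signals listed above (and the process-hollowing and Defender/AMSI behaviour described under Technical Details) expressed as rules over Sysmon-style events, added here as an example that is not the article's or any vendor's code; the event layout, the watch-lists of hollowing hosts and script parents, and the sample events are all constructed assumptions rather than DesckVB indicators.

```python
"""Score endpoint events for the behaviours the article says to watch for:
odd parent/child pairs suggesting process hollowing, Defender being switched
off, and AMSI never loading. Added example, not the article's code; the event
shape, the watch-lists and the sample events are constructed assumptions."""

# Watch-lists (assumptions, not DesckVB indicators): signed .NET hosts often
# abused for hollowing, and script engines that should rarely launch them.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
SCRIPT_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
DEFENDER_MARKERS = ("disablerealtimemonitoring", "disableantispyware")
AMSI_AWARE = {"powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed sample: a benign PowerShell run, then a suspicious chain.
SAMPLE_EVENTS = [
    {"id": "ProcessCreate", "pid": 10, "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell.exe -File backup.ps1"},
    {"id": "ImageLoad", "pid": 10, "module": "amsi.dll"},
    {"id": "ProcessCreate", "pid": 21, "image": "powershell.exe",
     "parent": "mshta.exe", "cmdline": "powershell.exe -File stage.ps1"},
    {"id": "ProcessCreate", "pid": 22, "image": r"C:\Tools\RegAsm.exe",
     "parent": "powershell.exe", "cmdline": "RegAsm.exe"},
    {"id": "RegistrySet", "pid": 21,
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
]


def _base(path):
    """File name of a path, lower-cased, so watch-lists match regardless of dir."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, finding) tuples; an empty list means no rule fired."""
    findings = []
    amsi_loaded = {e["pid"] for e in events
                   if e["id"] == "ImageLoad" and _base(e["module"]) == "amsi.dll"}
    for e in events:
        if e["id"] == "ProcessCreate":
            image, parent = _base(e["image"]), _base(e["parent"])
            # Hollowing heuristic: a .NET host started by a script engine, or
            # started with no arguments (the binary is only a shell to fill).
            if image in HOLLOW_HOSTS and (
                    parent in SCRIPT_PARENTS or " " not in e["cmdline"].strip()):
                findings.append((e["pid"], f"possible hollowing: {parent} -> {image}"))
            if image in AMSI_AWARE and e["pid"] not in amsi_loaded:
                findings.append((e["pid"], f"{image} ran without loading amsi.dll"))
            if any(m in e["cmdline"].lower() for m in DEFENDER_MARKERS):
                findings.append((e["pid"], "Defender tampering on command line"))
        elif e["id"] == "RegistrySet" and e["key"].lower().endswith(DEFENDER_MARKERS):
            findings.append((e["pid"], "Defender policy tampering: " + e["key"]))
    return findings
```

Each rule is independent, so a single chain that trips two or three of them (as the sample's pids 21 and 22 do) is the pattern worth escalating, while any one firing alone is only a lead.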