Malspam campaign uses Google DoubleClick redirect chain to deliver DesckVB RAT

A new malspam campaign is using Google’s DoubleClick domain to help route victims to a remote access trojan called DesckVB RAT, according to a technical analysis from Huntress. The campaign uses phishing emails with HTML attachments and a redirect chain that can personalize the lure with the recipient’s email address.

KEY FACTS

  • Delivery method: phishing emails carry an HTML file that starts the infection chain.
  • Redirect path: the file sends victims through DoubleClick before reaching attacker infrastructure.
  • Payload: the campaign aims to install DesckVB RAT, a .NET-based trojan active since February 2026.
  • Technique: the malware uses PowerShell, process hollowing, and persistence through Registry keys and the Startup folder.

The HTML attachment triggers a meta-refresh redirect to a Google DoubleClick Campaign Manager click-tracking URL. From there, the victim is sent through a second redirector that decodes a Base64-encoded email address and leads to a landing page with a “Download PDF” button.
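The following is an added triage script, not code from Huntress or from the campaign, that shows how a mail gateway or analyst could statically inspect an HTML attachment for the chain just described: a meta-refresh tag, a first hop on a doubleclick.net host, a destination appended after the click tracker’s `?`, and a Base64-encoded email address in the next hop’s query string. The sample attachment, the redirector hostname, and the `u=` parameter name are constructed for illustration; the assumption that the click tracker carries its destination after the `?` is also the example’s own.

```python
import base64
import html
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample attachment (not taken from the campaign). The redirector
# host "redirect.example.invalid" and the "u=" parameter are assumptions.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/ddm/clk/123456;789?https://redirect.example.invalid/go?u=dmljdGltQGV4YW1wbGUuY29t">
</head><body>Loading your document...</body></html>"""

META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', re.I)
CONTENT_RE = re.compile(r'content\s*=\s*["\']([^"\']+)["\']', re.I)
URL_RE = re.compile(r'url\s*=\s*(.+)', re.I)
EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')


def extract_meta_refresh_url(html_text: str) -> Optional[str]:
    """Return the target of a <meta http-equiv="refresh"> tag, or None."""
    tag = META_REFRESH_RE.search(html_text)
    if not tag:
        return None
    content = CONTENT_RE.search(tag.group(0))
    if not content:
        return None
    url = URL_RE.search(html.unescape(content.group(1)))
    return url.group(1).strip().strip("'\"") if url else None


def try_decode_email(value: str) -> Optional[str]:
    """Base64-decode a query value (URL-safe or standard alphabet) and return
    it only if the plaintext looks like an email address."""
    raw = unquote(value)
    padded = raw + "=" * (-len(raw) % 4)          # tolerate stripped padding
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):      # not Base64 / not text
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def triage_attachment(html_text: str) -> dict:
    """Static triage for the meta-refresh -> DoubleClick -> redirector chain."""
    result = {"meta_refresh": None, "via_doubleclick": False,
              "next_hop": None, "personalized_email": None, "suspicious": False}
    first_hop = extract_meta_refresh_url(html_text)
    if first_hop is None:
        return result
    result["meta_refresh"] = first_hop
    host = (urlparse(first_hop).hostname or "").lower()
    result["via_doubleclick"] = host == "doubleclick.net" or host.endswith(".doubleclick.net")
    # Assumption: the click tracker carries its destination after the first '?'.
    next_hop = first_hop.split("?", 1)[1] if "?" in first_hop else None
    if next_hop:
        result["next_hop"] = next_hop
        for values in parse_qs(urlparse(next_hop).query).values():
            for value in values:
                email = try_decode_email(value)
                if email:
                    result["personalized_email"] = email
    # An attachment whose only job is to bounce through an ad-tech redirector,
    # or that carries the recipient's address encoded in the chain, is worth holding.
    result["suspicious"] = (result["via_doubleclick"] and next_hop is not None) \
        or result["personalized_email"] is not None
    return result


if __name__ == "__main__":
    for key, val in triage_attachment(SAMPLE_HTML).items():
        print(f"{key}: {val}")
```

Run against a real attachment by reading the file into `triage_attachment`; the `personalized_email` field is the lure-personalization signal that distinguishes this chain from an ordinary tracked ad link, and `next_hop` is the value to submit to URL reputation or sandboxing.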

Clicking the button returns a ZIP archive that starts a JavaScript loader. The script extracts and runs PowerShell, which fetches a .NET loader from an external server and then downloads and runs the RAT payload.

The report says the loader checks whether it is being analyzed, disables security controls, and sets up persistence. Once active, the trojan communicates with a command and control server over raw TCP sockets, carries out system reconnaissance, and configures Microsoft Defender exclusions.

It also patches AMSI and ETW at the native API level to reduce its visibility to Windows telemetry. The malware can extract data, run commands, deploy additional payloads, and terminate or reboot the machine if it detects analysis tools or a sandboxed environment.
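As an added illustration of the detection side of the two preceding paragraphs (this is not Huntress code and not campaign data), the following rule set runs over constructed endpoint telemetry and flags the behaviours the report attributes to the loader and RAT: a script host spawning PowerShell, a Microsoft Defender exclusion being added (via the real `Add-MpPreference` cmdlet or the Defender `Exclusions` registry branch), a Run-key entry pointing into the user profile, and a write into the Startup folder. The file names, paths and the `updater.exe` artifact are invented for the sample; the in-memory AMSI/ETW patching the report describes leaves no log line of this kind and is deliberately outside these rules.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample telemetry: one script-loader chain plus a benign admin
# PowerShell session. Paths and the "updater.exe" name are illustrative only.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Invoice.js"'},
    {"type": "process", "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -w hidden -e <base64-omitted>"},
    {"type": "process", "image": PS, "parent": PS,
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\u\AppData\Roaming"},
    {"type": "registry", "image": r"C:\Users\u\AppData\Roaming\updater.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "file", "image": r"C:\Users\u\AppData\Roaming\updater.exe",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-Process"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"   # also matches RunOnce
STARTUP_DIR = "\\start menu\\programs\\startup\\"
DEFENDER_EXCLUSIONS = "\\software\\microsoft\\windows defender\\exclusions"

Finding = Optional[Tuple[str, str]]   # (rule name, severity)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_spawns_powershell(ev: dict) -> Finding:
    if ev["type"] == "process" and basename(ev["image"]) == "powershell.exe" \
            and basename(ev["parent"]) in SCRIPT_HOSTS:
        return ("script_host_spawns_powershell", "high")
    return None


def rule_defender_exclusion(ev: dict) -> Finding:
    if ev["type"] == "process":
        cmd = ev["cmdline"].lower()
        if "add-mppreference" in cmd and "-exclusion" in cmd:
            return ("defender_exclusion_via_cmdlet", "high")
    if ev["type"] == "registry" and DEFENDER_EXCLUSIONS in ev["key"].lower():
        return ("defender_exclusion_via_registry", "high")
    return None


def rule_run_key_from_user_profile(ev: dict) -> Finding:
    # Run-key persistence written by a binary living under the user's AppData.
    if ev["type"] == "registry" and RUN_KEY in ev["key"].lower() \
            and "\\appdata\\" in ev["image"].lower():
        return ("run_key_persistence_from_userprofile", "medium")
    return None


def rule_startup_folder_write(ev: dict) -> Finding:
    if ev["type"] == "file" and STARTUP_DIR in ev["path"].lower():
        return ("startup_folder_write", "medium")
    return None


RULES: List[Callable[[dict], Finding]] = [
    rule_script_host_spawns_powershell, rule_defender_exclusion,
    rule_run_key_from_user_profile, rule_startup_folder_write,
]
WEIGHTS = {"high": 3, "medium": 2, "low": 1}


def assess(events: List[dict]) -> Dict[str, object]:
    """Apply every rule to every event; call it a loader chain when three or
    more distinct behaviours from the report appear on the same host."""
    findings = []
    for index, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"index": index, "rule": hit[0],
                                 "severity": hit[1], "image": ev["image"]})
    distinct = {f["rule"] for f in findings}
    return {"findings": findings,
            "score": sum(WEIGHTS[f["severity"]] for f in findings),
            "distinct_rules": sorted(distinct),
            "likely_loader_chain": len(distinct) >= 3}


if __name__ == "__main__":
    verdict = assess(SAMPLE_EVENTS)
    for f in verdict["findings"]:
        print(f"event {f['index']}: {f['rule']} ({f['severity']}) {f['image']}")
    print("score:", verdict["score"], "loader chain:", verdict["likely_loader_chain"])
```

The correlation threshold matters more than any single rule: a lone Run-key write or a one-off `Add-MpPreference` by an administrator is routine, but a script host launching PowerShell that then adds an exclusion and installs two persistence mechanisms is the sequence the report describes, and the example only escalates when several of those behaviours co-occur.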

Huntress said organizations can reduce risk by making Notepad the default program for opening script files and by using email security controls such as DMARC, DKIM, SPF, and attachment or link sandboxing.

WHY IT MATTERS

The campaign shows how threat actors can use trusted infrastructure and personalized lures to make phishing links look less suspicious and scale attacks across multiple targets. It also highlights the value of layered defenses that can stop malicious scripts before a payload is delivered.