
Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT

Published:

3 June 2026 at 16:29:16

Alert date:

3 June 2026 at 21:02:42

Source:

thehackernews.com


Ransomware & Malware, Email & Messaging

A new malspam campaign is abusing Google's DoubleClick domain to evade detection and deliver the DesckVB remote access trojan (RAT). The attack routes victims through a legitimate, Google-owned DoubleClick click-tracking URL before forwarding them to attacker-controlled infrastructure. Because the first hop is a widely trusted advertising domain, URL reputation checks and e-mail security filters are less likely to flag the link, and the hop also hides the true destination from the recipient. No vulnerability in DoubleClick is involved; the campaign relies on the redirect behaviour that click trackers provide by design.

Technical details

The campaign uses the Google DoubleClick domain as a trusted intermediary in its redirect chain and ends with the DesckVB RAT running inside Microsoft-signed processes. The chain, as described in the source, is:

The phishing e-mail carries an HTML attachment. Opening it triggers a meta-refresh redirect to a Google DoubleClick Campaign Manager click-tracking URL.
The click tracker forwards the browser to a second, attacker-controlled redirector. That redirector decodes a Base64-encoded e-mail address embedded in the URL (tagging the victim) and sends the user to a landing page with a "Download PDF" button.
The download is a ZIP archive containing a JavaScript loader. The loader extracts and runs a PowerShell script, which fetches a .NET loader from an external server.
The .NET loader performs anti-analysis checks, disables security controls, sets up persistence, and downloads the RAT payload, which it injects into Microsoft-signed processes by process hollowing.
The RAT communicates with its operators over raw TCP sockets, performs system reconnaissance, adds Microsoft Defender exclusions, patches AMSI and ETW at the native API level, and establishes persistence through Run/RunOnce Registry entries and the Startup folder.

Practical consequence for defenders: the DoubleClick URL is not itself malicious, so blocking it is not an option. Detection has to key on the surrounding behaviour, such as an HTML attachment whose only purpose is a meta-refresh redirect, a click-tracker URL whose destination is an unrelated redirector carrying an encoded e-mail address, a ZIP-delivered .js file spawning wscript.exe and powershell.exe, and the later Defender exclusion and Run-key writes on the host.
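The following script is an added example (not code from the source article or from the campaign) that statically triages an HTML e-mail attachment for the redirect chain described above: it extracts meta-refresh targets, unwraps a DoubleClick Campaign Manager click tracker to expose the destination it forwards to, and checks the destination's query parameters for a Base64-encoded e-mail address. Nothing is fetched from the network. The sample attachment, the campaign IDs, the redirector host and the parameter name `u` are all constructed for the example; the `dest=` URL shape is an assumption added to cover trackers that carry the destination as a query parameter rather than after the `?`.

```python
"""Static triage of an HTML attachment for a trusted-redirector phishing chain.

Added example: sample data below is constructed, not IOCs from the campaign.
"""
import base64
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Google-owned click-tracking hosts that a redirect chain may legitimately pass through.
TRUSTED_REDIRECTOR_HOSTS = {"ad.doubleclick.net", "adclick.g.doubleclick.net"}

# Deliberately strict: a decoded parameter must look like a single mailbox address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class MetaRefreshParser(HTMLParser):
    """Collect the URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1).strip())


def meta_refresh_targets(html: str) -> list[str]:
    parser = MetaRefreshParser()
    parser.feed(html)
    return parser.targets


def unwrap_doubleclick(url: str) -> Optional[str]:
    """Return the destination a DoubleClick click tracker forwards to, or None.

    Handles the tracker shape  https://ad.doubleclick.net/ddm/clk/<ids>?<destination>
    and (assumption for this example) a ?dest=<destination> parameter.
    """
    parts = urlsplit(url)
    if parts.hostname not in TRUSTED_REDIRECTOR_HOSTS:
        return None
    query = parts.query
    if query.startswith(("http://", "https://")):
        return unquote(query)          # destination appended verbatim after '?'
    dest = parse_qs(query).get("dest") # parse_qs already percent-decodes values
    return dest[0] if dest else None


def decode_b64_emails(url: str) -> dict[str, str]:
    """Find query parameters whose Base64 decoding is an e-mail address (victim tagging)."""
    found: dict[str, str] = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            value = value.strip()
            padded = value + "=" * (-len(value) % 4)   # tolerate stripped padding
            try:
                text = base64.b64decode(padded, altchars=b"-_").decode("utf-8")
            except Exception:
                continue
            if EMAIL_RE.match(text):
                found[key] = text
    return found


def triage_attachment(html: str) -> dict:
    """Walk the redirect chain statically and report what was found."""
    report = {"chain": [], "victim_emails": {}, "findings": []}
    for target in meta_refresh_targets(html):
        report["chain"].append(target)
        report["findings"].append("meta-refresh redirect in attachment")
        dest = unwrap_doubleclick(target)
        if dest:
            report["chain"].append(dest)
            report["findings"].append("trusted click tracker used as open redirector")
            emails = decode_b64_emails(dest)
            if emails:
                report["victim_emails"].update(emails)
                report["findings"].append("Base64-encoded e-mail tag on redirector URL")
    return report


# Constructed sample attachment (not a real lure): the Base64 value is "victim@example.com".
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/ddm/clk/111111111;222222222;333333333?https://redirector.example.invalid/go?u=dmljdGltQGV4YW1wbGUuY29t">
</head><body>Loading document...</body></html>"""

if __name__ == "__main__":
    for k, v in triage_attachment(SAMPLE_HTML).items():
        print(f"{k}: {v}")
```

In a mail gateway or sandbox this logic runs before delivery; the useful signal is the combination of findings (a redirect-only attachment, a trusted click tracker whose destination is unrelated to advertising, and a per-recipient tag), since any one of them occurs in legitimate mail.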

Mitigation steps:

Use a Group Policy Object (GPO) in Active Directory to make script file types (.js, .jse, .vbs, .vbe, .wsf, .hta) open in Notepad instead of the Windows Script Host, so a double-clicked loader from a ZIP shows its source rather than running; `ftype JSFile` on an endpoint shows whether the handler is still WScript.exe
Enforce SPF, DKIM and DMARC (with a reject policy) so spoofed sender domains are rejected; note this does not stop mail sent from compromised or attacker-registered domains that authenticate correctly
Use an e-mail gateway that detonates attachments and follows links, including HTML attachments, in a sandbox before delivery, since the first hop of this chain is a trusted domain that reputation lists will not block
Apply defense in depth on the endpoint: block or monitor wscript.exe and powershell.exe spawned from Explorer or archive tools, alert on new Defender exclusions (Add-MpPreference) and on writes to the Run/RunOnce keys and the Startup folder, and enforce tamper protection for Defender

Affected products (components abused or targeted by the campaign; none has a vulnerability here):

Google DoubleClick (click-tracking redirect abused as a trusted intermediary)
Microsoft Windows
Microsoft Defender (exclusions added by the loader)
Windows AMSI (Antimalware Scan Interface, patched by the RAT)
Windows ETW (Event Tracing for Windows, patched by the RAT)

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
