Google DoubleClick Abused to Deliver DesckVB RAT in Malspam Campaign
Cybersecurity researchers at Huntress have uncovered a malspam campaign that abuses Google's DoubleClick domain to slip past security filters and deliver a remote access trojan tracked as DesckVB RAT. According to researchers Anna Pham and Adam Mooney, the attack chain begins with a phishing email carrying an HTML attachment. Once opened, a meta-refresh redirect sends the victim's browser through a legitimate Google DoubleClick Campaign Manager click-tracking URL, laundering the traffic through a trusted domain before it reaches attacker-controlled infrastructure. This approach eliminates the need for a bespoke phishing kit per target, making the operation scalable and cheap to run for the threat actors.
The redirect chain decodes a Base64-encoded email address and lands the victim on a convincing page that pulls in company branding and geographic details, personalized in real time. A fraudulent "Download PDF" button delivers a ZIP archive containing a JavaScript loader. The loader fetches a PowerShell stager that disables security controls, adds Microsoft Defender exclusions, and patches both the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) at the native API level. Persistence comes from Run and RunOnce Registry entries plus a loader dropped in the user's Startup folder, and the final .NET RAT payload is injected via process hollowing into Microsoft-signed processes. Each of these steps leaves an artifact defenders can check for: unexpected Defender exclusion paths, new Run/RunOnce values and Startup-folder scripts, and Microsoft-signed binaries whose in-memory image no longer matches their on-disk file or that open outbound TCP connections they normally never make. A perimeter port scan will not surface any of this, since the implant connects outward rather than listening.
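The front of that chain is the part a mail gateway or analyst can inspect before anything executes. The following Python triage script is an added example for this article, not Huntress's code and not anything recovered from the campaign: it parses an HTML attachment for a meta-refresh redirect, records whether the hop goes through a doubleclick.net host, splits any destination URL embedded in the click tracker's query string, and tries to Base64-decode query parameters back into an e-mail address. The sample attachment, the shape of the click-tracker URL, the `example.invalid` destination and the `u` parameter name are constructed for illustration; the article does not give the real parameter names or infrastructure.

```python
"""Triage an HTML e-mail attachment for the meta-refresh -> DoubleClick redirect
pattern described above. Added example, not Huntress's code; the sample
attachment, the tracker URL shape, example.invalid and the `u` parameter are
constructed for illustration."""
from __future__ import annotations

import base64
import binascii
import json
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample attachment: its only job is to bounce the browser through an
# ad.doubleclick.net click-tracking URL whose destination carries a Base64 e-mail.
SAMPLE_HTML = """<!DOCTYPE html><html><head><title>Secure document</title>
<meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/ddm/clk/000000000;000000000;x?https://example.invalid/view?u=dmljdGltQGNvcnAuZXhhbXBsZQ==">
</head><body>Loading your document...</body></html>"""

# Ad-tech domains the article says were abused as a trusted redirector.
TRUSTED_REDIRECTORS = ("doubleclick.net",)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Tolerant shape of a meta refresh value: "0; url=..." or "0;URL='...'".
REFRESH_RE = re.compile(r"^\s*[\d.]+\s*[;,]\s*url\s*=\s*['\"]?([^'\"\s>]+)", re.I)


class _MetaRefreshParser(HTMLParser):
    """Collect the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = REFRESH_RE.match(a.get("content", ""))
        if m:
            self.targets.append(m.group(1))


def meta_refresh_targets(html: str) -> list[str]:
    p = _MetaRefreshParser()
    p.feed(html)
    p.close()
    return p.targets


def split_embedded_urls(url: str) -> list[str]:
    """Outermost URL first, then each URL embedded in it (click trackers carry the
    real destination in their query string). Each piece is cut where the next
    scheme begins so its own query string parses cleanly."""
    starts = [m.start() for m in re.finditer(r"https?://", url, re.I)]
    return [url[s:e] for s, e in zip(starts, starts[1:] + [len(url)])]


def is_trusted_redirector(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_REDIRECTORS)


def decode_base64_email(value: str) -> str | None:
    """Return the e-mail address `value` Base64-encodes (standard or URL-safe
    alphabet, padding optional), or None if it does not decode to one."""
    # parse_qsl turns '+' into ' ', so try the value both ways.
    for candidate in {value.strip(), value.strip().replace(" ", "+")}:
        if len(candidate) < 8:
            continue
        std = candidate.replace("-", "+").replace("_", "/")
        try:
            text = base64.b64decode(std + "=" * (-len(std) % 4), validate=True).decode("ascii")
        except (binascii.Error, ValueError):
            continue
        if EMAIL_RE.fullmatch(text):
            return text
    return None


def triage_attachment(html: str) -> dict:
    """Score one HTML attachment; every reason is an observable, not a guess."""
    targets = meta_refresh_targets(html)
    report = {"meta_refresh": bool(targets), "redirect_targets": targets,
              "via_trusted_redirector": False, "hosts": [], "decoded_emails": [], "reasons": []}
    if targets:
        report["reasons"].append("attachment immediately redirects the browser via <meta http-equiv=refresh>")
    for target in targets:
        for url in split_embedded_urls(target):
            parts = urlsplit(url)
            host = parts.hostname or ""
            if host and host not in report["hosts"]:
                report["hosts"].append(host)
            if is_trusted_redirector(host) and not report["via_trusted_redirector"]:
                report["via_trusted_redirector"] = True
                report["reasons"].append(f"redirect hops through ad-tech click tracker {host}")
            for _, value in parse_qsl(parts.query, keep_blank_values=True):
                email = decode_base64_email(value)
                if email and email not in report["decoded_emails"]:
                    report["decoded_emails"].append(email)
                    report["reasons"].append(f"query carries Base64-encoded recipient address {email}")
    report["suspicious"] = bool(report["reasons"])
    return report


if __name__ == "__main__":
    print(json.dumps(triage_attachment(SAMPLE_HTML), indent=2))
```

An HTML attachment whose first act is to redirect the browser is a strong signal on its own, so the script flags that even when no ad-tech hop or encoded address is found; the extra reasons raise confidence and, in this campaign's case, tell you which mailbox was targeted. Blocking doubleclick.net wholesale is not an option for most organizations, which is why the check sits on the attachment rather than on the redirect domain.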
Once operational, DesckVB RAT communicates with its command-and-control server over raw TCP sockets, performs system reconnaissance, and gives the operators full remote control, including data exfiltration, command execution, and deployment of additional payloads. The malware, active since February 2026, also terminates and reboots the host if it suspects it is being analyzed in a sandbox. The abuse of a trusted domain like DoubleClick fits a growing trend in which adversaries route traffic through legitimate ad-tech and analytics platforms to evade security filters. Because blocking doubleclick.net outright would break legitimate advertising traffic, defenses belong at the other links of the chain: treat HTML attachments that immediately redirect the browser as suspicious, alert on Defender exclusion changes, Run/RunOnce writes, and Startup-folder drops originating from user-launched scripts, and hunt for Microsoft-signed processes making outbound raw TCP connections they have no business making.