Google DoubleClick malspam campaign delivering DesckVB RAT
Campaign
Summary
Hide ▲
Show ▼
A new malspam campaign is abusing Google's DoubleClick redirect path to evade detection and deliver DesckVB RAT, putting users and organizations at risk of malware infection. The phishing flow starts with an HTML attachment in email, then chains through redirects and a landing page with a fake Download PDF button. The operation scales by personalizing pages with the victim's email address, company branding, and location details, making the lure harder to spot. The delivery chain then uses a JavaScript loader and PowerShell to fetch a .NET loader that installs persistence, disables defenses, and runs the RAT.
Related Happenings
Hotel and hospitality photo-ZIP phishing campaign
Campaign
H score40
First: 26.06.2026 12:27
Last: 26.06.2026 12:27
Sources 1
About this happening:
An active phishing campaign is targeting hotel and hospitality organizations across Europe and Asia, increasing the risk of front-desk machine compromise and durab...
Hotel and hospitality photo-ZIP phishing campaign
CampaignAbout this happening: An active phishing campaign is targeting hotel and hospitality organizations across Europe and Asia, increasing the risk of front-desk machine compromise and durab...
ClickFix multi-loader delivery campaign targeting Windows and macOS users
Campaign
H score34
First: 16.06.2026 20:41
Last: 16.06.2026 20:41
Sources 1
About this happening:
The ClickFix malware-delivery campaign is spreading BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, widening risk for Windows and macOS users across several...
ClickFix multi-loader delivery campaign targeting Windows and macOS users
CampaignAbout this happening: The ClickFix malware-delivery campaign is spreading BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, widening risk for Windows and macOS users across several...
Openew[.]app cloaked malware download portal
Malware Activity
H score26
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
About this happening:
The openew[.]app malware-delivery activity now also uses legitimate ChatGPT shared pages as the first lure, with Google ads and SEO poisoning sending victims to a...
Openew[.]app cloaked malware download portal
Malware ActivityAbout this happening: The openew[.]app malware-delivery activity now also uses legitimate ChatGPT shared pages as the first lure, with Google ads and SEO poisoning sending victims to a...
CypherLoc phishing-led browser scareware campaign
Campaign
H score49
First: 20.05.2026 13:00
Last: 20.05.2026 13:00
Sources 1
About this happening:
The CypherLoc operation has driven around 2.8 million attacks since the start of 2026, using phishing emails to send users to malicious pages that lock browsers an...
CypherLoc phishing-led browser scareware campaign
CampaignAbout this happening: The CypherLoc operation has driven around 2.8 million attacks since the start of 2026, using phishing emails to send users to malicious pages that lock browsers an...
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
Campaign
H score30
First: 20.04.2026 18:01
Last: 20.04.2026 18:01
Sources 1
About this happening:
The Formbook phishing operation is targeting Windows organizations across Greece, Spain, Slovenia, Bosnia, Croatia and South America, using DLL sideloading and...
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
CampaignAbout this happening: The Formbook phishing operation is targeting Windows organizations across Greece, Spain, Slovenia, Bosnia, Croatia and South America, using DLL sideloading and...
Timeline
-
03.06.2026 19:29 2 articles · 1mo ago
Google DoubleClick malspam campaign delivers DesckVB RAT
Initial DisclosureCybersecurity researchers identified a malspam campaign that uses Google's DoubleClick domain to evade detection and deliver DesckVB RAT. The infection chain starts with a phishing HTML attachment, sends the victim through a redirect sequence and a landing page with a "Download PDF" button, then uses a ZIP archive, JavaScript loader, PowerShell, and a .NET loader to stage the payload. The loader verifies it is not being analyzed, neutralizes security controls, uses process hollowing into Microsoft-signed processes, and the trojan then connects to a command-and-control server over raw TCP sockets, performs reconnaissance, configures Microsoft Defender exclusions, patches Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and establishes Run and RunOnce Registry persistence plus a Startup folder loader.
Show sources
- Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT — thehackernews.com — 03.06.2026 19:29
- Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT — thehackernews.com — 03.06.2026 19:29