Find notable cyber news and cases, enriched with sources, timelines, and signals.

Google DoubleClick malspam campaign delivering DesckVB RAT

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

A new malspam campaign is abusing Google's DoubleClick redirect path to evade detection and deliver DesckVB RAT, putting users and organizations at risk of malware infection. The phishing flow starts with an HTML attachment in email, then chains through redirects and a landing page with a fake Download PDF button. The operation scales by personalizing pages with the victim's email address, company branding, and location details, making the lure harder to spot. The delivery chain then uses a JavaScript loader and PowerShell to fetch a .NET loader that installs persistence, disables defenses, and runs the RAT.

Related Happenings

Hotel and hospitality photo-ZIP phishing campaign

Campaign
H score40 First: 26.06.2026 12:27 Last: 26.06.2026 12:27 Sources 1

About this happening: An active phishing campaign is targeting hotel and hospitality organizations across Europe and Asia, increasing the risk of front-desk machine compromise and durab...

ClickFix multi-loader delivery campaign targeting Windows and macOS users

Campaign
H score34 First: 16.06.2026 20:41 Last: 16.06.2026 20:41 Sources 1

About this happening: The ClickFix malware-delivery campaign is spreading BabaDeda Loader, Lorem Ipsum Loader, and Potemkin, widening risk for Windows and macOS users across several...

Openew[.]app cloaked malware download portal

Malware Activity
H score26 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The openew[.]app malware-delivery activity now also uses legitimate ChatGPT shared pages as the first lure, with Google ads and SEO poisoning sending victims to a...

CypherLoc phishing-led browser scareware campaign

Campaign
H score49 First: 20.05.2026 13:00 Last: 20.05.2026 13:00 Sources 1

About this happening: The CypherLoc operation has driven around 2.8 million attacks since the start of 2026, using phishing emails to send users to malicious pages that lock browsers an...

Formbook phishing campaign using DLL sideloading and obfuscated JavaScript

Campaign
H score30 First: 20.04.2026 18:01 Last: 20.04.2026 18:01 Sources 1

About this happening: The Formbook phishing operation is targeting Windows organizations across Greece, Spain, Slovenia, Bosnia, Croatia and South America, using DLL sideloading and...

Timeline

  1. 03.06.2026 19:29 2 articles · 1mo ago

    Google DoubleClick malspam campaign delivers DesckVB RAT

    Initial Disclosure

    Cybersecurity researchers identified a malspam campaign that uses Google's DoubleClick domain to evade detection and deliver DesckVB RAT. The infection chain starts with a phishing HTML attachment, sends the victim through a redirect sequence and a landing page with a "Download PDF" button, then uses a ZIP archive, JavaScript loader, PowerShell, and a .NET loader to stage the payload. The loader verifies it is not being analyzed, neutralizes security controls, uses process hollowing into Microsoft-signed processes, and the trojan then connects to a command-and-control server over raw TCP sockets, performs reconnaissance, configures Microsoft Defender exclusions, patches Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and establishes Run and RunOnce Registry persistence plus a Startup folder loader.

    Show sources