
Google DoubleClick malspam campaign delivering DesckVB RAT

Campaign
H score 33
1 unique sources, 1 articles

Summary


A new malspam campaign is abusing Google's DoubleClick redirect path to evade detection and deliver DesckVB RAT, putting users and organizations at risk of malware infection. The phishing flow starts with an HTML attachment in email, then chains through redirects and a landing page with a fake Download PDF button. The operation scales by personalizing pages with the victim's email address, company branding, and location details, making the lure harder to spot. The delivery chain then uses a JavaScript loader and PowerShell to fetch a .NET loader that installs persistence, disables defenses, and runs the RAT.

Related Happenings

Openew[.]app cloaked malware download portal

Malware Activity
First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...

CypherLoc phishing-led browser scareware campaign

Campaign
First: 20.05.2026 13:00 Last: 20.05.2026 13:00 Sources 1

About this happening: The **CypherLoc** operation has driven **around 2.8 million attacks** since the start of **2026**, using **phishing emails** to send users to malicious pages that lock browsers an...

Formbook phishing campaign using DLL sideloading and obfuscated JavaScript

Campaign
First: 20.04.2026 18:01 Last: 20.04.2026 18:01 Sources 1

About this happening: The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...

TikTok for Business phishing campaign using Turnstile and reverse proxy

Campaign
First: 26.03.2026 16:09 Last: 26.03.2026 16:09 Sources 1

About this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...

FAUX#ELEVATE phishing campaign targeting French-speaking corporate environments

Campaign
First: 24.03.2026 18:35 Last: 24.03.2026 18:35 Sources 1

About this happening: The **FAUX#ELEVATE** phishing campaign is actively targeting **French-speaking corporate environments** with **fake resume/CV lures** that deliver malware for **credential theft**...

Timeline

  1. 03.06.2026 19:29 2 articles · 6h ago

    Google DoubleClick malspam campaign delivers DesckVB RAT

    Initial Disclosure

    Cybersecurity researchers identified a malspam campaign that uses Google's DoubleClick domain to evade detection and deliver DesckVB RAT. The infection chain starts with a phishing HTML attachment, sends the victim through a redirect sequence and a landing page with a "Download PDF" button, then uses a ZIP archive, JavaScript loader, PowerShell, and a .NET loader to stage the payload. The loader verifies it is not being analyzed, neutralizes security controls, and uses process hollowing into Microsoft-signed processes. The trojan then connects to a command-and-control server over raw TCP sockets, performs reconnaissance, configures Microsoft Defender exclusions, patches Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), and establishes Run and RunOnce Registry persistence plus a Startup folder loader.
