"Before the victim ever reaches attacker-controlled infrastructure, the lure routes through DoubleClick, a legitimate Google-owned domain that many security tools are less likely to treat as suspicious," Huntress researchers Anna Pham and Adam Mooney wrote.
How the DoubleClick redirect fits into the attack chain
The campaign starts inside a phishing message carrying an attached HTML file. When opened, that file triggers a meta-refresh browser redirect to a Google DoubleClick Campaign Manager click-tracking URL. From the DoubleClick URL the user is sent to another redirector that decodes a Base64-encoded email address and lands the visitor on a tailored page containing a "Download PDF" button.
Using DoubleClick — a legitimate, Google-owned domain — as the initial redirect point is central to the operators' evasion strategy, because "many security tools are less likely to treat [it] as suspicious," according to Huntress. The benign appearance of the double-hop redirect helps the lure reach victims before any traffic is directed to attacker-controlled infrastructure.
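As an added, defender-side example (not code from Huntress or The Hacker News), the Python below triages an HTML attachment for the meta-refresh hop to a doubleclick.net host described above and checks any URL in the chain, whether the attachment's target or a later hop seen in proxy logs, for a query value that Base64-decodes to an email address. The doubleclick.net host suffix and the email-tag heuristic are assumptions drawn from the description, and the sample attachment, hostnames, paths and parameter names are constructed placeholders.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

TRUSTED_REDIRECTOR = "doubleclick.net"  # Google's ad click-tracker used as the first, "trusted" hop (assumed suffix)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class MetaRefreshParser(HTMLParser):
    """Collect every URL declared by a <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=https://..." (spacing, quoting and case vary)
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s>]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1))


def triage_url(url):
    """Findings for one hop of the chain (a meta-refresh target or a proxied URL)."""
    findings = []
    host = (urlparse(url).hostname or "").lower()
    if host == TRUSTED_REDIRECTOR or host.endswith("." + TRUSTED_REDIRECTOR):
        findings.append(f"hop via trusted redirector {host}")
    # A query value that Base64-decodes to an email address is the victim tag the landing page is keyed on.
    for key, values in parse_qs(urlparse(url).query).items():
        for v in values:
            try:
                text = base64.b64decode(v + "=" * (-len(v) % 4), validate=True).decode("ascii")
            except ValueError:  # not Base64, bad padding, or non-ASCII bytes
                continue
            if EMAIL_RE.match(text):
                findings.append(f"param '{key}' Base64-decodes to email {text}")
    return findings


def triage_html_attachment(html):
    """Findings for every meta-refresh target found in an HTML attachment."""
    parser = MetaRefreshParser()
    parser.feed(html)
    return [f for url in parser.targets for f in triage_url(url)]


# Constructed samples (placeholder paths and parameters, not real campaign URLs).
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/'
               'placeholder-click-tracker?dest=https%3A%2F%2Fredirector.invalid%2Fgo"></head></html>')
SAMPLE_PROXY_URL = "https://redirector.invalid/go?u=" + base64.b64encode(b"user@example.com").decode()
```

Run `triage_html_attachment` over quarantined HTML attachments and `triage_url` over proxy-log URLs; either finding on its own is a weak signal, but both together reproduce the hop sequence the researchers describe.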
Malspam kit personalization and operational scale
Once the redirect lands, the malspam kit personalizes the landing page "on the fly" using the victim's email address. It dynamically pulls in company branding and location details so the page appears convincing without the operators having to handcraft a lure for every target. Huntress notes that removing the need for a bespoke kit per organization makes these operations "more scalable and cost-effective."
From ZIP to DesckVB RAT: the technical escalation
Clicking the landing-page "Download PDF" button causes the server to deliver a ZIP archive that contains a JavaScript loader. The loader's main job is to retrieve and execute DesckVB RAT, a .NET-based remote access trojan (RAT) that Huntress says has been active in the wild since February 2026.
The JavaScript loader extracts and runs a PowerShell script, which fetches a .NET loader from an external server. That loader functions as a stager: it verifies the environment is not under analysis, neutralizes security controls, establishes persistence, and then downloads and runs the RAT payload. The loaders use a technique called process hollowing to inject the malware into Microsoft-signed processes.
DesckVB RAT capabilities and persistence mechanisms
Once running, the trojan connects to a command-and-control (C2) server over raw TCP sockets, performs system reconnaissance, and alters Microsoft Defender settings by configuring exclusions. At the outset the malware also patches Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) at the native API level to blind Windows telemetry.
For persistence, the campaign sets Run and RunOnce Registry entries and places a loader in the user's Startup folder that is responsible for launching the RAT. The malware supports data extraction, remote command execution, and deployment of additional payloads, granting attackers extensive control. Huntress also reports that the trojan will terminate and reboot a machine if it detects analysis tooling or a sandboxed environment.
What this means for email security teams, Active Directory administrators, and end users
- Email security teams: Huntress recommends deploying DMARC, DKIM, and SPF records to reduce the likelihood of spoofed or malicious emails reaching users, and using an email gateway capable of sandboxing attachments and links before delivery.
- Active Directory administrators: Huntress suggests configuring a Group Policy Object (GPO) in Active Directory to force script files such as .vbs, .hta, and .js to open in Notepad by default; Huntress says this "can stop a threat actor at the very first stage, preventing additional payloads from ever being dropped."
- End users: The campaign relies on the user opening an attached HTML file and following a download prompt; declining to open, or at least scrutinizing, unexpected attachments and avoiding clicks on unfamiliar landing pages interrupts the chain before the ZIP, loader, and RAT are ever encountered.
This campaign ties several well-worn elements together — trusted redirectors, on-the-fly personalization, a script-to-PowerShell escalation, and a .NET RAT that disables telemetry and establishes resilient persistence — into a single, reproducible workflow. Huntress's advice is blunt and practical: defensive layers that block script execution by default, validate email senders, and sandbox attachments can each disrupt this sequence at different points. Whether those controls are widely adopted will determine how far operators can scale similar campaigns that exploit trusted infrastructure for initial delivery.
Source: The Hacker News — Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT