Google DoubleClick Abused In Malspam Campaign To Deliver DesckVB RAT

Cybersecurity researchers have identified a new malspam campaign that abuses Google's DoubleClick infrastructure as one hop in its delivery chain, both to evade detection and to raise the success rate of its phishing lures. The campaign ultimately distributes a remote access trojan known as DesckVB RAT, which has been active in the wild since February 2026. According to researchers from Huntress, the attackers route victims through trusted web infrastructure and several layers of redirection so that the traffic looks legitimate right up to the point where users reach attacker-controlled systems. The infection begins with phishing emails carrying HTML attachments designed to look like routine business communications.

When the victim opens the HTML file, a meta refresh tag automatically redirects the browser. The first hop is a Google DoubleClick Campaign Manager tracking URL: the URL is served by Google and simply forwards the browser on to the destination configured for it, and because security filters often whitelist or deprioritize well-known advertising and tracking domains, the hop reduces suspicion rather than raising it. From there, the victim is forwarded through further redirect layers that decode identifiers embedded in the URL, such as a Base64-encoded email address. The chain ends at a tailored landing page that impersonates the target organization's branding and includes contextual details such as the recipient's email address, company name and geographic hints to increase credibility. The landing page then presents a Download PDF button to encourage interaction.
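The redirect chain described above, as an added example that is not code from the Huntress research or from the campaign: a small static triage script that pulls the meta refresh target out of an HTML attachment, unwraps nested redirect destinations without touching the network, and decodes Base64 query values that turn out to be email addresses. The sample attachment, the hosts redir.example and lure.example, the click-tracker URL shape and the query-parameter names treated as redirect targets are all constructed assumptions; ad.doubleclick.net is the only real host, included to show how a trusted tracking hop gets flagged.

```python
"""Static triage of an HTML phishing attachment that bounces through a tracking URL.

Added example; not code from the Huntress report or from the campaign.
Everything below runs offline: no redirect is actually followed.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample attachment: the numeric IDs, redir.example and lure.example are made up.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/ddm/clk/000000000;000000000?https://redir.example/go?u=https%3A%2F%2Flure.example%2Fl%3Fid%3DYWxpY2VAYWNtZS5leGFtcGxl">
</head><body>Loading document...</body></html>"""

# Ad/tracking hosts that mail filters tend to trust (assumption: only the host the article names).
TRACKER_HOSTS = {"ad.doubleclick.net"}
# Query parameters commonly used to carry a next-hop URL (assumption, not campaign-specific).
REDIRECT_PARAMS = ("url", "u", "redirect", "target", "dest", "r")

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_meta_refresh(html: str) -> Optional[str]:
    """Return the URL a <meta http-equiv="refresh"> tag would send the browser to."""
    m = META_REFRESH.search(html)
    if not m:
        return None
    target = re.search(r"url\s*=\s*[\"']?([^\"'\s]+)", m.group(1), re.IGNORECASE)
    return target.group(1) if target else None


def next_hop(url: str) -> Optional[str]:
    """Work out where a redirector would forward to, from the URL alone."""
    query = urlparse(url).query
    # Click-tracker style (assumption): the whole query string is the landing URL.
    for candidate in (query, unquote(query)):
        if candidate.lower().startswith(("http://", "https://")):
            return candidate
    # Parameter style: ?u=https%3A%2F%2F...  (parse_qs percent-decodes the value).
    params = parse_qs(query)
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap_redirects(url: str, max_depth: int = 10) -> list:
    """Follow nested destinations statically; returns every hop, first one included."""
    hops = [url]
    while len(hops) <= max_depth:
        nxt = next_hop(hops[-1])
        if nxt is None or nxt in hops:  # landing page reached, or a redirect loop
            break
        hops.append(nxt)
    return hops


def decode_embedded_emails(url: str) -> list:
    """Base64-decode query values and keep the ones that are email addresses."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            if not B64_TOKEN.fullmatch(value):
                continue
            stripped = value.rstrip("=")
            padded = stripped + "=" * (-len(stripped) % 4)
            try:
                text = base64.urlsafe_b64decode(padded).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue
            if EMAIL.match(text) and text not in found:
                found.append(text)
    return found


def triage(html: str) -> dict:
    """Summarise the chain a mail sandbox would otherwise have to click through."""
    first = extract_meta_refresh(html)
    if first is None:
        return {"hops": [], "emails": [], "via_tracker": False}
    hops = unwrap_redirects(first)
    emails = []
    for hop in hops:
        for addr in decode_embedded_emails(hop):
            if addr not in emails:
                emails.append(addr)
    via_tracker = any((urlparse(h).hostname or "") in TRACKER_HOSTS for h in hops)
    return {"hops": hops, "emails": emails, "via_tracker": via_tracker}


if __name__ == "__main__":
    result = triage(SAMPLE_HTML)
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: {hop}")
    print("targeted addresses:", result["emails"])
    print("passes through trusted tracker:", result["via_tracker"])
```

The useful signal for a gateway rule is the combination: an HTML attachment whose meta refresh lands on an advertising or tracking host, with a further URL nested inside that hop, and a recipient address recoverable from the final query string. Any one of those on its own is common in legitimate mail.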

Clicking the button returns a ZIP archive from the server, and that archive starts the execution chain. Inside is a JavaScript loader responsible for launching the later stages. The script extracts and executes a PowerShell component, which downloads a .NET-based loader from an external server. That loader acts as a staging mechanism: it performs several anti-analysis checks to decide whether it is running inside a sandbox or an analysis environment, attempts to disable or bypass security controls on the host, establishes persistence, and prepares the environment for the final payload. The chain eventually uses process hollowing, in which a legitimate Microsoft-signed process is started in a suspended state and its memory is replaced with the malicious code, so that the payload runs under a trusted process name while the original image never executes.

Once deployed, DesckVB RAT establishes command-and-control communication over raw TCP sockets. It performs system reconnaissance to gather host information and modifies system configuration to maintain long-term access. Researchers noted that the malware configures Microsoft Defender exclusions and attempts to neutralize monitoring by patching the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) at the native API level, which blinds tooling that relies on those interfaces to see script content and event telemetry. Persistence is achieved through several mechanisms, including Run and RunOnce registry keys and Startup folder entries. The malware can also download and execute additional payloads, run remote commands, and exfiltrate data from compromised systems. Its defensive evasion extends to terminating processes or rebooting the system when analysis or sandbox detection triggers.
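Detection logic for the loader and RAT behaviours in the two paragraphs above, as an added example that is not Huntress's code or anything from the malware. The events are constructed, Sysmon-style records (EventID 1 process create, 11 file create, 13 registry value set) that borrow Sysmon's field names; the user, paths, registry values and command lines are made up. In-memory AMSI and ETW patching leaves nothing in telemetry like this, so the rules target the noisier side effects the article describes: a script host spawning PowerShell, a Defender exclusion being added, and Run/RunOnce or Startup folder persistence.

```python
"""Rule-based triage of endpoint telemetry for the loader and RAT behaviours above.

Added example; not code from Huntress or from the malware. SAMPLE_EVENTS is
constructed in the order an infection would produce it; the last event is
benign noise so the rules have something to ignore.
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

SAMPLE_EVENTS = [  # constructed, Sysmon-style
    {"EventID": 1, "Image": WSCRIPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\Invoice.js"'},
    {"EventID": 1, "Image": PS, "ParentImage": WSCRIPT,
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    {"EventID": 1, "Image": PS, "ParentImage": PS,
     "CommandLine": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming"},
    {"EventID": 13, "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 11, "Image": PS,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Defender exclusions land under this key whether set by cmdlet, GPO or direct registry write.
DEFENDER_EXCL_KEY = re.compile(r"\\Windows Defender\\Exclusions\\", re.IGNORECASE)
DEFENDER_EXCL_CMD = re.compile(r"Add-MpPreference.*-Exclusion", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, so rules do not depend on install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(event):
    """Return the names of every rule the event trips (possibly none)."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:
        parent = basename(event.get("ParentImage", ""))
        image = basename(event.get("Image", ""))
        if parent in SCRIPT_HOSTS and image in POWERSHELL:
            hits.append("script_host_spawns_powershell")
        if DEFENDER_EXCL_CMD.search(event.get("CommandLine", "")):
            hits.append("defender_exclusion_added")
    elif eid == 13:
        target = event.get("TargetObject", "")
        if RUN_KEYS.search(target):
            hits.append("run_key_persistence")
        if DEFENDER_EXCL_KEY.search(target):
            hits.append("defender_exclusion_added")
    elif eid == 11 and STARTUP_DIR.search(event.get("TargetFilename", "")):
        hits.append("startup_folder_persistence")
    return hits


def detect(events):
    """Run every rule over a list of events; returns (index, rule) pairs in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in rules_for(ev)]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own has benign matches (administrators do add exclusions, and installers do write Run keys), so the value is in correlating hits from the same process tree within a short window; the script-host-to-PowerShell parent relationship is the one that rarely has an innocent explanation on a user workstation.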

Security experts emphasize that the campaign shows how trusted infrastructure can be misused to improve phishing success rates and to scale operations without building custom infrastructure for each target. The DoubleClick hop reduces suspicion and improves deliverability, while dynamically generated content personalizes each lure to make it more convincing. To mitigate such threats, defenders recommend layered protections. Strict email authentication (SPF, DKIM and DMARC with an enforcing policy) reduces delivery of spoofed messages, though it does nothing against a lure sent from a domain that authenticates correctly, so the attachment itself still has to be inspected. Group Policy Objects in Active Directory can change the default handler for script file types such as VBS, HTA and JS so that a double-click opens them in Notepad instead of the Windows Script Host or mshta.exe, stopping the loader at the earliest stage. Organizations are also encouraged to deploy secure email gateways with sandboxing that detonates attachments and follows embedded links, including the full redirect chain, before they reach end users.
