
Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT


Cybersecurity researchers have uncovered a new malware campaign that abuses Google LLC’s DoubleClick advertising infrastructure as part of a multi-stage infection chain designed to deliver a remote access trojan known as DesckVB RAT.

Security analysts say the tactic helps attackers evade detection by routing malicious traffic through trusted advertising domains before redirecting victims to phishing and malware delivery sites.

DoubleClick Used as a Trust Evasion Layer

According to researchers at Huntress Labs, the attack begins with phishing emails containing HTML attachments that trigger automatic redirects.

Before reaching attacker-controlled infrastructure, victims are routed through a legitimate DoubleClick Campaign Manager URL. Because DoubleClick is a widely trusted Google-owned service, security filters are less likely to flag the traffic as suspicious.

From there, victims are redirected through a series of intermediary pages that ultimately lead to a fake download portal designed to deploy malware.

Personalized Phishing at Scale

One of the most notable aspects of the campaign is its automation. Instead of building custom phishing kits for each target organization, the malware infrastructure dynamically personalizes landing pages using the victim’s email address.

This allows attackers to automatically insert company branding, location data, and other contextual details—making the phishing pages appear highly legitimate without manual customization.

Security researchers say this approach significantly increases the scale and efficiency of malspam operations.

Infection Chain Leads to DesckVB RAT

The final payload delivered in the campaign is DesckVB RAT, a .NET-based remote access trojan that has been active since early 2026.

The infection process typically follows several stages:

  • Opening a malicious HTML attachment in a phishing email
  • Redirecting through DoubleClick tracking URLs
  • Landing on a fake download page offering a ZIP file
  • Executing a JavaScript loader from the archive
  • Running PowerShell scripts to fetch additional payloads
  • Installing a .NET loader that deploys the RAT

Once installed, the malware establishes communication with a command-and-control server using raw TCP connections and begins system reconnaissance.

Advanced Evasion and Persistence Techniques

Researchers report that DesckVB RAT includes several anti-analysis and evasion features, among them:

  • Disabling or bypassing Microsoft Defender protections
  • Patching security monitoring components such as AMSI and ETW
  • Injecting itself into legitimate Microsoft-signed processes using process hollowing
  • Creating persistence through Windows Registry entries and startup folder modifications

These techniques allow attackers to maintain long-term access to compromised systems while avoiding detection.

Full System Control After Infection

Once active, the RAT can:

  • Execute remote commands
  • Steal sensitive data
  • Deploy additional malware
  • Monitor user activity

In some cases, the malware can detect virtualized environments or analysis tools and terminate execution or reboot the system to avoid inspection.

Security Guidance for Organizations

Researchers at Huntress Labs emphasize that layered security defenses are essential to stopping such attacks early in the chain.

Recommended measures include:

  • Blocking risky script execution (e.g., .js, .vbs, .hta files) via Group Policy
  • Implementing email authentication standards like SPF, DKIM, and DMARC
  • Using secure email gateways with attachment and link sandboxing
  • Monitoring redirects involving advertising and tracking domains
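As an added illustration of the last recommendation, monitoring redirects through advertising domains, here is a small Python check (not Huntress's code, nor any Google tooling) that walks web-proxy log lines and flags the chain the article describes: a 3xx response from a DoubleClick host followed within a few requests by an archive or script download from a host that is not Google-owned. The log format, the example.invalid hostnames, the click-path identifier and the sample lines are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumed proxy log format (constructed for this example): "<timestamp> <client_ip> <http_status> <url>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)$")

AD_REDIRECT_HOSTS = ("doubleclick.net",)  # the trusted redirect layer abused in the campaign
GOOGLE_OWNED = AD_REDIRECT_HOSTS + ("google.com", "googleusercontent.com", "gstatic.com")
DOWNLOAD_SUFFIXES = (".zip", ".js", ".vbs", ".hta")  # archive and script types named in the article

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def find_ad_redirect_chains(lines, window=3):
    """One alert per client whose 3xx hit on an ad-redirect host is followed, within
    `window` further requests, by an archive/script download from a non-Google host."""
    alerts, pending = [], {}  # pending: client -> (requests seen since ad hit, ad url)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, status, url = m.groups()
        host = host_of(url)
        if is_under(host, AD_REDIRECT_HOSTS) and status.startswith("3"):
            pending[client] = (0, url)  # (re)start the chain at the ad redirect
            continue
        if client not in pending:
            continue
        seen, ad_url = pending[client]
        path = urlsplit(url).path.lower()
        if seen < window and not is_under(host, GOOGLE_OWNED) and path.endswith(DOWNLOAD_SUFFIXES):
            alerts.append({"ts": ts, "client": client, "ad_url": ad_url, "download": url})
            del pending[client]
        else:
            pending[client] = (seen + 1, ad_url)
    return alerts

# Constructed sample log: one client follows the full chain, the other only bounces to google.com.
SAMPLE_LOG = """\
2026-03-02T09:14:01Z 10.0.0.5 302 https://ad.doubleclick.net/ddm/clk/CONSTRUCTED-ID
2026-03-02T09:14:02Z 10.0.0.5 302 https://redirect.example.invalid/step2
2026-03-02T09:14:03Z 10.0.0.5 200 https://portal.example.invalid/download/Invoice.zip
2026-03-02T09:20:00Z 10.0.0.7 302 https://ad.doubleclick.net/ddm/clk/CONSTRUCTED-ID
2026-03-02T09:20:01Z 10.0.0.7 200 https://www.google.com/
"""

def scan_sample():
    return find_ad_redirect_chains(SAMPLE_LOG.splitlines())
```

Running `scan_sample()` on the constructed log returns a single alert for client 10.0.0.5 linking the DoubleClick hit to the Invoice.zip download; the legitimate bounce to google.com produces nothing.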

Experts warn that abuse of trusted infrastructure like DoubleClick makes traditional filtering more difficult and increases the importance of endpoint-level defenses.

Growing Trend of Ad Infrastructure Abuse

Security analysts say this campaign reflects a broader trend of attackers leveraging legitimate advertising and tracking services to hide malicious activity.

By blending into normal web traffic, these campaigns can bypass reputation-based detection systems and reach victims more effectively.
