As reported by The Hacker News, a new malspam campaign has been identified by Huntress researchers that leverages Google's DoubleClick domain to evade security measures and distribute the DesckVB RAT. This sophisticated attack chain aims to bypass traditional detection methods by routing traffic through a legitimate Google-owned domain.

The campaign begins with a phishing email containing an HTML attachment. Upon opening, the attachment initiates a redirect through a Google DoubleClick tracking URL, eventually leading the victim to a personalized landing page. This page dynamically incorporates company branding and location details, making it appear more convincing. Clicking a "Download PDF" button triggers the download of a ZIP archive. Inside, a JavaScript loader retrieves and executes a .NET RAT using a technique called process hollowing, injecting the malware into legitimate Microsoft processes.

The DesckVB RAT, active since February 2026, then establishes persistence, disables security controls like AMSI and ETW, and communicates with a command-and-control server. It possesses capabilities for data extraction, command execution, and deploying further payloads, while also attempting to detect and evade sandboxed environments or analysis tools. Security experts recommend implementing DMARC, DKIM, and SPF records, along with email gateway solutions that sandbox attachments and links, to mitigate such threats.

Source: The Hacker News
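The first stage described above, an HTML attachment whose only job is to bounce the reader through a legitimate ad-tracking domain on the way to the real landing page, is something an email gateway or an analyst can triage statically before any link is followed. The script below is an added example, not code from the article, from Huntress or from The Hacker News. It assumes (and these are assumptions, not details the report gives) that the tracking redirect carries its final destination in a query parameter such as `adurl`, and the sample attachment embedded in it is constructed for this example rather than taken from the campaign. The check extracts every meta-refresh target, inline `location =` assignment and `href`/`src` from the attachment, unwraps any URL on a known redirector domain to its real destination, and reports redirector/destination pairs so the landing page can be sandboxed or blocked.

```python
"""Static triage of an HTML e-mail attachment for redirects that bounce
through an ad/analytics tracking domain to an unrelated destination.

Added example; not code from the article, Huntress or The Hacker News.
Assumption: the redirector passes its destination in a query parameter
(names in DESTINATION_PARAMS are assumed, not taken from the report).
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Legitimate domains that are commonly abused as open redirectors; extend per environment.
TRACKING_REDIRECTORS = {"doubleclick.net", "googleadservices.com"}
# Query parameters that may carry the real destination (assumed names for this example).
DESTINATION_PARAMS = ("adurl", "url", "redirect", "dest")


class _RedirectExtractor(HTMLParser):
    """Collect meta-refresh targets, href/src/action attributes and inline JS redirects."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lowercases attribute names and unescapes entities
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            if m:
                self.urls.append(m.group(1))
        for key in ("href", "src", "action"):
            if a.get(key):
                self.urls.append(a[key])

    def handle_data(self, data):
        # <script> bodies arrive here as CDATA; catch window.location / location.href = "..."
        for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
            self.urls.append(m.group(1))


def _registrable(host):
    """Crude registrable-domain reduction (last two labels); enough for the allow-list above."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def unwrap_redirect(url):
    """Return (redirector_domain, final_destination_or_None) if url sits on a tracking
    redirector, otherwise None. parse_qs already percent-decodes the parameter value."""
    p = urlparse(url)
    redirector = _registrable(p.netloc)
    if redirector not in TRACKING_REDIRECTORS:
        return None
    qs = parse_qs(p.query)
    for name in DESTINATION_PARAMS:
        if name in qs:
            return redirector, unquote(qs[name][0])
    return redirector, None


def triage_attachment(html):
    """Return one finding per URL that routes through a tracking redirector."""
    extractor = _RedirectExtractor()
    extractor.feed(html)
    findings = []
    for url in extractor.urls:
        hit = unwrap_redirect(url)
        if hit is None:
            continue
        redirector, dest = hit
        findings.append({
            "url": url,
            "redirector": redirector,
            "destination": dest,
            "destination_host": _registrable(urlparse(dest).netloc) if dest else None,
        })
    return findings


# Constructed sample attachment for this example; not the campaign's real file.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://adclick.g.doubleclick.net/pcs/click?xai=abc&amp;adurl=https%3A%2F%2Flanding.example.invalid%2Fview">
</head><body>
<script>window.location = "https://ad.doubleclick.net/ddm/clk/123?adurl=https%3A%2F%2Flanding.example.invalid%2Fview";</script>
<a href="https://www.example.com/legit">Contact us</a>
</body></html>"""

if __name__ == "__main__":
    for f in triage_attachment(SAMPLE_ATTACHMENT):
        print(f"redirector={f['redirector']} -> destination={f['destination']}")
```

Both redirect vectors in the constructed sample resolve to the same external landing host, which is the signal worth acting on: a one-file HTML attachment whose every outbound hop is an ad-click redirector carrying an unrelated destination has no business reason to exist, and the unwrapped destination, not the Google-owned hop, is what should be submitted to the link sandbox and the blocklist.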