DesckVB RAT malspam
campaign
· campaign:desckvb-rat-doubleclick-2026
single-source
DesckVB RAT malspam laundered via Google DoubleClick redirects; AMSI/ETW patching; DACH-themed lures.
Coverage timeline
1
first 2026-06-04 → last 2026-06-04
Peak priority
notable
1 notable
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
2
pinned v19.1 · see below
ATT&CK techniques
2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)
Privilege Escalation TA0004
T1055.012Process Injection: Process Hollowing×1
Stealth TA0005
T1055.012Process Injection: Process Hollowing×1
Defense Impairment TA0112
T1685Disable or Modify Tools×1
Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.
Evidence: 2026-06-04/desckvb-rat-malspam-launders-through-google-doubleclick-and · ATT&CK page ↗
Story timeline
- 2026-06-04DesckVB RAT malspam launders through Google DoubleClick and blinds AMSI/ETW, with German-language lures aimed at DACH
active-threats
Where this entity is cited
explore in graph
Entries about DesckVB RAT malspam (1)
NOTABLE
Huntress documented a DesckVB RAT chain from a May 2026 IR engagement that abuses Google DoubleClick Campaign Manager click-tracking for reputation laundering: a German-named HTML attachment (Bestellung_2026.html — "order") does a zero-second meta-refresh to a high-reputation ad.doubleclick.net URL that allowlist-based mail/web filters pass transparently, then steers to a "Download PDF" landing page delivering a JavaScript loader (Huntress, 2026-06-03). The loader runs a .NET assembly via process hollowing (T1055.012) after patching AMSI and ETW at the native-API level (T1562.001) to blind Windows telemetry; persistence is set before C2 over raw TCP. German-language purchase-order lures point at DACH enterprises.
Why it matters to us: the DoubleClick hop defeats domain-reputation allowlisting at the gateway — flag HTML email attachments containing meta-refresh to ad-network domains, and watch for runtime patching of AmsiScanBuffer / ETW from node/script-spawned process trees rather than relying on the redirect domain.