ctipilot.ch

DesckVB RAT malspam laundering via Google DoubleClick; AMSI/ETW patching; DACH lures

campaign · campaign:desckvb-rat-doubleclick-2026

Coverage timeline: 1 (first 2026-06-04 → last 2026-06-04)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-04 · CTI Daily Brief — 2026-06-04
     active_threats · First coverage — DACH-targeted, single-source (Huntress)

Where this entity is cited

  • active_threats: 1

Source distribution

  • huntress.com: 1 (50%)
  • upguard.com: 1 (50%)

Related entities

Items in briefs about DesckVB RAT malspam laundering via Google DoubleClick; AMSI/ETW patching; DACH lures (1)

DesckVB RAT malspam launders through Google DoubleClick and blinds AMSI/ETW, with German-language lures aimed at DACH [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

Huntress documented a DesckVB RAT chain from a May 2026 IR engagement that abuses Google DoubleClick Campaign Manager click-tracking for reputation laundering: a German-named HTML attachment (Bestellung_2026.html — "order") does a zero-second meta-refresh to a high-reputation ad.doubleclick.net URL that allowlist-based mail/web filters pass transparently, then steers to a "Download PDF" landing page delivering a JavaScript loader (Huntress, 2026-06-03). The loader runs a .NET assembly via process hollowing (T1055.012) after patching AMSI and ETW at the native-API level (T1562.001) to blind Windows telemetry; persistence is set before C2 over raw TCP. German-language purchase-order lures point at DACH enterprises. Why it matters to us: the DoubleClick hop defeats domain-reputation allowlisting at the gateway — flag HTML email attachments containing meta-refresh to ad-network domains, and watch for runtime patching of AmsiScanBuffer / ETW from node/script-spawned process trees rather than relying on the redirect domain.
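As an added example (not code from the Huntress report or this brief), the gateway check the brief recommends in Python: parse an HTML attachment for meta-refresh hops that land on an ad-network click tracker, and report the zero-second ones. The domain set, the sample lure body and its placeholder DoubleClick path are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Click-tracking / ad-network domains whose reputation a lure can borrow.
# doubleclick.net is the only one named in the brief; the set is a
# constructed starting point for your own allowlist review, not a vetted list.
AD_NETWORK_DOMAINS = {"doubleclick.net"}

# Matches refresh content such as  0; URL='https://...'  (case-insensitive).
_REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.I)

class MetaRefreshParser(HTMLParser):
    """Collects (delay_seconds, url) for every <meta http-equiv=refresh>."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = _REFRESH_RE.match(a.get("content", ""))
        if m:
            self.refreshes.append((int(m.group(1)), m.group(2).strip()))

def _is_ad_network(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in AD_NETWORK_DOMAINS)

def find_laundered_redirects(html_text):
    """Return meta-refresh hops whose target host is an ad-network tracker."""
    parser = MetaRefreshParser()
    parser.feed(html_text)
    hits = []
    for delay, url in parser.refreshes:
        host = urlparse(url).hostname or ""
        if _is_ad_network(host):
            hits.append({"delay": delay, "url": url, "host": host})
    return hits

# Constructed sample shaped like the Bestellung_2026.html lure; the DoubleClick
# path and query string are placeholders, not the real campaign URL.
SAMPLE_LURE = """<html><head>
<meta http-equiv="Refresh" content="0; URL='https://ad.doubleclick.net/ddm/clk/PLACEHOLDER?ds_dest_url=https://example.invalid/download-pdf'">
</head><body>Bestellung wird geladen...</body></html>"""
```

Run `find_laundered_redirects(SAMPLE_LURE)` against an extracted attachment body; a hit with `delay == 0` is the instant hop the brief describes and is a quarantine candidate regardless of the redirect domain's reputation.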