ctipilot.ch

DesckVB RAT malspam

campaign · campaign:desckvb-rat-doubleclick-2026 single-source

DesckVB RAT malspam laundered via Google DoubleClick redirects; AMSI/ETW patching; DACH-themed lures.

Coverage timeline
1
first 2026-06-04 → last 2026-06-04
Peak priority
notable
1 notable
Sources cited
1
1 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Privilege Escalation TA0004

T1055.012Process Injection: Process Hollowing×1

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

Evidence: 2026-06-04/desckvb-rat-malspam-launders-through-google-doubleclick-and · ATT&CK page ↗

Stealth TA0005

T1055.012Process Injection: Process Hollowing×1

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

Evidence: 2026-06-04/desckvb-rat-malspam-launders-through-google-doubleclick-and · ATT&CK page ↗

Defense Impairment TA0112

T1685Disable or Modify Tools×1

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

Evidence: 2026-06-04/desckvb-rat-malspam-launders-through-google-doubleclick-and · ATT&CK page ↗

Story timeline

  1. 2026-06-04DesckVB RAT malspam launders through Google DoubleClick and blinds AMSI/ETW, with German-language lures aimed at DACH
    active-threats

Where this entity is cited

  • active-threats1

Source distribution

  • huntress.com1 (100%)

explore in graph

Entries about DesckVB RAT malspam (1)

2026-06-04 · view entry permalink →

NOTABLE

DesckVB RAT malspam launders through Google DoubleClick and blinds AMSI/ETW, with German-language lures aimed at DACH

Huntress documented a DesckVB RAT chain from a May 2026 IR engagement that abuses Google DoubleClick Campaign Manager click-tracking for reputation laundering: a German-named HTML attachment (Bestellung_2026.html — "order") does a zero-second meta-refresh to a high-reputation ad.doubleclick.net URL that allowlist-based mail/web filters pass transparently, then steers to a "Download PDF" landing page delivering a JavaScript loader (Huntress, 2026-06-03). The loader runs a .NET assembly via process hollowing (T1055.012) after patching AMSI and ETW at the native-API level (T1562.001) to blind Windows telemetry; persistence is set before C2 over raw TCP. German-language purchase-order lures point at DACH enterprises. Why it matters to us: the DoubleClick hop defeats domain-reputation allowlisting at the gateway — flag HTML email attachments containing meta-refresh to ad-network domains, and watch for runtime patching of AmsiScanBuffer / ETW from node/script-spawned process trees rather than relying on the redirect domain.

threat04 Jun 05:00Zsingle-sourceOpen finding ↗
Sources: Huntress Labs