Defending Against DesckVB RAT: Abusing Google DoubleClick in 2026 Malspam

In the escalating arms race between threat actors and security controls, adversaries continue to "weaponize trust." Security researchers have identified a new malspam campaign active in 2026 that exemplifies this tactic by abusing Google's doubleclick.net domain to deliver the DesckVB Remote Access Trojan (RAT).

The campaign is insidious because it bypasses traditional allow-listing and reputation-based filtering. Since DoubleClick is a legitimate, high-reputation domain owned by Google, security tools often permit the traffic blindly. The attack chain routes victims through this trusted domain before redirecting them to attacker-controlled infrastructure, effectively laundering the malicious URL through a trusted source. For SOC analysts and defenders, this means standard indicators of compromise (IOCs) based on domain reputation are insufficient. We must pivot to behavioral analysis and inspection of HTTP redirect chains.

Technical Analysis

Affected Platforms: Windows endpoints (DesckVB RAT target), Email Gateways, Web Proxies.

The Attack Chain:

Initial Vector: Malspam emails containing malicious links. These emails are crafted to bypass basic spam filters.
The Trust Exploit: The user clicks the link, which initially resolves to a Google DoubleClick URL (e.g., ad.doubleclick.net or googleads.g.doubleclick.net).
Redirection: The DoubleClick server issues an HTTP 302 redirect, forwarding the request to the attacker's payload server.
Payload Delivery: The final destination hosts the DesckVB RAT payload, often disguised as a legitimate document or utility.
Execution: Once executed, DesckVB RAT establishes a C2 channel, granting attackers remote access to the victim's machine.

Why DesckVB RAT? DesckVB is a Visual Basic-based RAT known for its capabilities in keylogging, screen capturing, and remote command execution. Its use in this campaign suggests a focus on espionage and data theft rather than immediate ransomware deployment. By leveraging a trusted redirector, the attackers significantly increase the success rate of the initial phishing hook.

Exploitation Status: Confirmed active exploitation in the wild via malspam campaigns. No specific CVE is being exploited; this is an abuse of functionality and trust.

Detection & Response

To catch this campaign, relying on blocklists of the DoubleClick domain is not feasible—it would break half the internet. Instead, we must detect the anomalous usage of the domain and the subsequent malicious behavior.

SIGMA Rules

These rules focus on the network redirection pattern and the subsequent execution of the RAT. Note that Proxy logs are critical here.

YAML

---
title: Suspicious Redirect from Google DoubleClick to File Download
id: 8c4d9a12-1f73-4b5e-9c6a-2d4e8f901234
status: experimental
description: Detects network traffic where the Referrer is a Google DoubleClick domain, but the destination is a file download or an executable. This indicates potential ad-abuse for malware delivery.
references:
  - https://thehackernews.com/2026/06/google-doubleclick-abused-in-new.html
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.initial_access
  - attack.t1566.002
logsource:
  category: proxy
  product: null
detection:
  selection:
    cs-referrer|contains: 'doubleclick.net'
    cs-method: 'GET'
  filter_legit_content:
    cs-uri-query|contains:
      - 'image'
      - 'css'
      - 'js'
  selection_suspicious_ext:
    cs-uri-extension|contains:
      - 'exe'
      - 'vbs'
      - 'bat'
      - 'cmd'
      - 'scr'
  condition: selection and not filter_legit_content and selection_suspicious_ext
falsepositives:
  - Legitimate software distribution via ad networks (rare for executable types)
level: high
---
title: DesckVB RAT Persistence via Registry Run Key
description: Detects potential DesckVB RAT persistence by monitoring suspicious unsigned executables added to Run keys. VB-based RATs often use simple registry persistence.
references:
  - Internal Threat Research
author: Security Arsenal
date: 2026/06/18
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\Software\Microsoft\Windows\CurrentVersion\Run'
      - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
  filter_signed:
    Signed: 'true'
  condition: selection and not filter_signed
falsepositives:
  - Legitimate unsigned software updates
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for users who clicked a DoubleClick link and immediately initiated a network connection to a low-reputation domain or downloaded a file.

KQL — Microsoft Sentinel / Defender

let DoubleClickDomains = dynamic(['doubleclick.net', 'googleads.g.doubleclick.net']);
let TimeFrame = 1h;
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemoteUrl has_any (DoubleClickDomains)
| project DeviceId, DeviceName, UserId, Timestamp, RemoteUrl, InitiatingProcessFileName
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(TimeFrame)
    | where RemoteUrl !contains "google" // Exclude normal Google traffic immediately after
    | where FileType in ("exe", "vbs", "bat", "dll", "ps1") or RiskScore > 50
    | project DownloadTime=Timestamp, MaliciousUrl=RemoteUrl, DeviceId, UserId
) on DeviceId, UserId
| where DownloadTime between (Timestamp .. (Timestamp + 2m))
| project Timestamp, DeviceName, UserId, ReferrerUrl=RemoteUrl, MaliciousUrl, DownloadTime, InitiatingProcessFileName

Velociraptor VQL

Hunt for instances of VB Script hosts (likely used to spawn DesckVB) communicating with the internet shortly after a browser session.

VQL — Velociraptor

-- Hunt for suspicious process execution patterns linked to the campaign
SELECT 
    Pid, 
    Name, 
    CommandLine, 
    Exe, 
    Username, 
    CreateTime
FROM pslist()
WHERE Name IN ('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe')
  AND CommandLine =~ 'http'
  AND CreateTime > now() - 24h
-- Join with netstat to check for established C2 connections
GROUP BY Pid

Remediation Script (PowerShell)

Use this script to audit and block the specific abuse vector via the Windows Hosts file if proxy filtering is not available, and to check for common DesckVB artifacts.

PowerShell

# Remediation Script for DoubleClick Abuse Campaign
# Requires Administrator Privileges

Write-Host "[+] Initiating DesckVB RAT Campaign Hardening..." -ForegroundColor Cyan

# 1. Identify and block known malvertising redirectors if specific IPs are found (Placeholder for specific IOCs)
# As a general defense, we ensure traffic to ad-networks is inspected via Proxy.
# If proxy is absent, we add a restrictive hosts entry (Use with caution - breaks ads)
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$CheckHosts = Select-String -Path $HostsPath -Pattern "doubleclick.net" -SimpleMatch

if (-not $CheckHosts) {
    Write-Host "[!] Warning: No entry for doubleclick.net in hosts file." -ForegroundColor Yellow
    Write-Host "[?] Recommendation: Ensure corporate proxy inspects SSL traffic to DoubleClick domains." -ForegroundColor Green
} else {
    Write-Host "[+] DoubleClick domains found in hosts file." -ForegroundColor Green
}

# 2. Hunt for DesckVB Indicators (VB-based persistence)
Write-Host "[+] Scanning for suspicious VB-based persistence..." -ForegroundColor Cyan

$RunKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
)

$SuspiciousProcesses = @()
foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        Get-ItemProperty $Key | ForEach-Object {
            $Values = $_.PSObject.Properties | Where-Object { $_.Name -ne "PSPath" -and $_.Name -ne "PSParentPath" -and $_.Name -ne "PSChildName" }
            foreach ($Val in $Values) {
                $Path = $Val.Value
                # Check if value points to wscript/cscript or unusual locations
                if ($Path -match "(wscript|cscript|mshta)\.exe" -and $Path -notmatch "C:\Windows\System32") {
                    Write-Host "[!] Suspicious persistence found: $($Val.Name) -> $Path" -ForegroundColor Red
                    $SuspiciousProcesses += $Path
                }
            }
        }
    }
}

if ($SuspiciousProcesses.Count -eq 0) {
    Write-Host "[+] No obvious VB-based persistence mechanisms detected." -ForegroundColor Green
} else {
    Write-Host "[!] Action Required: Investigate and remove registry values listed above." -ForegroundColor Red
}

Write-Host "[+] Remediation script completed." -ForegroundColor Cyan

Remediation

Network Inspection (SSL/TLS Decryption): This is the most effective control. You must enable SSL inspection on your corporate proxy to inspect the traffic inside the HTTPS connection to DoubleClick. This allows your proxy to see the 302 redirect to the malicious payload domain and block it accordingly.
URL Filtering Updates: Update your Secure Web Gateway (SWG) policies. While you cannot block google.com or doubleclick.net entirely, you can implement "Referrer Checks." If traffic originates from an email client (Outlook, Webmail) and hits DoubleClick, enforce strict scrutiny on the destination of any subsequent redirects.
User Awareness: Brief your users. Inform them that "Google" or "DoubleClick" in a link does not guarantee safety. Encourage them to use the "Report Phish" button if an email context is suspicious, even if the link looks like a reputable ad server.
Endpoint Detection: Ensure your EDR is configured to flag unsigned binaries downloaded from the internet, specifically those originating from wscript.exe or browser processes.
Block Macro Execution: If DesckVB is delivered via a document lure, ensure Microsoft Office macros are blocked from the internet and signed only.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub