Cybersecurity researchers identified a new malspam campaign leveraging Google's DoubleClick domain to distribute DesckVB RAT, a remote access trojan that provides attackers full control over compromised systems.

The campaign abuses DoubleClick, a legitimate Google advertising service, to get past security tools that whitelist trusted domains. The links in the emails point at DoubleClick URLs that redirect the victim to attacker-controlled servers hosting the payload; the payload itself is never served from Google infrastructure. This redirection technique raises delivery success rates because URL filters that judge a link by the domain it displays, rather than by its final destination, see only a Google domain and let it through.

DesckVB RAT grants operators capabilities including keystroke logging, screen capture, file exfiltration, and arbitrary command execution. Once installed, the trojan establishes persistent remote access, allowing attackers to steal credentials, harvest sensitive data, and maintain long-term presence on compromised networks.

The malspam delivery relies on social engineering, typically through deceptive email attachments or malicious links that appear legitimate. Recipients unknowingly initiate the infection chain when they open attachments or click links embedded in phishing messages. The initial payload downloads the RAT onto the victim's machine.

Organisations and individuals face immediate risk of data theft, financial fraud, and operational disruption. Corporate networks suffer most when a RAT gains a foothold on an employee device, since it gives the operator a launch point for lateral movement to critical systems and databases. The use of legitimate infrastructure like DoubleClick complicates detection because administrators cannot simply block the domain: it also serves advertising and redirects for legitimate Google services, so they must balance blocking against keeping that traffic working.

Security teams should implement email filtering that resolves URL redirect chains to their final destination and examines payload behaviour, rather than relying solely on the reputation of the first domain in the link. Endpoint detection and response (EDR) tooling that monitors process execution and registry modifications used for persistence can catch RAT installation attempts even when the email slips through. User training remains essential, since social engineering drives the initial compromise.
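One way to implement the redirect-aware link check described above, as an added example rather than the researchers' or any vendor's tooling: the scanner extracts URLs from a message body and, for any link whose host is a known ad redirector, looks for a second URL embedded in the link (the redirect target) and judges the link by that destination instead of by the DoubleClick domain. The `adurl=` parameter, the `.example` destination hosts, the email text and the list of allowed destination domains are all constructed assumptions for the demonstration, not indicators from the campaign.

```python
"""Flag email links that use a trusted ad domain as an open redirect to an
untrusted destination.  Added example; the redirect parameter name, the
sample email and the domain lists are assumptions, not campaign indicators.
"""
import re
from urllib.parse import unquote, urlparse

# Domains whose links we treat as redirectors and therefore look *through*.
TRUSTED_REDIRECTORS = {"doubleclick.net"}
# Destinations a DoubleClick redirect may legitimately land on (assumption).
ALLOWED_DESTINATIONS = {"google.com", "doubleclick.net", "googleadservices.com"}

OUTER_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SCHEME_RE = re.compile(r"https?://")


def registered_domain(host: str) -> str:
    """Naive registrable domain: last two labels.  A real deployment would use
    the Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def embedded_targets(url: str) -> list:
    """Return URLs nested inside `url` (query values or path), after one round
    of percent-decoding.  Every 'http(s)://' that starts after the outer scheme
    is treated as an embedded target; each candidate is cut at the first
    whitespace, quote or '&' so it does not swallow following parameters."""
    decoded = unquote(url)
    targets = []
    for m in SCHEME_RE.finditer(decoded):
        if m.start() == 0:
            continue  # the outer URL's own scheme
        candidate = re.split(r"[\s\"'<>&]", decoded[m.start():], maxsplit=1)[0]
        targets.append(candidate)
    return targets


def classify_link(url: str) -> dict:
    """Judge a link by where a trusted redirector actually sends the victim."""
    outer_host = host_of(url)
    finding = {"url": url, "redirector": outer_host, "destination": None}
    targets = embedded_targets(url)
    if registered_domain(outer_host) not in TRUSTED_REDIRECTORS or not targets:
        finding["verdict"] = "no-embedded-redirect"
        return finding
    final = targets[-1]  # innermost URL is where the chain ends
    finding["destination"] = final
    if registered_domain(host_of(final)) in ALLOWED_DESTINATIONS:
        finding["verdict"] = "benign-redirect"
    else:
        finding["verdict"] = "suspicious"
    return finding


def scan_email_body(text: str) -> list:
    """Classify every link found in a message body, in order of appearance."""
    return [classify_link(m.group(0)) for m in OUTER_URL_RE.finditer(text)]


# Constructed sample message: one plain Google link, one DoubleClick redirect
# to Google, and one DoubleClick redirect to a non-Google host (encoded).
SAMPLE_EMAIL = """Your invoice is ready.
Help: https://support.google.com/
Map: https://ad.doubleclick.net/ddm/clk/111;222;adurl=https://www.google.com/maps
Download: https://ad.doubleclick.net/ddm/clk/123456;789;adurl=https%3A%2F%2Finvoice-portal.example%2Fdl%2Fstatement.exe
"""

if __name__ == "__main__":
    for f in scan_email_body(SAMPLE_EMAIL):
        print(f["verdict"].ljust(22), f["redirector"], "->", f["destination"])
```

Only the third link is flagged: its outer host is a DoubleClick domain, but the decoded redirect target lands on a host that is not in the allowed set. A filter that looked only at `ad.doubleclick.net` would have passed all three. The domain lists and the single round of percent-decoding are deliberate simplifications; a production check should also follow the chain in a sandbox, since a redirector can decide the destination server-side.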

Organisations should review email logs for suspicious DoubleClick redirects and monitor for