Researchers at Huntress observed a large-scale phishing email campaign in which attackers use the legitimate Google DoubleClick Campaign Manager domain as an intermediate link in the infection chain. The ultimate goal is to deliver DesckVB RAT, a remote access trojan written for the .NET platform. A key feature of the campaign is automatic personalization of phishing pages for each victim without the need to create separate kits for every targeted organization, which makes the attack scalable and cost-effective. Organizations using Windows infrastructure are advised to review script execution policies and email security settings.
Infection chain: from HTML attachment to full control
According to the researchers, the attack starts with a phishing email containing an HTML attachment. When opened, the file performs a redirect via a meta-refresh tag to a Google DoubleClick Campaign Manager click-tracking URL. Since the doubleclick.net domain belongs to Google, many email security tools and web filters are less likely to block such a redirect.
The victim is then sent through an additional redirector, which decodes the email address from Base64 format and routes the user to a landing page with a “Download PDF” button. According to the report, the phishing kit dynamically pulls in the victim’s corporate branding and location data, creating a convincing imitation of a legitimate resource without manual customization for each organization.
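The redirect pattern described above (an HTML attachment whose meta-refresh points at a doubleclick.net click-tracking URL that in turn carries a Base64-encoded recipient address) is something a mail-gateway or incident-response script can check for before a user ever opens the file. The following is an added example written for this article, not Huntress tooling; the attachment, the redirector hostname and the query-parameter names are constructed, and the only real-world assumption is that the tracking hop lives under doubleclick.net as the report states.

```python
"""Scan an HTML email attachment for a meta-refresh redirect that passes
through an ad-tracking domain and embeds a Base64-encoded recipient address.

Added example for defenders; not code from the original report. The sample
attachment, redirector host and parameter names below are constructed."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Tracking domains the article names as the intermediate hop.
TRACKING_DOMAINS = ("doubleclick.net",)
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")

# Constructed sample: the shape of the lure, not a captured attachment.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/ddm/clk/CONSTRUCTED?ds_dest_url=https://redirector.example/go?u=amFuZS5kb2VAZXhhbXBsZS5jb20=">
</head><body>Loading document...</body></html>"""


class MetaRefreshParser(HTMLParser):
    """Collects the target URL of every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=https://..." (spacing and case vary)
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())


def decode_b64_email(token):
    """Return the email address hidden in a (URL-safe or standard) Base64 token, else None."""
    token = unquote(token).replace("-", "+").replace("_", "/")
    try:
        padded = token + "=" * (-len(token) % 4)
        text = base64.b64decode(padded).decode("utf-8")
    except Exception:  # not Base64, bad padding or not UTF-8: not an address
        return None
    return text if EMAIL_RE.match(text) else None


def _tokens(url, depth=0):
    """Yield query values and path segments of url, descending into nested URLs."""
    parsed = urlparse(url)
    for vals in parse_qs(parsed.query).values():
        for v in vals:
            yield v
            if depth < 3 and v.lower().startswith(("http://", "https://")):
                yield from _tokens(v, depth + 1)
    for seg in parsed.path.split("/"):
        if seg:
            yield seg


def _hosts(url, depth=0):
    """Yield every hostname in the redirect chain, including nested destination URLs."""
    parsed = urlparse(url)
    if parsed.hostname:
        yield parsed.hostname.lower()
    for vals in parse_qs(parsed.query).values():
        for v in vals:
            if depth < 3 and v.lower().startswith(("http://", "https://")):
                yield from _hosts(v, depth + 1)


def analyze_attachment(html):
    """Return one finding per meta-refresh target that uses a tracking hop or hides an address."""
    parser = MetaRefreshParser()
    parser.feed(html)
    findings = []
    for url in parser.targets:
        hosts = list(_hosts(url))
        via_tracker = any(h == d or h.endswith("." + d) for h in hosts for d in TRACKING_DOMAINS)
        emails = [e for e in (decode_b64_email(t) for t in _tokens(url)) if e]
        if via_tracker or emails:
            findings.append({"url": url, "hosts": hosts,
                             "via_tracker": via_tracker, "encoded_emails": emails})
    return findings


if __name__ == "__main__":
    for f in analyze_attachment(SAMPLE_ATTACHMENT):
        print(f"tracker hop: {f['via_tracker']}  chain: {' -> '.join(f['hosts'])}"
              f"  encoded recipient: {f['encoded_emails']}")
```

A hit on both conditions (a tracking-domain hop and a decoded recipient address that matches the message's actual recipient) is a strong signal that the attachment is a personalised lure rather than an ordinary redirect, and the decoded address doubles as an identifier for which mailbox was targeted.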
Clicking the download button initiates the download of a ZIP archive that launches a multi-stage infection chain:
- JavaScript loader — extracts and runs a PowerShell script
- PowerShell script — downloads a .NET loader from an external server
- .NET loader (stager) — performs checks for analysis environments, disables defenses, and sets up persistence mechanisms
- DesckVB RAT — the final payload, injected into a legitimate process using the process hollowing technique
Notably, the malicious code is injected into processes signed with Microsoft certificates, which significantly complicates detection at the behavioral analysis level.
Evasion and persistence techniques
According to Huntress, DesckVB RAT uses an aggressive set of techniques to blind monitoring systems even before establishing persistent presence on the system:
- Patching AMSI (Antimalware Scan Interface) at the native API level — blocks antivirus solutions from scanning scripts and downloaded in-memory code
- Patching ETW (Event Tracing for Windows) — suppresses Windows telemetry, depriving EDR solutions of event streams
- Configuring Microsoft Defender exclusions — adds paths and processes to the antivirus exclusion list
- Analysis-environment detection — when analysis tools or a sandbox are detected, the malware terminates processes and reboots the machine
To maintain persistence on the system, the trojan reportedly uses several mechanisms at once: entries in the Run and RunOnce registry keys, as well as placing the loader in the user’s Startup folder.
Trojan capabilities
After launch, DesckVB RAT establishes a connection to the command server via raw TCP sockets, performs system reconnaissance and, according to the researchers, provides operators with the following capabilities:
- Exfiltration of data from the compromised system
- Execution of arbitrary commands
- Delivery and deployment of additional payloads
Impact assessment
Using legitimate Google infrastructure as an intermediate hop is not a new technique, but it is an effective one that lowers detection rates at the level of email gateways and web proxies. Combined with automatic personalization of phishing pages, this creates a threat to organizations of any size: attackers do not need prior reconnaissance to craft convincing lures for a specific company.
Organizations at the greatest risk are those where script execution policies are not configured, there is no sandbox for analyzing email attachments, and email authentication mechanisms are not deployed.
Recommendations for defense
To counter this and similar campaigns, the following measures are recommended:
- Script execution policies: via Active Directory Group Policies (GPO), configure files with the .vbs, .hta and .js extensions to open in a text editor (Notepad) by default — this blocks the JavaScript loader, the first stage launched from the ZIP archive
- Email authentication: deploy DMARC, DKIM and SPF records to reduce the likelihood of fraudulent emails reaching end users
- Attachment sandboxing: use a mail gateway capable of analyzing attachments and links in an isolated environment before delivering the email to the recipient
- Registry monitoring: track changes in the Run and RunOnce keys and in the contents of the Startup folder
- AMSI and ETW integrity monitoring: use EDR solutions capable of detecting attempts to patch AMSI and ETW functions at the native API level
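The persistence mechanisms named earlier (Run and RunOnce entries plus a copy of the loader in the Startup folder) and the registry-monitoring recommendation above can be turned into a quick triage of an exported autostart list. The block below is an added example written for this article, not a Huntress tool: it parses the text format produced by a registry export of the Run and RunOnce keys and flags launch commands that invoke a script host, use hidden or encoded PowerShell, or run from user-writable locations. The export is constructed (the value names, paths and the encoded string, which decodes to the harmless text "IEX", are all made up), and the heuristics are illustrative rather than a substitute for a baseline comparison against known-good hosts.

```python
"""Triage Run/RunOnce autostart entries from a Windows registry export and
flag launch commands matching the persistence pattern described in the
article (script hosts, encoded/hidden PowerShell, user-writable paths).

Added example for defenders; not code from the original report.
SAMPLE_EXPORT is constructed, not taken from a real host."""
import re

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jane\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //B \"C:\\Users\\jane\\AppData\\Roaming\\upd.js\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"svc"="powershell.exe -w hidden -enc SQBFAFgA"
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with backslash-escaped quotes and backslashes inside both.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# (label, pattern) pairs; order determines the order of reasons reported.
SUSPICIOUS = [
    ("script host", re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b", re.I)),
    ("encoded/hidden PowerShell",
     re.compile(r"powershell(\.exe)?.*\s-(enc|encodedcommand|w(indowstyle)?\s+hidden)", re.I)),
    ("user-writable path",
     re.compile(r"\\(AppData\\Roaming|Temp|Start Menu\\Programs\\Startup)\\", re.I)),
]


def unescape(s):
    """Undo the .reg escaping of \\ and \" inside a quoted string."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def triage_autostarts(text, keys_of_interest=("\\Run", "\\RunOnce")):
    """Return (key, value_name, command, reasons) for each autostart entry that trips a heuristic."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.endswith(keys_of_interest):
            continue
        for name, cmd in values.items():
            reasons = [label for label, rx in SUSPICIOUS if rx.search(cmd)]
            if reasons:
                hits.append((key, name, cmd, reasons))
    return hits


if __name__ == "__main__":
    for key, name, cmd, reasons in triage_autostarts(SAMPLE_EXPORT):
        print(f"{key}\\{name}: {', '.join(reasons)}\n    {cmd}")
```

Run against a real export (for example the output of `reg export` on the two Run keys), the same parser feeds a diff against a stored baseline, which is the check the recommendation actually calls for; the heuristics only rank what changed. Note that legitimate software such as the OneDrive entry in the sample also starts from under AppData, so the path rule is deliberately limited to Roaming, Temp and the Startup folder.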
This campaign clearly demonstrates why defense in depth remains a critically important principle: no single layer of controls can guarantee blocking the entire attack chain. A top-priority action for administrators of Windows infrastructures should be configuring GPO to block the automatic execution of script files — this single measure can break the infection chain at the very earliest stage, before any additional components are downloaded.