Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT


The Hacker News
Jun 3, 2026

Why It Matters

Routing the lure through a trusted Google domain lowers the chance that URL-reputation filtering flags it, which makes large-scale credential theft and espionage cheaper for the threat actor. Organizations that rely on conventional URL-reputation filters remain exposed unless they add deeper, behavior-based defenses.

Key Takeaways

  • DoubleClick click‑tracking URL masks malicious redirects
  • DesckVB RAT uses process hollowing to inject into signed binaries
  • Malware patches AMSI and ETW at native API level
  • Dynamic email‑based landing pages eliminate need for bespoke kits

Pulse Analysis

The abuse of Google’s DoubleClick Campaign Manager illustrates a growing trend in which attackers co-opt high-reputation advertising infrastructure to slip past perimeter defenses. DoubleClick click-tracking URLs are allow-listed by many email gateways and web filters, so a malicious redirect that appears to originate from a Google domain often escapes early scrutiny. The tactic reflects a broader shift toward leveraging legitimate cloud services, such as content delivery networks and analytics platforms, to raise the success rate of phishing and malspam campaigns, forcing defenders to look beyond simple domain reputation.

Technically, the infection chain is long but modular. A phishing attachment triggers a meta-refresh that points to a DoubleClick tracking link, which redirects to a secondary server that decodes the victim’s email address from the URL and serves a landing page customized to that recipient. A JavaScript loader fetches a PowerShell script that pulls a .NET loader; the loader validates the environment, disables security controls, and finally injects the DesckVB RAT into a Microsoft-signed process via process hollowing. The RAT establishes raw TCP C2, patches AMSI and ETW to blind Windows telemetry, and creates Run/RunOnce registry entries and a Startup folder loader for persistence, giving attackers full command over compromised hosts.
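The first two hops of the chain above can be unwrapped statically before anything is fetched. The following is an added example, not code from the article or the researchers: it parses an HTML attachment for a meta-refresh, unwraps a DoubleClick click-tracking URL to the destination it actually carries, and checks whether the destination's last path segment is a base64-encoded recipient address. The sample attachment, the `/ddm/clk/...?<destination>` link shape, the `.invalid` hostnames and the base64 encoding of the email are constructed assumptions for illustration.

```python
"""Added example (not from the article): unwrap the meta-refresh -> DoubleClick
-> per-victim landing page hops of the delivery chain without contacting any server.
The attachment, URL shape and email encoding below are constructed assumptions."""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: an HTML attachment whose only job is one meta-refresh hop.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/ddm/clk/111111111;222222222;h?https://cdn-example.invalid/go/dmljdGltQGV4YW1wbGUuY29t">
</head><body>Loading invoice...</body></html>"""

# Redirectors that URL-reputation filters tend to trust (assumption: only DoubleClick here).
TRUSTED_REDIRECTORS = {"ad.doubleclick.net"}

class MetaRefreshParser(HTMLParser):
    """Collect the target of every <meta http-equiv="refresh" content="N;url=..."> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1).strip())

def extract_meta_refresh(html):
    """Return all meta-refresh targets found in the attachment body."""
    p = MetaRefreshParser()
    p.feed(html)
    return p.targets

def unwrap_click_tracker(url):
    """Return the destination embedded in a click-tracking URL on a trusted redirector,
    or None if the host is not a trusted redirector or no destination is found.
    Assumption: the destination is the whole query string when it starts with a scheme
    (the /ddm/clk/...?<dest> shape), otherwise a url/redirect/dest query parameter."""
    parts = urlsplit(url)
    if parts.netloc.lower() not in TRUSTED_REDIRECTORS:
        return None
    query = parts.query
    if query.lower().startswith(("http://", "https://")):
        return unquote(query)
    q = parse_qs(query)
    for key in ("url", "redirect", "dest"):
        if key in q:
            return unquote(q[key][0])
    return None

def decode_victim_token(dest_url):
    """If the last path segment base64-decodes to an email address, return it (the
    per-recipient landing-page trick); otherwise return None."""
    seg = urlsplit(dest_url).path.rsplit("/", 1)[-1]
    seg += "=" * (-len(seg) % 4)  # restore stripped padding
    try:
        decoded = base64.urlsafe_b64decode(seg).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", decoded) else None

def analyse_attachment(html):
    """Walk each meta-refresh hop and report the real destination, any decoded
    victim address, and a verdict string."""
    findings = []
    for hop in extract_meta_refresh(html):
        record = {"meta_refresh": hop, "final": hop, "victim": None, "verdict": "review"}
        dest = unwrap_click_tracker(hop)
        if dest:
            record["final"] = dest
            record["verdict"] = "suspicious"  # trusted redirector wrapping an external host
        record["victim"] = decode_victim_token(record["final"])
        if record["victim"]:
            record["verdict"] = "malicious"  # per-victim landing page behind a redirector
        findings.append(record)
    return findings

if __name__ == "__main__":
    for f in analyse_attachment(SAMPLE_ATTACHMENT):
        print(f)
```

The gateway-side point is that the domain the filter sees (`ad.doubleclick.net`) is not the domain that serves the lure; reputation checks should be applied to `final`, and a base64 recipient token in the path is a strong signal on its own.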

Mitigation requires layered defenses. Using Group Policy to change the default handler for script files (.vbs, .hta, .js) to Notepad stops a double-clicked attachment from executing at all, while email authentication (SPF, DKIM, DMARC) reduces spoofed delivery. Email gateways that detonate attachments and follow URLs in a sandbox add a further barrier, and endpoint products need behavior-based detection to spot process hollowing and AMSI bypass attempts rather than relying on signatures. As adversaries continue to weaponize trusted domains, organizations must adopt defense-in-depth strategies that combine policy hardening, threat intelligence, and continuous monitoring to keep pace with such evasive techniques.

