
Google DoubleClick Abused as Redirector to Deliver DesckVB RAT via Malspam Campaign

Scope: Enterprise Email Users (Windows Endpoints)

Severity: Red

A scalable malspam campaign documented by Huntress in May 2026 uses Google's legitimate ad.doubleclick.net domain as the first-hop redirector for the links in its phishing emails. Because the domain carries a high reputation, the links pass email security gateways and URL blocklists; victims are then steered to a dynamically personalized landing page that pulls in the victim's company branding in real time and delivers a ZIP archive.

The five-stage, in-memory infection chain (HTML attachment, JScript loader, PowerShell stager, .NET reflective loader, DesckVB RAT) never writes meaningful artifacts to disk. It culminates in DesckVB, a .NET-based RAT active since February 2026 that establishes persistence, configures Microsoft Defender exclusions, and grants full remote control by process hollowing into Microsoft-signed processes.

Organizations should configure GPO to force script file extensions (.vbs, .hta, .js) to open in Notepad by default, enforce DMARC, DKIM, and SPF, deploy email gateway sandboxing with recursive URL analysis, enable PowerShell ScriptBlock and Module logging, and deploy EDR with behavioral detection rules for AMSI patching and process hollowing.
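As an added illustration of the "recursive URL analysis" recommended above (example code written for this advisory, not part of Huntress's research or any product), the following Python sketch statically unwraps a link that passes through a trusted redirector to find the host it really lands on. The redirect parameter name, the landing hosts and the sample mail body are all constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Trusted first-hop redirector hosts. ad.doubleclick.net is the one the advisory
# names; add others from your own telemetry.
REDIRECTOR_HOSTS = {"ad.doubleclick.net"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MAX_HOPS = 5  # bound the unwrapping; nested redirectors are a common evasion

def embedded_urls(url: str) -> list[str]:
    """Return every http(s) URL carried in the query string of `url`.
    Keys and values are both inspected because the parameter name is not
    known in advance; one extra unquote catches double-encoded targets."""
    found = []
    for key, values in parse_qs(urlparse(url).query, keep_blank_values=True).items():
        for cand in (key, *values):
            cand = unquote(cand)
            if cand.lower().startswith(("http://", "https://")):
                found.append(cand)
    return found

def resolve_chain(url: str) -> list[str]:
    """Unwrap redirector hops statically (no network access): while the current
    URL sits on a known redirector and embeds another URL, step into it."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        host = (urlparse(chain[-1]).hostname or "").lower()
        nested = embedded_urls(chain[-1]) if host in REDIRECTOR_HOSTS else []
        if not nested:
            break
        chain.append(nested[0])
    return chain

def triage_body(body: str) -> list[dict]:
    """Extract URLs from a mail body and report where each one really lands."""
    report = []
    for url in URL_RE.findall(body):
        chain = resolve_chain(url)
        report.append({"seen": url, "final": chain[-1], "hops": len(chain) - 1})
    return report

if __name__ == "__main__":
    # Constructed sample; the parameter name "u" and every host here are made up.
    sample = ("Your invoice is ready: https://ad.doubleclick.net/clk?u="
              "https%3A%2F%2Flanding.invalid%2Fbrand%3Fco%3Dacme.example "
              "and https://intranet.example/ok")
    for row in triage_body(sample):
        print(row)
```

Feed the `final` host, not the trusted first hop, into the gateway's reputation lookup and sandbox; a redirector URL with no recoverable target (hops == 0) still merits detonation rather than a pass.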

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.