Malspam Campaign Leverages Google DoubleClick to Distribute DesckVB RAT
What Happened – Researchers observed a new malspam operation that routes malicious links through Google’s DoubleClick advertising domain, bypassing many security controls. The campaign delivers the DesckVB remote‑access trojan (RAT) to victims who click the link or open the attachment.
Why It Matters for TPRM –
- Attackers exploit trusted third‑party infrastructure (Google DoubleClick) to increase delivery success rates.
- The RAT can harvest credentials, exfiltrate data, and provide persistent footholds in partner environments.
- Vendors that rely on Google advertising services may inadvertently become a conduit for malware, expanding the attack surface of their supply chain.
Who Is Affected – All industries that receive email communications containing Google DoubleClick ads or links, especially organizations with high email traffic and limited URL‑reputation filtering.
Recommended Actions –
- Review email security policies to include reputation checks for DoubleClick URLs.
- Harden endpoint detection to flag unknown RAT binaries such as DesckVB.
- Conduct a supply‑chain risk assessment of any third‑party services that embed Google advertising.
Technical Notes – The campaign uses a malspam email with a lure that redirects through doubleclick.net before reaching the attacker’s payload server. DesckVB RAT is a Windows‑based remote‑access tool capable of keylogging, screenshot capture, and data exfiltration. No specific CVE is cited; the attack relies on social engineering and trusted domain abuse. Source: The Hacker News
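Added example (not from the source report): one way to implement the reputation check recommended above is to unwrap links hosted on doubleclick.net and score the embedded destination rather than the trusted redirector. The sample email body, the `clk` path, the `dest` parameter and the `bad_hosts` blocklist are constructed assumptions; the code scans every query value for an absolute URL instead of relying on a specific parameter name.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REDIRECTOR = "doubleclick.net"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample body; hosts use the reserved .example TLD and the
# path/parameter names are illustrative, not a documented DoubleClick format.
SAMPLE_BODY = """Invoice attached. View online:
https://ad.doubleclick.net/clk?id=1&dest=https%3A%2F%2Ffiles.payload.example%2Finv.zip
Unsubscribe: https://www.vendor.example/unsub
Ad: https://ad.doubleclick.net/clk?id=2&dest=https%3A%2F%2Fshop.vendor.example%2F
"""

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return ""

def is_redirector(host):
    # Exact or subdomain match only, so doubleclick.net.evil.example fails.
    return host == REDIRECTOR or host.endswith("." + REDIRECTOR)

def embedded_destinations(url, depth=3):
    """Absolute URLs carried in a redirector link's query string."""
    if depth == 0 or not is_redirector(host_of(url)):
        return []
    found = []
    for _, value in parse_qsl(urlsplit(url).query):
        value = unquote(value).strip()  # second decode catches double encoding
        if not re.match(r"https?://", value, re.I):
            continue
        if is_redirector(host_of(value)):  # redirector chained to itself
            found.extend(embedded_destinations(value, depth - 1))
        else:
            found.append(value)
    return found

def triage(body, bad_hosts):
    """bad_hosts is a hypothetical local blocklist standing in for a reputation feed."""
    rows = []
    for link in URL_RE.findall(body):
        for dest in embedded_destinations(link):
            host = host_of(dest)
            rows.append((host, "block" if host in bad_hosts else "review"))
    return rows

if __name__ == "__main__":
    print(triage(SAMPLE_BODY, {"files.payload.example"}))
```

Destinations marked "review" are not known bad; they are the hosts a URL-reputation lookup should be run against instead of doubleclick.net.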