DesckVB RAT
DesckVB RAT is a .NET-based remote access trojan observed in active campaigns in early 2026, including malspam operations identified by Huntress that abused Google’s DoubleClick domain to evade detection and deliver the payload. In the reported phishing chain, victims received an email with an HTML attachment that redirected through DoubleClick to a personalized landing page using victim email, company branding, and location details; clicking a fake "Download PDF" button delivered a ZIP archive containing a JavaScript loader, followed by PowerShell and a .NET loader/stager that ultimately deployed DesckVB RAT via process hollowing into legitimate Microsoft-signed processes. Separate reporting also describes DesckVB RAT v2.9 as a modular, plugin-based .NET RAT delivered through an obfuscated Windows Script Host JavaScript stager executed by wscript.exe, transitioning to PowerShell and a fileless in-memory .NET loader.
Documented capabilities include persistence via Run and RunOnce registry entries and a Startup-folder loader, command-and-control communications over raw/custom TCP sockets, system reconnaissance, data theft, command execution, and delivery of additional payloads. The malware weakens host defenses by configuring Microsoft Defender exclusions and patching or disabling AMSI and ETW at the native API level. It also performs anti-analysis and sandbox checks, including internet-connectivity validation and debugger or analysis-tool detection, and may terminate or reboot the host if analysis is detected. Reported plugin functionality includes a keylogger tracking active windows, webcam streaming via DirectShow, and enumeration of installed antivirus or security products. High-confidence behavioral indicators from the reporting include anomalous wscript.exe activity, suspicious PowerShell that constructs decimal byte arrays, reflective or in-memory code loading, process hollowing into legitimate Microsoft processes, and persistence through registry Run/RunOnce keys and Startup-folder artifacts. One source references the malware as linked to the "Pjoao1578 toolchain," but no actor attribution is otherwise established in the provided content.
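The behavioral indicators listed above (anomalous wscript.exe activity, PowerShell that builds decimal byte arrays, in-memory .NET assembly loading, InstallUtil.exe abuse, and Run/RunOnce or Startup-folder persistence) translate directly into host-level detection logic. The following is an added example, not code from any of the cited reports or from Mallory: it runs a set of rules over constructed Sysmon-style events (the field names, the sample command lines, the script names and the user paths are all invented for illustration) and reports which stages of the reported chain fired. The thresholds, such as requiring 16 or more comma-separated decimal values before flagging a byte array, are assumptions to tune against your own telemetry.

```python
import re

# Constructed sample telemetry (not from any real incident). A reduced Sysmon-style
# schema is assumed: "process" = process creation, "registry" = registry value set,
# "file" = file create. Paths, script names and the user "u" are placeholders.
EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Invoice_2026.js"'},
    {"id": 2, "type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c $b=[byte[]](77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0,184,0,0,0);"
            "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"},
    {"id": 3, "type": "process", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmd": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\u\AppData\Roaming\svc.dll"},
    {"id": 4, "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "data": r"wscript.exe C:\Users\u\AppData\Roaming\upd.js"},
    {"id": 5, "type": "file",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ld.js"},
    # Benign noise that the rules must not flag: an admin's interactive PowerShell
    # and a vendor installer writing a Run key that points into Program Files.
    {"id": 6, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Service | Where-Object Status -eq Running"},
    {"id": 7, "type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

WSH = ("wscript.exe", "cscript.exe")
# Directories an unprivileged user can write to; a persistence target or a
# LOLBin payload living here is the suspicious part, not the binary itself.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# 16+ comma-separated decimal values: the "decimal byte array" construction.
DECIMAL_ARRAY = re.compile(r"(?:\b\d{1,3}\s*,\s*){15,}\d{1,3}\b")
# [System.Reflection.Assembly]::Load(...) / ::LoadFile / ::LoadFrom
REFLECTIVE_LOAD = re.compile(r"Reflection\.Assembly\]::Load\w*\s*\(", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule_name, event_id) pairs for every event that matches a chain stage."""
    hits = []
    for e in events:
        if e["type"] == "process":
            parent, image, cmd = basename(e["parent"]), basename(e["image"]), e["cmd"]
            if image in WSH and USER_WRITABLE.search(cmd):
                hits.append(("wsh_script_from_user_writable", e["id"]))
            if parent in WSH and image == "powershell.exe":
                hits.append(("wsh_spawns_powershell", e["id"]))
            if image == "powershell.exe" and DECIMAL_ARRAY.search(cmd):
                hits.append(("powershell_decimal_byte_array", e["id"]))
            if REFLECTIVE_LOAD.search(cmd):
                hits.append(("reflective_assembly_load", e["id"]))
            if image == "installutil.exe" and USER_WRITABLE.search(cmd):
                hits.append(("installutil_user_writable_payload", e["id"]))
        elif e["type"] == "registry":
            launcher = basename(e["data"].split()[0]) if e["data"].split() else ""
            if RUN_KEY.search(e["key"]) and (USER_WRITABLE.search(e["data"]) or launcher in WSH):
                hits.append(("run_key_persistence", e["id"]))
        elif e["type"] == "file":
            if STARTUP_DIR.search(e["path"]):
                hits.append(("startup_folder_persistence", e["id"]))
    return hits


def chain_detected(hits, minimum=3):
    """True when at least `minimum` distinct stages fired; single stages are noisy on their own."""
    return len({rule for rule, _ in hits}) >= minimum


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for rule, event_id in found:
        print(f"event {event_id}: {rule}")
    print("chain detected:", chain_detected(found))
```

Each rule maps to one stage the reporting describes, so a single host producing several of them in a short window is a far stronger signal than any one rule; `chain_detected` is the simplest form of that correlation. The decimal-array rule deliberately keys on PowerShell only, since installers and build scripts in other interpreters legitimately embed long numeric literals.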
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The campaign begins with a phishing email containing an HTML attachment.
The attack begins when an unsuspecting user opens an HTML file that's attached to a phishing email.
Execution
5 techniques
It possesses capabilities for data extraction, command execution, and deploying further payloads...
The script extracts and runs a PowerShell script, which then fetches a .NET loader from an external server.
This is achieved by means of a JavaScript loader, whose main responsibility is to retrieve and execute a .NET RAT while flying under the radar.
The attack begins when an unsuspecting user opens an HTML file that's attached to a phishing email.
The campaign begins with a phishing email containing an HTML attachment. Upon opening, the attachment initiates a redirect through a Google DoubleClick tracking URL...
Persistence
2 techniques
...persistence is established on the host by setting up Run and RunOnce Registry entries
Privilege Escalation
3 techniques
The Execute method within this loader uses CreateProcessA to spawn a new process in a suspended state before injecting the malicious payload.
Inside, a JavaScript loader retrieves and executes a .NET RAT using a technique called process hollowing, injecting the malware into legitimate Microsoft processes.
Stealth
7 techniques
...another redirector, which decodes the Base64-encoded email address
This sophisticated attack chain aims to bypass traditional detection methods by routing traffic through a legitimate Google-owned domain... leading the victim to a personalized landing page. This page dynamically incorporates company branding and location details, making it appear more convincing.
The Execute method within this loader uses CreateProcessA to spawn a new process in a suspended state before injecting the malicious payload.
Inside, a JavaScript loader retrieves and executes a .NET RAT using a technique called process hollowing, injecting the malware into legitimate Microsoft processes.
The malware uses the legitimate Windows tool InstallUtil.exe to execute its payload — a known technique for bypassing application control policies.
...while also attempting to detect and evade sandboxed environments or analysis tools.
Once fully deployed, DesckVB RAT loads a .NET assembly directly into memory using .NET reflection techniques, bypassing the need to leave any files on the hard drive.
Defense Impairment
1 technique
Credential Access
1 technique
Discovery
2 techniques
Once launched, the trojan communicates with a command-and-control (C2) server over raw TCP sockets, carries out system reconnaissance
Collection
3 techniques
It possesses capabilities for data extraction, command execution, and deploying further payloads...
At runtime, the malware activates several harmful capabilities, including keylogging, webcam access, antivirus detection evasion, and encrypted communication with its C2 server.
Command and Control
5 techniques
The DesckVB RAT... communicates with a command-and-control server.
Its use of encrypted HTTPS traffic over port 443 allows it to blend in with normal internet activity, making network-level detection just as difficult.
The file triggers a meta-refresh browser redirect to a Google DoubleClick Campaign Manager click-tracking URL, from where the user is steered to another redirector, which decodes the Base64-encoded email address and leads the victim to a landing page
Clicking a "Download PDF" button triggers the download of a ZIP archive. Inside, a JavaScript loader retrieves and executes a .NET RAT...
Once active, it drops Keylogger.dll directly into memory and begins C2 communication over manikandan83.mysynology.net on port 7535, resolving to IP 45.156.87.226.
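The delivery chain quoted above (HTML attachment, meta-refresh to a DoubleClick click-tracking URL, a second redirector carrying the victim's Base64-encoded email address, then the personalized landing page) can be triaged offline from the attachment plus the redirect hops a sandbox or proxy log recorded. The following is an added example, not code from any of the cited reports or from Mallory: it parses the meta-refresh target out of a constructed HTML attachment, identifies the DoubleClick hop, and scans the observed redirect URLs for query values that Base64-decode to an email address. The tracker path, the redirector host, the query parameter name "e" and the email address are all invented for illustration; the reporting only states that such a parameter exists, not what it is called.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample attachment (not a real sample). Only the meta-refresh hop
# to a doubleclick.net click-tracking URL reflects the reported chain; the path
# segments are placeholders.
SAMPLE_HTML = """<!doctype html><html><head>
<meta http-equiv="refresh" content="0; url=https://ad.doubleclick.net/ddm/clk/000000000;000000000;0">
<title>Document</title></head><body>Loading your document...</body></html>"""

# Constructed redirect chain as a sandbox would record it from Location headers.
# The second hop carries the (hypothetical) "e" parameter with the victim's
# Base64-encoded address; host names and the address are invented.
SAMPLE_HOPS = [
    "https://ad.doubleclick.net/ddm/clk/000000000;000000000;0",
    "https://redirect.example.invalid/go?e="
    + base64.urlsafe_b64encode(b"jane.doe@example.com").decode(),
    "https://landing.example.invalid/view",
]


class MetaRefreshParser(HTMLParser):
    """Collects every <meta http-equiv="refresh"> target in the document."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=https://..." (quotes around the URL are optional)
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1))


def meta_refresh_targets(html):
    parser = MetaRefreshParser()
    parser.feed(html)
    return parser.targets


def is_doubleclick(url):
    """Exact-domain match, so doubleclick.net.evil.invalid does not pass."""
    host = (urlparse(url).hostname or "").lower()
    return host == "doubleclick.net" or host.endswith(".doubleclick.net")


EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)


def b64_emails(url):
    """Query values that Base64-decode (standard or URL-safe alphabet) to an email address."""
    found = {}
    for key, values in parse_qs(urlparse(url).query).items():
        for value in values:
            s = unquote(value)
            s += "=" * (-len(s) % 4)  # tolerate stripped padding
            try:
                decoded = base64.b64decode(s, altchars=b"-_", validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if EMAIL.match(decoded):
                found[key] = decoded
    return found


def triage(html, hops):
    """Summarize the attachment and observed redirect chain for an analyst."""
    targets = meta_refresh_targets(html)
    report = {
        "meta_refresh_targets": targets,
        "doubleclick_hop": next((u for u in targets + hops if is_doubleclick(u)), None),
        "victim_emails": {},
        "final_landing": hops[-1] if hops else None,
    }
    for url in hops:
        report["victim_emails"].update(b64_emails(url))
    return report


if __name__ == "__main__":
    for k, v in triage(SAMPLE_HTML, SAMPLE_HOPS).items():
        print(f"{k}: {v}")
```

Recovering the decoded address matters for scoping: it tells you which mailbox the lure was personalized for, which is the user whose host telemetry to pull first. Because the DoubleClick hop is a legitimate service, the detection value is in the combination (an email-borne HTML file whose only content is a refresh to an ad click-tracker) rather than in the domain itself.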
Other
1 technique
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A .NET remote access trojan delivered via malspam that uses process hollowing to inject into legitimate Microsoft processes, establishes persistence, disables AMSI and ETW, communicates with a command-and-control server, supports data extraction and command execution, can deploy additional payloads, and includes sandbox/analysis evasion checks.
A .NET-based remote access trojan delivered via malspam. It uses a multi-stage infection chain involving JavaScript, PowerShell, and a .NET loader to evade analysis, disable security controls, establish persistence, inject into Microsoft-signed processes via process hollowing, communicate with C2 over raw TCP sockets, perform system reconnaissance, configure Microsoft Defender exclusions, patch AMSI and ETW, extract data, run commands, and deploy additional payloads.
Remote access trojan family enabling comprehensive remote control over infected hosts; reported as newly discovered by threat hunters.
Modular .NET-based remote access trojan with a plugin ecosystem. Delivered via an obfuscated WSH JavaScript stager followed by a PowerShell stage with anti-analysis checks, then a fileless in-memory .NET loader. Supports post-compromise modules including keylogging, webcam streaming (DirectShow), and antivirus/security product enumeration; modules delivered over a custom TCP protocol.