Inside DesckVB RAT Analysis: From Malspam to In-Memory RAT

DesckVB RAT emerged in February 2026 through a sophisticated malspam campaign utilizing a dynamic delivery kit that personalizes lures on-the-fly by extracting victim email addresses and pulling company logos in real-time. The attack chain routes through Google's DoubleClick domain to evade email gateways before delivering a five-stage infection: HTML redirect, JScript loader, PowerShell dropper, .NET loader, and finally the RAT itself. The malware employs extensive anti-analysis techniques including sandbox detection, forced reboots upon detection, and in-memory execution via .NET reflection. Once established, it patches AMSI and ETW at the native API level, injects into legitimate Microsoft-signed binaries like InstallUtil.exe and MSBuild.exe, and establishes persistence through registry keys and scheduled tasks. The RAT communicates with DDNS-based C2 infrastructure on non-standard ports, performs system reconnaissance including GPU enumeration possibly for crypto mining, and can deliver additional payl...

Pulse ID: 6a20299eb75a686b68713273
Pulse Link: https://otx.alienvault.com/pulse/6a20299eb75a686b68713273
Pulse Author: AlienVault
Created: 2026-06-03 13:18:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CryptoMining #CyberSecurity #DNS #DoubleClick #ELF #Email #Google #HTML #InfoSec #MSBuild #MalSpam #Malware #Microsoft #NET #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Spam #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

A csv formatted list of #malspam campaigns that crossed my path in May to include #malware, subjects, hashes, c2's, and email exfil addresses:

https://gist.github.com/silence-is-best/9b7365532f5ceb3b963bbc2dc3d8e876

#retrohunt

Threat Actors Weaponize Tiflux RMMs in Malspam Attacks

Pulse ID: 6a016038daea3ca1a2762d7b
Pulse Link: https://otx.alienvault.com/pulse/6a016038daea3ca1a2762d7b
Pulse Author: Tr1sa111
Created: 2026-05-11 04:51:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #MalSpam #OTX #OpenThreatExchange #Spam #bot #Tr1sa111


An on-time (yay) csv formatted list of #malspam campaigns that crossed my path in April to include #malware type, c2, hash, subject, and email exfil addresses:

https://gist.github.com/silence-is-best/bc95a949f272f8c5487d057bbd74d14f

#retrohunt

When your #malspam threat actor forgets to properly configure their #remcos ....ya "Juniorer" indeed 🤣

https://app.any.run/tasks/1ff77354-94ca-4d30-b6f7-a86aff32e1af

Trust this “Amazon” phishing email in Japan—and you’re Prime sashimi 🎣 🍣

Looking into our malspam data, we identified an active campaign impersonating Amazon and targeting Japanese citizens. The emails use subjects such as 「至急 Amazonプライム会員情報の確認」 (“Urgent: Confirm Amazon Prime member information”).

The URLs within the emails ultimately lead to an Amazon phishing page, but only after routing victims through a TDS. Interestingly, instead of keeping the TDS step invisible, the actors chose to show it off—repackaging it as a reassuring security check.

Upon clicking the link within the email, victims are first redirected to an RDGA TDS domain, where fingerprinting occurs. If the user does not match the targeting criteria (e.g., connecting from outside Japan), access is blocked. If they do match, potential victims are redirected to a second RDGA domain.
This second and last domain is not a TDS domain, but funny enough, these actors decided they would emulate it anyway!

At that step victims are already at the landing page, but instead of immediately displaying a standard Amazon phishing page, the website displays a CAPTCHA and a fake console interface simulating environment fingerprinting checks to “make sure your environment and connection is safe” before "proceeding to the landing page". Ironically, part of their message is true: fingerprinting did happen one domain earlier. It just wasn’t for the user’s benefit—it was to make sure the environment was safe… for the scammers. A few seconds later, without any further user interaction, a fake Amazon login page is displayed.

Domain samples:
qqc10c[.]cyou
51wang11c[.]cyou

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #amazon #malspam #email #fingerprinting #japan

A very late (due to work travel) csv formatted list of #malspam campaigns that crossed my path in March to include #malware type, subject, hash, c2, and email exfil addresses:

https://gist.github.com/silence-is-best/440abd3e683adf69f531371cf56cd338

#retrohunt

A csv formatted list of #malspam campaigns that crossed my path in February to include subjects, #malware type, hashes, c2's, and email exfil addresses:

https://gist.github.com/silence-is-best/49cbc51145478ed68d06e02e14ddc135

#retrohunt

New 2026 telemetry from Bitdefender indicates 41% of Valentine’s-themed email traffic contained scam elements.

Threat vectors observed:
• Brand impersonation campaigns
• AI-generated dating personas
• Advance-fee survey funnels
• Delivery notification phishing
• Pharma spam distribution
• Healthcare provider impersonation (e.g., Techniker Krankenkasse)
Geographic targeting concentrated in the U.S. (55%) and key European markets.

Question for defenders:
Are current email filtering models sufficiently adaptive to seasonal emotional triggers amplified by generative AI?
Engage below.

Follow @technadu for threat intelligence reporting.

#ThreatIntel #Phishing #EmailSecurity #AIThreats #SOC #BlueTeam #FraudDetection #BrandAbuse #SecurityResearch #CyberDefense #Malspam #DigitalRisk

A csv formatted list of #malspam campaigns that crossed my path in January to include #malware, c2, hash, subject, and some email exfil addresses:

https://gist.github.com/silence-is-best/8b91cfa90b598f71dbd7169f0391c98c

#retrohunt