Inside DesckVB RAT Analysis: From Malspam to In-Memory RAT
Essential information
- Published: 03/06/2026 15:18
- Modified: 04/06/2026 09:08
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: amsi bypass, desckvb rat, in-memory execution, jscript loader, malspam, venomrat
- Tags: 2026-06-03, amsi bypass, desckvb rat, in-memory execution, jscript loader, malspam, venomrat
- Related entities: 15 indicators, 15 observables, 21 techniques (mitre), 2 malware, 7 others
Description
DesckVB RAT emerged in February 2026 through a sophisticated malspam campaign that uses a dynamic delivery kit to personalize lures on the fly, extracting the victim's email address and pulling the company's logo in real time. The attack chain routes through Google's DoubleClick domain to evade email gateways before delivering a five-stage infection: HTML redirect, JScript loader, PowerShell dropper, .NET loader, and finally the RAT itself. The malware employs extensive anti-analysis techniques, including sandbox detection, forced reboots when analysis is detected, and in-memory execution via .NET reflection. Once established, it patches AMSI and ETW at the native API level, injects into legitimate Microsoft-signed binaries such as InstallUtil.exe and MSBuild.exe, and establishes persistence through registry keys and scheduled tasks. The RAT communicates with DDNS-based C2 infrastructure on non-standard ports, performs system reconnaissance including GPU enumeration (possibly for crypto mining), and can deliver additional payl...