{
  "name": "Inside DesckVB Rat Analysis: From Malspam to In-Memory RAT",
  "slug": "inside-desckvb-rat-analysis-from-malspam-to-in-memory-rat",
  "description": "DesckVB RAT emerged in February 2026 through a sophisticated malspam campaign using a dynamic delivery kit that personalizes lures on the fly by extracting victim email addresses and pulling company logos in real time. The attack chain routes through Google's DoubleClick domain to evade email gateways before delivering a five-stage infection: HTML redirect, JScript loader, PowerShell dropper, .NET loader, and finally the RAT itself. The malware employs extensive anti-analysis techniques, including sandbox detection, forced reboots upon detection, and in-memory execution via .NET reflection. Once established, it patches AMSI and ETW at the native API level, injects into legitimate Microsoft-signed binaries such as InstallUtil.exe and MSBuild.exe, and establishes persistence through registry keys and scheduled tasks. The RAT communicates with DDNS-based C2 infrastructure on non-standard ports, performs system reconnaissance including GPU enumeration (possibly for crypto mining), and can deliver additional payl...",
  "published": "2026-06-03T13:18:22.675000+00:00",
  "created_at": "2026-06-04T09:08:54.767000+00:00",
  "modified_at": "2026-06-04T07:08:54+00:00",
  "created_at_opencti": "2026-06-04T09:08:54.767000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "amsi bypass",
    "desckvb rat",
    "in-memory execution",
    "jscript loader",
    "malspam",
    "venomrat"
  ],
  "tags": [
    "2026-06-03",
    "amsi bypass",
    "desckvb rat",
    "in-memory execution",
    "jscript loader",
    "malspam",
    "venomrat"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "cd162d1a-05cb-4647-a0bd-6d6b4766a685",
        "name": "bth.startthewave.org"
      },
      {
        "id": "81562143-d002-4547-b350-7a6f4f66f6a2",
        "name": "xtadts.ddns.net"
      },
      {
        "id": "ad095324-4391-44fc-a18d-7ecdc24f97da",
        "name": "catalogo.castrouria.com"
      },
      {
        "id": "4d332bf2-2825-4587-89be-9c3ccede886a",
        "name": "c356aff1a01c2b0da472e584c8e3c8f875b9a24280435d42836a77b19f5a8c18"
      },
      {
        "id": "3db1a978-fa64-4482-b685-c5ed24c10699",
        "name": "andrefelipedonascime1778799406970.2241107.meusitehostgator.com.br"
      },
      {
        "id": "c2183004-d6d6-4b90-bd5f-4cc148be6d20",
        "name": "d5b7247c497788cf0031ceb06e3df77a45fef59f1e49633dc7159816d64759b5"
      },
      {
        "id": "7a3a3192-2815-49d7-b6d6-b0f17956b0a9",
        "name": "https://andrefelipedonascime1778799406970.2241107.meusitehostgator.com.br/GpazlLUWIJ_14_05_Meus_ArquivosDeTexto/02.txt"
      },
      {
        "id": "5c61f195-787b-43fd-bc2f-558bbdbd9991",
        "name": "pengajian.muliastudy.com"
      },
      {
        "id": "ffff51a7-6bc3-4264-a976-7bd4d44faf0f",
        "name": "afxwd.ddns.net"
      },
      {
        "id": "f2e996a1-fb07-429c-9490-976ad2ea9a42",
        "name": "e91fb249aa97be5c7931e430781167edfe7ba804720b5f643e6ab70b7e6e74dd"
      },
      {
        "id": "c23679ee-aeaf-4c90-99d3-c6b127ab43d9",
        "name": "fostercareintheus.optimizationprime.com"
      },
      {
        "id": "e23c75b8-b7a9-4278-881b-88e0d02770be",
        "name": "https://pengajian.muliastudy.com/images/edu/u.php"
      },
      {
        "id": "ee6a27e0-1e64-4f1c-ade4-bcbfee040a9f",
        "name": "http://pengajian.muliastudy.com/images/edu/u.php"
      },
      {
        "id": "5a82800d-109a-46c4-a128-54a7bf40fe0d",
        "name": "f1c3ebe78bd8c38559bf3cfcc9a9fa37d221e31780774a3787e26160a61f5348"
      },
      {
        "id": "da3f76ed-c5c8-4aab-9f59-43c47c1c9a21",
        "name": "c61b1941cf756eb7551f7c661743802362728b785adc22e860d269713dfb01a6"
      }
    ],
    "attack_patterns": [
      {
        "id": "a706defa-5a99-4a26-b1be-ac6c1fc20b92",
        "name": "T1562.006"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7dc1bc79-ccad-419e-b7c0-0f7fa8522270",
        "name": "T1055.012"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "eaed9e28-8072-48ff-bd94-ed7d72554636",
        "name": "T1218.005"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "1e573653-8e3c-42df-abd2-df73bd3e1266",
        "name": "T1218.004"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "malware": [
      {
        "id": "258761ad-353e-4958-bc16-f6e572d4bd57",
        "name": "VenomRAT",
        "slug": "venomrat"
      },
      {
        "id": "c9b40e80-b8eb-4e95-96bb-65ed7776b191",
        "name": "DesckVB RAT",
        "slug": "desckvb-rat"
      }
    ],
    "observables": [
      {
        "id": "e000faef-37d9-48ac-9380-9a994ae3ad55",
        "name": "xtadts.ddns.net"
      },
      {
        "id": "b3570adb-f744-4cd7-b4d9-6959c3ce4207",
        "name": "catalogo.castrouria.com"
      },
      {
        "id": "d68dc3f0-7066-4807-8809-94c27831c00f",
        "name": "pengajian.muliastudy.com"
      },
      {
        "id": "2151a717-38ac-4be2-a65e-1e56546ef999",
        "name": "bth.startthewave.org"
      },
      {
        "id": "f390b852-aca8-493f-93d8-2501ef103fda",
        "name": "afxwd.ddns.net"
      },
      {
        "id": "e74e56b0-e292-4650-8002-7009f972a974",
        "name": "fostercareintheus.optimizationprime.com"
      },
      {
        "id": "d020bf84-91ef-4bbb-9887-f6c426d8359a",
        "name": "andrefelipedonascime1778799406970.2241107.meusitehostgator.com.br"
      },
      {
        "id": "dc60cbf6-8d63-433d-901c-a638e14f9ee6",
        "name": "http://pengajian.muliastudy.com/images/edu/u.php"
      },
      {
        "id": "aea44733-bda3-423e-ae7b-138c2b41bd88",
        "name": "https://andrefelipedonascime1778799406970.2241107.meusitehostgator.com.br/GpazlLUWIJ_14_05_Meus_ArquivosDeTexto/02.txt"
      },
      {
        "id": "5cf52352-07c0-4990-a1d6-b93bf8e7139e",
        "name": "https://pengajian.muliastudy.com/images/edu/u.php"
      },
      {
        "id": "",
        "name": "c356aff1a01c2b0da472e584c8e3c8f875b9a24280435d42836a77b19f5a8c18"
      },
      {
        "id": "",
        "name": "d5b7247c497788cf0031ceb06e3df77a45fef59f1e49633dc7159816d64759b5"
      },
      {
        "id": "",
        "name": "e91fb249aa97be5c7931e430781167edfe7ba804720b5f643e6ab70b7e6e74dd"
      },
      {
        "id": "",
        "name": "f1c3ebe78bd8c38559bf3cfcc9a9fa37d221e31780774a3787e26160a61f5348"
      },
      {
        "id": "",
        "name": "c61b1941cf756eb7551f7c661743802362728b785adc22e860d269713dfb01a6"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "bth.startthewave.org"
      },
      {
        "id": "",
        "name": "xtadts.ddns.net"
      },
      {
        "id": "",
        "name": "catalogo.castrouria.com"
      },
      {
        "id": "",
        "name": "andrefelipedonascime1778799406970.2241107.meusitehostgator.com.br"
      },
      {
        "id": "",
        "name": "pengajian.muliastudy.com"
      },
      {
        "id": "",
        "name": "afxwd.ddns.net"
      },
      {
        "id": "",
        "name": "fostercareintheus.optimizationprime.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "a9f065ba-9cec-4b63-9377-af56847f4ec7",
      "standard_id": "external-reference--2da5255f-ab59-5f5a-9712-f17606e05c83",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis",
      "hash": null,
      "external_id": null,
      "created": "2026-06-04T09:08:54.677Z",
      "modified": "2026-06-04T09:08:54.677Z",
      "createdById": null
    },
    {
      "id": "31d985d2-50d7-4744-a83a-8b4f7e8db8af",
      "standard_id": "external-reference--da07497d-692e-56ea-bc68-c9765cd7fb51",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a20299eb75a686b68713273",
      "hash": null,
      "external_id": "6a20299eb75a686b68713273",
      "created": "2026-06-04T09:08:54.643Z",
      "modified": "2026-06-04T09:08:54.643Z",
      "createdById": null
    }
  ]
}