Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT
ID: f7730239-f9da-560b-8af3-3c8e0ebceec2
STIX ID: report--f7730239-f9da-560b-8af3-3c8e0ebceec2
Feed Name: The Hacker News
Researchers observed a malspam campaign that abuses Google DoubleClick redirect URLs to funnel victims to dynamically personalized landing pages. Those pages deliver a ZIP containing a JavaScript loader; the loader spawns a PowerShell script, which fetches a .NET loader that stages and deploys DesckVB RAT.

The RAT performs process hollowing into Microsoft-signed processes, disables or patches AMSI and ETW, configures Defender exclusions and persistence, communicates with its C2 over raw TCP, and includes data exfiltration and remote control capabilities. Defenders are advised to harden email authentication (SPF/DKIM/DMARC), sandbox attachments, and use GPOs to block script execution as a first line of defense.
