At a glance: Attackers route malware access through Google’s DoubleClick domain to exploit its trustworthiness and deceive security tools.
Cybersecurity researchers have identified and documented a new malspam campaign that abuses Google’s DoubleClick domain to bypass security controls and then install the remote-access trojan DesckVB RAT on target systems. The technique leverages the trust placed in a legitimate Google domain.
The attack flow exploits a redirect via DoubleClick: victims are first routed to the legitimate DoubleClick domain operated by Google and are then forwarded to attacker-controlled infrastructure. Since DoubleClick is an established Google domain, many security tools assess traffic during this phase as trustworthy and allow it to pass.
This approach is a variant of the so-called “living off the land” technique: attackers use legitimate, trusted services as intermediaries to protect their malware infrastructure from detection. The routing structure makes it difficult for both perimeter security solutions and email filters to block the campaign.
CISOs should treat DoubleClick as a source of false negatives when evaluating sandbox and threat intelligence systems, and should scrutinize HTTP redirect traffic from suspicious sources more closely.
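One way to apply that redirect scrutiny, as an added example that is not part of the original report: it rebuilds redirect chains from proxy records and flags any chain that passes through a trusted redirector but ends on an unrelated host, so the verdict rests on the final destination rather than the first hop. The log layout, URLs and function names are constructed assumptions.

```python
from urllib.parse import urlsplit, urljoin

# Redirector domains that reputation-based filters tend to trust.
# doubleclick.net is the one named in the article; extend as needed.
TRUSTED_REDIRECTORS = {"doubleclick.net"}

# Constructed sample proxy records: (client, url, status, Location header).
# Paths and hosts are placeholders, not real campaign indicators.
SAMPLE_LOG = [
    ("10.0.0.5", "https://ad.doubleclick.net/click?id=1", 302,
     "https://files.example.test/invoice.js"),
    ("10.0.0.5", "https://files.example.test/invoice.js", 200, None),
    ("10.0.0.7", "https://ad.doubleclick.net/click?id=2", 302,
     "https://www.doubleclick.net/landing"),
    ("10.0.0.7", "https://www.doubleclick.net/landing", 200, None),
    ("10.0.0.9", "https://intranet.example.test/", 200, None),
]

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def in_domains(host, domains):
    # Match the domain itself or any subdomain, never a mere suffix string.
    return any(host == d or host.endswith("." + d) for d in domains)

def redirect_chains(records):
    """Stitch per-client 3xx records into chains by following Location."""
    chains, pending = [], {}  # pending: (client, expected next URL) -> chain
    for client, url, status, location in records:
        chain = pending.pop((client, url), None)
        if chain is None:
            chain = []
            chains.append(chain)
        chain.append(url)
        if 300 <= status < 400 and location:
            # Location may be relative; resolve it against the current URL.
            pending[(client, urljoin(url, location))] = chain
    return chains

def flag_trusted_hop_exits(records, trusted=TRUSTED_REDIRECTORS):
    """Return (entry_url, final_url) for chains that cross a trusted
    redirector and terminate on a host outside the trusted set."""
    findings = []
    for chain in redirect_chains(records):
        via_trusted = any(in_domains(host_of(u), trusted) for u in chain[:-1])
        if via_trusted and not in_domains(host_of(chain[-1]), trusted):
            findings.append((chain[0], chain[-1]))
    return findings
```

The final URL in each finding is the one to submit to the sandbox or reputation lookup.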
Source: thehackernews.com · Published June 3, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.