A sophisticated new Remote Access Trojan (RAT) dubbed DesckVB has emerged in 2026, employing advanced evasion techniques such as heavily obfuscated JavaScript and a fileless .NET loader to bypass security defenses. This malware grants attackers comprehensive remote control over infected systems, posing a significant cybersecurity threat to both individuals and organizations. The discovery highlights the evolving landscape of malware attacks and the increasing reliance on stealthy, in-memory execution methods.
The DesckVB RAT initiates its infection chain through a meticulously obfuscated JavaScript file. Upon execution, this script silently deploys a PowerShell script to the common, often less scrutinized, `C:\Users\Public` directory on the victim’s machine. The malware exhibits a multi-faceted approach to persistence, replicating its code across PowerShell and text files, thereby diversifying its execution pathways. The core danger of DesckVB lies in its minimal on-disk footprint for critical components, making it exceptionally difficult for traditional antivirus solutions to detect and neutralize.
The Fileless Infection Chain of DesckVB RAT
Security analysts from Point Wild’s LAT61 Threat Intelligence Team have conducted an in-depth examination of DesckVB RAT, revealing its layered obfuscation strategy designed to conceal its malicious intent at every stage. The malware employs a combination of Base64 encoding and URL string reversal to mask its command-and-control (C2) server addresses, a tactic specifically engineered to thwart automated threat detection tools. The overall architecture of DesckVB suggests a deliberate design informed by a deep understanding of contemporary security software capabilities.
Once fully deployed, DesckVB RAT utilizes .NET reflection techniques to load its core .NET assembly directly into the system’s memory. This fileless execution method circumvents the need for any persistent storage on the hard drive, enabling the malware to carry out its malicious operations without triggering many file-based detection mechanisms. Among its runtime capabilities, DesckVB can perform keylogging, capture webcam feeds, actively evade antivirus software, and establish encrypted communication channels with its C2 server.
The implications of DesckVB RAT are far-reaching and concerning. Successful deployment allows threat actors to exfiltrate sensitive data, continuously monitor user activities, and maintain prolonged, undetected access to compromised systems. Its use of encrypted HTTPS traffic over port 443 further aids in its stealth by blending seamlessly with legitimate internet traffic, making even network-level detection a formidable challenge.
The infection chain of DesckVB RAT is fundamentally characterized by its avoidance of traditional file drops, a key element in its evasive strategy. The process begins with the initial, heavily obfuscated JavaScript file acting as the gateway. This file is programmed to drop a PowerShell script into the `C:\Users\Public` directory, a location often overlooked due to its association with legitimate shared files.
Upon execution, the PowerShell script first verifies internet connectivity by attempting to ping Google before initiating contact with a malicious external domain. The C2 domain itself is concealed through a combination of Base64 encoding and string reversal techniques. DesckVB employs the legitimate Windows utility `InstallUtil.exe` to execute its payload. This is a common technique for adversaries seeking to circumvent application control policies and gain privileged execution.
The PowerShell script then proceeds to load `ClassLibrary3.dll` directly into memory. It invokes an obfuscated method, identified as `prFVI`, which subsequently loads `ClassLibrary1.dll`. The `Execute` method within this loader utilizes the `CreateProcessA` function to spawn a new process in a suspended state. This allows the malware to inject its malicious payload into a legitimate process, a technique known as process injection, thereby evading observation by hiding within trusted system processes.
The final payload, masquerading as `Microsoft.exe`, contains encoded string arrays that hold its runtime configuration. Once active, it injects `Keylogger.dll` directly into memory and establishes C2 communication with `manikandan83.mysynology.net` on port `7535`, which resolves to the IP address `45.156.87.226`. Network traffic analysis confirms that the malware transmits its module names and internal operational data to its remote server.
For effective defense against DesckVB RAT and similar threats, security teams should monitor for unusual PowerShell execution patterns, the unexpected invocation of `InstallUtil.exe`, and any outbound network connections to unknown domains or IP addresses. Practical proactive measures include restricting script execution from the `C:\Users\Public` directory and enabling comprehensive PowerShell script logging to identify malicious activity early. Maintaining up-to-date endpoint protection software remains paramount, as current detection tools have demonstrated the capability to flag key components of this malware.
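As an added example (not code from the article or from Point Wild's report), the following Python scans PowerShell script-block log entries (Event ID 4104, which the script logging recommended above produces) for the DesckVB tradecraft described in this article: Base64 decoding combined with string reversal, reflective assembly loading, `InstallUtil.exe` proxy execution, a Google connectivity check, and activity under `C:\Users\Public`. The regexes, the two-indicator alert threshold and the sample log entries are constructed assumptions; the blocks are not captured from the real malware.

```python
import re

# Each entry is (indicator name, compiled regex). Names map to the behaviours
# the article attributes to DesckVB. Case-insensitive because PowerShell is.
INDICATORS = [
    ("base64_decode", re.compile(r"FromBase64String", re.I)),
    ("string_reversal", re.compile(r"\[array\]::Reverse|\[-1\.\.-", re.I)),
    ("reflective_load", re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I)),
    ("installutil_proxy", re.compile(r"InstallUtil(\.exe)?\b", re.I)),
    ("public_dir_use", re.compile(r"C:\\Users\\Public\\", re.I)),
    ("connectivity_check", re.compile(r"Test-Connection\s+google|ping\s+google", re.I)),
]

# Assumed threshold: a single indicator (e.g. a legitimate Public-folder path)
# is noise; two or more distinct indicators in one script block is an alert.
MIN_HITS = 2


def score_block(script_text):
    """Return the sorted list of indicator names found in one script block."""
    return sorted(name for name, rx in INDICATORS if rx.search(script_text))


def scan_4104_events(events):
    """events: iterable of (record_id, script_text) taken from Event ID 4104.
    Returns (record_id, [indicators]) for every block reaching MIN_HITS."""
    alerts = []
    for record_id, text in events:
        hits = score_block(text)
        if len(hits) >= MIN_HITS:
            alerts.append((record_id, hits))
    return alerts


# Constructed sample script blocks (not real telemetry). Record 101 is benign
# use of the Public folder; 102-104 mimic the stages the article describes.
SAMPLE_EVENTS = [
    (101, "Get-ChildItem C:\\Users\\Public\\Documents | Sort-Object Name"),
    (102, "ping google.com; $s='PLACEHOLDER=='; $rev=-join $s[-1..-$s.Length]; "
          "$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($rev))"),
    (103, "[System.Reflection.Assembly]::Load("
          "[IO.File]::ReadAllBytes('C:\\Users\\Public\\ClassLibrary3.dll'))"),
    (104, "Start-Process InstallUtil.exe -ArgumentList "
          "'/logfile= /LogToConsole=false C:\\Users\\Public\\payload.dll'"),
]

if __name__ == "__main__":
    for rid, hits in scan_4104_events(SAMPLE_EVENTS):
        print(f"ALERT record {rid}: {', '.join(hits)}")
```

Tune `INDICATORS` and `MIN_HITS` against your own baseline of script-block logs before deploying; the single-hit record 101 shows why a Public-folder path alone should not page anyone.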

