DesckVB RAT Evades Detection With Obfuscated JavaScript and Fileless .NET Loader
Key Takeaways
- A new Remote Access Trojan, DesckVB, has been identified, actively targeting systems in 2026.
- DesckVB employs sophisticated obfuscation techniques, including heavily disguised JavaScript loaders and fileless .NET execution, to evade traditional security defenses.
- The malware grants attackers comprehensive control over compromised machines, enabling data theft, real-time surveillance, and persistent access.
- Detection is challenging due to in-memory execution, encrypted C2 communications, and the use of legitimate system tools for payload delivery.
- Defenders should focus on monitoring PowerShell activity, restricting script execution in public directories, and updating endpoint protection.
A novel Remote Access Trojan (RAT), dubbed DesckVB, has been observed in active campaigns during 2026. This sophisticated threat employs highly obfuscated JavaScript and a fileless .NET loader to bypass conventional security measures, granting attackers extensive control over victim systems.
DesckVB poses a significant risk to both individuals and organizations, as it facilitates full remote command over compromised machines.
The infection sequence for DesckVB RAT initiates with a JavaScript file, meticulously cloaked through obfuscation. Upon execution, this script surreptitiously deposits a PowerShell script into the C:\Users\Public directory of the target system.
The JavaScript component duplicates its code into both PowerShell and text files, establishing multiple execution pathways for the malware. A key characteristic making this threat particularly insidious is its ability to operate largely without writing core components to disk, significantly complicating detection by traditional antivirus solutions.
Analysts from Point Wild’s LAT61 Threat Intelligence Team conducted a detailed examination of DesckVB RAT, revealing its multi-layered obfuscation strategy designed to conceal its true functionality at every stage of execution.
Their investigation uncovered that the malware strategically combines Base64 encoding with URL string reversal to obscure its command-and-control (C2) server addresses, a technique specifically crafted to bypass automated scanning tools. The overall architectural design of the malware suggests a deep understanding of contemporary security defense mechanisms.
Once fully deployed, DesckVB RAT loads a .NET assembly directly into memory using advanced .NET reflection techniques. This in-memory execution circumvents the necessity of writing any files to the hard drive, allowing the malware to execute its malicious routines without triggering many standard file-based detection systems.
During runtime, the RAT activates a suite of harmful capabilities, including keylogging, access to webcams, evasion of antivirus software, and encrypted communication with its C2 server.
The implications of a DesckVB RAT compromise are extensive and alarming. Attackers can exfiltrate sensitive data, monitor user activities in real time, and maintain persistent access to compromised systems without immediate detection. Its use of encrypted HTTPS traffic over port 443 allows it to blend seamlessly with legitimate internet activity, making network-level detection equally challenging.
The Fileless Infection Chain
A defining characteristic of DesckVB RAT is its ability to progress through infection stages without relying on conventional file drops. The malware’s operational flow begins with the obfuscated JavaScript file, serving as the initial entry point. This script places a PowerShell file directly into C:\Users\Public, leveraging commonly overlooked system directories for its activities.
The PowerShell script first verifies internet connectivity by pinging Google, then attempts to establish a connection with a malicious external domain. The C2 domain is concealed through a combination of Base64 encoding and string reversal. Notably, the malware exploits the legitimate Windows utility InstallUtil.exe to execute its payload, a known technique for evading application control policies.
Subsequently, the script loads ClassLibrary3.dll directly into memory and invokes the obfuscated method prFVI, which then loads ClassLibrary1.dll. The Execute method within this loader utilizes CreateProcessA to spawn a new process in a suspended state before injecting the malicious payload. This process injection technique allows the malware to hide within trusted processes, thereby avoiding detection.
The final payload, identified as Microsoft.exe, contains encoded string arrays that hold a hidden runtime configuration. Once active, it drops Keylogger.dll directly into memory and initiates C2 communication with manikandan83.mysynology.net on port 7535, which resolves to IP address 45.156.87.226. Network captures have confirmed that the malware transmits its module names and internal activity data to its remote server.
What You Should Do
- Monitor PowerShell Execution: Implement robust logging and monitoring for unusual PowerShell script execution, especially from non-standard directories like C:\Users\Public.
- Restrict Script Execution: Configure Group Policies or other security controls to block or severely restrict script execution from public user directories.
- Track InstallUtil.exe Usage: Monitor for unexpected or unauthorized execution of legitimate tools like InstallUtil.exe, which can be abused for payload delivery.
- Enhance Network Monitoring: Look for outbound connections to unknown domains or IP addresses, particularly those using encrypted HTTPS traffic on non-standard ports or behaving unusually on port 443.
- Keep Endpoint Protection Current: Ensure all endpoint detection and response (EDR) and antivirus software is up-to-date, as security vendors have developed signatures for components of this malware.
- Implement Application Whitelisting: Consider application whitelisting to prevent unauthorized executables and scripts from running on critical systems.
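As an added example (not code from the report or from Point Wild’s team), the Python helper below applies the monitoring advice above to PowerShell script-block log text: it flags execution from C:\Users\Public, InstallUtil.exe invocation, reflective assembly loading and the Google connectivity check, and it undoes the Base64-plus-string-reversal layering used to hide the C2 address. The sample log excerpt, the C2 URL inside it and the regex patterns are constructed for illustration and are not indicators from the report.

```python
import base64
import re
from typing import Optional

# Illustrative patterns for the behaviours the report describes (assumption:
# real command lines vary; these are not vendor signatures).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/\S*)?")
INDICATORS = {
    "script_in_public_dir": re.compile(r"C:\\Users\\Public\\", re.I),
    "installutil_invoked": re.compile(r"\bInstallUtil\.exe\b", re.I),
    "reflective_assembly_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\b", re.I),
    "connectivity_check": re.compile(r"(?:Test-Connection|ping)\s+google\.com", re.I),
}

def deobfuscate_url(token: str) -> Optional[str]:
    """Undo Base64 + string reversal. The report does not say which layer is
    applied first, so both orders are tried and only a well-formed URL is accepted."""
    for raw in (token, token[::-1]):
        try:
            text = base64.b64decode(raw, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        for cand in (text, text[::-1]):
            if URL.fullmatch(cand):
                return cand
    return None

def triage_script_block(script_text: str) -> dict:
    """Return the indicator names that fired plus any C2 URLs recovered."""
    fired = [name for name, rx in INDICATORS.items() if rx.search(script_text)]
    urls = [u for u in map(deobfuscate_url, B64_TOKEN.findall(script_text)) if u]
    return {"indicators": fired, "decoded_urls": urls}

# Constructed sample resembling a PowerShell script-block log entry (Event ID 4104).
# The C2 URL and token are made up here; they are not indicators from the report.
_C2 = "https://c2.example.invalid:7535/"
SAMPLE_TOKEN = base64.b64encode(_C2[::-1].encode()).decode()
SAMPLE_SCRIPT_BLOCK = f"""
Test-Connection google.com -Count 1 -Quiet
$enc = "{SAMPLE_TOKEN}"
$stage = "C:\\Users\\Public\\stage.ps1"
[System.Reflection.Assembly]::Load($bytes) | Out-Null
& InstallUtil.exe $stage
"""

if __name__ == "__main__":
    print(triage_script_block(SAMPLE_SCRIPT_BLOCK))
```

Feed it the ScriptBlockText field of Event ID 4104 records (or the contents of any .ps1 found under C:\Users\Public) to get a quick first-pass triage before deeper analysis.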