DesckVB RAT Evades Detection With Obfuscated JavaScript and Fileless .NET Loader

Sarah simpson
April 10, 2026

Key Takeaways

  • A new Remote Access Trojan, DesckVB, has been identified, actively targeting systems in 2026.
  • DesckVB employs sophisticated obfuscation techniques, including heavily disguised JavaScript loaders and fileless .NET execution, to evade traditional security defenses.
  • The malware grants attackers comprehensive control over compromised machines, enabling data theft, real-time surveillance, and persistent access.
  • Detection is challenging due to in-memory execution, encrypted C2 communications, and the use of legitimate system tools for payload delivery.
  • Defenders should focus on monitoring PowerShell activity, restricting script execution in public directories, and updating endpoint protection.

A novel Remote Access Trojan (RAT), dubbed DesckVB, has been observed in active campaigns during 2026. This sophisticated threat employs highly obfuscated JavaScript and a fileless .NET loader to bypass conventional security measures, granting attackers extensive control over victim systems.

DesckVB poses a significant risk to both individuals and organizations, as it facilitates full remote command over compromised machines.

The infection sequence for DesckVB RAT initiates with a JavaScript file, meticulously cloaked through obfuscation. Upon execution, this script surreptitiously deposits a PowerShell script into the C:\Users\Public directory of the target system.

The JavaScript component duplicates its code into both PowerShell and text files, establishing multiple execution pathways for the malware. A key characteristic making this threat particularly insidious is its ability to operate largely without writing core components to disk, significantly complicating detection by traditional antivirus solutions.

Analysts from Point Wild’s LAT61 Threat Intelligence Team conducted a detailed examination of DesckVB RAT, revealing its multi-layered obfuscation strategy designed to conceal its true functionality at every stage of execution.

Their investigation uncovered that the malware strategically combines Base64 encoding with URL string reversal to obscure its command-and-control (C2) server addresses, a technique specifically crafted to bypass automated scanning tools. The overall architectural design of the malware suggests a deep understanding of contemporary security defense mechanisms.

Once fully deployed, DesckVB RAT loads a .NET assembly directly into memory using advanced .NET reflection techniques. This in-memory execution circumvents the necessity of writing any files to the hard drive, allowing the malware to execute its malicious routines without triggering many standard file-based detection systems.

During runtime, the RAT activates a suite of harmful capabilities, including keylogging, access to webcams, evasion of antivirus software, and encrypted communication with its C2 server.

The implications of a DesckVB RAT compromise are extensive and alarming. Attackers can exfiltrate sensitive data, monitor user activities in real time, and maintain persistent access to compromised systems without immediate detection. Its use of encrypted HTTPS traffic over port 443 allows it to blend seamlessly with legitimate internet activity, making network-level detection equally challenging.

The Fileless Infection Chain

A defining characteristic of DesckVB RAT is its ability to progress through infection stages without relying on conventional file drops. The malware’s operational flow begins with the obfuscated JavaScript file, serving as the initial entry point. This script places a PowerShell file directly into C:\Users\Public, leveraging commonly overlooked system directories for its activities.

The PowerShell script first verifies internet connectivity by pinging Google, then attempts to establish a connection with a malicious external domain. The C2 domain is concealed through a combination of Base64 encoding and string reversal. Notably, the malware exploits the legitimate Windows utility InstallUtil.exe to execute its payload, a known technique for evading application control policies.

Subsequently, the script loads ClassLibrary3.dll directly into memory and invokes the obfuscated method prFVI, which then loads ClassLibrary1.dll. The Execute method within this loader utilizes CreateProcessA to spawn a new process in a suspended state before injecting the malicious payload. This process injection technique allows the malware to hide within trusted processes, thereby avoiding detection.

The final payload, identified as Microsoft.exe, contains encoded string arrays that hold a hidden runtime configuration. Once active, it drops Keylogger.dll directly into memory and initiates C2 communication with manikandan83.mysynology.net on port 7535, which resolves to IP address 45.156.87.226. Network captures have confirmed that the malware transmits its module names and internal activity data to its remote server.

What You Should Do

  • Monitor PowerShell Execution: Implement robust logging and monitoring for unusual PowerShell script execution, especially from non-standard directories like C:\Users\Public.
  • Restrict Script Execution: Configure Group Policies or other security controls to block or severely restrict script execution from public user directories.
  • Track InstallUtil.exe Usage: Monitor for unexpected or unauthorized execution of legitimate tools like InstallUtil.exe, which can be abused for payload delivery.
  • Enhance Network Monitoring: Look for outbound connections to unknown domains or IP addresses, particularly those using encrypted HTTPS traffic on non-standard ports or behaving unusually on port 443.
  • Keep Endpoint Protection Current: Ensure all endpoint detection and response (EDR) and antivirus software is up-to-date, as security vendors have developed signatures for components of this malware.
  • Implement Application Whitelisting: Consider application whitelisting to prevent unauthorized executables and scripts from running on critical systems.
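As an added illustration of the monitoring advice above (example code written for this article, not code from the original report or from Point Wild), here is a small Python triage routine run over constructed process-creation events: it flags PowerShell scripts launched from C:\Users\Public, any InstallUtil.exe execution, and command-line tokens that Base64-decode to a reversed URL, the obfuscation described earlier. The event field names, the sample lines and the example C2 domain are assumptions.

```python
import base64
import re

PUBLIC_DIR = r"c:\users\public"
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def reveal_reversed_b64(token):
    """Base64-decode a token, reverse the text and return it if it is a URL.
    Mirrors the Base64-plus-string-reversal trick used to hide the C2 address."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64 (wrong alphabet or padding) or not text
    candidate = text[::-1]
    return candidate if candidate.startswith(("http://", "https://")) else None

def hidden_urls(cmdline):
    """Return every URL recovered from Base64-looking tokens in a command line."""
    found = (reveal_reversed_b64(t) for t in B64_TOKEN.findall(cmdline))
    return [u for u in found if u]

def triage(event):
    """Return the detection labels that apply to one process-creation event."""
    findings = []
    image, cmd = event["image"].lower(), event["cmdline"]
    if image.endswith("powershell.exe") and PUBLIC_DIR in cmd.lower():
        findings.append("powershell-from-public-dir")
    if image.endswith("installutil.exe"):
        findings.append("installutil-execution")
    findings.extend("hidden-c2-url:" + u for u in hidden_urls(cmd))
    return findings

# Constructed sample events (Sysmon Event ID 1 / Security 4688 style, simplified).
# The URL uses a reserved example domain; it is not an indicator from the campaign.
SAMPLE_BLOB = base64.b64encode("https://c2.example.invalid/gate"[::-1].encode()).decode()
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\Public\update.ps1"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe C:\Users\Public\ClassLibrary3.dll"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"$s='" + SAMPLE_BLOB + "'\""},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", triage(ev) or "clean")
```

The Base64 check deliberately ignores long identifiers such as WindowsPowerShell, which fail strict decoding, so ordinary paths do not produce noise.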
