DesckVB RAT: Multi-stage Infection & Chain Plugin-Based


Marcus Rodriguez
February 5, 2026 2 Min Read

DesckVB RAT version 2.9, a sophisticated new modular Remote Access Trojan, has recently surfaced. Built on the .NET framework, this threat has been observed in active malware campaigns throughout early 2026.

Unlike simple backdoors, this threat demonstrates a high level of operational maturity, designed to establish persistent control over compromised systems while evading traditional defense mechanisms.

The malware initiates its attack through a highly obfuscated Windows Script Host (WSH) JavaScript file.

This initial stager performs critical setup tasks, such as copying itself to public user directories and executing via the wscript engine to mask its activity.

By leveraging native Windows components, the attackers can blend their malicious activity with legitimate system processes, complicating detection efforts for security teams.

GitHub analysts noted that this initial activity is merely a gateway, setting the stage for a more potent payload.

Following the initial execution, the infection chain transitions into a PowerShell stage that performs rigorous anti-analysis checks.

It verifies internet connectivity and scans for debugging tools, ensuring the environment is safe before downloading the core malicious components. This careful validation prevents the malware from executing in sandboxes.

The impact of DesckVB RAT lies in its stability and stealth. By using a fileless .NET loader, the malware executes directly in memory without leaving a physical footprint on the disk.

This “living off the land” approach allows it to bypass many static file scanning defenses, making forensic analysis significantly more challenging for incident responders.

Modular Plugin Ecosystem

The most defining feature of DesckVB RAT is its robust plugin-based architecture, which allows operators to extend capabilities dynamically.

Instead of bundling every malicious function into a single executable, the attackers can selectively deploy specific modules post-compromise based on the target’s value.

Validated plugins include a comprehensive keylogger that tracks active windows, a webcam streamer using DirectShow, and an antivirus enumerator that reports installed security products.

These modules are delivered via a custom TCP protocol that uses distinct delimiters to manage payloads.

This flexibility transforms the RAT from a simple backdoor into a versatile espionage tool, capable of adapting to various operational needs without requiring a complete re-infection of the host system.

Security professionals are advised to focus on behavioral detection to mitigate this threat.

Monitoring for unusual wscript.exe execution and PowerShell scripts building decimal byte arrays can provide early warning signs.

Ensuring that endpoint detection systems are tuned to spot reflective code loading is also essential for effective mitigation against these evolving attacks.
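
The following is an added example, not code from the original article or from the analysts it cites: a small triage script applying the behavioral checks above (script-host execution from public user directories, PowerShell building decimal byte arrays, reflective assembly loading). The event field names, file names, sample records and the 256-element threshold are assumptions constructed for illustration.

```python
import re

# Constructed sample telemetry (not from a real incident): process-creation
# records and PowerShell script-block text as an EDR or log pipeline might expose.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\update.js"'},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\Public\readme.txt"},
]
SCRIPT_BLOCKS = [
    "[byte[]]$b = @(" + ",".join(str(i % 256) for i in range(400))
    + "); [Reflection.Assembly]::Load($b)",
    "$ports = @(80,443,8080); Test-NetConnection -Port $ports[0]",
    "Get-ChildItem C:\\Temp | Sort-Object Length",
]

PUBLIC_DIR = re.compile(r"\\users\\public\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
NUMBER_RUN = re.compile(r"\b\d{1,3}(?:\s*,\s*\d{1,3})+\b")
REFLECTIVE = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\b", re.I)

def wscript_from_public(event):
    """True when a script host runs a script file stored under C:\\Users\\Public."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    return (image.endswith(("\\wscript.exe", "\\cscript.exe"))
            and bool(PUBLIC_DIR.search(cmd)) and bool(SCRIPT_EXT.search(cmd)))

def longest_byte_array(text):
    """Element count of the longest comma-separated run of values in 0..255."""
    best = 0
    for match in NUMBER_RUN.finditer(text):
        values = [int(v) for v in match.group().split(",")]
        if all(v <= 255 for v in values):
            best = max(best, len(values))
    return best

def score_script_block(text, min_bytes=256):
    """Return the behavioral indicators present in one PowerShell script block."""
    findings = []
    if longest_byte_array(text) >= min_bytes:  # threshold is an assumed tuning value
        findings.append("decimal_byte_array")
    if REFLECTIVE.search(text):
        findings.append("reflective_load")
    return findings

if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        print(wscript_from_public(ev), ev["cmdline"])
    for sb in SCRIPT_BLOCKS:
        print(score_script_block(sb), sb[:60])
```

Short numeric lists such as port arrays stay below the threshold, which keeps ordinary administrative scripts from alerting; tune `min_bytes` against your own script-block baseline.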

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
