A new build of the DesckVB Remote Access Trojan (RAT) has been identified in the wild, showing a modular architecture and a multi-stage infection chain.
While the malware family itself is not new, this latest iteration (v2.9.0.0) stands out for its operational stability and plugin-based design, which lets attackers selectively deploy capabilities only after a compromise has succeeded.
The attack lifecycle relies on fileless execution to evade traditional antivirus detection. The infection begins with a Windows Script Host (WSH) JavaScript file.
This Stage 1 payload is heavily obfuscated; upon execution, it copies itself to C:\Users\Public, relaunches via wscript.exe, and dynamically reconstructs a PowerShell payload.
Stages 2 and 3 are PowerShell scripts that perform connectivity checks (pinging Google domains) and anti-analysis checks for attached debuggers.
Once the environment is deemed safe, the script downloads decimal-encoded payload chunks and reconstructs a .NET assembly in memory.
Finally, Stage 4 is a .NET loader that runs the main RAT payload through Assembly.Load() and reflective invocation, so the malicious Portable Executable (PE) is never written to disk, minimizing the forensic footprint.
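The chunk-reassembly step of Stages 3 and 4 can be reproduced on the analyst's side. The following Python is an added example, not code from the report or from the malware: it takes decimal-encoded payload text (the campaign's three staging files, replaced here by a constructed stand-in built from a bare PE header fragment), rebuilds the bytes, checks that the result carries MZ/PE headers, and hashes it for comparison against the SHA256 values in the IOC table below. The page does not show how the numbers are separated inside the chunks, so a comma- or whitespace-separated list is assumed.

```python
from __future__ import annotations

import hashlib
import re
import struct

# SHA256 values taken from the IOC table in this article, used to recognise a
# reassembled blob. Any other hash simply reports as unknown.
KNOWN_SHA256 = {
    "a675f5a396de1fa732a9d83993884b397f02921bbcf34346fbed32c8f4053064": "Loader",
    "affb29980bc9564f1b03fe977e9ca5c7adf254656d639632c4d14e34aa4fdff6": "RAT Payload",
    "ff051dde71487ea459899920ef7014dad8eee4df308eb360555f3e22232c9367": "Webcam Plugin",
}


def decode_decimal_chunks(chunks: list[str]) -> bytes:
    """Rebuild raw bytes from text chunks that list byte values in decimal.

    Assumption: values are separated by commas or whitespace. A value above 255
    means the text is not the format we expect, so we stop rather than guess.
    """
    out = bytearray()
    for chunk in chunks:
        for token in re.findall(r"\d+", chunk):
            value = int(token)
            if value > 255:
                raise ValueError(f"non-byte value {value} in payload text")
            out.append(value)
    return bytes(out)


def inspect_pe(blob: bytes) -> dict:
    """Minimal PE sanity check: MZ magic, e_lfanew, PE signature, COFF fields."""
    info = {"is_mz": blob[:2] == b"MZ", "is_pe": False, "machine": None, "sections": None}
    if not info["is_mz"] or len(blob) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # Signature (4 bytes) plus COFF header (20 bytes) must lie inside the blob.
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, sections = struct.unpack_from("<HH", blob, e_lfanew + 4)
    info.update(is_pe=True, machine=hex(machine), sections=sections)
    return info


def triage(chunks: list[str]) -> dict:
    """Decode, hash and header-check a set of downloaded chunks."""
    blob = decode_decimal_chunks(chunks)
    digest = hashlib.sha256(blob).hexdigest()
    return {"sha256": digest, "known_as": KNOWN_SHA256.get(digest), **inspect_pe(blob)}


# --- constructed stand-in for 01.txt / 02.txt / 03.txt -----------------------

def build_constructed_stub() -> bytes:
    """An 88-byte PE header fragment (not a real executable) for a self-test."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points at offset 0x40
    # COFF header: Machine=i386, 1 section, no timestamp/symbols, 0xE0 optional
    # header bytes, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def encode_decimal_chunks(blob: bytes, n_chunks: int = 3) -> list[str]:
    """Inverse of decode_decimal_chunks, used only to fabricate the sample files."""
    size = -(-len(blob) // n_chunks)  # ceiling division
    return [",".join(str(b) for b in blob[i:i + size]) for i in range(0, len(blob), size)]


if __name__ == "__main__":
    sample_files = encode_decimal_chunks(build_constructed_stub())
    print(triage(sample_files))
```

On real chunks the same call gives you the hash to match against the IOC table and a quick answer to whether the staged text actually decodes to a PE at all; a value above 255 or a missing MZ/PE header means the encoding differs from what the chain was observed to use and deserves a closer look before anything is loaded in a sandbox.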
A companion repository accompanies the full technical report, which documents an active malware ecosystem centered on DesckVB RAT, a modular .NET Remote Access Trojan observed in live campaigns in early 2026.
C2 Protocol and Runtime Decryption
Upon execution, the DesckVB RAT performs runtime decryption of its Command and Control (C2) configuration, revealing the host IP, port, mutex, and capability flags. The malware utilizes a custom TCP protocol for communication.
Although the C2 infrastructure was inactive during analysis, researchers successfully reconstructed the protocol using historical PCAP data.
Messages use a fixed field delimiter (||) and a fixed terminator (#Sucess#). Because these markers stay constant across samples, defenders can detect the protocol at the network layer even when the attacker moves to new server infrastructure.
The core strength of DesckVB lies in its modularity. Rather than carrying every feature at once, the malware fetches plugin DLLs from the C2 on demand using a command that begins with the string RunBlugin||.
| Plugin Name | Functionality |
|---|---|
| DetectarAntivirus.dll | Enumerates installed security products and reports them to the C2. |
| Keylogger.dll | Uses SetWindowsHookEx for low-level keyboard hooking, clipboard interception, and active window tracking. |
| Webcam.dll | Utilizes the AForge library (DirectShow) to stream JPEG frames. It attempts to suppress the camera LED via registry modifications. |
| Ping_Net.dll | Performs ICMP probes and can execute HTTP(S) requests to attacker-supplied URLs. |
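As an added example (not part of the report), the following Python shows why the two fixed markers make the traffic detectable independently of the C2 host: an incremental framer that splits a TCP byte stream on the #Sucess# terminator and the || delimiter, handling a terminator that arrives split across two reads, plus a helper that pulls plugin names out of RunBlugin messages. The sample stream is constructed, and the assumption that the plugin DLL name is the field directly after RunBlugin|| is mine; the report only shows the command prefix.

```python
from __future__ import annotations

DELIM = b"||"
TERM = b"#Sucess#"  # terminator exactly as observed in the PCAPs, misspelling included
PLUGIN_CMD = b"RunBlugin"


class DesckVBFramer:
    """Incremental framer for the delimiter-based DesckVB C2 stream.

    feed() accepts whatever a TCP read returned and yields only complete
    messages, so a terminator straddling two reads is reassembled correctly.
    """

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> list[list[bytes]]:
        self._buf += data
        messages: list[list[bytes]] = []
        while (idx := self._buf.find(TERM)) >= 0:
            raw = bytes(self._buf[:idx])
            del self._buf[: idx + len(TERM)]
            messages.append(raw.split(DELIM))
        return messages

    @property
    def pending(self) -> int:
        """Bytes held back because their terminator has not arrived yet."""
        return len(self._buf)


def extract_plugin_loads(messages: list[list[bytes]]) -> list[str]:
    """Return plugin names requested via RunBlugin.

    Assumption (not stated in the report): the DLL name is the field that
    immediately follows the RunBlugin command.
    """
    names: list[str] = []
    for fields in messages:
        if len(fields) > 1 and fields[0] == PLUGIN_CMD:
            names.append(fields[1].decode("latin-1"))
    return names


def looks_like_desckvb(payload: bytes) -> bool:
    """Network-level heuristic: a terminator preceded by at least one delimiter.

    Neither marker depends on the C2 address or port, which is the property
    that survives an infrastructure change.
    """
    idx = payload.find(TERM)
    return idx >= 0 and DELIM in payload[:idx]


# Constructed sample: two complete messages and the start of a third, split so
# that the first terminator arrives in two pieces ("#Suc" then "ess#").
SAMPLE_READS = [
    b"RunBlugin||Keylogger.dll#Suc",
    b"ess#RunBlugin||Webcam.dll#Sucess#RunBlugin||Ping_",
]

if __name__ == "__main__":
    framer = DesckVBFramer()
    messages = [m for chunk in SAMPLE_READS for m in framer.feed(chunk)]
    print("messages:", messages)
    print("plugins requested:", extract_plugin_loads(messages))
    print("bytes still buffered:", framer.pending)
```

The same two content matches translate directly into an IDS signature on the TCP payload; the framer is what you reach for when reconstructing a session from a capture, because splitting a raw stream on the terminator without buffering would silently drop any message whose terminator was split by segmentation.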
Builder Analysis
Analysis of a cracked v2.6 builder in an isolated environment confirmed strong continuity in configuration structure and naming conventions with the live v2.9 samples.
Furthermore, the string “Pjoao1578” appears repeatedly in metadata (e.g., CompanyName: Pjoao1578Developer) and in debug paths.
While this does not support definitive personal attribution, it strongly suggests a shared toolchain or build environment. Such metadata is valuable for threat clustering, allowing analysts to track the evolution of the malware family across campaigns.
Indicators of Compromise
File Artifacts (SHA256)
| Component / File Type | SHA256 Hash |
|---|---|
| Stage 1 JS | 9d9cfe5b31a3b020e3c65d440d8355e33f7c056b087ec6aba3093ae1a099ac0 |
| PowerShell Script | 347621f7a3392939d9bdbe8a6c9fda30ba9d3f23cb6733484da8e2993772b7f3 |
| Loader | a675f5a396de1fa732a9d83993884b397f02921bbcf34346fbed32c8f4053064 |
| RAT Payload | affb29980bc9564f1b03fe977e9ca5c7adf254656d639632c4d14e34aa4fdff6 |
| Webcam Plugin | ff051dde71487ea459899920ef7014dad8eee4df308eb360555f3e22232c9367 |
Network Indicators
| Indicator Type | Value | Context |
|---|---|---|
| C2 Address | manikandan83[.]mysynology[.]net:7535 | Primary Command & Control |
| Staging URL | hxxps://andrefelipedonascime1768785037020[.]1552093[.]meusitehostgator[.]com[.]br/.../01.txt | Payload Download |
| Staging URL | .../02.txt | Payload Download |
| Staging URL | .../03.txt | Payload Download |
| Staging URL | .../PeYes | Payload Download |