[Figure: Malware flow. Image: Lat61 Threat Intelligence Team]
The Lat61 Threat Intelligence Team has pulled back the curtain on DesckVB RAT, a highly active and elusive JavaScript-based Trojan that has been wreaking havoc throughout 2026. This sophisticated malware is a master of evasion, utilizing a complex, multi-staged infection chain designed to bypass traditional security defenses by operating almost entirely in system memory.
Once it takes hold, the RAT establishes an encrypted connection to a command-and-control (C2) server, granting attackers the ability to “remotely control the compromised system, exfiltrate sensitive data, and carry out various malicious activities while maintaining a low detection footprint”.
The attack begins with a “heavily obfuscated” JavaScript file that acts as the initial spark. This script doesn’t just run; it replicates itself into both PowerShell and text files to ensure it gains a foothold.
The process then moves into a series of strategic maneuvers:
- PowerShell Deployment: The JS file drops a PowerShell script—often hidden in the C:\Users\Public directory—which initiates the first stage of the infection.
- The .NET Loader: This script subsequently loads a .NET-based loader “directly into memory”. By using techniques like in-memory assembly execution and .NET reflection, the malware can “run without writing files to disk”.
- Process Hijacking: The loader often leverages legitimate Windows utilities like InstallUtil.exe to spawn new processes in a suspended state, injecting its malicious payload before the system can flag it.
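The three stages above form a parent/child process chain (script host, then PowerShell with a script under C:\Users\Public, then InstallUtil.exe) that defenders can look for in process-creation telemetry. The following is an added example, not Lat61's code: a small detector run over constructed sample events. The event fields (pid, parent pid, image name, command line) and the file name stage1.ps1 are assumptions made for the example; the suspended-state creation flag mentioned in the article is not part of this schema.

```python
# Added example (not Lat61's code): detect the JS -> PowerShell -> InstallUtil
# chain described in the article in process-creation events.
# Field names are assumptions for this example; map them to your EDR or
# Sysmon (Event ID 1) fields as appropriate.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str      # executable file name
    cmdline: str    # full command line


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PUBLIC_DIR = r"c:\users\public"


def normalise(e: ProcEvent) -> ProcEvent:
    """Lower-case image and command line so comparisons are case-insensitive."""
    return ProcEvent(e.pid, e.parent_pid, e.image.lower(), e.cmdline.lower())


def find_chain_alerts(events):
    """Return (rule_name, pid) findings for each stage of the chain that is present."""
    by_pid = {e.pid: normalise(e) for e in events}
    alerts = []
    for e in by_pid.values():
        parent = by_pid.get(e.parent_pid)
        if parent is None:
            continue
        # Stage 1: a script host launches PowerShell with a script under C:\Users\Public
        if (parent.image in SCRIPT_HOSTS and e.image == "powershell.exe"
                and PUBLIC_DIR in e.cmdline):
            alerts.append(("js_drops_public_powershell", e.pid))
        # Stage 2/3: PowerShell launches InstallUtil.exe, the utility the loader
        # abuses as a host process for its in-memory .NET payload
        if parent.image == "powershell.exe" and e.image == "installutil.exe":
            alerts.append(("powershell_spawns_installutil", e.pid))
    return alerts


# Constructed sample telemetry for the example, not real capture data.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", 'wscript.exe "C:\\Users\\victim\\Downloads\\invoice.js"'),
    ProcEvent(300, 200, "powershell.exe",
              "powershell.exe -ep bypass -w hidden -f C:\\Users\\Public\\stage1.ps1"),  # stage1.ps1 is a placeholder name
    ProcEvent(400, 300, "InstallUtil.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe Get-Process"),  # benign admin use, no alert
]

if __name__ == "__main__":
    for rule, pid in find_chain_alerts(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The benign PowerShell launched from Explorer (pid 500) produces no finding, which is the point of keying on the parent image and the C:\Users\Public path rather than on PowerShell alone.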
The authors of DesckVB RAT have gone to great lengths to hide their tracks. Analysts found that the malware uses “Base64 encoding combined with string reversal to conceal its command-and-control (C2) or payload hosting domain”. For example, one string was decoded to reveal a reversed URL pointing to pastee.dev.
Even the malware’s internal configuration is masked. Researchers observed a string array initialized with “encoded or unreadable values,” which, when viewed at runtime, transformed into a hidden configuration set for the C2 server.
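Both obfuscation tricks described above (Base64 combined with string reversal for the C2 or payload-hosting domain, and a string array whose elements only become readable at runtime) can be undone statically during triage. The following is an added example, not Lat61's code: a helper that Base64-decodes a token, reverses the result and keeps only printable text, then applies that to a constructed string array and to a constructed script fragment. The sample values, including the placeholder path under pastee.dev and the c2.example.invalid host, are made up for the example.

```python
# Added example (not Lat61's code): undo the "Base64 then string reversal"
# obfuscation the article describes, and apply it to a constructed string array
# standing in for the RAT's hidden configuration.
import base64
import binascii
import re

# A run of Base64 alphabet characters long enough to be worth decoding
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Something that looks like a URL or a bare host name
URL_LIKE = re.compile(r"^(https?://|[a-z0-9.-]+\.[a-z]{2,})", re.I)


def decode_reversed_b64(token: str):
    """Base64-decode a token and reverse it; None if it is not valid, printable text."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not text.isprintable():
        return None
    return text[::-1]


def recover_config(values):
    """Map each array element to its decoded form, or keep it as-is when not obfuscated."""
    return {v: (decode_reversed_b64(v) or v) for v in values}


def extract_candidate_domains(script_text: str):
    """Scan a script for Base64-looking tokens whose reversed decoding looks like a URL or host."""
    found = []
    for token in B64_TOKEN.findall(script_text):
        decoded = decode_reversed_b64(token)
        if decoded and URL_LIKE.match(decoded):
            found.append(decoded)
    return found


# --- Constructed sample input (not from a real sample) ---
def _obfuscate(s: str) -> str:
    """Mirror of the scheme the article describes, used only to build test input."""
    return base64.b64encode(s[::-1].encode()).decode()


SAMPLE_CONFIG = [
    _obfuscate("https://pastee.dev/PLACEHOLDER-PATH"),  # payload host; path is a placeholder
    _obfuscate("c2.example.invalid:443"),              # C2 endpoint; placeholder host
    "DetectAV",                                        # plain module names are left untouched
    "Ping",
]
SAMPLE_JS = 'var a=["' + '","'.join(SAMPLE_CONFIG) + '"];'

if __name__ == "__main__":
    for encoded, decoded in recover_config(SAMPLE_CONFIG).items():
        print(f"{encoded!r} -> {decoded!r}")
    print(extract_candidate_domains(SAMPLE_JS))
```

Plain module names such as DetectAV and Ping survive untouched because they either fail strict Base64 decoding or decode to non-printable bytes, so the same pass can be run over a whole string array without first knowing which elements are encoded.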
Once DesckVB RAT is fully operational, it deploys a suite of modules that turn the compromised host into an open book for the attackers. These capabilities include:
- Keylogging: Actively capturing every keystroke made by the user.
- Surveillance: Gaining unauthorized access to the system’s webcam.
- AV Detection: The malware includes a DetectAV module that “is actively communicating information related to antivirus detection,” allowing it to adjust its behavior to remain undetected.
- Connectivity Checks: A Ping module is used to “check connectivity with its command-and-control (C2) server”.
To further evade detection, the RAT’s network traffic is designed to look like normal web activity. The malware initiates outbound encrypted connections over port 443, using standard TLS handshakes to secure its communication. Because this is the “standard for HTTPS traffic”, security teams cannot easily inspect the payload contents.
As DesckVB RAT continues to evolve, the Lat61 Threat Intelligence Team warns that its “use of legitimate ports and encryption is a common evasion technique,” allowing it to blend in with normal web traffic while it exfiltrates your most sensitive data. In the face of such a high-fidelity threat, traditional disk-based scanning is no longer enough—memory forensics and behavioral analysis have become the new front lines of defense.