---
title: DesckVB RAT Delivered Through .NET Loader Chain Targeting Professional Service Firms - Capstone Technologies Group
description: Analyze how DesckVB RAT propagates via .NET loader, JScript, and PowerShell droppers. Technical breakdown of malspam delivery chain affecting regulated…
canonical_url: https://captechgroup.com/threat-intelligence-center/desckvb-rat-delivered-through-net-loader-chain-tar-e7b99e
language: en-GB
date: 2026-06-11T18:13:35Z
notice: This is a machine-friendly version of the page at https://captechgroup.com/threat-intelligence-center/desckvb-rat-delivered-through-net-loader-chain-tar-e7b99e. Schema.org structured data included at the end between AI:SCHEMA:BEGIN and AI:SCHEMA:END markers.
markdown-tokens: 5497
---



Professional services firms hold the keys to the corporate kingdom. Your client lists read like a Fortune 500 directory, your servers store merger documents worth billions, and your email threads contain the strategic plans of entire industries. This concentrated access to high-value data makes you a prime target for sophisticated threat actors deploying precision tools like the .NET loader discovered in May 2026. (Source: [Huntress](https://www.huntress.com/blog/malspam-to-loader-delivery-chain-analysis "Source: Huntress"))

The attack chain analyzed by Huntress reveals why professional services are particularly vulnerable: the malware's initial lure masquerades as a purchase order—exactly the type of routine business document that flows through accounting firms, legal practices, and consulting agencies hundreds of times daily. The German-language "Bestellung\_2026.html" attachment exploits the international nature of modern professional services, where cross-border transactions are standard operating procedure.

Consider the cascading impact of a single compromised professional services firm. A mid-sized accounting practice typically maintains direct access to the financial systems of 50-200 clients. Law firms store intellectual property portfolios, litigation strategies, and confidential settlement negotiations. Management consultants possess organizational charts, security assessments, and digital transformation roadmaps that map out entire corporate infrastructures.

**The regulatory exposure alone can destroy a practice.** Under GDPR, a breach affecting EU client data triggers a 72-hour notification requirement with potential fines reaching 4% of global annual revenue. State breach notification laws in the US require individual notifications to affected parties within 30-60 days, depending on jurisdiction. For a firm handling healthcare clients, HIPAA violations add penalties up to $2 million per violation type per year.




The loader's sophisticated anti-analysis capabilities suggest attackers expect to operate in environments with advanced security controls—exactly what you'd find at major professional services firms. The malware checks for virtual machines, sandboxes, and analysis tools before executing, then establishes persistence through multiple mechanisms including scheduled tasks disguised as NVIDIA driver updates. This isn't spray-and-pray malware; it's designed to evade the exact defenses that protect high-value corporate networks.

Client trust evaporates instantly upon breach disclosure. When Mossack Fonseca suffered the Panama Papers breach, the firm collapsed within two years despite four decades of operations. The NotPetya attack cost Maersk $300 million, but their law firm faced separate litigation for failing to protect client data during the incident. Professional services firms don't just lose data in a breach—they lose their professional reputation, client relationships, and often their ability to obtain cyber insurance at any price.

The loader's enumeration of GPU specifications and AV products during initial reconnaissance indicates attackers profile each victim before deploying additional payloads. They're not looking for random targets; they're identifying high-value environments worth the effort of hands-on exploitation. Your firm's value isn't measured in your own data—it's measured in the collective worth of every client relationship, every privileged communication, and every strategic document passing through your systems.

## Multi-Stage Infection: Dissecting the .NET Loader Chain

The .NET loader campaign demonstrates how modern malware chains leverage legitimate Windows infrastructure to evade detection at every stage. The infection begins when victims receive **Bestellung\_2026.html**, a minimal HTML attachment containing nothing but a zero-second meta-refresh redirect. This redirect chains through `ad.doubleclick[.]net/ddm/trackclk/` with campaign identifiers `dc_trk_aid=466016770` and `dc_trk_cid=131101292`, exploiting Google's advertising infrastructure to bypass email security filters that trust high-reputation domains.

The DoubleClick URL forwards victims to `fostercareintheus.optimizationprime[.]com`, which serves as a redirector stage that decodes the base64-encoded email address from the URL fragment. This intermediate hop creates distance between the trusted Google domain and the actual malware infrastructure, making attribution harder for incident responders tracking the infection chain backwards.

The final landing occurs at `bth.startthewave[.]org/a/#` where JavaScript functions `setupEmailAndUI()` and `fetchLocationAndTime()` dynamically customize the lure page. The kit pulls company logos through a fallback chain—Clearbit, logo.dev, Google favicons, favicone, DuckDuckGo—and queries `ipapi[.]co/json/` to display the victim's location data. When victims click "PDF herunterladen," the page POSTs their email to `pengajian.muliastudy[.]com/images/edu/u.php`, which responds with **A021185521S210008-11521.zip**.

Inside the ZIP, **A021185521S210008-11521.js** contains heavily obfuscated JScript padded with Portuguese-language comments and Unicode garbage. The script checks its execution path via `WScript.ScriptFullName`—if running from Temp or Downloads folders, it copies itself to `C:\Users\Public\ktncm.js` and relaunches with `wscript.exe //nologo`. This relocation ensures the malware persists beyond temporary directories that users might clean.

The JScript extracts a base64 blob mangled with literal 'A' characters and '9999' tokens, repairs it through string replacements, and writes the decoded PowerShell to `C:\Users\Public\nlbzl.ps1`. Execution occurs via `powershell -ExecutionPolicy Bypass -file`, triggering the next stage while maintaining a minimal process tree footprint.

The PowerShell dropper performs connectivity checks to `www.google.com` and scans for analysis tools including Dbgview, tcpvcon, Wireshark, ImmunityDebugger, and strings like "any.run" or "sandbox." Detection triggers `Restart-Computer -Force`, a brutal but effective anti-analysis technique. The script downloads **03.txt** from `andrefelipedonascime1778799406970.2241107.meusitehostgator[.]com[.]br/GpazlLUWIJ_14_05_Meus_ArquivosDeTexto/`, splits the response on a `%x%` delimiter, and writes the second chunk to `C:\Users\Public\gglhn.txt`.

The PowerShell then assembles another script as `C:\Users\Public\shmvg_01.ps1`, which performs the critical .NET reflective load using `[Reflection.Assembly]::Load`. It resolves type `ClassLibrary3.Class1` and invokes method `prFVI`, passing `InstallUtil.exe` from `C:\Windows\Microsoft.NET\Framework\v4.0.30319\` as an argument for signed-binary proxy execution.

The loaded .NET assembly creates deeply nested directories under `%UserProfile%\AppData\LocalLow\` using NVIDIA-themed names like "LocalLow Windows\\Program Rules\\Program Rules NVIDEO" repeated across multiple levels. It downloads **01.txt** and **02.txt** from the same Brazilian hosting infrastructure, plus **bl.txt** from `catalogo.castrouria[.]com/c84da/`, using a hardcoded Internet Explorer 8 User-Agent string to blend with legacy enterprise traffic.

The loader establishes persistence through `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `RunOnce` registry keys named `Update Drivers NVIDEO_` with random suffixes. It creates scheduled tasks with randomized 8-11 minute intervals using XML definitions written to `{GUID}.xml` files, executed via `schtasks /Create /TN`, then immediately deleted. The final payload injection targets either `InstallUtil.exe` or `MSBuild.exe` through process hollowing, using standard RunPE APIs but with mangled function names—`VirteyQDs64x` for VirtualAllocEx, retaining the Portuguese word "criando" in CreateProcessA wrappers.

### .NET Loader Campaign: Infection Chain

1. `Bestellung_2026.html`: victim receives an HTML attachment with a zero-second meta-refresh redirect.
2. `ad.doubleclick.net/ddm/trackclk/`: chains through Google DoubleClick to bypass email filters.
3. `bth.startthewave.org`: JavaScript customizes the page with the victim's location and company logos.
4. `A021185521S210008-11521.zip`: ZIP file containing obfuscated JScript with Portuguese comments.
5. `C:\Users\Public\nlbzl.ps1`: JScript extracts and launches PowerShell with the bypass execution policy.

## Detection and Hunting: Specific Artifacts and Behavioral Signals

The .NET loader leaves distinct forensic breadcrumbs that defenders can leverage for rapid detection. Start with the simplest wins: monitor for `wscript.exe` executing files from `C:\Users\Public\` with parameters containing `//nologo`. This specific combination appears consistently across infections and triggers minimal false positives in most environments.

Registry artifacts provide another reliable detection vector. The loader creates Run and RunOnce entries under `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\` with names matching the pattern `Update Drivers NVIDEO_*` where the asterisk represents random characters. These entries execute PowerShell commands with `-WindowStyle Hidden -ExecutionPolicy Bypass` flags pointing to scripts in deeply nested LocalLow directories.

File system artifacts cluster in predictable locations. Look for `.ps1` and `.txt` files in `%USERPROFILE%\AppData\LocalLow\LocalLow Windows\Program Rules\Program Rules NVIDEO\`. The repetitive NVIDIA-themed folder structure stands out during forensic analysis. Additionally, monitor for temporary XML files matching GUID patterns in temp directories—these contain scheduled task definitions that the loader creates and deletes within seconds.

PowerShell command-line monitoring reveals characteristic execution patterns. Alert on PowerShell processes launched with these specific argument combinations: `-ExecutionPolicy Bypass -file C:\Users\Public\*.ps1` or containing base64 strings with embedded `9999` or repeated `A` characters. The loader's PowerShell stages consistently use `Test-Connection` to check connectivity to www.google.com followed immediately by process enumeration queries.

Network signatures offer high-confidence detection opportunities. Monitor for TCP connections to domains matching `*.ddns.net` patterns, particularly `xtadts.ddns[.]net` and `afxwd.ddns[.]net`. The loader uses a distinctive Internet Explorer 8 User-Agent string for payload retrieval that hasn't been legitimate browser traffic for years. Flag any process making HTTPS requests with User-Agent containing `MSIE 8.0; Windows NT 6.0; WOW64`.

Process tree anomalies provide behavioral detection beyond static signatures. Alert when `InstallUtil.exe` or `MSBuild.exe` spawn network connections or create child processes—these signed Microsoft binaries should never exhibit this behavior in normal operations. Similarly, flag instances where these processes allocate large amounts of memory or have their memory protection modified via VirtualProtectEx calls.

Memory-based detection focuses on AMSI and ETW tampering. Monitor for processes that patch `AmsiScanBuffer` or `EtwEventWrite` functions in memory. The loader specifically targets `NtManageHotPatch` on Windows 11 24H2 builds (26100+), overwriting it with `0xC00000BB` return codes. These patches leave detectable memory artifacts even after the initial infection stage completes.

WMI activity provides another detection avenue. The loader queries `AntivirusProduct` from the `SecurityCenter2` namespace during reconnaissance. It also enumerates `Win32_VideoController` specifically looking for strings containing "GTX", "RTX", or "Radeon"—unusual behavior for non-gaming applications. Treat these two WMI queries occurring within seconds of each other from the same process as a high-fidelity detection rule.

For immediate detection wins, prioritize monitoring scheduled tasks created with randomized 8-11 minute intervals (`PT8M` through `PT11M`) and PowerShell adding Defender exclusions for entire drive paths. These behaviors rarely occur in legitimate administrative activity and provide quick identification of active infections before deeper forensic analysis.
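The behavioural signals listed in this section can be expressed as a small rule set and exercised against sample telemetry. The following block is an added example, not code from the page, Huntress, or Capstone; it assumes a Sysmon-like event shape (`type`, `image`, `cmdline`, `dest_host`, `user_agent`, `interval`) and constructs its own sample events, including benign ones that must not fire, so the rules can be run and tuned offline.

```python
"""Evaluate constructed endpoint telemetry against the loader's behavioural signals."""
import re
from pathlib import PureWindowsPath

# Constructed sample events in a Sysmon-like shape; none of these are real telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //nologo C:\Users\Public\ktncm.js"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -file C:\Users\Public\nlbzl.ps1"},
    {"type": "network_connect",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "dest_host": "xtadts.ddns.net", "dest_port": 443},
    {"type": "http_request",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0)"},
    {"type": "task_create", "task_name": "{constructed-guid}", "interval": "PT9M",
     "action": r"powershell -WindowStyle Hidden -ExecutionPolicy Bypass -file C:\x.ps1"},
    # Benign activity that must not trigger any rule.
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\nightly-backup.ps1"},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.com", "dest_port": 443},
    {"type": "task_create", "task_name": "VendorUpdateTask", "interval": "PT1H",
     "action": r"C:\Program Files\Vendor\update.exe /check"},
]

IE8_USER_AGENT_FRAGMENT = "MSIE 8.0; Windows NT 6.0; WOW64"
SIGNED_PROXY_BINARIES = {"installutil.exe", "msbuild.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path, so rules match regardless of install dir."""
    return PureWindowsPath(path).name.lower()


def rule_wscript_public_nologo(ev):
    """wscript.exe running a script from C:\\Users\\Public\\ with //nologo."""
    if ev["type"] != "process_create" or _basename(ev["image"]) != "wscript.exe":
        return False
    cmd = ev["cmdline"]
    return "//nologo" in cmd.lower() and re.search(r"c:\\users\\public\\", cmd, re.I) is not None


def rule_powershell_bypass_public(ev):
    """powershell.exe with -ExecutionPolicy Bypass -file C:\\Users\\Public\\*.ps1."""
    if ev["type"] != "process_create" or _basename(ev["image"]) != "powershell.exe":
        return False
    cmd = ev["cmdline"]
    return (re.search(r"-executionpolicy\s+bypass", cmd, re.I) is not None
            and re.search(r"-file\s+c:\\users\\public\\[^\s\\]+\.ps1", cmd, re.I) is not None)


def rule_signed_binary_network(ev):
    """InstallUtil.exe or MSBuild.exe opening a network connection."""
    return ev["type"] == "network_connect" and _basename(ev["image"]) in SIGNED_PROXY_BINARIES


def rule_ddns_destination(ev):
    """Any connection to a *.ddns.net host."""
    return ev["type"] == "network_connect" and ev.get("dest_host", "").lower().endswith(".ddns.net")


def rule_ie8_user_agent(ev):
    """HTTP request carrying the legacy Internet Explorer 8 User-Agent fragment."""
    return ev["type"] == "http_request" and IE8_USER_AGENT_FRAGMENT in ev.get("user_agent", "")


def rule_task_interval_8_11min(ev):
    """Scheduled task repeating every 8 to 11 minutes (PT8M through PT11M)."""
    if ev["type"] != "task_create":
        return False
    m = re.fullmatch(r"PT(\d+)M", ev.get("interval", ""))
    return m is not None and 8 <= int(m.group(1)) <= 11


RULES = {
    "wscript_public_nologo": rule_wscript_public_nologo,
    "powershell_bypass_public": rule_powershell_bypass_public,
    "signed_binary_network": rule_signed_binary_network,
    "ddns_destination": rule_ddns_destination,
    "ie8_user_agent": rule_ie8_user_agent,
    "task_interval_8_11min": rule_task_interval_8_11min,
}


def evaluate(events):
    """Return one hit per (event, rule) pair; an event may match several rules."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append({"event_index": idx, "rule": name})
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"event {hit['event_index']}: {hit['rule']}")
```

Each rule is deliberately narrow so that the combination, rather than any single match, carries the weight: the InstallUtil.exe event above fires both the signed-binary and the ddns rules, which is the kind of stacking a SIEM correlation should reward.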

## Immediate Response Actions: First 24 Hours

When your security team confirms a .NET loader infection, the first 24 hours determine whether you contain a single compromised endpoint or face enterprise-wide infiltration. The loader's ability to disable Windows telemetry and inject into signed Microsoft binaries means traditional [incident response](https://captechgroup.com/services/cybersecurity-services "Cybersecurity Services | Protect Your Business with Capstone Technologies") playbooks need modification.

**Hour 0-2: Triage and Initial Containment**

Security teams should immediately isolate the infected host at the network level, not through local firewall rules. The loader patches ETW and AMSI, rendering local Windows logging unreliable. Deploy network access control (NAC) or VLAN segmentation to quarantine the system while preserving volatile memory for forensics.

Before touching the infected machine, capture network traffic to and from these C2 domains: `xtadts.ddns[.]net` and `afxwd.ddns[.]net`. The loader beacons every 8-11 minutes through raw TCP sockets with AES-encrypted protobuf messages. Your packet captures need to span at least one full beacon cycle to identify other potentially compromised hosts.




**Hour 2-6: Evidence Preservation and Credential Lockdown**

IT operations teams must image memory before disk. The loader operates primarily in-memory through reflective DLL injection, and a standard disk image misses active payloads. Use tools that capture process memory dumps, particularly focusing on `InstallUtil.exe` and `MSBuild.exe` processes—the loader's preferred injection targets.

For credential resets, prioritize accounts based on access patterns, not job titles. Query Active Directory for any account that authenticated to the infected machine in the past 30 days, then cross-reference with privileged access management logs. Reset passwords for service accounts first—these often have broader permissions and weaker monitoring. Domain admin accounts come second, followed by local administrators on critical servers.

**Hour 6-12: Scope Assessment and Regulatory Triggers**

Leadership needs concrete answers about breach scope to make notification decisions. The loader's GPU enumeration capabilities and specific checks for NVIDIA/AMD hardware suggest potential cryptomining as a secondary payload, which changes your disclosure obligations.

Your decision tree branches at confirmation level:

- **Suspected compromise**: Preserve evidence, isolate systems, begin internal investigation. No external notifications yet unless you're in healthcare (HIPAA 60-day clock starts at reasonable suspicion) or financial services (GLBA requires "as soon as possible" notification).
- **Confirmed compromise with data access**: Legal firms face state bar notification requirements within 30 days if client data is potentially exposed. Healthcare entities must document the investigation start time—you have 60 days to complete assessment before mandatory HHS reporting.
- **Confirmed exfiltration**: Most state breach laws trigger at this point. California's CCPA requires notification "without unreasonable delay," while GDPR-covered entities have 72 hours from awareness.

**Hour 12-24: Hunting and Secondary Containment**

Search for the loader's persistence mechanisms across your environment. Query WMI for scheduled tasks containing `PT*M` timing patterns and registry Run keys with "Update Drivers NVIDEO" naming conventions. The loader creates deeply nested directories under `%UserProfile%\AppData\LocalLow\` with repeated "Program Rules NVIDEO" folder names—this distinctive pattern rarely appears in legitimate software.

Check Defender exclusion lists on all endpoints. The loader adds path exclusions for entire drive letters and disables real-time monitoring through PowerShell. Any system with `C:\` in its exclusion list needs immediate reimaging after forensic preservation.
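The Hour 12-24 hunt above boils down to three checks over exported data: Run/RunOnce values, scheduled task XML, and Defender exclusion paths. The block below is an added example (not Capstone's or Huntress's tooling) that triages such exports offline. It assumes you have already dumped the Run values to a name-to-command mapping, the tasks as Task Scheduler XML (the same shape `Export-ScheduledTask` emits), and the exclusions as a list of paths; all sample data in it is constructed.

```python
"""Triage exported persistence artifacts for the loader's footholds (constructed sample data)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed export of HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (name -> command).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Update Drivers NVIDEO_k3x9": (
        r'powershell -WindowStyle Hidden -ExecutionPolicy Bypass -file '
        r'"C:\Users\alice\AppData\LocalLow\LocalLow Windows\Program Rules\Program Rules NVIDEO\x.ps1"'),
}

# Constructed Task Scheduler XML; real exports start with a UTF-16 declaration, handled below.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT10M</Interval></Repetition>
    <StartBoundary>2026-05-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>powershell</Command>
    <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -file C:\Users\alice\AppData\LocalLow\x.ps1</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Program Files\Vendor\update.exe</Command>
    <Arguments>/check</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed Defender exclusion list; a bare drive root is the loader's tell.
SAMPLE_EXCLUSIONS = [r"D:\Backups", "C:\\", r"C:\Program Files\LegacyApp"]

RUN_NAME_RE = re.compile(r"^Update Drivers NVIDEO_", re.I)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def _hidden_bypass_powershell(command_line):
    low = command_line.lower()
    return "-windowstyle hidden" in low and "-executionpolicy bypass" in low


def triage_run_values(values):
    """Flag Run/RunOnce values by name, by flags, and by the nested LocalLow path."""
    flagged = []
    for name, cmd in values.items():
        reasons = []
        if RUN_NAME_RE.match(name):
            reasons.append("nvideo_name")
        if _hidden_bypass_powershell(cmd):
            reasons.append("hidden_bypass_powershell")
        low = cmd.lower()
        if "\\appdata\\locallow\\" in low and "program rules nvideo" in low:
            reasons.append("locallow_nvideo_path")
        if reasons:
            flagged.append({"name": name, "reasons": reasons})
    return flagged


def triage_task(xml_text):
    """Parse one task definition; flag 8-11 minute repetition and hidden/bypass PowerShell actions."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)  # ET rejects a UTF-16 declaration on str input
    root = ET.fromstring(body)
    reasons = []
    minutes = None
    interval = root.find(f".//{TASK_NS}Interval")
    if interval is not None and interval.text:
        m = re.fullmatch(r"PT(\d+)M", interval.text.strip())
        if m:
            minutes = int(m.group(1))
            if 8 <= minutes <= 11:
                reasons.append("interval_8_11min")
    command = " ".join((n.text or "") for n in root.iter(f"{TASK_NS}Command"))
    args = " ".join((n.text or "") for n in root.iter(f"{TASK_NS}Arguments"))
    if "powershell" in command.lower() and _hidden_bypass_powershell(args):
        reasons.append("hidden_bypass_powershell")
    return {"interval_minutes": minutes, "reasons": reasons, "suspicious": bool(reasons)}


def triage_exclusions(paths):
    """Return exclusions that cover an entire drive (for example C:\\)."""
    return [p for p in paths if DRIVE_ROOT_RE.match(p.strip())]


def hunt(run_values, task_xmls, exclusions):
    """Combine the three checks; a drive-root exclusion alone warrants reimaging per the playbook."""
    drive_roots = triage_exclusions(exclusions)
    return {
        "run_values": triage_run_values(run_values),
        "tasks": [t for t in (triage_task(x) for x in task_xmls) if t["suspicious"]],
        "drive_root_exclusions": drive_roots,
        "reimage_recommended": bool(drive_roots),
    }


if __name__ == "__main__":
    print(hunt(SAMPLE_RUN_VALUES, [SAMPLE_TASK_XML, BENIGN_TASK_XML], SAMPLE_EXCLUSIONS))
```

Run it against real exports by replacing the constructed inputs; because the loader deletes its `{GUID}.xml` files within seconds, the task check is most useful against live `Export-ScheduledTask` output or against the task cache recovered from a forensic image rather than against leftover temp files.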

## Defensive Hardening: Targeting the Loader Chain Weaknesses

The .NET loader's sophisticated attack chain reveals critical control gaps that most organizations overlook in their security architecture. While traditional endpoint protection focuses on known malware signatures, this campaign exploits fundamental weaknesses in how Windows handles script execution, .NET assembly loading, and PowerShell operations.

The attack's reliance on legitimate Windows components creates unique hardening opportunities. Each stage depends on specific execution paths that organizations can restrict without breaking core business functions.

**Application Control via Windows Defender Application Control (WDAC)** provides the most comprehensive disruption of the loader's execution chain. Create a WDAC policy that blocks unsigned .NET assemblies from loading via `Reflection.Assembly::Load` methods. The loader's entire post-exploitation framework collapses when Windows refuses to load `ClassLibrary1.dll`, `ClassLibrary3.Class1`, or the decoded assemblies from memory. Deploy WDAC in audit mode first, monitoring for Event ID 3076 and 3077 in the Microsoft-Windows-CodeIntegrity/Operational log to identify legitimate unsigned assemblies your business applications require.

Professional services firms running custom accounting or legal practice management software should baseline their .NET assembly usage for 30 days before enforcement. The loader's reliance on dynamically generated assemblies with generic names like `ClassLibrary1` makes them easy to distinguish from legitimate line-of-business applications that use properly signed assemblies with descriptive namespaces.

**PowerShell Constrained Language Mode** neutralizes the loader's ability to execute its staging scripts. Configure AppLocker to enforce Constrained Language Mode for standard users while allowing Full Language Mode only for specific administrative accounts. The loader's `nlbzl.ps1` and `shmvg_01.ps1` scripts fail immediately when they cannot invoke `[Reflection.Assembly]::Load` or access .NET types directly. This single control breaks the chain between the JScript dropper and the .NET payload execution.

Enable PowerShell Script Block Logging through Group Policy at `Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell`. Set "Turn on PowerShell Script Block Logging" to capture the full decoded PowerShell commands, including the base64-decoded payloads that traditional process monitoring misses. The loader's heavily obfuscated PowerShell stages become fully visible in Event ID 4104, exposing the `WebClient.DownloadData` calls to `andrefelipedonascime1778799406970.2241107.meusitehostgator[.]com[.]br`.

**JScript and Windows Script Host restrictions** eliminate the initial infection vector entirely. Deploy a Group Policy that sets the default handler for .js files to `%SystemRoot%\system32\notepad.exe` through registry modification at `HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command`. The `A021185521S210008-11521.js` file opens harmlessly in Notepad instead of executing through WScript.exe.

For email gateway configurations, create rules that quarantine attachments containing both JavaScript and base64-encoded content exceeding 10KB. The loader's JScript files consistently contain large base64 blobs with `9999` tokens and literal `A` characters for obfuscation—patterns that legitimate JavaScript files rarely exhibit. Configure your gateway to decompress ZIP archives and scan internal .js files for these patterns.
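As an added example of the gateway rule described above (not code from the page, Huntress, or any gateway product), the block below unpacks a ZIP in memory, inspects only script members, and quarantines when a base64-alphabet run of at least 10KB carries repeated `9999` tokens or an abnormally high share of literal `A` characters. The 10KB threshold comes from the page; the token count and the `A` ratio thresholds are assumed tuning values, and the ZIP content it scans is constructed inline rather than taken from a real sample.

```python
"""Gateway-style inspection of a ZIP attachment for JScript carrying a large, mangled base64 blob."""
import io
import re
import zipfile

MIN_BLOB_BYTES = 10 * 1024      # the page's 10KB threshold for base64 content
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{%d,}" % MIN_BLOB_BYTES)
MIN_9999_TOKENS = 5             # assumed tuning value
MAX_NORMAL_A_RATIO = 0.05       # assumed tuning value; uniform base64 averages ~1/64 'A's
SCRIPT_EXTENSIONS = (".js", ".jse")


def inspect_script(text):
    """Return one finding per oversized base64 run that shows the 9999 / literal-A mangling."""
    findings = []
    for m in BASE64_RUN.finditer(text):
        blob = m.group(0)
        nines = blob.count("9999")
        a_ratio = blob.count("A") / len(blob)
        if nines >= MIN_9999_TOKENS or a_ratio > MAX_NORMAL_A_RATIO:
            findings.append({"offset": m.start(), "length": len(blob),
                             "tokens_9999": nines, "a_ratio": round(a_ratio, 3)})
    return findings


def scan_zip_bytes(data):
    """Decompress the archive in memory and scan every script member; never executes anything."""
    report = {"quarantine": False, "members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            findings = inspect_script(text)
            report["members"].append({"name": info.filename, "findings": findings})
            if findings:
                report["quarantine"] = True
    return report


def build_sample_zip(suspicious):
    """Construct an in-memory ZIP with a .js member; the blob is filler, not real malware content."""
    if suspicious:
        chunks = []
        for i in range(1500):
            chunks.append("Zm9vYmFy")          # base64 of "foobar", repeated as filler
            if i % 10 == 0:
                chunks.append("9999")          # the loader's mangling token
            if i % 5 == 0:
                chunks.append("AAAAA")         # literal 'A' padding
        blob = "".join(chunks)                 # 14100 characters, above the 10KB threshold
    else:
        blob = "Zm9vYmFy"
    script = 'var p = "%s";\nWScript.Echo(p.length);\n' % blob
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("order_12345.js", script)
        zf.writestr("readme.txt", "constructed non-script member, ignored by the scanner")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("benign", False)):
        print(label, scan_zip_bytes(build_sample_zip(flag)))
```

The scanner never evaluates the script, which keeps it safe to run inline on a gateway; its weakness is the fixed 10KB boundary, so pair it with a rule on total script entropy if attackers split the blob across several string literals.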

Test each control in isolated lab environments using the loader's known staging paths. Create benign test files at `C:\Users\Public\` that attempt `[Reflection.Assembly]::Load` operations to verify your WDAC policies trigger correctly without affecting legitimate administrative tools that also use reflection for plugin loading.

### .NET Loader Defense Chain

1. **WDAC Policy**: block unsigned .NET assemblies via Windows Defender Application Control. Blocks `ClassLibrary1.dll`.
2. **PowerShell Constrained Mode**: enforce via AppLocker to prevent `Reflection.Assembly` calls. Stops `nlbzl.ps1` and `shmvg_01.ps1`.
3. **Script Block Logging**: enable full PowerShell logging via Group Policy. Captures decoded payloads.
4. **30-Day Baseline**: monitor Event ID 3076/3077 for legitimate assembly usage. Enables safe enforcement.

<!-- AI:SCHEMA: Schema.org description of canonical page in JSON-LD format -->
<!-- AI:SCHEMA:BEGIN format=jsonld scope=page -->

```json
{
    "@context": "http://schema.org",
    "@graph": [
        {
            "@type": "Article",
            "author": {
                "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
            },
            "dateModified": "2026-06-11T18:13:35Z",
            "datePublished": "2026-06-11T18:13:35Z",
            "description": "Analyze how DesckVB RAT propagates via .NET loader, JScript, and PowerShell droppers. Technical breakdown of malspam delivery chain affecting regulated…",
            "headline": "DesckVB RAT Delivered Through .NET Loader Chain Targeting Professional Service Firms",
            "image": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "inLanguage": "en-GB",
            "mainEntityOfPage": {
                "@type": "WebPage",
                "url": "https://captechgroup.com/threat-intelligence-center/desckvb-rat-delivered-through-net-loader-chain-tar-e7b99e"
            },
            "publisher": {
                "@id": "https://captechgroup.com/#defaultPublisher"
            },
            "url": "https://captechgroup.com/threat-intelligence-center/desckvb-rat-delivered-through-net-loader-chain-tar-e7b99e"
        },
        {
            "@type": "Person",
            "name": "Brian",
            "@id": "https://captechgroup.com/#brian_0fd5dfcdbc"
        },
        {
            "@id": "https://captechgroup.com/#defaultLogo",
            "@type": "ImageObject",
            "url": "https://captechgroup.com/images/hotlink-ok/logo-light.jpg",
            "width": 1300,
            "height": 300
        },
        {
            "@id": "https://captechgroup.com/#defaultPublisher",
            "@type": "Organization",
            "url": "https://captechgroup.com/",
            "logo": {
                "@id": "https://captechgroup.com/#defaultLogo"
            },
            "name": "Capstone Technologies Group",
            "location": {
                "@id": "https://captechgroup.com/#defaultPlace"
            }
        },
        {
            "@id": "https://captechgroup.com/#defaultPlace",
            "@type": "Place",
            "address": {
                "@id": "https://captechgroup.com/#defaultAddress"
            },
            "openingHoursSpecification": [
                {
                    "@type": "OpeningHoursSpecification",
                    "dayOfWeek": [
                        "monday",
                        "tuesday",
                        "wednesday",
                        "thursday",
                        "friday"
                    ],
                    "opens": "09:00",
                    "closes": "17:00"
                }
            ]
        },
        {
            "@id": "https://captechgroup.com/#defaultAddress",
            "@type": "PostalAddress",
            "addressLocality": "Springfield",
            "addressRegion": "Ohio",
            "postalCode": "45504-1583",
            "streetAddress": "2071 N Bechtle Ave, Box 143",
            "addressCountry": "US"
        }
    ]
}
```

<!-- AI:SCHEMA:END -->

