{"id":12013,"date":"2026-04-10T10:04:20","date_gmt":"2026-04-10T10:04:20","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/10\/desckvb-rat-uses-obfuscated-javascript-and-fileless-net-loader-to-evade-detection\/"},"modified":"2026-04-10T10:04:20","modified_gmt":"2026-04-10T10:04:20","slug":"desckvb-rat-uses-obfuscated-javascript-and-fileless-net-loader-to-evade-detection","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/10\/desckvb-rat-uses-obfuscated-javascript-and-fileless-net-loader-to-evade-detection\/","title":{"rendered":"DesckVB RAT Uses Obfuscated JavaScript and Fileless .NET Loader to Evade Detection"},"content":{"rendered":"

DesckVB RAT Uses Obfuscated JavaScript and Fileless .NET Loader to Evade Detection
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A new Remote Access Trojan known as DesckVB has been targeting systems in 2026, using obfuscated JavaScript and a fileless .NET loader to stay hidden from traditional security tools. <\/p>\n

The malware gives attackers full remote control over a victim\u2019s machine, making it a serious threat for individuals and organizations alike.<\/p>\n

DesckVB RAT starts its infection chain with a heavily obfuscated JavaScript<\/a> file that, once executed, silently drops a PowerShell script into the\u00a0C:UsersPublic<\/code>\u00a0directory on the target system. <\/p>\n

The JavaScript replicates its code into PowerShell and text files, giving the malware multiple ways to run. What makes this threat particularly dangerous is that it avoids writing most of its core components to disk, making it much harder for conventional antivirus tools to catch it.<\/p>\n

Point Wild analysts from the LAT61 Threat Intelligence Team identified and examined DesckVB RAT<\/a> in detail, uncovering how it uses layered obfuscation to hide its true purpose at every stage of execution. <\/p>\n

Their research found that the malware combines Base64 encoding with URL string reversal to conceal its command-and-control (C2) server addresses, a tactic designed to trick automated scanning tools. <\/p>\n

The overall structure of the malware suggests it was built with a clear understanding of how modern security defenses work.<\/p>\n

Once fully deployed, DesckVB RAT loads a .NET assembly directly into memory using .NET reflection techniques, bypassing the need to leave any files on the hard drive. <\/p>\n

This in-memory execution method allows the malware to run its harmful routines without triggering many standard file-based detection systems. <\/p>\n

At runtime, the malware activates several harmful capabilities, including keylogging, webcam access, antivirus detection evasion, and encrypted communication with its C2 server.<\/p>\n

The overall impact of DesckVB RAT<\/a> is broad and concerning. Attackers who deploy it can steal sensitive information, monitor user activity in real time, and maintain long-term access to a compromised system without raising immediate alarms. <\/p>\n

Its use of encrypted HTTPS traffic over port 443 allows it to blend in with normal internet activity, making network-level detection just as difficult.<\/p>\n

The Fileless Infection Chain<\/strong><\/h2>\n

The most notable aspect of DesckVB RAT is how it moves through its infection stages without relying on traditional file drops. The malware\u2019s flow begins with the JavaScript file, acting as the first entry point. <\/p>\n

\n
\"Shows
Shows flow of malware (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n

This file is heavily obfuscated and drops a PowerShell file directly into\u00a0C:UsersPublic<\/code>, keeping its activities within commonly overlooked system folders.<\/p>\n

\n
\"JS
JS obfuscated file (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n

The PowerShell script first checks for internet connectivity by pinging Google, then attempts to connect to a malicious external domain. The C2 domain is hidden using Base64 encoding combined with string reversal. <\/p>\n

The malware uses the legitimate Windows tool\u00a0InstallUtil.exe<\/code>\u00a0to execute its payload \u2014 a known technique for bypassing application control policies.<\/p>\n

From there, the script loads\u00a0ClassLibrary3.dll<\/code>\u00a0directly into memory and invokes the obfuscated method\u00a0prFVI<\/code>, which then loads\u00a0ClassLibrary1.dll<\/code>.<\/p>\n

The Execute method within this loader uses\u00a0CreateProcessA<\/code>\u00a0to spawn a new process in a suspended state before injecting the malicious payload. <\/p>\n

\n
\"Obfuscated
Obfuscated method (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n

This process injection approach allows the malware to hide inside trusted processes and avoid drawing attention.<\/p>\n

\n
\"Encoded
Encoded String Array (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n

The final payload,\u00a0Microsoft.exe<\/code>, carries encoded string arrays that hold a hidden runtime configuration. Once active, it drops\u00a0Keylogger.dll<\/code>\u00a0directly into memory and begins C2 communication over\u00a0manikandan83.mysynology.net<\/code>\u00a0on port\u00a07535<\/code>, resolving to IP\u00a045.156.87.226<\/code>. <\/p>\n

Network captures confirm the malware transmits its module names and internal activity to its remote server.<\/p>\n

Security teams should watch for unusual PowerShell execution, unexpected use of\u00a0InstallUtil.exe<\/code>, and outbound connections to unknown domains or IPs. <\/p>\n

Blocking script execution from\u00a0C:UsersPublic<\/code>\u00a0and enabling detailed PowerShell script<\/a> logging are practical first steps to catching this threat early. <\/p>\n

Keeping endpoint protection software current also remains a critical defense, as detection tools<\/a> have already shown the ability to flag key components of this malware.<\/p>\n

Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n

The post DesckVB RAT Uses Obfuscated JavaScript and Fileless .NET Loader to Evade Detection<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Tushar Subhra Dutta
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

DesckVB RAT Uses Obfuscated JavaScript and Fileless .NET Loader to Evade Detection A new Remote Access Trojan known as DesckVB has been targeting systems in 2026, using obfuscated JavaScript and a fileless .NET loader to stay hidden from traditional security tools. The malware gives attackers full remote control over a victim\u2019s machine, making it a […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12013","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12013"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12013"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12013\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}