A newly uncovered phishing campaign has begun exploiting trusted cloud infrastructure, as attackers actively use Google Cloud Storage to distribute the notorious Remcos Remote Access Trojan (RAT) to unsuspecting users worldwide. Notably, this tactic significantly increases the attack’s success rate by leveraging the inherent trust users and security systems place in Google’s ecosystem.
To begin with, the attackers host a malicious HTML page directly on the googleapis.com domain, which belongs to Google’s legitimate services. As a result, most email security gateways and web filtering solutions fail to flag the link as suspicious. Consequently, this allows the phishing email to bypass traditional defenses with ease.
Moreover, victims receive emails containing links that redirect them to a fake interface mimicking Google Drive’s document-sharing page. At first glance, the page appears authentic; however, once users interact with it, the infection process initiates silently in the background. This deceptive approach makes detection extremely difficult, even for relatively cautious users.
According to researchers at ANY.RUN, the campaign uses a highly structured, multi-stage infection chain. Their analysis revealed that each phase of the attack is carefully designed to evade detection. From phishing delivery to payload execution, the attackers ensure that no single stage triggers immediate suspicion. In fact, hosting malicious content on a trusted domain remains the campaign’s most effective evasion tactic.
Remcos RAT, developed by Breaking Security, is originally marketed as a legitimate remote administration tool. However, cybercriminals have repeatedly weaponized it for malicious purposes, including surveillance, data theft, and persistent unauthorized access. Since its introduction in 2016, the malware has continued to evolve with regular updates, making it a long-standing cybersecurity concern.
Once installed, Remcos grants attackers extensive control over infected systems. For instance, they can log keystrokes, capture screenshots, manage files, and establish communication with command-and-control servers. Therefore, the potential damage extends beyond individual users to entire organizations.
Multi-Stage Infection Mechanism
The attack unfolds through multiple deliberate stages. Initially, the phishing email directs users to the malicious Google-hosted page. Subsequently, user interaction triggers a JavaScript-based redirect or initiates a download of an obfuscated archive from attacker-controlled servers.
Inside this archive, a dropper executes silently using Windows scripting engines such as VBScript or PowerShell. Following this, the dropper retrieves the final Remcos payload and injects it into a legitimate Windows process through process hollowing. This advanced technique enables the malware to operate within trusted system processes, effectively bypassing file-based detection mechanisms.
Furthermore, the malware establishes persistence by writing entries into the Windows Registry, ensuring it remains active even after system reboots. It then creates an encrypted communication channel with the attacker’s server, allowing continuous remote control.
Security Recommendations
Security experts strongly advise organizations to monitor outbound traffic to googleapis.com URLs that fall outside normal operations. Additionally, enforcing strict script execution policies and deploying behavioral endpoint detection tools can significantly reduce risks.
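One way to act on the first recommendation, as an added example that is not part of the original article: a small Python detector that reads proxy log lines, keeps only requests to googleapis.com hosts, and flags destinations outside a per-organisation baseline or that return an HTML page (an API host returns JSON, so a browser fetching text/html from a storage bucket matches the lure pattern described above). The log format, the baseline set, the path-style `storage.googleapis.com/<bucket>/` layout and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines: timestamp src_ip method url status content_type
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:03Z 10.0.4.21 GET https://oauth2.googleapis.com/token 200 application/json
2024-05-01T09:12:10Z 10.0.4.21 GET https://storage.googleapis.com/corp-assets-prod/logo.png 200 image/png
2024-05-01T09:13:44Z 10.0.4.37 GET https://storage.googleapis.com/shared-doc-4471/view.html 200 text/html
2024-05-01T09:14:02Z 10.0.4.37 GET https://example.com/index.html 200 text/html
2024-05-01T09:15:30Z 10.0.4.52 GET https://storage.googleapis.com/unknown-bucket-9/data.bin 200 application/octet-stream
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)

# Assumption: hosts/buckets the organisation legitimately uses; tune per environment.
KNOWN_GOOD = {"oauth2.googleapis.com", "storage.googleapis.com/corp-assets-prod"}

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def bucket_key(url):
    """Baseline key: bare host for API hosts, 'host/bucket' for path-style storage URLs."""
    u = urlparse(url)
    host = u.hostname or ""
    if host == "storage.googleapis.com":
        bucket = u.path.strip("/").split("/", 1)[0]
        return f"{host}/{bucket}" if bucket else host
    return host

def flag_googleapis(log_text, known_good=KNOWN_GOOD):
    """Return findings for googleapis.com requests outside the baseline or serving HTML."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        host = urlparse(rec["url"]).hostname or ""
        # Suffix match on the parsed hostname, so 'googleapis.com.evil.example' does not match.
        if not (host == "googleapis.com" or host.endswith(".googleapis.com")):
            continue
        reasons = []
        if bucket_key(rec["url"]) not in known_good:
            reasons.append("googleapis destination outside known baseline")
        if rec["ctype"].startswith("text/html"):
            reasons.append("HTML page served from googleapis.com (lure pattern)")
        if reasons:
            findings.append({"src": rec["src"], "url": rec["url"], "reasons": reasons})
    return findings
```

A hit with both reasons is the strongest signal; a baseline-only hit is a candidate for adding to `KNOWN_GOOD` after review rather than an alert on its own.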
At the same time, users must remain vigilant. They should avoid clicking on links in unexpected emails—even if they appear to come from trusted platforms like Google Drive. Verifying the sender through alternate communication channels is also a crucial step in preventing compromise.