A new phishing campaign is delivering the notorious Remcos RAT by exploiting trusted cloud infrastructure, raising fresh concerns about how attackers are bypassing traditional security defenses. Researchers from ANY.RUN have identified a multi-stage attack chain that leverages legitimate Google services to evade detection and increase success rates.

The campaign abuses Google Cloud Storage by hosting malicious HTML phishing pages directly on trusted domains like storage.googleapis.com. Because these links originate from legitimate infrastructure, they often pass email security checks such as authentication protocols and domain reputation filters, allowing them to slip through secure email gateways undetected.
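Because the domain itself passes reputation checks, a complementary control is to look at what is hosted on it: a static HTML object served from a storage bucket and linked from a "sign in to view document" message is anomalous even though the host is trusted. The triage function below is an added example written for this article, not code from ANY.RUN or the researchers; it assumes the bucket-as-subdomain form (`<bucket>.storage.googleapis.com`) alongside the path form named above, and the lure-word list is a constructed heuristic, not an indicator from the campaign.

```python
import re
from urllib.parse import urlparse

# Host named in the article; the subdomain form is an assumption based on
# the two public URL styles Google Cloud Storage supports.
GCS_HOST = "storage.googleapis.com"
HTML_SUFFIXES = (".html", ".htm")
# Constructed heuristic: names that mimic a Drive/Workspace sign-in lure.
LURE_WORDS = ("signin", "sign-in", "login", "document", "drive", "workspace")

def gcs_bucket_and_object(url: str):
    """Return (bucket, object_path) if url points at a GCS object, else None."""
    p = urlparse(url)
    host, path = p.netloc.lower(), p.path.lstrip("/")
    if host == GCS_HOST:                      # storage.googleapis.com/<bucket>/<object>
        parts = path.split("/", 1)
        return (parts[0], parts[1]) if len(parts) == 2 and parts[0] else None
    if host.endswith("." + GCS_HOST):         # <bucket>.storage.googleapis.com/<object>
        return host[: -len("." + GCS_HOST)], path
    return None

def score_link(url: str) -> tuple[int, list[str]]:
    """Score one link from a message body; higher means more suspicious."""
    hit = gcs_bucket_and_object(url)
    if hit is None:
        return 0, []
    bucket, obj = hit
    score, reasons = 1, [f"object hosted on trusted GCS domain (bucket={bucket})"]
    if obj.lower().endswith(HTML_SUFFIXES):   # a rendered page, not a shared file
        score += 2
        reasons.append("object is a static HTML page")
    if any(w in f"{bucket}/{obj}".lower() for w in LURE_WORDS):
        score += 1
        reasons.append("bucket/object name mimics a sign-in or document lure")
    return score, reasons

def triage(email_body: str, threshold: int = 3) -> list[dict]:
    """Extract links from a message body and return those scoring >= threshold."""
    urls = re.findall(r'https?://[^\s"\'<>]+', email_body)
    flagged = []
    for u in urls:
        score, reasons = score_link(u)
        if score >= threshold:
            flagged.append({"url": u, "score": score, "reasons": reasons})
    return flagged

# Constructed sample message for demonstration; not a real campaign artifact.
SAMPLE = """Hi, a document was shared with you.
Sign in to view document: https://storage.googleapis.com/drive-share-docs/signin.html
Our site: https://www.example.com/about
"""
```

Running `triage(SAMPLE)` flags only the bucket-hosted HTML link and leaves the corporate URL alone; in practice the flagged set would feed a detonation step in a sandbox rather than an automatic block.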

Attackers enhance the deception by mimicking familiar interfaces like Google Drive and Workspace login pages. Victims are prompted to “sign in to view document,” a tactic that feels routine for users accustomed to cloud-based collaboration. This significantly lowers suspicion and increases the likelihood of credential theft.

Once credentials are captured, the attack progresses through a stealthy, multi-stage malware chain. It often involves script execution sequences and the abuse of legitimate system tools, eventually deploying Remcos RAT to establish persistent access. By disguising malicious activity within trusted processes, attackers can remain undetected for extended periods, giving them time to escalate privileges and move laterally within networks.

Security experts warn that traditional defenses—such as domain reputation checks and static detection methods—are no longer sufficient against these tactics. Because the attack relies on trusted infrastructure and legitimate binaries, organizations may experience delayed detection, increasing the risk of financial fraud, data breaches, and even ransomware incidents.

The campaign highlights a growing trend where attackers weaponize trust across multiple layers, including cloud platforms, authentication systems, and built-in operating system tools. As a result, security teams are being urged to adopt behavior-based detection strategies that monitor unusual script activity, suspicious process chains, and abnormal network connections.

Advanced sandboxing and threat intelligence tools are becoming essential in this landscape. Platforms like ANY.RUN allow analysts to observe the full attack lifecycle—from phishing delivery to command-and-control communication—helping organizations translate these insights into actionable defenses.

As cyber threats continue to evolve, this campaign underscores a critical shift: defending against modern attacks requires not just blocking known threats, but understanding and detecting how attackers exploit trusted systems to operate in plain sight.
