Cybercriminals are increasingly exploiting legitimate cloud storage platforms, such as Google Cloud Storage, to host sophisticated phishing pages that deliver potent malware, including the Remcos Remote Access Trojan (RAT). This evolving tactic bypasses traditional security measures by leveraging the trust associated with established services, as detailed in recent cybersecurity analyses.
The campaign commences with deceptive phishing emails. These emails direct recipients to pages hosted on the legitimate Google domain storage.googleapis.com. These imitator pages are designed to closely resemble Google Drive login screens, complete with familiar logos and document icons. Victims are enticed to log in with their credentials to “view a document,” inadvertently surrendering their email address, password, and one-time passcodes to attackers.
Google Cloud Storage Abuse Facilitates Remcos RAT Delivery
Following a successful credential harvest, victims are further tricked into downloading a JavaScript file named Bid-P-INV-Document.js. This file serves as the critical entry point for the entire malware infection chain. According to ANY.RUN’s annual Malware Trends Report for 2025, phishing campaigns leveraging trusted cloud hosting have become a dominant attack vector. The report indicates a significant year-over-year rise of 28% in remote access trojans and 68% in backdoors.
The threat research team at ANY.RUN identified this specific campaign in April 2026. Attackers utilized various subdomains under googleapis.com, including pa-bids, com-bid, contract-bid-0, and out-bid, to host their malicious pages. This strategic placement on Google’s infrastructure provided an inherent immunity from reputation-based email and web security filters.
The ultimate payload of this campaign is Remcos RAT, a commercially available remote access trojan. Once installed, Remcos grants attackers comprehensive and persistent control over the victim’s compromised machine. Its capabilities include logging keystrokes, stealing credentials from browsers and password managers, capturing screenshots, accessing the microphone and webcam, monitoring clipboard content, and enabling remote file transfer.
To ensure persistence, Remcos establishes entries in the Windows Registry under HKEY_CURRENT_USER\Software\Remcos-{ID}, allowing it to survive system reboots. A single infected endpoint can rapidly become a launchpad for further malicious activities, such as ransomware deployment, data exfiltration, and lateral movement across corporate networks.
The dual risk presented by this threat is particularly alarming. Victims not only forfeit their Google account credentials but also unknowingly install a sophisticated surveillance tool on their machines. The combination of credential theft and remote access capabilities provides attackers with immediate entry into accounts and ongoing visibility within the compromised environment, transforming a single phishing click into a severe security risk.
Multi-Stage Infection Mechanism Leverages Evasion Techniques
The infection chain employed in this campaign is multi-layered and meticulously designed to evade detection at each stage. After the victim executes the initial JavaScript file using Windows Script Host, the script employs time-based evasion logic to delay its execution. This is a common technique designed to defeat automated sandboxes that analyze behavior within a fixed timeframe.
Subsequently, the script silently launches a Visual Basic Script (VBS) stage. This stage fetches and executes a second VBS file, which then drops files into the %APPDATA%\WindowsUpdate directory. It also configures startup persistence to ensure the malware remains active after reboots.
A PowerShell script, identified as DYHVQ.ps1, then takes control. This script loads an obfuscated executable stored as ZIFDG.tmp. Concurrently, the infection chain retrieves an obfuscated .NET loader from Textbin, a public text-hosting service. This loader is then directly injected into memory using Assembly.Load, a method that leaves no trace on the disk for antivirus tools to scan.
The .NET loader further abuses RegSvcs.exe, a legitimate Microsoft-signed binary, to execute the Remcos payload through a process hollowing technique. Because RegSvcs.exe typically carries a clean reputation on VirusTotal, this stage usually appears legitimate to most endpoint protection tools, making it nearly invisible without robust behavioral monitoring capabilities.
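The infection chain described above leaves host-side artifacts that a defender can hunt for: the Remcos registry key, the drop directory under %APPDATA%, and the unusual process lineage of Windows Script Host launching PowerShell, which in turn launches RegSvcs.exe. The following is an added example, not code from ANY.RUN or from the report, that turns those artifacts into simple correlation rules over endpoint telemetry. It assumes Sysmon-like events flattened into Python dictionaries (Sysmon records HKCU paths as HKU\<SID>\..., so both spellings are accepted); the host names, user names and SID in the sample events are constructed, and the PowerShell-to-RegSvcs.exe parent-child relation is inferred from the description of the in-memory .NET loader.

```python
import re
from collections import defaultdict

# Artifacts described in the write-up, turned into rules. Sysmon records HKCU
# paths as HKU\<SID>\..., so the registry rule accepts either spelling.
REMCOS_KEY_RE = re.compile(
    r"^(HKCU|HKEY_CURRENT_USER|HKU\\[^\\]+)\\Software\\Remcos-", re.IGNORECASE)
DROP_DIR_RE = re.compile(r"\\AppData\\Roaming\\WindowsUpdate\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

EXECUTION_RULES = {"script_host_spawns_powershell", "powershell_spawns_regsvcs"}


def image_name(path):
    """Lower-cased file name of a process image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_event(ev):
    """Return the names of every rule this single event triggers."""
    hits = []
    kind = ev["type"]
    if kind.startswith("Registry") and REMCOS_KEY_RE.search(ev["target"]):
        hits.append("remcos_registry_persistence")
    elif kind == "FileCreate" and DROP_DIR_RE.search(ev["target"]):
        hits.append("appdata_windowsupdate_drop")
    elif kind == "ProcessCreate":
        image, parent = image_name(ev["image"]), image_name(ev["parent"])
        # The JavaScript and VBS stages run under Windows Script Host and hand off to PowerShell.
        if image == "powershell.exe" and parent in SCRIPT_HOSTS:
            hits.append("script_host_spawns_powershell")
        # The in-memory .NET loader runs inside PowerShell and starts RegSvcs.exe to hollow it
        # (parent-child relation assumed from the description of the chain).
        if image == "regsvcs.exe" and parent == "powershell.exe":
            hits.append("powershell_spawns_regsvcs")
    return hits


def hunt(events):
    """Collect rule hits per host; escalate when persistence, drop and execution co-occur."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in evaluate_event(ev):
            per_host[ev["host"]].add(rule)
    verdicts = {}
    for host, rules in per_host.items():
        chain = (
            "remcos_registry_persistence" in rules
            and "appdata_windowsupdate_drop" in rules
            and bool(rules & EXECUTION_RULES)
        )
        verdicts[host] = {"rules": sorted(rules), "chain_suspected": chain}
    return verdicts


# Constructed, Sysmon-like events. Host names, user names and the SID are made up;
# the file names, drop directory and registry key follow the write-up.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"host": "WS-01", "type": "FileCreate",
     "target": r"C:\Users\alice\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"},
    {"host": "WS-01", "type": "FileCreate",
     "target": r"C:\Users\alice\AppData\Roaming\WindowsUpdate\ZIFDG.tmp"},
    {"host": "WS-01", "type": "ProcessCreate",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-01", "type": "RegistryKeyCreate",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Remcos-EXAMPLEID"},
    # Benign noise on a second host: an installer registering a .NET service,
    # and an ordinary file write under AppData\Roaming.
    {"host": "WS-02", "type": "ProcessCreate",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"host": "WS-02", "type": "FileCreate",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"},
]

if __name__ == "__main__":
    for host, verdict in hunt(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Each rule on its own is noisy (RegSvcs.exe is a legitimate Microsoft binary and installers do launch it), which is why the verdict escalates only when the persistence, drop and execution stages are all seen on the same host; the individual hits are still returned so an analyst can review weaker signals.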
Security teams are advised to treat any link originating from storage.googleapis.com with the same level of caution as an unknown domain. A trusted platform name does not automatically guarantee the safety of its content. Behavioral analysis tools that monitor post-click activity are significantly more effective than signature-based detection alone in identifying such threats.
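The advice above, together with the bucket names listed earlier in the article, can be applied at the mail gateway or proxy by pulling every storage.googleapis.com link out of the logs, recovering the bucket it points at, and ranking the link rather than trusting the domain. The following is an added example, not code from ANY.RUN or from the report. It handles both URL styles Cloud Storage supports (path-style and virtual-hosted), rejects look-alike hosts, and flags script downloads as well as the buckets named in the article; the log line format, the recipient addresses, the object names and the "internal-reports" bucket are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

GCS_HOST = "storage.googleapis.com"

# Bucket names the ANY.RUN write-up associates with the campaign. Anything else
# hosted on storage.googleapis.com is still surfaced, at "review" severity.
REPORTED_BUCKETS = {"pa-bids", "com-bid", "contract-bid-0", "out-bid"}

# Script types a document-sharing lure should never hand to a user.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".hta")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_gcs_url(url):
    """Return (bucket, object_path) for a Cloud Storage URL, or None.

    Handles both addressing styles GCS supports:
      path-style            https://storage.googleapis.com/<bucket>/<object>
      virtual-hosted style  https://<bucket>.storage.googleapis.com/<object>
    A look-alike host such as storage.googleapis.com.example.net is rejected.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lstrip("/")
    if host == GCS_HOST:
        bucket, _, obj = path.partition("/")
        return (bucket, obj) if bucket else None
    if host.endswith("." + GCS_HOST):
        return (host[: -(len(GCS_HOST) + 1)], path)
    return None


def classify_url(url):
    """Score one URL; returns a finding dict, or None if it is not a GCS link."""
    parsed = parse_gcs_url(url)
    if parsed is None:
        return None
    bucket, obj = parsed
    reasons = []
    if bucket in REPORTED_BUCKETS:
        reasons.append("bucket named in report")
    if obj.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("script file download")
    return {
        "url": url,
        "bucket": bucket,
        "object": obj,
        "severity": "high" if reasons else "review",
        "reasons": reasons,
    }


def scan_lines(lines):
    """Pull every URL out of free-form log lines and keep the GCS findings."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            finding = classify_url(url)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed mail-gateway log lines. Recipient addresses, object names and the
# "internal-reports" bucket are made up; the other bucket names and the .js
# file name come from the write-up.
SAMPLE_LOG = [
    "rcpt=ap@example.com url=https://storage.googleapis.com/pa-bids/view-document.html verdict=delivered",
    "rcpt=ap@example.com url=https://out-bid.storage.googleapis.com/Bid-P-INV-Document.js verdict=delivered",
    "rcpt=cfo@example.com url=https://storage.googleapis.com/internal-reports/q1.pdf verdict=delivered",
    "rcpt=cfo@example.com url=https://drive.google.com/file/d/EXAMPLE/view verdict=delivered",
    "rcpt=it@example.com url=https://storage.googleapis.com.example.net/pa-bids/x verdict=delivered",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"[{f['severity']:6}] bucket={f['bucket']:<17} {f['object']}  {'; '.join(f['reasons'])}")
```

Every storage.googleapis.com link is returned, not just the ones matching the reported buckets, so a legitimate shared document lands in the review queue instead of being silently trusted; the bucket name is the unit worth tracking, because the attacker controls it while the domain stays constant.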
Furthermore, employees in critical roles, particularly within finance, procurement, and leadership, should receive specialized training to recognize cloud-storage phishing lures. They must be educated to refrain from downloading files from unexpected login prompts. All suspicious JavaScript and script files should always be tested in an isolated sandbox environment before being run on any production system.
The ongoing reliance on legitimate cloud infrastructure by threat actors highlights the need for advanced security solutions. Organizations should focus on implementing multi-layered defenses that incorporate behavioral analysis and user training to mitigate the risks associated with evolving phishing and malware delivery techniques. The trend indicates that attackers will continue to seek trusted platforms to disguise their malicious activities, demanding a proactive and adaptive security posture from businesses.