Cybercriminals have devised a new method to distribute malware by abusing a widely trusted online service: Google Forms. A recently identified campaign is leveraging business-themed lures such as fictitious job interviews, project briefings, and financial documents to infect victim machines with a Remote Access Trojan (RAT) known as PureHVNC. This campaign stands out not for the novelty of the malware itself, but for the unconventional delivery channel: the infection is initiated through a Google Form, and the form is what ultimately leads the victim to PureHVNC.
The attack begins with a well-crafted Google Form designed to mimic legitimate recruitment or business processes. These forms solicit professional details such as work history and background, aiming to establish a sense of authenticity and trust. Because the form itself is hosted on Google's own domain, the initial link passes the reputation checks that would flag a freshly registered phishing site. Upon submission, victims are redirected to a business-themed ZIP file hosted on file-sharing platforms such as Dropbox, filedn.com, and fshare.vn, or reached through URL shorteners such as tr.ee and goo.su, which obscure the true destination. Threat actors are also disseminating these malicious links across professional networking sites such as LinkedIn, targeting individuals actively seeking employment or new career opportunities.
Multi-Stage Infection Mechanism Exploiting Google Forms for PureHVNC Delivery
Malwarebytes analysts have cataloged multiple variations of this campaign, noting that the threat actors impersonate prominent companies across the financial, logistics, technology, sustainability, and energy sectors. These fake Google Forms frequently display genuine company names, logos, and branding, making them exceptionally difficult for the average user to identify as fraudulent. Archive file names, such as “Project_Information_Summary_2026.zip” and “{CompanyName}_GlobalLogistics_Ad_Strategy.zip,” highlight the deliberate and calculated nature of the deception aimed at delivering PureHVNC.
PureHVNC is identified as a modular .NET RAT belonging to the “Pure” malware family. Once established on a compromised system, it grants attackers comprehensive remote control. This allows them to execute commands, exfiltrate sensitive data from browsers, cryptocurrency wallets, and messaging applications such as Telegram and Foxmail, gather detailed hardware and software information, and deploy additional plugins to expand their capabilities. The malware’s configuration is GZIP-compressed and then Base64-encoded, so an analyst recovers it by Base64-decoding the blob and decompressing the result. The identified command and control (C2) server for this PureHVNC campaign is located at IP address 207.148.66.14, reachable on ports 56001, 56002, and 56003. The campaign targets industries where document sharing is routine and professionals regularly receive files from external contacts, an environment in which a malicious archive can easily go unnoticed.
The infection chain employed by this campaign is a meticulously orchestrated, multi-stage process designed to evade detection at every juncture. After a victim extracts the downloaded ZIP file, they will find job-related documents alongside a concealed executable and a DLL named msimg32.dll. msimg32.dll is the name of a legitimate Windows library, and Windows resolves most DLL imports from an application's own directory before System32, so when the bundled executable runs it loads the attacker's copy instead of the genuine one. This DLL sideloading (a form of DLL hijacking) lets the malicious code execute inside an otherwise legitimate-looking process without triggering obvious alerts.
Once operational, the malicious DLL decrypts its embedded strings with a single-byte XOR key, 0x4B. It then checks for analysis environments using IsDebuggerPresent() and timing checks based on time64(). If it detects sandbox or debugging activity, the malware displays the error message “This software has expired or debugger detected” and terminates. Otherwise, the DLL deletes itself from disk, drops a decoy PDF to keep the user occupied, and establishes persistence by adding a value named Miroupdate under the Software\Microsoft\Windows\CurrentVersion\Run registry key.
The subsequent stage extracts a hidden archive, named final.zip, into a randomly named folder within the ProgramData directory. An obfuscated Python script, stored as config.log or image.mp3 depending on the variant, decodes and launches Donut shellcode entirely in memory; Donut is a tool that wraps a .NET assembly in position-independent shellcode, which is how the .NET RAT is loaded without ever being written to disk as an assembly. This shellcode then injects PureHVNC into SearchUI.exe, a legitimate Windows system process, to further mask its presence.
When the malware is running with administrative privileges, it also creates a scheduled task via a Base64-encoded PowerShell command (the -EncodedCommand form) configured to run at the highest privilege level, giving it a second, more durable foothold. As a final marker, it creates the mutex “Rluukgz” on the host, which prevents a second instance from running and doubles as a reliable host-based indicator.
Individuals and organizations are strongly advised to implement several protective measures to mitigate exposure to this evolving threat. Always verify the source of any Google Form before submitting personal information or downloading linked files; a Google-hosted form is not evidence that the organization behind it is genuine. Unexpected job offers or project requests should be cross-referenced with official company websites and confirmed through known contacts. Users should avoid clicking links hidden behind URL shorteners without first expanding them to see where they actually lead.
Security teams should hunt for msimg32.dll being loaded from anywhere other than the System32 or SysWOW64 directories, PowerShell launched with an encoded command that registers a highest-privilege scheduled task, Python interpreters executing from folders under ProgramData, a Run key value named Miroupdate, remote-thread or injection activity targeting SearchUI.exe, the Rluukgz mutex, and outbound connections to 207.148.66.14 on ports 56001 to 56003. Endpoint telemetry and detection content should be kept current so that these behaviours are surfaced rather than buried. The ongoing evolution of delivery vectors, such as this creative use of Google Forms, underscores the need for continuous user education alongside robust technical controls.
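The following is an added example, not code from the original report or from Malwarebytes, showing how the host-based indicators described above can be checked against process, image-load and registry telemetry. The events are constructed in a Sysmon-like shape purely for illustration; the folder name k3x9, the task name Updater, the HKCU hive and all file paths are assumptions, not indicators from the campaign. It also decodes a PowerShell -EncodedCommand argument the way PowerShell itself does (Base64 over UTF-16LE), since the scheduled-task creation is only visible once that layer is removed.

```python
import base64
import re

# Constructed sample telemetry; not taken from any real capture.
# Paths, the folder name k3x9, the task name and the HKCU hive are hypothetical.
ENCODED_TASK = base64.b64encode(
    "Register-ScheduledTask -TaskName 'Updater' -RunLevel Highest "
    "-Action (New-ScheduledTaskAction -Execute 'C:\\ProgramData\\k3x9\\python.exe')"
    .encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "event": "ImageLoad",
     "image": r"C:\Users\victim\Downloads\Project_Information_Summary_2026\Summary.exe",
     "loaded": r"C:\Users\victim\Downloads\Project_Information_Summary_2026\msimg32.dll"},
    {"id": 2, "event": "ImageLoad",                      # benign: the OS copy of the DLL
     "image": r"C:\Windows\System32\mspaint.exe",
     "loaded": r"C:\Windows\System32\msimg32.dll"},
    {"id": 3, "event": "ProcessCreate",
     "image": r"C:\ProgramData\k3x9\python.exe",
     "cmdline": r'"C:\ProgramData\k3x9\python.exe" config.log'},
    {"id": 4, "event": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_TASK}"},
    {"id": 5, "event": "RegistrySet",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Miroupdate",
     "data": r"C:\ProgramData\k3x9\python.exe config.log"},
    {"id": 6, "event": "CreateRemoteThread",
     "source": r"C:\ProgramData\k3x9\python.exe",
     "target": r"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"},
    {"id": 7, "event": "ProcessCreate",                  # benign: a normal Python install
     "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": r'"C:\Program Files\Python312\python.exe" build.py'},
]

# Directories from which a load of msimg32.dll is expected.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind a PowerShell -EncodedCommand argument, or None.
    PowerShell expects Base64 over UTF-16LE, so the layers come off in that order."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(ev: dict):
    """Yield (rule, event id) for each campaign indicator this single event matches."""
    kind = ev["event"]
    if kind == "ImageLoad":
        loaded = ev["loaded"].lower()
        # msimg32.dll resolved from the application directory rather than System32: sideloading
        if loaded.endswith("\\msimg32.dll") and not loaded.startswith(SYSTEM_DLL_DIRS):
            yield ("msimg32_sideload", ev["id"])
    elif kind == "ProcessCreate":
        image = ev["image"].lower()
        basename = image.rsplit("\\", 1)[-1]
        if image.startswith("c:\\programdata\\") and "python" in basename:
            yield ("python_from_programdata", ev["id"])
        decoded = decode_encoded_command(ev.get("cmdline", ""))
        if decoded:
            low = decoded.lower()
            creates_task = "register-scheduledtask" in low or "schtasks" in low
            highest = "-runlevel highest" in low or "/rl highest" in low
            if creates_task and highest:
                yield ("encoded_ps_highest_task", ev["id"])
    elif kind == "RegistrySet":
        key = ev["key"].lower()
        if "\\currentversion\\run\\" in key and key.endswith("\\miroupdate"):
            yield ("run_key_miroupdate", ev["id"])
    elif kind == "CreateRemoteThread":
        if ev["target"].lower().endswith("\\searchui.exe"):
            yield ("inject_searchui", ev["id"])


def hunt(events):
    """Run every event through check_event and collect the hits in event order."""
    return [hit for ev in events for hit in check_event(ev)]


if __name__ == "__main__":
    for rule, eid in hunt(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
```

Run against the constructed events, the two benign entries (the System32 copy of msimg32.dll and a Python interpreter under Program Files) produce no hits, while the five stages of the chain each light up one rule. In a real deployment the same checks would be expressed as EDR or SIEM queries over image-load, process-creation, registry and remote-thread events; the decoder is the piece most often missing, because the scheduled-task command never appears in clear text on the command line.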

