Cybercriminals are increasingly leveraging Google Cloud Storage to bypass email filters and distribute malware, a new report reveals. This sophisticated phishing tactic uses the widely trusted cloud platform to host malicious pages that deliver the Remcos Remote Access Trojan (RAT). The attack chain, identified by ANY.RUN’s threat research team, bypasses traditional security measures by exploiting the inherent trust users place in legitimate cloud domains.
The campaign begins with phishing emails that direct users to fake login pages hosted on Google Cloud Storage under the legitimate `storage.googleapis.com` domain. These pages closely mimic the Google Drive login interface, down to the logos and file icons. Victims are prompted to sign in to “view a document”; the form instead forwards the submitted email address, password, and any one-time passcode entered afterwards to the attackers, so a second factor prompted at that moment offers no protection.
Hackers Using Google Cloud Storage to Distribute Remcos RAT
Once the credentials have been submitted, victims are told to download a JavaScript file, typically named `Bid-P-INV-Document.js`. This file is the entry point into a multi-stage infection chain that ends with the Remcos RAT. According to ANY.RUN’s 2025 Malware Trends Report, phishing campaigns that host their lures on trusted cloud services have become a predominant attack vector, with a significant year-over-year increase in remote access trojans and backdoors.
In April 2026, researchers observed this specific campaign abusing Google’s infrastructure. The attackers created buckets named `pa-bids`, `com-bid`, `contract-bid-0`, and `out-bid`, which Google Cloud Storage serves as subdomains of `storage.googleapis.com`, and used them to host the malicious landing pages. Because every request resolves to Google’s own domain, reputation-based email and web filters that would flag a newly registered attacker domain see only a trusted host and let the links through.
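A filter that judges only the registrable domain will never catch this, because `storage.googleapis.com` is always reputable; the signal is in the bucket. The following Python is an added example, not code from the article or from ANY.RUN, that extracts the bucket name from both URL forms Google Cloud Storage serves (`BUCKET.storage.googleapis.com/...` and `storage.googleapis.com/BUCKET/...`) so that a mail or proxy filter can apply reputation at bucket granularity. The block list is seeded with the four bucket names reported above; the lure-word list and the verdict labels are assumptions for illustration.

```python
"""Classify URLs by the Google Cloud Storage bucket they point at.

Added example (not from the original article or ANY.RUN). Google Cloud Storage
serves public objects in two URL styles:
  virtual-hosted:  https://BUCKET.storage.googleapis.com/OBJECT
  path style:      https://storage.googleapis.com/BUCKET/OBJECT
Both resolve on Google's own domain, so reputation has to be applied to the
bucket name rather than to the host.
"""
from urllib.parse import urlsplit

GCS_HOST = "storage.googleapis.com"

# Bucket names reported for the campaign described in the article.
SUSPECT_BUCKETS = {"pa-bids", "com-bid", "contract-bid-0", "out-bid"}

# Lure-themed tokens (assumed list); a match is a triage hint, not a verdict.
LURE_TOKENS = ("bid", "contract", "invoice", "inv", "document", "payment")


def gcs_bucket(url: str):
    """Return (is_gcs, bucket). bucket is None when no bucket can be read."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases and drops userinfo
    if host == GCS_HOST:
        # Path style: the first path segment is the bucket.
        segs = [s for s in parts.path.split("/") if s]
        return True, (segs[0].lower() if segs else None)
    suffix = "." + GCS_HOST
    if host.endswith(suffix):
        # Virtual-hosted style: everything before the GCS host is the bucket
        # (bucket names may themselves contain dots).
        return True, host[: -len(suffix)]
    return False, None


def classify(url: str) -> dict:
    """Verdict for a URL: block / review / allow-with-scan / not-gcs."""
    is_gcs, bucket = gcs_bucket(url)
    if not is_gcs:
        return {"gcs": False, "bucket": None, "verdict": "not-gcs"}
    if bucket is None:
        verdict = "review"                # bare host, nothing to judge on
    elif bucket in SUSPECT_BUCKETS:
        verdict = "block"
    elif any(tok in bucket for tok in LURE_TOKENS):
        verdict = "review"
    else:
        verdict = "allow-with-scan"       # still scan the object, see article
    return {"gcs": True, "bucket": bucket, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links, including a userinfo trick that only *looks*
    # like the GCS host.
    for u in (
        "https://pa-bids.storage.googleapis.com/login.html",
        "https://storage.googleapis.com/out-bid/index.html",
        "https://storage.googleapis.com/Q3-invoice-portal/view.html",
        "https://my-company-assets.storage.googleapis.com/logo.png",
        "https://storage.googleapis.com@evil.example/x",
    ):
        print(u, "->", classify(u))
```

The lookup is deliberately done on `parts.hostname`, not on a substring match of the raw URL: a link such as `https://storage.googleapis.com@evil.example/x` contains the trusted host name in its userinfo but actually resolves `evil.example`, and a naive `"storage.googleapis.com" in url` check would wave it through.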
The ultimate objective of this attack is the deployment of Remcos RAT, a commercially sold tool that gives the operator extensive, persistent control over an infected computer. Once installed, Remcos can log keystrokes, steal credentials from browsers and password managers, capture screenshots, access the microphone and webcam, monitor the clipboard, and transfer files in both directions. For persistence, the malware writes its configuration and registration entries to the Windows Registry under `HKEY_CURRENT_USER\Software\Remcos-{ID}`, allowing it to survive system reboots.
The implications of a single infected endpoint extend far beyond individual data compromise. A compromised machine can easily become a pivot point for further network intrusions, facilitating ransomware deployment, widespread data exfiltration, and lateral movement across an organization’s internal network. This dual threat of credential theft coupled with sustained remote access significantly amplifies the risk associated with a single phishing click.
Multi-Stage Infection Mechanism
The infection chain orchestrated by these attackers is deliberately layered and designed to evade detection at each progressive stage. This sophisticated approach aims to circumvent security solutions that rely on static analysis or limited time-window sandboxing.
When the initial JavaScript file is opened, Windows Script Host executes it and the script first sleeps for a while before doing anything else. This delay is a common trick against automated sandboxes that only observe behaviour for a fixed time window. After the delay, the script silently launches a Visual Basic Script (VBS) stage, whose job is to fetch and run a second VBS file.
This second VBS file establishes a foothold by dropping files into the `%APPDATA%\WindowsUpdate` directory and configuring Startup persistence so that the chain is re-run after every restart. A PowerShell script named `DYHVQ.ps1` then takes over. Its main task is to load an obfuscated executable, stored alongside it as `ZIFDG.tmp`, directly into memory.
In the same stage, the chain retrieves an obfuscated .NET loader from Textbin, a public text-hosting service, and loads it into the PowerShell process with `Assembly.Load`. Because the loader arrives as text and is materialised only in memory, it is never written to disk as a file, so file-based antivirus scanning has nothing to inspect. The .NET loader then abuses `RegSvcs.exe`, a legitimate Microsoft-signed binary, as the host for the Remcos payload using process hollowing: a `RegSvcs.exe` process is started in a suspended state, its image is replaced in memory with Remcos, and execution is resumed. Since `RegSvcs.exe` has a clean reputation on platforms such as VirusTotal, this stage looks benign to many endpoint protection tools unless they watch the parent-child relationship and in-memory behaviour rather than the file on disk.
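None of the individual binaries in this chain are malicious on disk, so detection has to come from the sequence of process relationships the article describes: `wscript.exe` run from a user directory, a script host spawning another script host and then PowerShell, and PowerShell spawning `RegSvcs.exe`, plus the `Software\Remcos-` registry key. The following Python is an added example, not code from the article or from ANY.RUN, that encodes those observations as rules over Sysmon-style process-creation (Event ID 1) and registry (Event ID 13) records. The events are constructed to mirror the chain; field names follow Sysmon, but the paths, user name and the registry value name are assumptions.

```python
"""Behavioural rules for the script-to-Remcos chain described above.

Added example; not from the original article or ANY.RUN. Input records are
dicts shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine) and
Event ID 13 (Image, TargetObject). The sample events below are constructed.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Signed .NET utilities commonly used as process-hollowing hosts. On a user
# workstation a script host or shell is not a normal parent for any of them.
HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
# User-writable locations where a downloaded lure or dropped stage would live.
USER_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\",
             "\\appdata\\roaming\\", "\\desktop\\")
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b")
INMEM_LOAD = re.compile(r"(reflection\.assembly\]?::load|-enc|downloadstring|frombase64string)")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process(ev: dict) -> list[str]:
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    img, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    # 1. Script host opening a .js/.vbs that lives in a user-writable directory.
    if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and any(d in cmd for d in USER_DIRS):
        hits.append("script_host_user_dir")
    # 2. Script host spawned by a script host (JS stage launching the VBS stage).
    if img in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
        hits.append("script_host_chain")
    # 3. PowerShell spawned by a script host, or carrying in-memory load markers.
    if img in SHELLS and parent in SCRIPT_HOSTS:
        hits.append("script_host_to_powershell")
    if img in SHELLS and INMEM_LOAD.search(cmd):
        hits.append("powershell_inmemory_load")
    # 4. Hollowing target started by a shell or script host.
    if img in HOLLOW_TARGETS and parent in SHELLS | SCRIPT_HOSTS:
        hits.append("hollow_target_from_shell")
    return hits


def check_registry(ev: dict) -> list[str]:
    """Return rule names that fire on one registry-set event."""
    hits = []
    target = ev.get("TargetObject", "").lower()
    if "\\software\\remcos-" in target:
        hits.append("remcos_registry_key")
    if "\\currentversion\\run\\" in target and _base(ev.get("Image", "")) in SCRIPT_HOSTS | SHELLS:
        hits.append("run_key_from_script_host")
    return hits


def scan(events: list[dict]) -> list[list[str]]:
    return [check_process(ev) for ev in events]


def chain_detected(events: list[dict], min_rules: int = 3) -> bool:
    """True when at least `min_rules` distinct rules fire across the events."""
    return len({r for hits in scan(events) for r in hits}) >= min_rules


# Constructed sample telemetry mirroring the chain in the article (user,
# paths and the registry value name are assumed, not observed).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\Bid-P-INV-Document.js"'},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\WindowsUpdate\stage2.vbs"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\alice\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\report.docx"'},
]
SAMPLE_REGISTRY_EVENT = {
    "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Remcos-A1B2C3\exepath",
}

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(_base(ev["Image"]), "<-", _base(ev["ParentImage"]), hits)
    print("registry:", check_registry(SAMPLE_REGISTRY_EVENT))
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

Each rule on its own is noisy (developers do run `RegSvcs.exe`, and admins do run `.vbs` files from their desktop), which is why `chain_detected` only raises an alert when several distinct rules fire on one host; the benign `WINWORD.EXE` record is included to show that an ordinary document open from the same `Downloads` folder triggers nothing.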
Security teams should treat a link to `storage.googleapis.com` with the same scrutiny as a link to an unknown domain: the reputation of the platform says nothing about the content of an individual bucket. Controls that analyse what happens after the click, such as sandbox detonation of the downloaded file and behavioural monitoring of script hosts and PowerShell on the endpoint, are proving more effective against these chains than signature-based detection alone. Employees in finance and procurement roles, who are the natural audience for “bid” and “invoice” lures, need targeted training to recognise cloud-storage phishing pages and to never download a file offered behind an unexpected login prompt.
Any suspicious JavaScript or other script attachment should be detonated in an isolated analysis sandbox, never opened on a workstation, and the delayed-execution trick described above means the sandbox run must be long enough for the later stages to appear. Attackers’ continued reliance on trusted cloud infrastructure means detection rules and user awareness programmes have to be revisited as these campaigns evolve.