{"id":13588,"date":"2026-04-09T13:06:53","date_gmt":"2026-04-09T13:06:53","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=13588"},"modified":"2026-04-09T13:06:53","modified_gmt":"2026-04-09T13:06:53","slug":"new-phishing-marketing-campaign-exploits-google-storage-to-ship-remcos-rat","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=13588",
"title":{"rendered":"New Phishing Campaign Exploits Google Storage to Deliver Remcos RAT"},
"content":{"rendered":"<div>\n<p>A recently observed phishing campaign is abusing Google Cloud Storage to deliver the Remcos remote access trojan (RAT), relying on trusted Google infrastructure and a signed Microsoft binary to evade conventional defenses.<\/p>\n<p>Attackers host a fake <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/google-drive-users-files\/\" type=\"post\" id=\"80220\">Google Drive login page<\/a> on the legitimate domain storage.googleapis.com, making the URL appear trustworthy to both users and security tools.<\/p>\n<p>Instead of registering their own domain, they upload a crafted HTML page that closely mimics Google\u2019s interface and branding.<\/p>\n<p>The operation <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/www.linkedin.com\/posts\/phishing-remcos-iocs-share-7447636921503272962-SaEE\/?utm_source=social_share_send&amp;utm_medium=ios_app&amp;rcm=ACoAABO-jCkB1he5ufTfbYYMNKmaojg8M31OVpM&amp;utm_campaign=copy_link\">highlights how reputation-based filtering<\/a> alone is not enough to stop modern credential theft and malware delivery.<\/p>\n<p>The page requests the victim\u2019s email address, password, and one\u2011time passcode, effectively capturing full account access. Using Google\u2019s infrastructure also helps phishing links bypass some email filters and URL-reputation checks that favor well\u2011known cloud providers.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-multi-stage-infection-chain\"><strong>Multi\u2011stage infection chain<\/strong><\/h2>\n<p>After a \u201csuccessful\u201d login, the site prompts the user to download a JavaScript file named Bid\u2011Packet\u2011INV\u2011Doc.js, presented as a document or bid packet.<\/p>\n<p>When executed, this script runs under Windows Script Host, includes time\u2011based evasion logic, and launches the <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/whatsapp-attack-chain\/\" type=\"post\" id=\"182142\">next\u2011stage VBS script<\/a>.<\/p>\n<p>The first VBS stage downloads and silently runs another VBS file, which drops components under %APPDATA%\\WindowsUpdate and configures Startup persistence so the malware survives reboot.<\/p>\n<p>A PowerShell script, DYHVQ.ps1, then orchestrates the loading of an obfuscated portable executable stored as ZIFDG.tmp, which <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/remcos-rat-c2\/\" type=\"post\" id=\"169333\">contains the Remcos RAT payload<\/a>.<\/p>\n<p>To stay stealthy, the chain fetches an additional obfuscated .NET loader from a text\u2011hosting service (Textbin) and loads it directly in memory via Assembly.Load.<\/p>\n<p>The .NET loader abuses RegSvcs.exe, a legitimate Microsoft .NET Services Installation Tool located in the framework directory, for process hollowing.<\/p>\n<p>Because RegSvcs.exe is signed by Microsoft and often has a clean VirusTotal reputation, its execution usually appears benign in endpoint logs.<\/p>\n<p>The loader creates or starts RegSvcs.exe from %TEMP%, hollowing the process and injecting the Remcos payload so that most of the malicious logic executes only in memory.<\/p>\n<p>This results in a partially fileless Remcos instance that communicates with its command\u2011and\u2011control (C2) server while hiding behind a trusted process name.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-detection-and-defense-recommendations\"><strong>Detection and defense recommendations<\/strong><\/h2>\n<p>Security teams shouldn&#8217;t rely solely on domain or file reputation when triaging alerts involving <a rel=\"nofollow noreferrer noopener\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/hackers-abusing-google-cloud\/\" type=\"post\" id=\"99274\">Google cloud domains<\/a> or signed Windows binaries.<\/p>\n<p>Behavioral sandboxing and EDR telemetry are key: defenders should monitor for suspicious script chains (JS \u2192 VBS \u2192 PowerShell), unusual creation of WindowsUpdate\u2011like folders in %APPDATA%, and RegSvcs.exe launching from atypical paths such as %TEMP%.<\/p>\n<p>Network controls should flag outbound connections following execution of scripting engines and newly spawned .NET processes, especially when preceded by access to storage.googleapis.com links.<\/p>\n<p>Finally, user awareness campaigns should emphasize that even links pointing to well\u2011known cloud providers can host phishing pages and malware, and any unexpected login prompts or script downloads from \u201cDrive documents\u201d should be treated with caution.<\/p>\n<\/div>\n","protected":false},
"excerpt":{"rendered":"<p>A recently observed phishing campaign is abusing Google Cloud Storage to deliver the Remcos remote access trojan (RAT), relying on trusted Google infrastructure and a signed Microsoft binary to evade conventional defenses. Attackers host a fake Google Drive login page on the legitimate domain storage.googleapis.com, making the URL appear trustworthy to both users [&hellip;]<\/p>\n","protected":false},
"author":2,"featured_media":13590,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[396,128,3183,81,261,1538,557,2041],"class_list":["post-13588","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-campaign","tag-deliver","tag-exploits","tag-google","tag-phishing","tag-rat","tag-remcos","tag-storage"],
"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/13588","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13588"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/13588\/revisions"}],"predecessor-version":[{"id":13589,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/13588\/revisions\/13589"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/13590"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}