- \n
- Attackers are shifting to trusted cloud infrastructure (Google Storage) to bypass email filters and reputation checks. <\/li>\n<\/ul>\n\n\n\n
- \n
- The multi-stage chain uses obfuscated JS\/VBS\/PowerShell and legitimate RegSvcs.exe for process injection, making static detection ineffective. <\/li>\n<\/ul>\n\n\n\n
- \n
- Remcos RAT provides full remote control, keylogging, and data exfiltration \u2014 turning one compromised endpoint into a persistent foothold. <\/li>\n<\/ul>\n\n\n\n
- \n
- Credential harvesting combined with malware delivery creates dual risk: immediate data theft plus long-term network compromise. <\/li>\n<\/ul>\n\n\n\n
- \n
- Traditional EDR relying on file reputation misses these attacks; behavioral sandboxing and real-time TI are required. <\/li>\n<\/ul>\n\n\n\n
- \n
- ANY.RUN\u2019s Interactive Sandbox, TI Lookup, and TI Feeds<\/a> enable proactive detection and rapid response, closing the gap before damage occurs.
<\/li>\n<\/ul>\n\n\n\nThe New Face of Phishing: When \u201cLegitimate\u201d Becomes Lethal <\/h2>\n\n\n\n
According to ANY.RUN’s annual Malware Trends Report<\/a> for 2025, phishing driven by multi-stage redirect chains and trusted-cloud hosting has become the dominant attack vector, with RATs<\/a> and backdoors rising 28% and 68% respectively. The abuse of legitimate platforms has made traditional reputation-based filtering fundamentally unreliable. <\/p>\n\n\n\n
Early detection is no longer simply a technical performance metric. It is a business continuity imperative. When threats hide inside trusted infrastructure, the window between initial infection and serious organizational impact can be measured in hours, not days. Security teams that cannot identify and contain an attack in its earliest stages \u2014 before the payload executes, before the C2 channel is established, before the attacker pivots deeper into the network \u2014 face an exponentially harder response challenge. <\/p>\n\n\n\n
Phishing Campaign Hiding Remcos RAT Inside Google Cloud Storage <\/h2>\n\n\n\n
In April 2026, ANY.RUN\u2019s threat research team identified a sophisticated multi-stage phishing campaign that perfectly exemplifies this new breed of attack. The campaign abuses Google Cloud Storage to host HTML phishing pages themed as Google Drive document viewers, ultimately delivering the Remcos Remote Access Trojan (RAT). <\/p>\n\n\n\n
View the attack in real time in a live sandbox session<\/a> <\/p>\n\n\n\n
![\"\"](\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/googleremcos_2-1024x486.png\")
Sandbox analysis of a phishing attack<\/em> <\/figcaption><\/figure>\n\n\n\n The attackers parked their phishing pages on a legitimate, widely-trusted Google domain. This single architectural choice allowed the campaign to bypass a wide range of conventional email security gateways and web filtering tools.
Convincing Google Drive-themed phishing pages are hosted on storage.googleapis.com subdomains such as pa-bids, com-bid, contract-bid-0, in-bids, and out-bid. Examples include URLs like hxxps:\/\/storage[.]googleapis[.]com\/com-bid\/GoogleDrive.html. These pages mimic legitimate Google Workspace sign-in flows, complete with branded logos, file-type icons (PDF, DOC, SHEET, SLIDE), and prompts to \u201cSign in to view document in Google Drive<\/em>.\u201d
The pages are crafted to harvest full account credentials: email address, password, and one-time passcode. But the credential theft is just the opening act. After a \u201csuccessful login,\u201d the page prompts the download of a file named Bid-Packet-INV-Document.js, which serves as the entry point for the malware delivery chain. <\/p>\n\n\n\nAttack Chain <\/h3>\n\n\n\n
The delivery chain is deliberately complex and layered to evade detection at every stage: <\/p>\n\n\n\n
1. Phishing Email Delivery<\/strong>. Because the sending domain and the linked domain are both associated with legitimate Google infrastructure, the email passes standard DMARC, SPF, and DKIM authentication checks, and is not flagged by reputation-based email filters. <\/p>\n\n\n\n
2. Fake Google Drive Login Page<\/strong>. The googleapis.com link opens a convincing replica of the Google Drive interface, prompting the victim to authenticate with their email address, password, and one-time passcode. Credentials entered here are captured and exfiltrated to the attacker’s command-and-control infrastructure. <\/p>\n\n\n\n
3. Malicious JavaScript Download<\/strong>. The victim is prompted to download Bid-Packet-INV-Document.js, presented as a business document. When executed under Windows Script Host, this JavaScript file contains time-based evasion logic \u2014 it can delay execution to avoid sandbox detection environments that analyze behavior within a fixed time window. <\/p>\n\n\n\n
4. VBS Chain and Persistence<\/strong>. The JavaScript launches a first VBS stage, which downloads and silently executes a second VBS file. This second stage drops components into %APPDATA%\\WindowsUpdate (folder name chosen to blend in with legitimate Windows processes) and configures Startup persistence, ensuring the malware survives system reboots. <\/p>\n\n\n\n
![\"\"](\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/googleremcos_3.png\")
Malicious script activity captured by the sandbox<\/em> <\/figcaption><\/figure>\n\n\n\n 5. PowerShell Orchestration<\/strong>. A PowerShell script (DYHVQ.ps1) then orchestrates the loading of an obfuscated portable executable stored as ZIFDG.tmp, which contains the Remcos RAT payload. To remain stealthy, the chain simultaneously fetches an additional obfuscated .NET loader from Textbin, a text-hosting service, loading it directly in memory via Assembly.Load, leaving no file on disk for traditional antivirus engines to scan. <\/p>\n\n\n\n
6. Process Hollowing via RegSvcs.exe<\/strong>. The .NET loader abuses RegSvcs.exe for process hollowing. Because RegSvcs.exe is signed by Microsoft and carries a clean reputation on VirusTotal, its execution appears benign in endpoint logs. The loader creates or starts RegSvcs.exe from %TEMP%, hollowing the process and injecting the Remcos payload into its memory space. The result is a partially fileless Remcos instance: most of the malicious logic executes entirely in memory, never touching the disk in a form that a signature-based scanner would recognize. <\/p>\n\n\n\n
![\"\"](\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/googleremcos_4.png\")
Remcos RAT detected in the sandbox analysis<\/em><\/figcaption><\/figure>\n\n\n\n 7. C2 Establishment<\/strong>. Remcos establishes an encrypted communication channel back to the attacker’s command-and-control server and writes persistence entries into the Windows Registry under HKEY_CURRENT_USER\\Software\\Remcos-{ID}, ensuring continued access across reboots. From this point, the attacker has full, persistent, covert control over the compromised endpoint. <\/p>\n\n\n\n
ANY.RUN\u2019s sandbox<\/a> analysis clearly visualizes this chain: wscript.exe spawns multiple VBS and JS scripts, cmd.exe and powershell.exe handle staging, and RegSvcs.exe is flagged for Remcos behavior. The entire process tree demonstrates how attackers chain living-off-the-land binaries (LOLBins) with obfuscation and in-memory execution. <\/p>\n\n\n\n
Why This Attack Works \u2014 and Why Remcos Makes It So Dangerous <\/h2>\n\n\n\n
The attack succeeds because it weaponizes trust at every layer. Google Storage provides reputation immunity. RegSvcs.exe is a signed Microsoft binary used for .NET service installation: its clean hash means endpoint protection rarely flags it. Combined with heavy obfuscation, time-based evasion, and fileless techniques, the campaign slips past static analysis and many EDR rules that rely on file reputation or known malicious domains. <\/p>\n\n\n\n
At the heart of the final payload is Remcos RAT<\/a> \u2014 a commercially available Remote Access Trojan that has become a favorite among cybercriminals due to its affordability, ease of use, and powerful feature set. It grants attackers full remote control over the compromised system. Capabilities include keylogging, credential harvesting from browsers and password managers, screenshot capture, file upload\/download, remote command execution, microphone and webcam access, and clipboard monitoring. It supports persistence mechanisms, anti-analysis tricks, and encrypted C2 communication. <\/p>\n\n\n\n
The dangers of Remcos extend far beyond initial access. It serves as a beachhead for further attacks: ransomware deployment, lateral movement across the corporate network, data exfiltration of intellectual property or customer records, and even supply-chain compromise if the infected machine belongs to a vendor. Because it runs in memory inside a trusted process, it can remain undetected for weeks or months, silently harvesting sensitive data. <\/p>\n\n\n\n
Why This Matters for Businesses <\/h2>\n\n\n\n
Enterprises face amplified risk because these campaigns target high-value users (executives, finance teams, and procurement staff) who routinely handle sensitive documents and have elevated privileges. A single successful infection can lead to: <\/p>\n\n\n\n
- \n
- Data Breaches and Regulatory Fines<\/strong>: Stolen credentials and exfiltrated files can trigger GDPR, CCPA, or industry-specific compliance violations costing millions. <\/li>\n<\/ul>\n\n\n\n
- \n
- Financial Losses<\/strong>: Direct wire fraud from compromised email accounts or indirect losses from ransomware. <\/li>\n<\/ul>\n\n\n\n
- \n
- Operational Disruption<\/strong>: Lateral movement can encrypt servers or exfiltrate intellectual property, halting production or R&D. <\/li>\n<\/ul>\n\n\n\n
- \n
- Reputation Damage<\/strong>: Clients and partners lose trust when a breach is publicly disclosed. <\/li>\n<\/ul>\n\n\n\n
- \n
- Supply-Chain Ripple Effects<\/strong>: If a vendor\u2019s system is compromised via this vector, attackers can pivot into larger organizations. <\/li>\n<\/ul>\n\n\n\n
In attacks that exploit legitimate services, the Mean Time to Detect (MTTD<\/a>) for conventional security tools is dramatically extended. When the initial link is clean, the host domain is trusted, and the payload runs inside a legitimate Microsoft process, the alert chain that SOC teams<\/a> depend on generates few or no signals. The attacker operates in silence while gathering intelligence, escalating privileges, and expanding their foothold. <\/p>\n\n\n\n
Enabling Proactive Protection Against Trust-Abuse Phishing <\/h2>\n\n\n\n
Defending against phishing campaigns that abuse legitimate services requires a security capability that operates at the behavioral level \u2014 one that can observe what happens after a link is clicked or a file is opened, not just assess whether a URL or hash matches a known-bad list. ANY.RUN’s Enterprise Suite<\/a> is built precisely for this purpose, and its three core modules address the threat at complementary stages of the detection and response lifecycle. <\/p>\n\n\n\n
Triage & Response: See the Full Kill Chain Before It Reaches Production <\/h3>\n\n\n\n
- Supply-Chain Ripple Effects<\/strong>: If a vendor\u2019s system is compromised via this vector, attackers can pivot into larger organizations. <\/li>\n<\/ul>\n\n\n\n
- Reputation Damage<\/strong>: Clients and partners lose trust when a breach is publicly disclosed. <\/li>\n<\/ul>\n\n\n\n
- Operational Disruption<\/strong>: Lateral movement can encrypt servers or exfiltrate intellectual property, halting production or R&D. <\/li>\n<\/ul>\n\n\n\n
- Financial Losses<\/strong>: Direct wire fraud from compromised email accounts or indirect losses from ransomware. <\/li>\n<\/ul>\n\n\n\n
- Data Breaches and Regulatory Fines<\/strong>: Stolen credentials and exfiltrated files can trigger GDPR, CCPA, or industry-specific compliance violations costing millions. <\/li>\n<\/ul>\n\n\n\n
- ANY.RUN\u2019s Interactive Sandbox, TI Lookup, and TI Feeds<\/a> enable proactive detection and rapid response, closing the gap before damage occurs.
- Traditional EDR relying on file reputation misses these attacks; behavioral sandboxing and real-time TI are required. <\/li>\n<\/ul>\n\n\n\n
- Credential harvesting combined with malware delivery creates dual risk: immediate data theft plus long-term network compromise. <\/li>\n<\/ul>\n\n\n\n
- Remcos RAT provides full remote control, keylogging, and data exfiltration \u2014 turning one compromised endpoint into a persistent foothold. <\/li>\n<\/ul>\n\n\n\n
- The multi-stage chain uses obfuscated JS\/VBS\/PowerShell and legitimate RegSvcs.exe for process injection, making static detection ineffective. <\/li>\n<\/ul>\n\n\n\n