{
	"id": "a4227c13-81e3-47c7-a2fc-a021cc149aa3",
	"created_at": "2026-04-23T02:54:04.587919Z",
	"updated_at": "2026-04-25T02:19:27.319093Z",
	"deleted_at": null,
	"sha1_hash": "1914d07949e371f5649f869e11154120e5b36d33",
	"title": "When Trust Becomes a Weapon: Google Cloud Storage Phishing Deploying Remcos RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90418,
	"plain_text": "When Trust Becomes a Weapon: Google Cloud Storage Phishing\r\nDeploying Remcos RAT\r\nBy ANY.RUN\r\nPublished: 2026-04-14 · Archived: 2026-04-23 02:44:49 UTC\r\nModern phishing campaigns increasingly abuse legitimate services. Cloud platforms, file-sharing tools, trusted\r\ndomains, and widely used SaaS applications are now part of the attacker’s toolkit. Instead of breaking trust,\r\nattackers borrow it. \r\nThis shift creates a dangerous asymmetry. Security controls often whitelist or inherently trust these services, while\r\nusers are far less likely to question them. The result is a smoother path from inbox to infection. \r\nKey Takeaways \r\nAttackers are shifting to trusted cloud infrastructure (Google Storage) to bypass email filters and reputation\r\nchecks. \r\nThe multi-stage chain uses obfuscated JS/VBS/PowerShell and legitimate RegSvcs.exe for process\r\ninjection, making static detection ineffective. \r\nRemcos RAT provides full remote control, keylogging, and data exfiltration — turning one compromised\r\nendpoint into a persistent foothold. \r\nCredential harvesting combined with malware delivery creates dual risk: immediate data theft plus long-term network compromise. \r\nTraditional EDR relying on file reputation misses these attacks; behavioral sandboxing and real-time TI\r\nare required. \r\nANY.RUN’s Interactive Sandbox, TI Lookup, and TI Feeds enable proactive detection and rapid response,\r\nclosing the gap before damage occurs. \r\n \r\nThe New Face of Phishing: When “Legitimate” Becomes Lethal \r\nAccording to ANY.RUN’s annual Malware Trends Report for 2025, phishing driven by multi-stage redirect chains\r\nand trusted-cloud hosting has become the dominant attack vector, with RATs and backdoors rising 28%\r\nand 68% respectively. The abuse of legitimate platforms has made traditional reputation-based filtering\r\nfundamentally unreliable. \r\nEarly detection is no longer simply a technical performance metric. 
It is a business continuity imperative. When\r\nthreats hide inside trusted infrastructure, the window between initial infection and serious organizational impact\r\nhttps://any.run/cybersecurity-blog/phishing-google-drive-remcos/\r\nPage 1 of 10\n\ncan be measured in hours, not days. Security teams that cannot identify and contain an attack in its earliest stages\r\n— before the payload executes, before the C2 channel is established, before the attacker pivots deeper into the\r\nnetwork — face an exponentially harder response challenge. \r\nPhishing Campaign Hiding Remcos RAT Inside Google Cloud Storage \r\nIn April 2026, ANY.RUN’s threat research team identified a sophisticated multi-stage phishing campaign that\r\nperfectly exemplifies this new breed of attack. The campaign abuses Google Cloud Storage to host HTML\r\nphishing pages themed as Google Drive document viewers, ultimately delivering the Remcos Remote Access\r\nTrojan (RAT). \r\nView the attack in real time in a live sandbox session \r\nSandbox analysis of a phishing attack \r\nThe attackers parked their phishing pages on a legitimate, widely-trusted Google domain. This single architectural\r\nchoice allowed the campaign to bypass a wide range of conventional email security gateways and web filtering\r\ntools.\r\n Convincing Google Drive-themed phishing pages are hosted on storage.googleapis.com subdomains such as pa-bids, com-bid, contract-bid-0, in-bids, and out-bid. Examples include URLs\r\nlike hxxps://storage[.]googleapis[.]com/com-bid/GoogleDrive.html. These pages mimic legitimate Google\r\nWorkspace sign-in flows, complete with branded logos, file-type icons (PDF, DOC, SHEET, SLIDE), and prompts\r\nto “Sign in to view document in Google Drive.”\r\n The pages are crafted to harvest full account credentials: email address, password, and one-time passcode. But the\r\ncredential theft is just the opening act. 
After a “successful login,” the page prompts the download of a file named\r\nBid-Packet-INV-Document.js, which serves as the entry point for the malware delivery chain.\r\nAttack Chain \r\nThe delivery chain is deliberately complex and layered to evade detection at every stage: \r\n1. Phishing Email Delivery. Because the sending domain and the linked domain are both associated with\r\nlegitimate Google infrastructure, the email passes standard DMARC, SPF, and DKIM authentication checks, and\r\nis not flagged by reputation-based email filters. \r\n2. Fake Google Drive Login Page. The googleapis.com link opens a convincing replica of the Google Drive\r\ninterface, prompting the victim to authenticate with their email address, password, and one-time passcode.\r\nCredentials entered here are captured and exfiltrated to the attacker’s command-and-control infrastructure. \r\n3. Malicious JavaScript Download. The victim is prompted to download Bid-Packet-INV-Document.js,\r\npresented as a business document. When executed under Windows Script Host, this JavaScript file contains time-based evasion logic — it can delay execution to avoid sandbox detection environments that analyze behavior\r\nwithin a fixed time window. \r\n4. VBS Chain and Persistence. The JavaScript launches a first VBS stage, which downloads and silently\r\nexecutes a second VBS file. This second stage drops components into %APPDATA%\\WindowsUpdate (folder\r\nname chosen to blend in with legitimate Windows processes) and configures Startup persistence, ensuring the\r\nmalware survives system reboots. \r\nMalicious script activity captured by the sandbox \r\n5. PowerShell Orchestration. 
A PowerShell script (DYHVQ.ps1) then orchestrates the loading of an obfuscated\r\nportable executable stored as ZIFDG.tmp, which contains the Remcos RAT payload. To remain stealthy, the chain\r\nsimultaneously fetches an additional obfuscated .NET loader from Textbin, a text-hosting service, loading it\r\ndirectly in memory via Assembly.Load, leaving no file on disk for traditional antivirus engines to scan. \r\n6. Process Hollowing via RegSvcs.exe. The .NET loader abuses RegSvcs.exe for process hollowing. Because\r\nRegSvcs.exe is signed by Microsoft and carries a clean reputation on VirusTotal, its execution appears benign in\r\nendpoint logs. The loader creates or starts RegSvcs.exe from %TEMP%, hollowing the process and injecting\r\nthe Remcos payload into its memory space. The result is a partially fileless Remcos instance: most of the\r\nmalicious logic executes entirely in memory, never touching the disk in a form that a signature-based scanner\r\nwould recognize. \r\nRemcos RAT detected in the sandbox analysis\r\n7. C2 Establishment. Remcos establishes an encrypted communication channel back to the attacker’s command-and-control server and writes persistence entries into the Windows Registry under\r\nHKEY_CURRENT_USER\\Software\\Remcos-{ID}, ensuring continued access across reboots. From this point,\r\nthe attacker has full, persistent, covert control over the compromised endpoint.  \r\nANY.RUN’s sandbox analysis clearly visualizes this chain: wscript.exe spawns multiple VBS and JS scripts,\r\ncmd.exe and powershell.exe handle staging, and RegSvcs.exe is flagged for Remcos behavior. The entire process\r\ntree demonstrates how attackers chain living-off-the-land binaries (LOLBins) with obfuscation and in-memory\r\nexecution. 
\r\nWhy This Attack Works — and Why Remcos Makes It So Dangerous \r\nThe attack succeeds because it weaponizes trust at every layer. Google Storage provides reputation immunity.\r\nRegSvcs.exe is a signed Microsoft binary used for .NET service installation: its clean hash means endpoint\r\nprotection rarely flags it. Combined with heavy obfuscation, time-based evasion, and fileless techniques, the\r\ncampaign slips past static analysis and many EDR rules that rely on file reputation or known malicious domains. \r\nAt the heart of the final payload is Remcos RAT — a commercially available Remote Access Trojan that has\r\nbecome a favorite among cybercriminals due to its affordability, ease of use, and powerful feature set. It grants\r\nattackers full remote control over the compromised system. Capabilities include keylogging, credential harvesting\r\nfrom browsers and password managers, screenshot capture, file upload/download, remote command execution,\r\nmicrophone and webcam access, and clipboard monitoring. It supports persistence mechanisms, anti-analysis\r\ntricks, and encrypted C2 communication. \r\nThe dangers of Remcos extend far beyond initial access. It serves as a beachhead for further attacks: ransomware\r\ndeployment, lateral movement across the corporate network, data exfiltration of intellectual property or customer\r\nrecords, and even supply-chain compromise if the infected machine belongs to a vendor. Because it runs in\r\nmemory inside a trusted process, it can remain undetected for weeks or months, silently harvesting sensitive data. \r\nWhy This Matters for Businesses \r\nEnterprises face amplified risk because these campaigns target high-value users (executives, finance teams, and\r\nprocurement staff) who routinely handle sensitive documents and have elevated privileges. 
A single successful\r\ninfection can lead to: \r\nData Breaches and Regulatory Fines: Stolen credentials and exfiltrated files can trigger GDPR, CCPA,\r\nor industry-specific compliance violations costing millions. \r\nFinancial Losses: Direct wire fraud from compromised email accounts or indirect losses from\r\nransomware. \r\nOperational Disruption: Lateral movement can encrypt servers or exfiltrate intellectual property,\r\nhalting production or R\u0026D. \r\nReputation Damage: Clients and partners lose trust when a breach is publicly disclosed. \r\nSupply-Chain Ripple Effects: If a vendor’s system is compromised via this vector, attackers can pivot\r\ninto larger organizations. \r\nIn attacks that exploit legitimate services, the Mean Time to Detect (MTTD) for conventional security tools is\r\ndramatically extended. When the initial link is clean, the host domain is trusted, and the payload runs inside a\r\nlegitimate Microsoft process, the alert chain that SOC teams depend on generates few or no signals. The\r\nattacker operates in silence while gathering intelligence, escalating privileges, and expanding their foothold. \r\nEnabling Proactive Protection Against Trust-Abuse Phishing \r\nDefending against phishing campaigns that abuse legitimate services requires a security capability that operates at\r\nthe behavioral level — one that can observe what happens after a link is clicked or a file is opened, not just assess\r\nwhether a URL or hash matches a known-bad list. ANY.RUN’s Enterprise Suite is built precisely for this purpose,\r\nand its three core modules address the threat at complementary stages of the detection and response lifecycle. 
\r\nTriage \u0026 Response: See the Full Kill Chain Before It Reaches Production \r\nThe foundation of ANY.RUN’s detection capability is its Interactive Sandbox: a cloud-based, fully interactive\r\nanalysis environment that allows security analysts to safely detonate suspicious files and URLs in real time.\r\nUnlike automated sandboxes that analyze behavior passively within a fixed time window, ANY.RUN’s sandbox\r\nsupports genuine human interaction: analysts can click, type, scroll, and navigate within the isolated virtual\r\nmachine, triggering behavior that might be blocked by time-delay evasion or anti-automation logic. \r\nIn the Google Cloud Storage / Remcos campaign, this capability is decisive. The malicious JavaScript embedded\r\ntime-based evasion logic is a mechanism designed specifically to defeat automated sandbox analysis. An\r\ninteractive sandbox can wait out that delay, manually trigger the next stage, and observe the complete execution\r\nchain from the initial JS download through the VBS stages, the PowerShell orchestration, the process hollowing\r\nvia RegSvcs.exe, and the final Remcos C2 callback. \r\nThe result is not just a verdict but a full behavioral map: every process spawned, every network\r\nconnection initiated, every registry key written, every file dropped. This map translates directly into actionable\r\ndetection logic — MITRE ATT\u0026CK-mapped TTPs, Sigma rules that can be deployed to SIEM and EDR\r\nplatforms, and concrete IOCs that can be operationalized across the security stack. \r\nMITRE ATT\u0026CK matrix of the attack analyzed in the sandbox\r\nFor SOC teams, this means the difference between seeing an alert that says ‘suspicious JavaScript file’ and\r\nunderstanding the complete threat: this is Remcos RAT, delivered via process hollowing, with these C2 addresses,\r\nusing these persistence mechanisms, and these are the detection rules that will catch the next variant. 
\r\nThreat Hunting: Enrich, Pivot, and Hunt Proactively \r\nANY.RUN’s Threat Intelligence Lookup is a searchable, continuously updated database of threat intelligence\r\ndrawn from real-time malware analysis conducted by a community of over 600,000 cybersecurity professionals\r\nand 15,000 organizations worldwide. It functions as a force multiplier for threat hunting and incident response,\r\nproviding instant enrichment for any indicator — IP address, domain, file hash, URL, or behavioral signature. \r\nIn the context of the Google Cloud Storage / Remcos campaign, Threat Intelligence Lookup enables analysts to\r\nmove rapidly from a single observed indicator to a comprehensive understanding of the campaign’s scope. A C2\r\nIP address flagged by sandbox analysis can be pivoted to reveal all associated Remcos samples in the database, the\r\ninfrastructure pattern used across the campaign, related file hashes, and behavioral indicators that might be present\r\nin other systems. \r\ndestinationIP:”198.187.29.19″ \r\nDomain associated with Google Cloud Storage/Remcos campaign in TI Lookup \r\nThis pivoting capability is particularly valuable for detecting multi-stage attacks where the initial indicators are\r\nclean (a googleapis.com URL, a signed Microsoft binary) but later-stage indicators — C2 domains, specific\r\nPowerShell script signatures, anomalous RegSvcs.exe activity — can be correlated against historical data to\r\nconfirm campaign attribution and expand detection coverage. \r\nFor threat hunters, Threat Intelligence Lookup supports proactive campaign identification before an organization\r\nis impacted. YARA-based searches, combined with industry and geography filters, allow security teams to identify\r\nwhether active campaigns are targeting their specific sector and region and to build detection rules based on real-world attacker behavior rather than theoretical models. 
\r\nMonitoring: Automated, Continuous, Real-World Coverage \r\nANY.RUN’s Threat Intelligence Feeds deliver a continuous stream of fresh, verified malicious indicators directly\r\ninto an organization’s security infrastructure — SIEM, SOAR, TIP, XDR — via STIX/TAXII and\r\nAPI/SDK integrations. These feeds are generated from live sandbox analysis across the ANY.RUN community,\r\nmeaning they reflect actual attacker behavior observed in real-world campaigns, not synthetic or retrospectively\r\ncompiled threat data. \r\nTI Feeds benefits and integrations\r\nA critical differentiator is the uniqueness rate: ANY.RUN reports that 99% of indicators in its feeds are unique to\r\nthe platform, not duplicated from public threat intel sources. The feeds also dramatically reduce Tier 1 analyst\r\nworkload by providing malicious-only alerts with full behavioral context, cutting through the alert fatigue that\r\nplagues security operations teams dealing with high volumes of false positives from tools that cannot distinguish\r\nbetween legitimate googleapis.com traffic and the specific pattern of googleapis.com traffic used in this\r\ncampaign. \r\nConclusion \r\nThe Google Storage phishing campaign delivering Remcos RAT is a wake-up call. As attackers continue to abuse\r\ntrusted cloud services and legitimate binaries, organizations can no longer rely on reputation or signatures alone.\r\nEarly detection through behavioral analysis and proactive threat intelligence is no longer optional — it is essential\r\nfor survival. \r\nBy leveraging ANY.RUN’s Enterprise Suite, security leaders can stay ahead of these evolving threats, protect\r\ncritical assets, and maintain business continuity in an increasingly hostile digital landscape. The time to strengthen\r\ndefenses is now — before the next bid document lands in your inbox. 
\r\nAbout ANY.RUN  \r\nANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security\r\nteams investigate threats faster and with greater clarity across modern enterprise environments.  \r\nIt allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox,\r\nenrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure\r\nusing Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate\r\ntriage, and limit unnecessary escalations across the SOC.  \r\nANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance\r\nexpectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data\r\nand maintaining strong security controls. \r\nFAQ\r\nWhat makes this Google Storage phishing campaign different from traditional attacks?\r\nIt hosts the phishing page on legitimate storage.googleapis.com domains instead of suspicious new sites,\r\nbypassing URL reputation filters entirely.\r\nHow does the attack ultimately deliver Remcos RAT?\r\nThrough a layered chain of JS, VBS, PowerShell, and in-memory loading that culminates in process hollowing of\r\nthe trusted RegSvcs.exe binary.\r\nWhy is RegSvcs.exe particularly dangerous in this context?\r\nIt is a signed Microsoft .NET binary with a clean VirusTotal reputation, allowing attackers to inject the Remcos\r\npayload without triggering file-based alerts.\r\nWhat capabilities does Remcos RAT provide to attackers?\r\nFull remote access, keylogging, credential theft, file exfiltration, screenshot capture, and persistence — all while\r\nrunning inside legitimate processes.\r\nHow can ANY.RUN’s sandbox help my team detect similar threats?\r\nIt detonates suspicious files/URLs in a safe 
environment, reveals the complete behavioral chain, and provides\r\nIOCs and process trees for immediate response.\r\nWhat should businesses do immediately to protect against these attacks?\r\nEnable behavioral analysis tools, integrate real-time threat intelligence feeds, train staff on cloud-storage lures,\r\nand test suspicious links in an interactive sandbox before opening.\r\nSource: https://any.run/cybersecurity-blog/phishing-google-drive-remcos/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/cybersecurity-blog/phishing-google-drive-remcos/"
	],
	"report_names": [
		"phishing-google-drive-remcos"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-25T02:00:04.06489Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-25T02:00:03.524088Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-25T02:00:04.729218Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1776912844,
	"ts_updated_at": 1777083567,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1914d07949e371f5649f869e11154120e5b36d33.pdf",
		"text": "https://archive.orkl.eu/1914d07949e371f5649f869e11154120e5b36d33.txt",
		"img": "https://archive.orkl.eu/1914d07949e371f5649f869e11154120e5b36d33.jpg"
	}
}