April 17, 2026
By esentry Team

Trusted Cloud, Hidden Threat

What happens when attackers stop building shady websites and start hiding in plain sight?

Cybercriminals are now abusing Google Cloud Storage, one of the most trusted platforms on the internet, to bypass email security controls and silently deliver Remcos RAT, a powerful remote access trojan.

Instead of registering suspicious domains that trigger reputation‑based defenses, attackers are using storage.googleapis.com, a legitimate Google Cloud domain, to host phishing pages and malware delivery infrastructure.

The result?

  • Email filters are bypassed
  • Reputation checks pass
  • Web security tools stay quiet

This campaign highlights a growing reality: trusted cloud platforms can no longer be trusted by default.

How the Attack Starts

The campaign begins with phishing emails that link directly to pages hosted on Google Cloud Storage, typically under storage.googleapis.com.

These pages:

  • Closely mimic Google Drive login screens
  • Display familiar Google branding and icons
  • Advertise fake PDFs, Docs, Sheets, or Slides

Victims are instructed to “sign in to view a document”, unaware the page exists solely to harvest:

  • Email addresses
  • Passwords
  • One‑time passcodes (OTP)

Once credentials are captured, the attack escalates.

The Infection Entry Point

After the fake login step, victims are prompted to download a file named:

Bid-P-INV-Document.js

This JavaScript file is the true payload launcher, and the gateway into a multi‑stage malware infection chain.

Campaign Attribution & Hosting Abuse

Attackers hosted malicious pages on Google‑associated subdomains such as:

  • pa-bids
  • com-bid
  • contract-bid-0
  • out-bid

By “parking” their infrastructure inside Google’s ecosystem, attackers gained natural immunity from reputation-based email and web filtering systems, dramatically increasing success rates.

Multi-Stage Infection Chain

This attack is carefully layered to evade detection at every step.

JavaScript Execution

  • Runs via Windows Script Host
  • Uses time-delay logic to evade sandboxes with short execution windows

Visual Basic Script (VBS)

  • A hidden VBS stage is launched
  • Downloads and executes an additional VBS payload
  • Drops files into %APPDATA%\WindowsUpdate
  • Establishes persistence via Startup configuration

PowerShell Loader

  • Executes DYHVQ.ps1
  • Loads an obfuscated executable (ZIFDG.tmp)
  • Fetches an obfuscated .NET loader from Textbin, a public text‑hosting service

In-Memory Execution

  • The .NET loader is loaded directly into memory using Assembly.Load
  • Leaves no file artifacts on disk
  • Bypasses most signature‑based antivirus tools

Living-off-the-Land Injection

  • Abuses RegSvcs.exe, a Microsoft‑signed binary
  • Uses process hollowing to inject the final payload: Remcos RAT

Because RegSvcs.exe has a clean reputation on VirusTotal, this activity often appears benign without behavioral monitoring.

Final Payload: Remcos RAT

Once installed, Remcos RAT provides attackers with full, persistent control over the infected endpoint.

Capabilities include:

  • Keystroke logging
  • Credential theft from browsers and password managers
  • Screenshot capture
  • Webcam and microphone access
  • Clipboard monitoring
  • Remote file transfer and command execution

Persistence is established via:

HKEY_CURRENT_USER\Software\Remcos-{ID}

A single infected system can rapidly become a launchpad for ransomware, data exfiltration, and lateral movement across enterprise networks.

Why This Threat Is Especially Dangerous

This campaign creates a dual-risk scenario:

  • Immediate credential compromise (Google accounts, corporate identities)
  • Long-term covert surveillance through remote access malware

That combination allows attackers not only to access accounts, but to quietly observe and expand their presence inside the environment over time.

Recommended Actions:

  • Treat storage.googleapis.com links with the same scrutiny as unknown domains
  • Deploy behavior-based endpoint detection rather than relying on signatures alone
  • Monitor for:
      • JavaScript → VBS → PowerShell execution chains
      • Abuse of RegSvcs.exe or other signed LOLBins
  • Train users, especially those in finance, procurement, and executive roles, to recognize cloud-storage phishing lures
  • Never run JavaScript or script files directly on production systems
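As an added example that is not part of the original post, the Python below walks constructed process-creation events (Sysmon Event ID 1 style) and flags the two behaviours listed under "Monitor for": the JavaScript → VBS → PowerShell ancestry chain from the infection chain section, and RegSvcs.exe spawned by PowerShell. The PIDs, the user profile path and the stage2.vbs file name are assumptions; Bid-P-INV-Document.js, %APPDATA%\WindowsUpdate, DYHVQ.ps1 and RegSvcs.exe come from the post.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SIGNED_LOLBINS = {"regsvcs.exe", "regasm.exe"}  # RegSvcs.exe is the one abused in this campaign

def stage_of(ev):
    """Map a process-creation event to a stage of the chain described above, or None."""
    name, cmd = ntpath.basename(ev["image"]).lower(), ev["cmd"].lower()
    if name in SCRIPT_HOSTS:  # which script the host was given decides JS vs VBS
        return "js" if re.search(r"\.js\b", cmd) else "vbs" if re.search(r"\.vbs\b", cmd) else None
    return "ps" if name in POWERSHELL else "lolbin" if name in SIGNED_LOLBINS else None

def ancestry(by_pid, pid):
    """Events from the root ancestor down to pid; the seen-set guards against PID reuse cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def is_subsequence(needle, haystack):
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)

def detect(events):
    """Return (pid, reason) alerts for the two behaviours the post says to monitor."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        stage, parent = stage_of(ev), by_pid.get(ev["ppid"])
        if stage == "lolbin" and parent and stage_of(parent) == "ps":
            alerts.append((ev["pid"], "signed LOLBin spawned by PowerShell"))
        if stage == "ps":
            stages = [s for s in map(stage_of, ancestry(by_pid, ev["pid"])) if s]
            if is_subsequence(["js", "vbs", "ps"], stages):
                alerts.append((ev["pid"], "JavaScript -> VBS -> PowerShell chain"))
    return alerts

# Constructed sample events in Sysmon Event ID 1 style; PIDs and the user profile path are hypothetical.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmd": r'wscript.exe "C:\Users\u\Downloads\Bid-P-INV-Document.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe", "cmd": r"wscript.exe C:\Users\u\AppData\Roaming\WindowsUpdate\stage2.vbs"},
    {"pid": 400, "ppid": 300, "image": PS, "cmd": r"powershell.exe -File C:\Users\u\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "cmd": "RegSvcs.exe"},
    {"pid": 700, "ppid": 600, "image": PS, "cmd": "powershell.exe Get-Process"},  # benign: no script-host ancestry
]
```

Running `detect(EVENTS)` yields one alert for the PowerShell process whose ancestry is JS → VBS and one for the RegSvcs.exe child of that PowerShell, while the stand-alone admin PowerShell is not flagged.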

Trust the signal, not the platform. And assume every cloud‑hosted link can be hostile.