Attackers Weaponize Google Cloud Storage to Deliver Remcos RAT Through Phishing Campaigns

Cybercriminals are increasingly leveraging Google Cloud Storage infrastructure to circumvent email and web content filters, deploying Remcos Remote Access Trojan via deceptive Google Drive-themed phishing operations. These sophisticated attacks combine social engineering with advanced fileless execution techniques to evade traditional security detection mechanisms.

Compromised links direct victims to Google Cloud Storage buckets—often named with innocuous identifiers like “com-bid” or “contract-bid-0″—displaying what appears to be a legitimate Google Drive document access request. The dual Google ownership of both sending and hosting infrastructure enables these messages to pass through DMARC, SPF, and DKIM authentication checks, allowing them to slip past legacy secure email gateways that rely on traditional domain reputation.

Security researchers at ANY.RUN recently uncovered this phishing operation, which hosts malicious HTML content on storage.googleapis.com, capitalizing on Google’s trusted cloud infrastructure to bypass both URL filtering and reputation-based security measures.

Sandbox analysis of a phishing attack (Source : ANY.RUN).
Sandbox analysis revealing the attack methodology (Source : ANY.RUN).

Upon clicking the deceptive link, victims encounter a credential harvesting page mimicking the Google Workspace interface, complete with authentic logos and file-type icons. These pages capture not just passwords but also one-time passcodes, establishing complete account access before advancing into the malware delivery phase.

Multi-Stage, Primarily Fileless Infection Chain

Following authentication, users are prompted to download a JavaScript file named Bid-Packet-INV-Document.js, disguised as a business bid packet or document. This script executes under Windows Script Host and employs time-based evasion techniques to postpone malicious activity and survive automated sandbox analysis.

The infection chain progresses through a Visual Basic Script (VBS) chain: an initial downloader retrieves a second VBS stage that deposits components into the %APPDATA%\WindowsUpdate folder while configuring startup persistence to maintain operation across system reboots.

A PowerShell script (e.g., DYHVQ.ps1) orchestrates the final payload execution by loading an obfuscated executable stored as a temporary .tmp file and simultaneously downloading a .NET loader from a text-hosting service. The loader executes directly in memory via Assembly Load, bypassing disk-based detection entirely.

This .NET loader exploits the digitally signed Microsoft binary RegSvcs.exe for process hollowing. By initiating the trusted process from %TEMP% and injecting the Remcos payload into its memory space, the attack achieves complete in-memory execution while maintaining the appearance of legitimate activity.

Remcos RAT detected in the sandbox analysis (Source : ANY.RUN).
Remcos RAT successfully identified through behavioral analysis (Source : ANY.RUN).

The result is a partially fileless Remcos instance running within a legitimate, clean-reputation process. This architectural design renders traditional static and file-hash-based Endpoint Detection and Response (EDR) rules largely ineffective, as the malicious code executes without persistent files on disk.

Once established, Remcos RAT initiates encrypted command-and-control communications and creates persistence entries under registry keys such as HKEY_CURRENT_USER\Software\Remcos-{ID}. This transforms a single compromised endpoint into a long-term operational base for ransomware deployment, lateral movement, and exfiltration of sensitive documents or customer records.

Why Traditional Defenses Fail Against This Attack

This campaign illustrates how attackers are strategically “borrowing” the trust of major cloud providers rather than relying on obviously malicious infrastructure. Google Storage buckets and signed Microsoft binaries both maintain strong reputation scores, meaning filters based on known-bad domains, file hashes, or static indicators often detect nothing suspicious.

When combined with sophisticated obfuscation, time-delayed execution, and in-memory payload loading, these techniques systematically break the fundamental security assumption that malicious traffic and binaries exhibit recognizable patterns.

According to ANY.RUN’s 2025 malware trends report, Remote Access Trojans and backdoors have shown significant increases in prevalence, with multi-stage, trusted-cloud phishing emerging as a primary delivery mechanism. This underscores why behavior-based detection has become a business continuity requirement rather than merely a technical optimization.

Effective defense requires analyzing what occurs after a link is clicked or a script executes—tracking process trees, registry modifications, and network beacons instead of relying solely on reputation scores.

Interactive sandboxing platforms like ANY.RUN’s cloud environment enable analysts to manually traverse the complete attack chain from phishing URL to Remcos command-and-control callback, overcoming time-delay and anti-automation mechanisms while exposing every stage of the kill chain.

MITRE ATT&CK matrix of the attack analyzed in the sandbox (Source : ANY.RUN).
MITRE ATT&CK matrix mapping the attack timeline (Source : ANY.RUN).

From this behavioral mapping, security teams can derive MITRE ATT&CK-mapped techniques, Sigma detection rules, and concrete indicators of compromise (IOCs) for implementation across SIEM systems, EDR platforms, and network security controls.

ANY.RUN’s Threat Intelligence Lookup and Threat Intelligence Feeds further extend defensive capabilities by correlating indicators such as C2 IPs, anomalous RegSvcs.exe behavior, and specific script signatures across a comprehensive community dataset. This surfacing of related Remcos activity enables Security Operations Centers to feed high-fidelity, malicious-only indicators directly into their incident response workflows.

As organizations continue to witness legitimate infrastructure being weaponized by threat actors, behavioral and intelligence-driven defense mechanisms remain essential for detecting and containing trust-abuse phishing campaigns before the next compromised bid document delivers a Remote Access Trojan into production environments.

Related Articles

Back to top button