
Hackers Using Google Cloud Storage to Bypass Email Filters and Deliver Remcos RAT

Source: Cyber Security News, published Apr 15, 2026

Cybercriminals are always looking for smarter ways to bypass security, and their latest method is both simple and effective. Instead of registering suspicious new domains, attackers now use Google Cloud Storage, a widely trusted platform, to host phishing pages that deliver malware. Because the link points at a Google-owned domain, it passes email filters, domain-reputation checks, and traditional web security tools that judge a URL by its registered domain rather than by who controls the storage bucket behind it.

The campaign starts with phishing emails linking to pages hosted on storage.googleapis.com, a legitimate Google domain. These pages mimic Google Drive login screens with branded logos and file icons for PDF, DOC, SHEET, and SLIDE documents. Victims are prompted to sign in to "view a document in Google Drive," unaware that the page is built to harvest their email address, password, and one-time passcode. Capturing the OTP together with the password is what lets the operators complete a login in real time against accounts protected by SMS or authenticator-app codes; only phishing-resistant factors such as FIDO2 security keys or passkeys, which are bound to the genuine origin, hold up against a page like this. After the fake login, the victim is tricked into downloading a JavaScript file named Bid-P-INV-Document.js, the entry point of the entire infection chain.

According to ANY.RUN's annual Malware Trends Report for 2025, phishing campaigns using trusted cloud hosting have become the dominant attack vector, with remote access trojans rising 28% and backdoors surging 68% year over year.

In April 2026, ANY.RUN's threat research team identified this specific campaign, noting that the attackers hosted their pages in storage.googleapis.com buckets named pa-bids, com-bid, contract-bid-0, and out-bid. Google Cloud Storage exposes a bucket either as a subdomain (bucket.storage.googleapis.com) or as the first path segment under storage.googleapis.com, so a filter that only inspects the registered domain sees googleapis.com in both forms. Parking on Google's own infrastructure was a calculated move, one that gave the campaign natural immunity from reputation-based email and web security filters.

The final payload in this campaign is Remcos RAT, a commercially sold remote access trojan that gives attackers full and persistent control over a compromised machine.
Once installed, Remcos logs keystrokes, steals credentials from browsers and password managers, captures screenshots, accesses the microphone and webcam, monitors clipboard content, and transfers files remotely. It keeps its configuration in the Windows Registry under HKEY_CURRENT_USER\Software\Remcos-{ID}, where {ID} is the build's identifier, and registers persistence so it survives reboots. A single infected endpoint can quickly become a launchpad for ransomware, data theft, and lateral movement across corporate networks.

What makes this threat particularly dangerous is the dual risk it creates. Victims do not just lose their Google account credentials; they also end up with a surveillance tool running silently on their machine. Credential theft combined with remote access gives attackers immediate entry into accounts and long-term visibility inside the compromised environment, turning a single phishing click into a serious security incident.

Multi-Stage Infection Mechanism

The infection chain behind this campaign is layered and carefully built to evade detection at every stage.

[Figure: Sandbox analysis of a phishing attack (Source: Any.Run)]

After the victim runs the JavaScript file under Windows Script Host (wscript.exe), time-based evasion logic delays its execution, a trick designed to defeat automated sandboxes that only analyze behavior within a fixed time window. The script then silently launches a Visual Basic Script stage, which fetches and runs a second VBS file. That stage drops files into %APPDATA%\WindowsUpdate and configures Startup persistence to survive reboots. A PowerShell script named DYHVQ.ps1 then takes over, loading an obfuscated executable stored as ZIFDG.tmp.

[Figure: Malicious script activity captured by the sandbox (Source: Any.Run)]

At the same time, the chain fetches an obfuscated .NET loader from Textbin, a public text-hosting service, and loads it directly into memory via Assembly.Load. That stage never touches disk, so file-scanning antivirus has nothing to inspect; the earlier script and .tmp artifacts in %APPDATA%\WindowsUpdate are the only files left behind.
The .NET loader then abuses RegSvcs.exe, a legitimate Microsoft-signed .NET Framework binary, to inject the Remcos payload through process hollowing: a RegSvcs.exe process is started suspended, its memory is replaced with the RAT, and the main thread is resumed. Because the RegSvcs.exe file itself carries a clean reputation on VirusTotal, hash- and signature-based checks pass and the stage looks normal to most endpoint protection tools. The tell is behavioral: RegSvcs.exe normally takes an assembly path as its argument, so an instance launched with no arguments from a PowerShell parent that then behaves like a RAT is the anomaly to hunt for.

Security teams should treat any storage.googleapis.com link with the same caution as an unknown domain; the bucket name, not the Google domain, identifies who controls the content, and trusting the platform name does not guarantee safe content. Behavioral analysis tools that observe post-click activity (script-host process trees, drops into %APPDATA%, unexpected RegSvcs.exe launches) are far more effective than signature-based detection alone. Employees in finance, procurement, and leadership roles should be trained to recognize cloud-storage phishing lures and never download files from unexpected login prompts. Suspicious JavaScript and script files must always be detonated in an isolated environment before running on any production system.
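The recommendation to treat a storage.googleapis.com link like an unknown domain can be made mechanical. The following is an added example written for this page, not code from ANY.RUN or Cyber Security News: it extracts the bucket from both URL forms Google serves and contrasts a domain-only verdict (what the campaign bypassed) with a bucket-aware one. The allow-list, the lure-theme token list and the sample URLs are constructed for the example; the bucket names come from the article.

```python
"""Triage of links that point at Google Cloud Storage.

Added example for this article; it is not ANY.RUN's or Cyber Security News'
code. Google serves a bucket two ways, both under a valid Google certificate:
    https://storage.googleapis.com/<bucket>/<object>    (path style)
    https://<bucket>.storage.googleapis.com/<object>    (virtual-host style)
The allow-list, the lure-theme heuristic and the sample URLs are constructed.
"""
from urllib.parse import urlsplit, unquote

# Hosts that carry the bucket as the first path segment
# (storage.cloud.google.com is the authenticated browser front-end).
PATH_STYLE_HOSTS = {"storage.googleapis.com", "storage.cloud.google.com"}
VHOST_SUFFIX = ".storage.googleapis.com"

# Constructed: buckets this hypothetical organisation legitimately uses.
KNOWN_BUCKETS = {"acme-corp-public-docs", "acme-corp-release-artifacts"}

# File types that run under Windows Script Host (the lure used a .js).
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

# Constructed heuristic drawn from the campaign's bucket names
# (pa-bids, com-bid, contract-bid-0, out-bid).
LURE_THEME_TOKENS = ("bid", "invoice", "contract", "tender")


def registered_domain(url: str) -> str:
    """What a domain-reputation filter sees: the last two labels of the host."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def gcs_bucket(url: str):
    """Return (bucket, object_path) for either GCS URL form, or None."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = unquote(parts.path).lstrip("/")
    if host in PATH_STYLE_HOSTS:
        bucket, _, obj = path.partition("/")
        return bucket, obj
    if host.endswith(VHOST_SUFFIX):
        return host[: -len(VHOST_SUFFIX)], path
    return None


def domain_only_verdict(url: str, trusted=("googleapis.com", "google.com")) -> str:
    """The check the article says the campaign bypassed: trust by registered domain."""
    return "allow" if registered_domain(url) in trusted else "review"


def triage(url: str) -> dict:
    """Bucket-aware check: a GCS link is an unknown site unless its bucket is known."""
    hit = gcs_bucket(url)
    if hit is None:
        return {"gcs": False, "verdict": "not-gcs", "reasons": []}
    bucket, obj = hit
    reasons = []
    if bucket not in KNOWN_BUCKETS:
        reasons.append("bucket not on allow-list")
    if obj.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("object is a Windows script file")
    if any(tok in bucket.lower() for tok in LURE_THEME_TOKENS):
        reasons.append("bucket name matches a procurement/invoice lure theme")
    return {"gcs": True, "bucket": bucket, "object": obj,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://storage.googleapis.com/pa-bids/index.html",
              "https://contract-bid-0.storage.googleapis.com/Bid-P-INV-Document.js",
              "https://storage.googleapis.com/acme-corp-public-docs/guide.pdf"):
        print(domain_only_verdict(u), triage(u)["verdict"], u)
```

The domain-only check returns "allow" for every URL above because each resolves to googleapis.com; the bucket-aware check blocks the two campaign-style links and allows only the bucket the organisation actually owns. In a mail gateway the same logic would run as a URL rewriter or a quarantine rule.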
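The chain described in the two preceding sections (script host running a downloaded .js, a second VBS stage dropping into %APPDATA%\WindowsUpdate and the Startup folder, PowerShell running DYHVQ.ps1, an argument-less RegSvcs.exe used as the hollowing target, and the Remcos-{ID} registry key) is what behavioral monitoring has to correlate. The following is an added example written for this page, not ANY.RUN's tooling: a small correlator run over constructed endpoint events. The event schema, the second VBS file name, the Startup file name and the Remcos {ID} value are invented for the example, since the article does not give them.

```python
"""Behavioural detection for the infection chain in this article.

Added example; it is not ANY.RUN's tooling. Events are dicts of three kinds
(process, file, registry) with the fields shown in SAMPLE_EVENTS. Every
sample event is constructed to mirror the chain described above; the second
VBS name, the Startup file name and the Remcos {ID} are invented.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
DROP_DIR = re.compile(r"\\AppData\\Roaming\\WindowsUpdate\\", re.I)
STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
APPDATA_PS1 = re.compile(r"\\AppData\\.*\.ps1", re.I)
REMCOS_KEY = re.compile(r"^HKCU\\Software\\Remcos-", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int) -> list:
    """Image basenames from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def detect(events: list) -> list:
    """Return (rule, pid, detail) tuples; detail is the lineage or the path/key."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            img, cmd = basename(e["image"]), e["cmdline"]
            lineage = ancestry(procs, e["pid"])
            parents = set(lineage[:-1])
            # Windows Script Host running a script out of a user-writable path
            if img in SCRIPT_HOSTS and SCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
                findings.append(("wsh_user_script", e["pid"], lineage))
            # PowerShell descended from a script host, executing a .ps1 under AppData
            if img == "powershell.exe" and parents & SCRIPT_HOSTS and APPDATA_PS1.search(cmd):
                findings.append(("wsh_to_powershell", e["pid"], lineage))
            # RegSvcs.exe normally receives an assembly path; one started by PowerShell
            # with no arguments (single token: the quoted image path) is a hollowing target.
            if img == "regsvcs.exe" and "powershell.exe" in parents and len(cmd.split()) == 1:
                findings.append(("regsvcs_hollow_candidate", e["pid"], lineage))
        elif e["type"] == "file":
            if DROP_DIR.search(e["path"]):
                findings.append(("appdata_windowsupdate_drop", e["pid"], e["path"]))
            if STARTUP_DIR.search(e["path"]):
                findings.append(("startup_persistence", e["pid"], e["path"]))
        elif e["type"] == "registry" and REMCOS_KEY.search(e["key"]):
            findings.append(("remcos_config_key", e["pid"], e["key"]))
    return findings


# Constructed telemetry mirroring the article's chain, plus one benign script-host event.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Bid-P-INV-Document.js"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Roaming\WindowsUpdate\stage2.vbs"'},
    {"type": "file", "pid": 300, "path": r"C:\Users\alice\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"},
    {"type": "file", "pid": 300,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "process", "pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\alice\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"'},
    {"type": "process", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"type": "registry", "pid": 500, "key": r"HKCU\Software\Remcos-ABC123\exepath"},
    # benign: a script host running a Windows-supplied script from a system path
    {"type": "process", "pid": 600, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

Each rule alone is noisy (administrators do run scripts from Downloads, and PowerShell does spawn odd children); the value is in the lineage each finding carries, which lets a triage query tie the RegSvcs.exe anomaly and the Remcos registry key back to the script-host root that opened Bid-P-INV-Document.js. The benign cscript.exe event produces no finding because the script lives outside any user-writable path.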