
New Phishing Attack Leverages Vercel Hosting Platform to Deliver a Remote Access Tool - CyberSecurityNews

CyberSecurityNews Archived Jun 25, 2026 ✓ Full text saved



By Tushar Subhra Dutta, January 26, 2026

A sophisticated phishing campaign active between November 2025 and January 2026 has been exploiting Vercel’s legitimate hosting platform to distribute remote access tools to unsuspecting victims. The attack chain combines social engineering with trusted domain exploitation, making it particularly effective at bypassing traditional security layers.

Attackers craft phishing emails using financially themed lures such as overdue invoices, payment statements, and shipping documents to pressure users into clicking malicious links. The campaign demonstrates a shift in threat actor tactics, moving beyond simple malware delivery to implement advanced evasion techniques. Victims receive emails containing urgency-driven language like “43 days past due” or threats of service suspension, compelling them to interact with hyperlinked content.

Figure: ‘Invoice Details’ phishing example (Source – Cloudflare)

The attacker relies on Vercel’s reputation as a trusted platform, which naturally bypasses email filters and creates a false sense of security for recipients. Some variants target specific regions, with Spanish-language emails posing as security update notifications, while others impersonate legitimate services like Adobe PDF viewers or financial portals.

Figure: A phishing email impersonating a secure document signing portal (Source – Cloudflare)

Cloudflare analysts identified this threat while examining Vercel abuse patterns and discovered that the campaign had evolved significantly since its initial documentation in June 2025 by CyberArmor. The researchers noted that threat actors implemented sophisticated Telegram-based filtering mechanisms designed to block security researchers and automated sandboxes from accessing the payload.
Infection Through Browser Fingerprinting and Conditional Delivery

When victims click the malicious Vercel link, they encounter a technically advanced evasion mechanism before payload delivery. The attacker’s infrastructure performs browser fingerprinting, collecting IP addresses, device types, browser information, and geographic location. This harvested data is exfiltrated to a threat-actor-controlled Telegram channel, where automated systems evaluate whether the victim represents a genuine target.

Figure: A specialized lure targeting business account owners (Source – Cloudflare)

Security researchers and suspicious connections are filtered out, while approved victims proceed to a fake document viewer interface. Users are then prompted to download files disguised as legitimate documents, with names like “Statements05122025.exe” or “Invoice06092025.exe.bin.”

The payload itself is not custom malware but rather a legitimate, signed copy of GoTo Resolve (formerly LogMeIn) remote access software. By leveraging this “Living off the Land” technique, attackers bypass signature-based antivirus detection systems. Upon execution, the tool establishes connections to remote command servers, granting complete remote control and system access to threat actors.
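An added example (not from the article or from Cloudflare's analysis) of triage logic for the delivery pattern described above: it scores download events that combine an app-hosting origin, an executable hidden behind a document-style name, and a remote-access-tool signer. The `*.vercel.app` suffix, the event field names, the signer hints and all sample events are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed, not from the article: *.vercel.app deployment hosts; event field names.
HOSTING_SUFFIXES = (".vercel.app",)
RMM_SIGNER_HINTS = ("goto", "logmein")   # substrings, compared lower-case
EXEC_EXTS = {"exe", "msi", "scr", "com"}
LURE_WORDS = re.compile(r"invoice|statement|payment|shipping", re.I)
DATE_RUN = re.compile(r"\d{6,8}")        # e.g. 05122025 in Statements05122025


def executable_extension(filename):
    """Return an executable extension found anywhere in the suffix chain,
    so 'Invoice06092025.exe.bin' still yields 'exe'."""
    for ext in filename.lower().split(".")[1:]:
        if ext in EXEC_EXTS:
            return ext
    return None


def score_download(event):
    """Return (score, reasons) for one download event."""
    reasons = []
    host = (urlsplit(event["url"]).hostname or "").lower()
    name, signer = event["filename"], event.get("signer", "").lower()
    if host.endswith(HOSTING_SUFFIXES):
        reasons.append("served-from-app-hosting")
    if executable_extension(name):
        reasons.append("executable-payload")
        if LURE_WORDS.search(name) and DATE_RUN.search(name):
            reasons.append("document-lure-filename")
            # Signed remote-access tool under a document name: AV sees a clean file.
            if any(hint in signer for hint in RMM_SIGNER_HINTS):
                reasons.append("signed-rmm-under-document-name")
    return len(reasons), reasons


def triage(events, threshold=3):
    """Filenames of events whose score reaches the threshold."""
    return [e["filename"] for e in events if score_download(e)[0] >= threshold]


# Constructed sample telemetry: hosts and signer strings are invented.
EVENTS = [
    {"url": "https://constructed-example.vercel.app/d", "filename": "Invoice06092025.exe.bin", "signer": "GoTo (constructed)"},
    {"url": "https://constructed-example.vercel.app/d", "filename": "Statements05122025.exe", "signer": "GoTo (constructed)"},
    {"url": "https://constructed-portfolio.vercel.app/cv", "filename": "cv.pdf", "signer": ""},
    {"url": "https://vendor.example.com/dl", "filename": "setup.exe", "signer": "Example Vendor"},
]
```

The hosting origin alone scores 1, so ordinary Vercel-hosted sites are not flagged; it is the combination with the lure filename and the signer mismatch that crosses the threshold.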
Article Info: Source: CyberSecurityNews | Category: Email Security | Published: Jun 25, 2026 | Archived: Jun 25, 2026