Hackers Using Google Cloud Storage to Bypass Email Filters and Deliver Remcos RAT

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Cybercriminals are always looking for smarter ways to bypass security, and their latest method is both simple and effective.

Instead of building suspicious new websites, attackers now use Google Cloud Storage — a widely trusted platform — to host phishing pages that deliver dangerous malware.

This lets them bypass email filters, reputation checks, and traditional web security tools without triggering any alarms.

The campaign starts with phishing emails linking to pages hosted on storage.googleapis.com, a legitimate Google domain. These pages mimic Google Drive login screens with branded logos and file icons for PDF, DOC, SHEET, and SLIDE documents.

Victims are prompted to sign in to “view a document in Google Drive,” unaware that the page is built to harvest their email address, password, and one-time passcode.

After the fake login, the victim is tricked into downloading a JavaScript file named Bid-P-INV-Document.js — the entry point of the entire infection chain.

According to ANY.RUN’s annual Malware Trends Report for 2025, phishing campaigns using trusted cloud hosting have become the dominant attack vector, with remote access trojans rising 28% and backdoors surging 68% year over year.

In April 2026, ANY.RUN’s threat research team identified this specific campaign, noting attackers used googleapis.com subdomains — pa-bids, com-bid, contract-bid-0, and out-bid — as hosts for their malicious pages.

Parking on Google’s own infrastructure was a calculated move, one that gave the campaign natural immunity from reputation-based email and web security filters.

The final payload in this campaign is Remcos RAT, a commercially available remote access trojan that gives attackers full and persistent control over a compromised machine.

Once installed, Remcos logs keystrokes, steals credentials from browsers and password managers, captures screenshots, accesses the microphone and webcam, monitors clipboard content, and transfers files remotely.

It writes persistence entries into the Windows Registry under HKEY_CURRENT_USER\Software\Remcos-{ID}, ensuring it survives reboots.

A single infected endpoint can quickly become a launchpad for ransomware, data theft, and lateral movement across corporate networks.

What makes this threat particularly dangerous is the dual risk it creates. Victims do not just lose their Google account credentials — they also end up with a surveillance tool running silently on their machine.

Credential theft combined with remote access gives attackers immediate entry into accounts and long-term visibility inside the compromised environment, making a single phishing click a serious security risk.

Multi-Stage Infection Mechanism

The infection chain behind this campaign is layered and carefully built to evade detection at every stage. 

Sandbox analysis of a phishing attack (Source – Any.Run)

After the victim runs the JavaScript file under Windows Script Host, time-based evasion logic delays its execution — a trick designed to defeat automated sandboxes that only analyze behavior within a fixed time window.

The script then silently launches a Visual Basic Script stage, which fetches and runs a second VBS file. That stage drops files into %APPDATA%\WindowsUpdate and configures Startup persistence to survive reboots.

A PowerShell script named DYHVQ.ps1 then takes over, loading an obfuscated executable stored as ZIFDG.tmp.

Malicious script activity captured by the sandbox (Source – Any.Run)

At the same time, the chain fetches an obfuscated .NET loader from Textbin — a public text-hosting service — and loads it directly into memory via Assembly.Load, leaving nothing on disk for antivirus tools to scan.

The .NET loader then abuses RegSvcs.exe, a legitimate Microsoft-signed binary, to inject the Remcos payload through process hollowing.

Since RegSvcs.exe carries a clean reputation on VirusTotal, this stage appears completely normal to most endpoint protection tools, making it nearly invisible without behavioral monitoring.
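The behavioral monitoring the chain above calls for can be expressed as a few parent-child rules over endpoint telemetry. The following is an added example, not code from the article or from ANY.RUN: it runs over a small, constructed set of Sysmon-style events (ProcessCreate, FileCreate, RegistryValueSet, with Sysmon's field names) and follows ParentProcessId links so that RegSvcs.exe is flagged only when it descends from a script host or PowerShell, which is what separates the hollowing stage from a build tool legitimately running the same signed binary. All PIDs, file names such as stage2.vbs and update.vbs, the MSBuild path, and the registry value name are sample data; the registry path is written as HKCU for readability, while Sysmon itself reports HKU\<SID>, which the rule tolerates by matching the Software\Remcos- fragment only.

```python
"""Behavioral detection for the WSH -> VBS -> PowerShell -> RegSvcs.exe chain.

Added example (not from the article or ANY.RUN). Rules run over constructed
Sysmon-style events and use the process tree, not just single-event matches.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGERS = SCRIPT_HOSTS | {"powershell.exe", "pwsh.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an Image/ParentImage path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int) -> list[str]:
    """Image names from this process up to the root, following ParentProcessId."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(image_name(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return chain


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule_name, ProcessId) pairs for every event that matches a rule."""
    procs = {e["ProcessId"]: e for e in events if e["EventType"] == "ProcessCreate"}
    alerts = []
    for e in events:
        pid = e["ProcessId"]
        if e["EventType"] == "ProcessCreate":
            img = image_name(e["Image"])
            cmd = e.get("CommandLine", "").lower()
            parents = ancestry(procs, pid)[1:]  # ancestors only, nearest first
            # Rule 1: a script host running a .js straight from the Downloads folder
            if img in SCRIPT_HOSTS and re.search(r"\\downloads\\[^\s\"]*\.js\b", cmd):
                alerts.append(("js_from_downloads", pid))
            # Rule 2: a script host spawned by a script host, running a .vbs under %APPDATA%
            if (img in SCRIPT_HOSTS and ".vbs" in cmd and "\\appdata\\roaming\\" in cmd
                    and parents and parents[0] in SCRIPT_HOSTS):
                alerts.append(("vbs_stage_from_script_host", pid))
            # Rule 3: PowerShell running a .ps1 under %APPDATA% with a script host ancestor
            if (img in {"powershell.exe", "pwsh.exe"} and ".ps1" in cmd
                    and "\\appdata\\roaming\\" in cmd and SCRIPT_HOSTS & set(parents)):
                alerts.append(("ps1_stage_from_script_host", pid))
            # Rule 4: RegSvcs.exe (signed .NET tool) descended from a script host or PowerShell,
            # the shape the article describes for the process-hollowing stage
            if img == "regsvcs.exe" and STAGERS & set(parents):
                alerts.append(("regsvcs_from_script_chain", pid))
        elif e["EventType"] == "FileCreate":
            if "\\start menu\\programs\\startup\\" in e["TargetFilename"].lower():
                alerts.append(("startup_folder_persistence", pid))
        elif e["EventType"] == "RegistryValueSet":
            # Remcos per-install key; matched on the Software\Remcos- fragment so that
            # Sysmon's HKU\<SID>\... form is covered as well as HKCU\...
            if re.search(r"\\software\\remcos-[^\\]+", e["TargetObject"].lower()):
                alerts.append(("remcos_registry_key", pid))
    return alerts


# Constructed sample telemetry mirroring the chain in the article (all values are sample data).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Bid-P-INV-Document.js"'},
    {"EventType": "ProcessCreate", "ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Roaming\WindowsUpdate\stage2.vbs"'},
    {"EventType": "FileCreate", "ProcessId": 300,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"EventType": "ProcessCreate", "ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -File "C:\Users\alice\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"'},
    {"EventType": "ProcessCreate", "ProcessId": 500, "ParentProcessId": 400,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "CommandLine": "RegSvcs.exe"},
    {"EventType": "RegistryValueSet", "ProcessId": 500,
     "TargetObject": r"HKCU\Software\Remcos-SAMPLE01\exepath"},
    # Benign control: the same signed binary launched by a build tool, not a script chain.
    {"EventType": "ProcessCreate", "ProcessId": 600, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": "MSBuild.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 700, "ParentProcessId": 600,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "CommandLine": "RegSvcs.exe"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

Run against the sample, the rules fire once per stage of the chain (the downloaded .js, the second-stage VBS, the Startup drop, the .ps1, RegSvcs.exe under PowerShell, and the Remcos registry key) and stay silent for the RegSvcs.exe launched from MSBuild, which is the distinction a signature on the binary alone cannot make.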

Security teams should treat any storage.googleapis.com link with the same caution as an unknown domain, since trusting a platform name does not guarantee safe content.
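One concrete way to apply that advice at the mail gateway is to stop scoring the Google domain and start scoring the bucket behind it. The following is an added example, not code from the article: Google Cloud Storage serves every customer's objects either path-style (storage.googleapis.com/BUCKET/object) or virtual-hosted-style (BUCKET.storage.googleapis.com/object), so the bucket name is the real identity of the host and is what a reputation check should key on. The email text is constructed sample input; the bucket names reuse two from the article's list and the file name Bid-P-INV-Document.js, while portal.example.com is a placeholder benign domain.

```python
"""Triage of storage.googleapis.com links found in inbound email.

Added example (not from the article or ANY.RUN). Extracts the GCS bucket
that actually hosts each link so it can be treated as an unknown domain.
"""
import re
from urllib.parse import urlparse

GCS_HOST = "storage.googleapis.com"

# Simple URL extractor for free text: stops at whitespace, quotes and brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")

# Object extensions that indicate a hosted page (credential-harvest lure) or a script download.
PAGE_EXTS = {"html", "htm", ""}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "ps1", "hta", "wsf"}


def gcs_bucket(url: str):
    """Return (bucket, object_path) if the URL points at Google Cloud Storage, else None.

    Handles both URL styles GCS serves:
      path-style:           https://storage.googleapis.com/<bucket>/<object>
      virtual-hosted-style: https://<bucket>.storage.googleapis.com/<object>
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path.lstrip("/")
    if host == GCS_HOST:
        bucket, _, obj = path.partition("/")
        return (bucket, obj) if bucket else None
    suffix = "." + GCS_HOST
    if host.endswith(suffix):
        return (host[: -len(suffix)], path)
    return None


def triage_links(text: str) -> list[dict]:
    """Find GCS-hosted links in an email body and say why each deserves a closer look."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:")  # trailing sentence punctuation is not part of the link
        hit = gcs_bucket(url)
        if hit is None:
            continue
        bucket, obj = hit
        ext = obj.rsplit(".", 1)[-1].lower() if "." in obj else ""
        reasons = []
        if ext in PAGE_EXTS:
            reasons.append("web page served from a shared Google domain; score the bucket, not the domain")
        if ext in SCRIPT_EXTS:
            reasons.append("script file served from cloud storage")
        findings.append({"url": url, "bucket": bucket, "object": obj, "reasons": reasons})
    return findings


# Constructed sample email body; bucket names and the .js file name follow the article.
SAMPLE_EMAIL = """
Please review the bid documents in Google Drive:
https://storage.googleapis.com/pa-bids/index.html
Backup copy: https://out-bid.storage.googleapis.com/Bid-P-INV-Document.js.
Our portal: https://portal.example.com/login
"""

if __name__ == "__main__":
    for f in triage_links(SAMPLE_EMAIL):
        print(f"bucket={f['bucket']!r:14} object={f['object']!r}")
        for r in f["reasons"]:
            print("   -", r)
```

The bucket string returned here is what belongs in the blocklist, allowlist or reputation lookup; adding storage.googleapis.com itself would either block every legitimate GCS-hosted document or, as an allow entry, wave through every bucket on the platform.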

Behavioral analysis tools that observe post-click activity are far more effective than signature-based detection alone.

Employees in finance, procurement, and leadership roles should be trained to recognize cloud-storage phishing lures and never download files from unexpected login prompts.

Suspicious JavaScript and script files must always be tested in an isolated environment before running on any production system.
