🚨 New #phishing wave targets business teams with Google Storage-hosted lures. Steals credentials, drops #Remcos RAT, gives full remote control, keylogging, and persistence.

Trusted infrastructure makes this especially dangerous. Read the breakdown 👇
https://any.run/cybersecurity-blog/phishing-google-drive-remcos/?utm_source=mastodon&utm_medium=post&utm_campaign=phishing_google_drive_remcos&utm_content=linktoblog&utm_term=140426

#cybersecurity #infosec

Google Cloud Phishing Drops Remcos RAT

ANY.RUN uncovers a Google Cloud Storage phishing campaign delivering Remcos RAT. See the attack chain and how to protect your business.

ANY.RUN's Cybersecurity Blog

Top 10 last week's threats by uploads 🌍
⬆️ #Asyncrat 832 (693)
⬆️ #Xworm 730 (640)
⬇️ #Gh0st 391 (396)
⬇️ #Stealc 330 (409)
⬆️ #Salatstealer 320 (320)
⬆️ #Quasar 309 (283)
⬇️ #Vidar 274 (343)
⬇️ #Remcos 244 (296)
⬆️ #Dcrat 242 (238)
⬇️ #Lumma 185 (187)
Explore malware in action:
https://app.any.run/?utm_source=twitter&utm_medium=post&utm_campaign=top_ten&utm_term=130426&utm_content=linktoregister

#Top10Malware


๐Ÿšจ ๐—ฃ๐—ต๐—ถ๐˜€๐—ต๐—ถ๐—ป๐—ด ๐˜ƒ๐—ถ๐—ฎ ๐—š๐—ผ๐—ผ๐—ด๐—น๐—ฒ ๐—ฆ๐˜๐—ผ๐—ฟ๐—ฎ๐—ด๐—ฒ ๐—”๐—ฏ๐˜‚๐˜€๐—ฒ ๐—Ÿ๐—ฒ๐—ฎ๐—ฑ๐—ถ๐—ป๐—ด ๐˜๐—ผ ๐—ฅ๐—”๐—ง ๐——๐—ฒ๐—ฝ๐—น๐—ผ๐˜†๐—บ๐—ฒ๐—ป๐˜: ๐——๐—ฒ๐˜๐—ฒ๐—ฐ๐˜ ๐—œ๐˜ ๐—˜๐—ฎ๐—ฟ๐—น๐˜†
We identified a multi-stage #phishing campaign using a Google Drive-themed lure and delivering #Remcos RAT. Attackers place the HTML on storage[.]googleapis[.]com, abusing trusted infrastructure instead of hosting the phishing page on a newly registered domain.

โ—๏ธ ๐—ง๐—ต๐—ฒ ๐—ฐ๐—ต๐—ฎ๐—ถ๐—ป ๐—น๐—ฒ๐˜ƒ๐—ฒ๐—ฟ๐—ฎ๐—ด๐—ฒ๐˜€ ๐—ฅ๐—ฒ๐—ด๐—ฆ๐˜ƒ๐—ฐ๐˜€.๐—ฒ๐˜…๐—ฒ, ๐—ฎ ๐—น๐—ฒ๐—ด๐—ถ๐˜๐—ถ๐—บ๐—ฎ๐˜๐—ฒ ๐˜€๐—ถ๐—ด๐—ป๐—ฒ๐—ฑ ๐— ๐—ถ๐—ฐ๐—ฟ๐—ผ๐˜€๐—ผ๐—ณ๐˜/.๐—ก๐—˜๐—ง ๐—ฏ๐—ถ๐—ป๐—ฎ๐—ฟ๐˜† ๐˜„๐—ถ๐˜๐—ต ๐—ฎ ๐—ฐ๐—น๐—ฒ๐—ฎ๐—ป ๐—ฉ๐—ถ๐—ฟ๐˜‚๐˜€๐—ง๐—ผ๐˜๐—ฎ๐—น ๐—ต๐—ฎ๐˜€๐—ต. Combined with trusted hosting, this makes reputation-based detection unreliable and lowers alert priority during triage. File reputation alone is not enough. Detection depends on behavioral analysis and sandboxing.

โš ๏ธ The page mimics a Google Drive login form, collecting email, password, and OTP. After a โ€œsuccessful login,โ€ the victim is prompted to download Bid-Packet-INV-Document.js, triggering a multi-stage delivery chain:

JS (WSH launcher + time-based evasion) โžก๏ธ VBS Stage 1 (download + hidden execution) โžก๏ธ VBS Stage 2 (%APPDATA%\WindowsUpdate + Startup persistence) โžก๏ธ DYHVQ.ps1 (loader orchestration) โžก๏ธ ZIFDG.tmp (obfuscated PE / Remcos payload) โžก๏ธ Textbin-hosted obfuscated .NET loader (in-memory via Assembly.Load) โžก๏ธ %TEMP%\RegSvcs.exe hollowing/injection โžก๏ธ Partially fileless Remcos + C2 ๐Ÿšจ

๐Ÿ‘จโ€๐Ÿ’ป See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/0efd1390-c17a-49ce-baef-44b5bd9c4a97/?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_term=080426&utm_content=linktoservice

๐Ÿ” Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_content=linktotilookup&utm_term=08042026#%7B%22query%22:%22domainName:%5C%22www.freepnglogos.com%5C%22%20and%20domainName:%5C%22storage.googleapis.com%5C%22%20and%20threatLevel:%5C%22malicious%5C%22%22,%22dateRange%22:30%7D

โšก๏ธ Equip your SOC with stronger phishing detection and contain incidents faster: https://any.run/phishing/?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_term=080426&utm_content=linktophishingpage

#cybersecurity #infosec
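The post above makes the point that RegSvcs.exe is signed and has a clean hash, so reputation alone misses it and detection has to come from behavior. The following is an added example, not code from ANY.RUN's post or analysis session: it turns the described chain into four behavioral triage rules and runs them over constructed Sysmon-style events (ID 1 = process create, ID 11 = file create). The event schema, the benign events, and every stage file name other than those quoted in the post (Bid-Packet-INV-Document.js, DYHVQ.ps1, %APPDATA%\WindowsUpdate, %TEMP%\RegSvcs.exe) are assumptions for illustration, not campaign IOCs.

```python
"""Behavioral triage rules for a WSH -> VBS -> PowerShell -> relocated RegSvcs.exe chain.
Added example with constructed events; not ANY.RUN code and not campaign IOCs."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Signed .NET utilities that normally live only under the Framework directory.
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "aspnet_compiler.exe"}

SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh)\b", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData\\(Local|Roaming))\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
FRAMEWORK_DIR = re.compile(r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\[^\\]+$", re.I)
PS_EVASIVE = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(c|nc|ncodedcommand)\s|(ep|executionpolicy)\s+bypass)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_user_dir(ev: dict) -> bool:
    """Script host running a .js/.vbs out of Downloads or AppData (the JS and VBS stages)."""
    return bool(ev["id"] == 1 and basename(ev["image"]) in SCRIPT_HOSTS
                and SCRIPT_EXT.search(ev["cmd"]) and USER_WRITABLE.search(ev["cmd"]))


def rule_script_host_to_powershell(ev: dict) -> bool:
    """wscript/cscript spawning PowerShell with a hidden window, bypass or encoded command."""
    return bool(ev["id"] == 1 and basename(ev["parent"]) in SCRIPT_HOSTS
                and basename(ev["image"]) in POWERSHELL and PS_EVASIVE.search(ev["cmd"]))


def rule_startup_persistence(ev: dict) -> bool:
    """Script host or PowerShell writing into the user's Startup folder."""
    return bool(ev["id"] == 11 and STARTUP_DIR.search(ev["target"])
                and basename(ev["image"]) in SCRIPT_HOSTS | POWERSHELL)


def rule_relocated_dotnet_utility(ev: dict) -> bool:
    """A signed .NET utility executing from outside the Framework directory.
    Signature and hash are clean, so the path (here %TEMP%) is what gives it away."""
    return bool(ev["id"] == 1 and basename(ev["image"]) in DOTNET_UTILITIES
                and not FRAMEWORK_DIR.match(ev["image"]))


RULES = {
    "script_host_user_dir": rule_script_host_user_dir,
    "script_host_to_powershell": rule_script_host_to_powershell,
    "startup_persistence": rule_startup_persistence,
    "relocated_dotnet_utility": rule_relocated_dotnet_utility,
}


def triage(events: list) -> list:
    """Return (rule_name, image, command_or_target) for every rule hit, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, basename(ev["image"]), ev.get("cmd") or ev.get("target")))
    return hits


# Constructed telemetry modelled on the chain in the post. "update.vbs" is an assumed stage name.
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\Bid-Packet-INV-Document.js"'},
    {"id": 1, "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe //B //Nologo "C:\Users\bob\AppData\Roaming\WindowsUpdate\update.vbs"'},
    {"id": 11, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"id": 1, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -ep bypass -f C:\Users\bob\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"},
    {"id": 1, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\RegSvcs.exe",
     "cmd": r"C:\Users\bob\AppData\Local\Temp\RegSvcs.exe"},
    # Benign: the same signed binary from its legitimate location, and an unrelated process.
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmd": r'RegSvcs.exe "C:\Program Files\Vendor\Component.dll"'},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\bob\notes.txt"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

The last rule is the one that matters for the triage problem the post raises: a clean hash and a valid Microsoft signature say nothing about where the binary was copied to or what launched it, so the detection keys on the image path and lineage, not the file. The benign RegSvcs.exe event from the Framework directory produces no hit.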

Top 10 last week's threats by uploads 🌍
⬆️ #Asyncrat 695 (490)
⬆️ #Xworm 640 (460)
⬇️ #Stealc 409 (581)
⬆️ #Gh0st 396 (274)
⬇️ #Vidar 343 (371)
⬆️ #Salatstealer 320 (243)
⬇️ #Remcos 297 (385)
⬆️ #Quasar 283 (221)
⬆️ #Dcrat 239 (100)
⬆️ #Agenttesla 196 (196)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=060426&utm_content=linktoregister#register

#cybersecurity #infosec

Advanced Fileless Remcos RAT Abusing Native Windows Tools

Pulse ID: 69d2ba26efd7dcef6be56abc
Pulse Link: https://otx.alienvault.com/pulse/69d2ba26efd7dcef6be56abc
Pulse Author: cryptocti
Created: 2026-04-05 19:38:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Remcos #RemcosRAT #Windows #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

From Inbox to Intrusion: Multi-Stage Remcos RAT and C2-Delivered Payloads in Network

This multi-stage fileless Remcos RAT attack leverages a phishing-delivered JavaScript dropper to trigger a reflective PowerShell loader that executes payloads entirely in memory. The infection chain utilizes obfuscation techniques like rotational XOR and Base64 encoding to reconstruct .NET payloads, significantly reducing the disk-based detection footprint. Stealth is maintained by using aspnet_compiler.exe as a LOLBin to proxy malicious execution and dynamically retrieving the final payload from a remote C2 server.

Pulse ID: 69cd1ac8518646002a1a0fbc
Pulse Link: https://otx.alienvault.com/pulse/69cd1ac8518646002a1a0fbc
Pulse Author: AlienVault
Created: 2026-04-01 13:16:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ASPNet #ASPNet_Compiler #CyberSecurity #InfoSec #Java #JavaScript #NET #OTX #OpenThreatExchange #Phishing #PowerShell #Proxy #RAT #Remcos #RemcosRAT #bot #AlienVault
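The pulse above says the loader reconstructs its .NET payload from a rotational XOR plus Base64 layer. As an added example, not code from the pulse or from the sample it describes, here is how an analyst unpacks such a blob and, when the key is unknown, recovers it by known plaintext: a PE file's first 16 DOS-header bytes are predictable, so for key lengths up to 16 the key is simply ciphertext XOR expected header. The key schedule (key[i % len(key)]), the XOR-then-Base64 order, and the "payload" (a constructed PE-shaped stub, not a real assembly) are assumptions for illustration.

```python
"""Unpack a Base64 + rotating-key XOR blob and recover the key from the PE DOS header.
Added example with a constructed stub payload; not the pulse's code or the sample's data."""
import base64
import struct

# First 16 bytes of the DOS header shared by .NET assemblies and most MSVC-linked PEs:
# e_magic "MZ", e_cblp 0x90, e_cp 3, e_crlc 0, e_cparhdr 4, e_minalloc 0, e_maxalloc 0xFFFF.
DOS_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_rotating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key byte at the same position modulo the key length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(payload: bytes, key: bytes) -> str:
    """Attacker side (assumed order): XOR first, then Base64 for transport in a script."""
    return base64.b64encode(xor_rotating(payload, key)).decode()


def deobfuscate(blob: str, key: bytes) -> bytes:
    """Analyst side: reverse the two layers with a known key."""
    return xor_rotating(base64.b64decode(blob), key)


def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus a PE signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob: str, key_len: int) -> bytes:
    """Known-plaintext recovery for a given key length (1..16) from the DOS header prefix."""
    if not 1 <= key_len <= len(DOS_HEADER_PREFIX):
        raise ValueError("key length must be between 1 and 16 for header-based recovery")
    ct = base64.b64decode(blob)
    return bytes(ct[i] ^ DOS_HEADER_PREFIX[i] for i in range(key_len))


def recover_key_any_len(blob: str, max_len: int = 16):
    """Try key lengths in ascending order; accept the shortest one whose decryption
    reproduces the full header prefix and a valid PE signature. Returns None on failure."""
    for key_len in range(1, max_len + 1):
        key = recover_key(blob, key_len)
        plain = deobfuscate(blob, key)
        if plain[:16] == DOS_HEADER_PREFIX and looks_like_pe(plain):
            return key
    return None


def build_stub_pe() -> bytes:
    """Constructed PE-shaped stub: standard DOS header, e_lfanew -> 0x40, PE signature, filler."""
    dos = bytearray(64)
    dos[:16] = DOS_HEADER_PREFIX
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01" + bytes(18) + b"CONSTRUCTED STUB, NOT A REAL ASSEMBLY"


# Constructed sample: a 6-byte key and the stub above, packed the way the loader would carry it.
SAMPLE_KEY = b"\x5a\x13\x77\xc4\x09\xee"
SAMPLE_BLOB = obfuscate(build_stub_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key_any_len(SAMPLE_BLOB)
    print("recovered key:", key.hex() if key else None)
    print("valid PE after unpack:", looks_like_pe(deobfuscate(SAMPLE_BLOB, key)))
```

Checking the whole 16-byte prefix, not just the "MZ" magic, is what rejects wrong key lengths: a too-short guess reproduces the first few bytes correctly and then drifts. Iterating lengths in ascending order also avoids accepting a repeated key (length 12 for a true 6-byte key) as the answer.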


Top 10 last week's threats by uploads 🌍
⬇️ #Stealc 581 (600)
⬇️ #Asyncrat 493 (541)
⬇️ #Xworm 460 (509)
⬆️ #Remcos 389 (272)
⬆️ #Vidar 371 (368)
⬇️ #Gh0st 274 (298)
⬆️ #Salatstealer 243 (195)
⬆️ #Quasar 221 (185)
⬆️ #Lokibot 217 (119)
⬇️ #Agenttesla 196 (216)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=300326&utm_content=linktoregister#register

#cybersecurity #infosec