๐Ÿšจ ๐—ฃ๐—ต๐—ถ๐˜€๐—ต๐—ถ๐—ป๐—ด ๐˜ƒ๐—ถ๐—ฎ ๐—š๐—ผ๐—ผ๐—ด๐—น๐—ฒ ๐—ฆ๐˜๐—ผ๐—ฟ๐—ฎ๐—ด๐—ฒ ๐—”๐—ฏ๐˜‚๐˜€๐—ฒ ๐—Ÿ๐—ฒ๐—ฎ๐—ฑ๐—ถ๐—ป๐—ด ๐˜๐—ผ ๐—ฅ๐—”๐—ง ๐——๐—ฒ๐—ฝ๐—น๐—ผ๐˜†๐—บ๐—ฒ๐—ป๐˜: ๐——๐—ฒ๐˜๐—ฒ๐—ฐ๐˜ ๐—œ๐˜ ๐—˜๐—ฎ๐—ฟ๐—น๐˜†
We identified a multi-stage #phishing campaign using a Google Drive-themed lure and delivering #Remcos RAT. Attackers place the HTML on storage[.]googleapis[.]com, abusing trusted infrastructure instead of hosting the phishing page on a newly registered domain.

โ—๏ธ ๐—ง๐—ต๐—ฒ ๐—ฐ๐—ต๐—ฎ๐—ถ๐—ป ๐—น๐—ฒ๐˜ƒ๐—ฒ๐—ฟ๐—ฎ๐—ด๐—ฒ๐˜€ ๐—ฅ๐—ฒ๐—ด๐—ฆ๐˜ƒ๐—ฐ๐˜€.๐—ฒ๐˜…๐—ฒ, ๐—ฎ ๐—น๐—ฒ๐—ด๐—ถ๐˜๐—ถ๐—บ๐—ฎ๐˜๐—ฒ ๐˜€๐—ถ๐—ด๐—ป๐—ฒ๐—ฑ ๐— ๐—ถ๐—ฐ๐—ฟ๐—ผ๐˜€๐—ผ๐—ณ๐˜/.๐—ก๐—˜๐—ง ๐—ฏ๐—ถ๐—ป๐—ฎ๐—ฟ๐˜† ๐˜„๐—ถ๐˜๐—ต ๐—ฎ ๐—ฐ๐—น๐—ฒ๐—ฎ๐—ป ๐—ฉ๐—ถ๐—ฟ๐˜‚๐˜€๐—ง๐—ผ๐˜๐—ฎ๐—น ๐—ต๐—ฎ๐˜€๐—ต. Combined with trusted hosting, this makes reputation-based detection unreliable and lowers alert priority during triage. File reputation alone is not enough. Detection depends on behavioral analysis and sandboxing.

โš ๏ธ The page mimics a Google Drive login form, collecting email, password, and OTP. After a โ€œsuccessful login,โ€ the victim is prompted to download Bid-Packet-INV-Document.js, triggering a multi-stage delivery chain:

JS (WSH launcher + time-based evasion) ➡️ VBS Stage 1 (download + hidden execution) ➡️ VBS Stage 2 (%APPDATA%\WindowsUpdate + Startup persistence) ➡️ DYHVQ.ps1 (loader orchestration) ➡️ ZIFDG.tmp (obfuscated PE / Remcos payload) ➡️ Textbin-hosted obfuscated .NET loader (in-memory via Assembly.Load) ➡️ %TEMP%\RegSvcs.exe hollowing/injection ➡️ Partially fileless Remcos + C2 🚨
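Added illustration, not code from the post or from ANY.RUN: behavioral triage rules in Python run over constructed process-creation events (hypothetical pids, user paths and script names) shaped like the chain above. It shows that a script host reading from %APPDATA%\WindowsUpdate and RegSvcs.exe launched from %TEMP% instead of its .NET Framework directory are flagged from behavior alone, while the same signed binary run from its normal path stays low priority.

```python
import ntpath
import re

# Constructed events (pid/ppid/image/cmdline), not taken from the ANY.RUN session.
# pids 10-13 follow the post's chain; pid 20 is a benign RegSvcs.exe baseline.
EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Bid-Packet-INV-Document.js"'},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\u\AppData\Roaming\WindowsUpdate\stage.vbs"'},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"},
    {"pid": 13, "ppid": 12, "image": r"C:\Users\u\AppData\Local\Temp\RegSvcs.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\RegSvcs.exe"},
    {"pid": 20, "ppid": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe",
     "cmdline": r"RegSvcs.exe /codebase C:\build\component.dll"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# The only directories a genuine RegSvcs.exe is installed to.
DOTNET_REGSVCS = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\regsvcs\.exe$", re.I)
STAGING_DIR = "\\appdata\\roaming\\windowsupdate\\"   # not used by Windows Update itself

def rules_for(ev):
    """Behavioral rules for one event; none of them consult file reputation."""
    name = ntpath.basename(ev["image"]).lower()
    cmd = ev["cmdline"].lower()
    hits = []
    if name in SCRIPT_HOSTS and re.search(r"\\(downloads|temp)\\[^\s\"]+\.(js|vbs)\b", cmd):
        hits.append("script_host_user_download")        # WSH/PowerShell running a user-dropped script
    if name in SCRIPT_HOSTS and STAGING_DIR in cmd:
        hits.append("appdata_windowsupdate_staging")    # the chain's staging/persistence folder
    if name == "regsvcs.exe" and not DOTNET_REGSVCS.match(ev["image"]):
        hits.append("regsvcs_outside_dotnet_dir")       # signed binary copied to %TEMP% for hollowing
    return hits

def triage(events):
    """Return {pid: (priority, hits)}; ancestors' hits are inherited so the chain is scored as a whole."""
    by_pid = {e["pid"]: e for e in events}
    result = {}
    for ev in events:
        own = rules_for(ev)
        hits, node, hops = list(own), by_pid.get(ev["ppid"]), 0
        while node and hops < 8:                        # walk the parent chain, bounded against cycles
            hits = rules_for(node) + hits
            node, hops = by_pid.get(node["ppid"]), hops + 1
        if "regsvcs_outside_dotnet_dir" in own or len(set(hits)) >= 3:
            priority = "high"
        else:
            priority = "medium" if own else "low"
        result[ev["pid"]] = (priority, hits)
    return result
```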

๐Ÿ‘จโ€๐Ÿ’ป See the analysis session and collect #IOCs to speed up detection and response: https://app.any.run/tasks/0efd1390-c17a-49ce-baef-44b5bd9c4a97/?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_term=080426&utm_content=linktoservice

๐Ÿ” Use this TI Lookup query to pivot from IOCs, review related activity, and validate your detection coverage: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_content=linktotilookup&utm_term=08042026#%7B%22query%22:%22domainName:%5C%22www.freepnglogos.com%5C%22%20and%20domainName:%5C%22storage.googleapis.com%5C%22%20and%20threatLevel:%5C%22malicious%5C%22%22,%22dateRange%22:30%7D

โšก๏ธ Equip your SOC with stronger phishing detection and contain incidents faster: https://any.run/phishing/?utm_source=mastodon&utm_medium=post&utm_campaign=google_storage_abuse_phishing&utm_term=080426&utm_content=linktophishingpage

#cybersecurity #infosec