Trusted cloud lure spreads Remcos

Hackers are exploiting Google Cloud Storage to push Remcos RAT through phishing emails that masquerade as routine document-sharing notices, using trusted Google infrastructure to improve delivery rates and reduce the chance of being blocked by legacy email and web filters. Researchers tracking the campaign say the operation blends credential theft, scripted malware staging and in-memory execution, giving attackers a stealthier route into corporate systems.

The campaign centres on phishing messages that direct targets to pages hosted on Google Cloud Storage, including buckets using names such as “com-bid” and “contract-bid-0”. The lures are dressed up as Google Drive document-access requests, a familiar format for staff in procurement, finance and administration roles who regularly handle shared files. Because the links sit on legitimate Google-owned infrastructure rather than suspicious newly registered domains, they can appear less risky to both users and automated screening systems.

Researchers at ANY.RUN said the operation they analysed in April 2026 began with a Google Drive-style page designed to capture account credentials. After the victim enters login details, the site moves into a second phase, prompting the download of a JavaScript file presented as a bid or document packet. That script then launches a sequence involving VBS and PowerShell components, with parts of the payload loaded directly into memory rather than written plainly to disk. Security analysts say such multi-stage chains are designed to frustrate signature-based scanning and to outlast short automated sandbox sessions.

At the centre of the infection chain is Remcos, a remote access tool that has long been associated with unauthorised surveillance, credential theft and persistent control of compromised machines. Analysts say the malware in this campaign is injected into memory through abuse of RegSvcs.exe, a signed Microsoft binary, helping the attackers hide malicious activity inside a process with a clean reputation. The result is a partly fileless compromise in which defenders may see little more than trusted tools interacting in suspicious ways unless they are monitoring behaviour rather than relying mainly on domain reputation, hashes or attachment scanning.
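As an added defensive illustration (this code is not from the researchers' report), the Python below walks constructed Sysmon-style process-creation events and flags RegSvcs.exe launches whose lineage runs through a script host and PowerShell, the behavioural pattern of the staging chain described above; the event field names and the "no assembly argument" heuristic are assumptions.

```python
"""Flag the script-host -> PowerShell -> RegSvcs.exe lineage over
constructed process-creation events (sample data, not real telemetry)."""

# Constructed sample events: one benign build chain that legitimately uses
# RegSvcs.exe, and one that matches the JS -> PowerShell -> RegSvcs.exe pattern.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Contract_Bid.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": "RegSvcs.exe"},
    {"pid": 500, "ppid": 1, "image": r"C:\Program Files\MSBuild\MSBuild.exe", "cmdline": "msbuild.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"RegSvcs.exe C:\build\Component.dll"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # stage-1 script launchers
STAGERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}          # stage-2 loaders
LOLBIN = "regsvcs.exe"                                       # signed host abused for injection


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return image names from the given process up to the root (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious_regsvcs(events):
    """Hits where RegSvcs.exe runs with no assembly argument under a script-host
    and PowerShell lineage. Heuristic (assumption): a legitimate RegSvcs.exe run
    names the assembly to register on its command line."""
    hits = []
    for e in events:
        if basename(e["image"]) != LOLBIN:
            continue
        chain = ancestry(events, e["pid"])
        no_assembly_arg = len(e["cmdline"].split()) == 1
        from_script_host = any(p in SCRIPT_HOSTS for p in chain)
        via_stager = any(p in STAGERS for p in chain)
        if no_assembly_arg and from_script_host and via_stager:
            hits.append({"pid": e["pid"], "chain": " <- ".join(chain)})
    return hits
```

The benign MSBuild-launched RegSvcs.exe (pid 600) is not flagged because it carries an assembly path and has no script-host ancestor.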

The technique reflects a broader shift in phishing operations, where criminal groups increasingly “borrow” the trust of major platforms instead of building crude fake infrastructure from scratch. Check Point documented a separate campaign in late 2025 in which attackers abused Google Cloud Application Integration to send phishing emails from a Google address, while Malwarebytes reported another operation in January 2026 that routed victims through multiple Google-owned services before stealing Microsoft 365 credentials. Taken together, those findings suggest that abuse of well-known cloud brands is becoming an established tactic rather than an isolated experiment.

That trend matters because many organisations still calibrate defences around the assumption that trustworthy domains and signed binaries deserve a lower level of scrutiny. Security vendors have been warning that attackers are taking advantage of that gap. Microsoft wrote in January that phishing actors were exploiting routing weaknesses and spoof-protection gaps to make malicious emails appear legitimate, while Proofpoint has separately highlighted how cloud and email features can be misused to increase message credibility and bypass older controls. The Google Cloud Storage–Remcos case fits squarely within that pattern of trust abuse.

Remcos itself remains a favoured payload because it is versatile, commercially available and familiar to a wide range of threat actors. Fortinet described a fileless Remcos campaign in January that used fake shipping documents and an old Microsoft Office exploit, while Seqrite reported a layoff-themed email operation in December that used human-resources lures to draw victims into opening malicious files. VMRay’s 2025 threat landscape reporting also placed Remcos among the most frequently observed malware families, alongside other remote access trojans and information stealers that are popular because they offer persistence and resale value in criminal ecosystems.