Cybercriminals are increasingly abusing trusted cloud platforms, and a new campaign demonstrates just how dangerous this shift has become. Attackers are leveraging Google Cloud Storage phishing pages hosted on storage.googleapis.com to bypass email security filters and deliver the powerful Remcos RAT malware.
This campaign highlights a critical evolution in phishing tactics: instead of relying on suspicious domains, attackers now hide malicious infrastructure inside legitimate cloud services, making detection significantly harder for traditional security tools.
In this article, we break down how the attack works, why it is so effective, the infection chain behind Remcos RAT, and what security teams must do to defend against it.
What Is the Google Cloud Storage Phishing Attack?
The Google Cloud Storage phishing campaign is a multi-stage cyberattack where threat actors:
- Abuse trusted Google infrastructure (storage.googleapis.com)
- Host fake Google Drive login pages
- Steal credentials and one-time passcodes
- Deliver malicious JavaScript payloads
- Install Remcos RAT for full system control
The attack is especially dangerous because it blends into normal cloud traffic, making it appear legitimate to both users and security systems.
Key takeaway: Attackers are no longer just spoofing brands—they are abusing real infrastructure to gain trust.
How the Attack Works: Step-by-Step Breakdown
This campaign uses a structured phishing and malware delivery chain designed to evade detection at every stage.
1. Phishing Email Delivery
Victims receive emails containing links to pages hosted on:
storage.googleapis.com
These emails often impersonate:
- Document sharing alerts
- Google Drive notifications
- File access requests
2. Fake Google Drive Login Page
The landing page mimics a legitimate Google Drive interface, including:
- Google branding
- File icons (PDF, DOC, SHEET, SLIDE)
- Login prompts
Victims are instructed to “sign in to view a document.”
Once credentials are entered, attackers capture:
- Email addresses
- Passwords
- One-time passcodes (OTP)
Key takeaway: This is a full credential harvesting operation, not just a phishing page.
3. Malicious JavaScript Download
After authentication, victims are prompted to download:
Bid-P-INV-Document.js
This file is the initial execution trigger for the infection chain.
Why Google Cloud Storage Is Being Abused
Attackers are deliberately hosting malicious content on Google infrastructure for one major reason: trust bypass.
Advantages for attackers:
- Google domains have strong reputation scoring
- Email security filters often whitelist cloud providers
- HTTPS encryption increases perceived legitimacy
- URLs look safe to end users
Researchers observed subdomain patterns such as:
- pa-bids
- com-bid
- contract-bid-0
- out-bid
These structures allow attackers to scale operations while maintaining legitimacy signals.
Key takeaway: Trusted infrastructure is becoming the new phishing weapon.
Remcos RAT: The Final Payload
The final stage of the attack delivers Remcos RAT (Remote Access Trojan), a widely used commercial malware tool.
Once installed, it provides attackers with complete system control.
Capabilities of Remcos RAT:
- Keystroke logging (credential theft)
- Browser password extraction
- Screenshot capture
- Webcam and microphone access
- Clipboard monitoring
- File upload/download
- Remote command execution
It also establishes persistence via Windows Registry keys such as:
HKEY_CURRENT_USER\Software\Remcos-{ID}
Key takeaway: A single infection can result in full system surveillance.
Multi-Stage Infection Chain Explained
This campaign is particularly dangerous due to its layered execution model.
Stage 1: JavaScript Execution
- Runs under Windows Script Host
- Uses time-based delays to evade sandboxes
Stage 2: VBScript Loader
- Executes secondary VBS payload
- Drops files into %APPDATA%\WindowsUpdate
- Establishes persistence via startup entries
Stage 3: PowerShell Execution
- Executes obfuscated script (DYHVQ.ps1)
- Loads hidden payload (ZIFDG.tmp)
Stage 4: Memory-Based .NET Loading
- Fetches obfuscated .NET loader from external text service
- Executes via Assembly.Load
- Avoids disk-based detection
Stage 5: Process Injection
- Uses RegSvcs.exe (legitimate Microsoft binary)
- Performs process hollowing
- Injects Remcos RAT payload
Key takeaway: This is a fileless, multi-language attack chain designed for stealth and persistence.
Why This Attack Is So Dangerous
1. Trusted Domain Abuse
Using Google infrastructure bypasses:
- Email filters
- URL reputation systems
- User suspicion
2. Multi-Layer Evasion
- Delayed execution
- Memory-based payloads
- Signed binary abuse
3. Dual Impact Risk
Victims suffer:
- Credential theft (Google accounts, enterprise logins)
- Full endpoint compromise via RAT
Key takeaway: This combines identity compromise + endpoint takeover in a single attack.
Real-World Security Impact
According to threat intelligence trends:
- Remote access trojans increased 28% year-over-year
- Backdoor attacks surged 68% year-over-year
- Cloud-hosted phishing is now a dominant attack vector
This shows a clear shift toward:
- SaaS abuse
- Cloud trust exploitation
- Hybrid identity-endpoint attacks
Common Misconceptions
Misconception 1: “Google links are always safe”
False. Attackers frequently abuse legitimate cloud storage services.
Misconception 2: “Login pages = secure authentication”
False. Fake login pages hosted on trusted domains are common phishing tools.
Misconception 3: “Antivirus will detect this easily”
False. Fileless execution and signed binary abuse reduce detection rates.
Key takeaway: Trust in infrastructure does not equal trust in content.
Detection and Mitigation Strategies
1. Treat Cloud Links as Untrusted
Security teams should:
- Inspect all storage.googleapis.com links
- Apply behavioral analysis post-click
- Avoid domain-based trust assumptions
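The following is an added example for this article, not code from the original post or from Google. It shows one way to act on the two points above and on the subdomain patterns described earlier: pull the bucket name out of a storage.googleapis.com link (Cloud Storage serves both the virtual-hosted form, where the bucket is the subdomain, and the path-style form, where it is the first path segment), then decide whether the link should merely be inspected, sent to a sandbox, or blocked outright. The bucket names and the Bid-P-INV-Document.js filename come from the article; the rest of the sample URLs, the "bid" theme token and the action tiers are assumptions made for the example.

```python
"""Triage links that point at Google Cloud Storage before a user clicks them.

Added example for this article; it is not code from the original post or
from Google.  It pulls the bucket name out of both URL forms that Cloud
Storage serves (virtual-hosted: <bucket>.storage.googleapis.com, and
path-style: storage.googleapis.com/<bucket>/<object>) and scores the link
on the two signals the article gives: bid-themed bucket names and
script-type downloads.  The sample URLs below are constructed.
"""
import posixpath
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

GCS_HOST = "storage.googleapis.com"
# Theme shared by the subdomains the article lists (pa-bids, com-bid, ...).
# Treating "bid" as the watch token is an assumption for this example.
THEME_TOKENS = ("bid",)
# Download types the article names in the chain and recommends blocking.
SCRIPT_EXTS = (".js", ".vbs", ".ps1")


@dataclass
class Verdict:
    url: str
    bucket: Optional[str]        # None when the host is not Cloud Storage
    filename: str
    themed_bucket: bool = False
    script_download: bool = False

    @property
    def action(self) -> str:
        if self.bucket is None:
            return "not-gcs"      # outside this check's scope
        if self.script_download:
            return "block"        # article: block JS/VBS/PS1 downloads
        if self.themed_bucket:
            return "detonate"     # sandbox the page and watch what it does
        return "inspect"          # article: every GCS link is untrusted


def extract_bucket(url: str) -> Tuple[Optional[str], str]:
    """Return (bucket, object_path); bucket is None for non-GCS hosts."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lstrip("/")
    if host == GCS_HOST:
        # path-style: the first path segment is the bucket
        bucket, _, obj = path.partition("/")
        return bucket, obj
    suffix = "." + GCS_HOST
    if host.endswith(suffix):
        # virtual-hosted style: the bucket is the leading subdomain label(s)
        return host[: -len(suffix)], path
    return None, ""


def triage(url: str) -> Verdict:
    bucket, obj = extract_bucket(url)
    filename = posixpath.basename(obj)
    verdict = Verdict(url=url, bucket=bucket, filename=filename)
    if bucket is None:
        return verdict
    verdict.themed_bucket = any(tok in bucket.lower() for tok in THEME_TOKENS)
    verdict.script_download = filename.lower().endswith(SCRIPT_EXTS)
    return verdict


# Constructed sample links: the bucket names and the .js filename are the
# ones the article reports, everything else is made up for the example.
SAMPLE_URLS = [
    "https://pa-bids.storage.googleapis.com/index.html",
    "https://storage.googleapis.com/contract-bid-0/Bid-P-INV-Document.js",
    "https://storage.googleapis.com/team-assets/report.pdf",
    "https://example.com/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        v = triage(u)
        print(f"{v.action:9} bucket={v.bucket!r:20} file={v.filename!r}  {u}")
```

The point of the tiers is that a storage.googleapis.com link never earns "allow" on reputation alone: the baseline for any Cloud Storage link is "inspect", a bucket that matches the campaign theme goes to a sandbox, and a direct script download is blocked regardless of which bucket serves it.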
2. Email Security Controls
- Enable advanced phishing protection
- Detect credential harvesting pages
- Block suspicious file downloads (JS, VBS, PS1)
3. Endpoint Detection (EDR)
Monitor for:
- Windows Script Host execution
- PowerShell obfuscation
- RegSvcs.exe process injection
- Registry persistence creation
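As an added example (not code from the original article or from any EDR vendor), the block below turns the four monitoring points above, and the five-stage chain described earlier, into hunting rules that run over constructed process and registry events, tagging each hit with the ATT&CK technique the article maps that stage to. The staging path %APPDATA%\WindowsUpdate, the script name DYHVQ.ps1, RegSvcs.exe and the HKCU\Software\Remcos-{ID} key come from the article; the event schema, the sample events, the Remcos-EXAMPLEID placeholder and the rule thresholds are assumptions made for the example.

```python
"""Hunt endpoint telemetry for the multi-stage chain the article describes.

Added example for this article; it is not code from the original post or
from any EDR product.  The rules run over constructed process and registry
events in a plain dict shape (not a vendor schema) and tag each hit with
the ATT&CK technique the article maps that stage to.  The staging path
%APPDATA%\\WindowsUpdate, the script name DYHVQ.ps1, RegSvcs.exe and the
HKCU\\Software\\Remcos-{ID} key come from the article; the sample events,
the Remcos-EXAMPLEID value and the rule thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("powershell.exe", "pwsh.exe")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")
STAGING_DIR = "\\appdata\\roaming\\windowsupdate\\"      # article: %APPDATA%\WindowsUpdate
SCRIPT_ARG = re.compile(r"\.(js|vbs)\b")
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)(?:\s|$)")
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=]{60,}")           # Base64-like blob
REMCOS_KEY = re.compile(r"(?i)\\software\\remcos-[^\\]+")  # HKCU\Software\Remcos-{ID}


@dataclass(frozen=True)
class Hit:
    rule: str
    technique: str
    event_index: int
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(i: int, ev: Dict[str, str]) -> List[Hit]:
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    low = cmd.lower()
    hits: List[Hit] = []
    # Stages 1-2: Windows Script Host running .js/.vbs from a user-writable path
    if (image in SCRIPT_HOSTS and SCRIPT_ARG.search(low)
            and any(d in low for d in USER_WRITABLE)):
        hits.append(Hit("wsh-script-user-path", "T1204 / T1059", i, cmd))
    # Stage 3: PowerShell with obfuscation, or running from the staging directory
    if image in SHELLS and (ENC_FLAG.search(cmd) or LONG_TOKEN.search(cmd)
                            or STAGING_DIR in low):
        hits.append(Hit("powershell-obfuscated-or-staged", "T1059", i, cmd))
    # Stage 5: RegSvcs.exe started by a script interpreter (hollowing target)
    if image == "regsvcs.exe" and parent in SCRIPT_HOSTS + SHELLS:
        hits.append(Hit("regsvcs-child-of-interpreter", "T1055", i,
                        f"parent={parent}"))
    return hits


def check_registry(i: int, ev: Dict[str, str]) -> List[Hit]:
    key = ev.get("key", "")
    if REMCOS_KEY.search(key):
        return [Hit("remcos-registry-key", "T1547", i, key)]
    return []


def hunt(events: List[Dict[str, str]]) -> List[Hit]:
    hits: List[Hit] = []
    for i, ev in enumerate(events):
        if ev.get("type") == "process":
            hits.extend(check_process(i, ev))
        elif ev.get("type") == "registry":
            hits.extend(check_registry(i, ev))
    return hits


# Constructed telemetry: events 0-3 follow the article's chain, 4-5 are benign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": "explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Bid-P-INV-Document.js"'},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "wscript.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\Users\alice\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"},
    {"type": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": "powershell.exe", "cmdline": "RegSvcs.exe"},
    {"type": "registry", "key": r"HKCU\Software\Remcos-EXAMPLEID\exepath",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "svchost.exe", "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": "explorer.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\inventory.vbs"'},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h.technique}] {h.rule} (event {h.event_index}): {h.detail}")
```

Each rule keys on a relationship rather than a file hash, which is what makes it useful against a fileless chain: a script host reading from a user-writable folder, a shell launched from the staging directory, a .NET utility whose parent is an interpreter, and a registry key that names the RAT. The two benign events show the parent and path conditions doing their job, since a scheduled PowerShell script and a vendor VBS under Program Files produce no hits.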
4. Network Security Controls
- Inspect encrypted traffic behavior
- Block unknown script download sources
- Monitor anomalous Google Cloud subdomain activity
5. User Awareness Training
Employees should be trained to:
- Avoid unexpected Google Drive login prompts
- Never download scripts from email links
- Verify document access requests independently
Key takeaway: Human awareness is as critical as technical controls.
MITRE ATT&CK Mapping
This campaign aligns with multiple ATT&CK techniques:
- T1566: Phishing
- T1204: User Execution
- T1059: Command and Scripting Interpreter
- T1105: Ingress Tool Transfer
- T1055: Process Injection
- T1547: Boot or Logon Autostart Execution
Expert Security Insights
This attack represents a broader industry shift:
- Abuse of trusted SaaS platforms
- Multi-stage fileless malware delivery
- Identity + endpoint convergence attacks
Risk Analysis
- Confidentiality: Very High (credential + surveillance theft)
- Integrity: High (system manipulation via RAT)
- Availability: Medium (secondary ransomware risk)
Operational Insight
Security teams must move beyond static detection and adopt:
- Behavioral analytics
- Cloud traffic inspection
- Identity-based threat detection
FAQs: Google Cloud Storage Phishing & Remcos RAT
1. What is the Google Cloud Storage phishing attack?
It is a campaign where attackers use storage.googleapis.com to host fake login pages and deliver malware.
2. Why do attackers use Google Cloud Storage?
Because it is trusted infrastructure that helps bypass email and web security filters.
3. What is Remcos RAT?
A remote access trojan that gives attackers full control over infected systems.
4. How does the infection chain work?
It uses JavaScript, PowerShell, VBScript, and .NET loaders in multiple stages to evade detection.
5. Can antivirus detect this attack?
Not reliably, as it uses fileless execution and legitimate signed binaries.
6. How can organizations protect themselves?
By using EDR, blocking script execution, and treating cloud-hosted links as untrusted.
Conclusion
The abuse of Google Cloud Storage in phishing campaigns marks a major shift in cyberattack strategy. By combining trusted infrastructure, multi-stage malware delivery, and powerful remote access tools like Remcos RAT, attackers are able to bypass traditional defenses and maintain stealthy control over compromised systems.
Organizations must assume that any cloud-hosted link can be weaponized and implement layered defenses that focus on behavior, not just reputation.
Final takeaway: Trust must be verified—never assumed.