Google Forms Exploited in New PureHVNC Malware Attack

Google Forms Exploited in New PureHVNC Malware Attack

Posted on By CWS

Cybersecurity experts have uncovered a sophisticated malware campaign leveraging Google Forms to distribute a Remote Access Trojan (RAT) known as PureHVNC. This new threat, identified by Malwarebytes analysts, employs business-themed lures, such as fake job interviews and project documents, to deceive victims into downloading malicious software.

Deceptive Use of Google Forms

In a novel approach, attackers are using Google Forms to imitate legitimate recruitment or business processes, requesting professional information to establish credibility. Once users submit their details, they are redirected to download business-themed ZIP files from platforms like Dropbox and fshare.vn, cleverly masked by URL shorteners.

These malicious links are also distributed through professional networks such as LinkedIn, targeting individuals seeking job opportunities. The forms often impersonate reputable companies in various sectors, displaying authentic logos and branding to enhance the illusion of legitimacy.

Understanding PureHVNC RAT

The PureHVNC RAT is a modular .NET-based Trojan from the ‘Pure’ malware family, granting attackers full control over infected machines. Capabilities include executing commands, stealing browser data, and extracting information from cryptocurrency wallets and messaging apps. The malware’s configuration is base64 encoded and compressed, with its command-and-control server operating on specific IP ports.

The infection begins when victims extract the downloaded ZIP, revealing job-related documents alongside hidden executables. The malware uses DLL hijacking to load malicious code, evading immediate detection. If debugging environments are detected, the malware halts operations to avoid analysis.

Mitigation Strategies and Security Recommendations

To counter this threat, individuals and organizations should verify the authenticity of Google Forms and scrutinize unexpected job offers through official channels. Avoid clicking on shortened URLs without verifying their destination, and maintain up-to-date endpoint defenses to detect unusual DLL loads and PowerShell activity.

Security teams are advised to monitor for unauthorized process injections and encoded PowerShell tasks, particularly those targeting Windows processes like SearchUI.exe. By staying vigilant and implementing these measures, the risk of falling victim to such sophisticated cyber threats can be significantly reduced.

For ongoing updates and insights into cybersecurity trends, follow us on Google News, LinkedIn, and X. Ensure your digital resilience by setting CSN as a preferred source in Google.

Cyber Security News Tags:, , , , , , , , , , , , ,

Related Posts

Arizona Woman Sentenced for Helping North Korean IT Workers by Operating Laptop Farm Arizona Woman Sentenced for Helping North Korean IT Workers by Operating Laptop Farm Cyber Security News
Ransomware Negotiation When and How to Engage Attackers Ransomware Negotiation When and How to Engage Attackers Cyber Security News
MuddyWater APT Weaponizing Word Documents to Deliver ‘RustyWater’ Toolkit Evading AV and EDR Tools MuddyWater APT Weaponizing Word Documents to Deliver ‘RustyWater’ Toolkit Evading AV and EDR Tools Cyber Security News
Identity and Access Management Trends Shaping 2025 Identity and Access Management Trends Shaping 2025 Cyber Security News
Ransomware Actors Exploit Unpatched SimpleHelp RMM to Compromise Billing Software Provider Ransomware Actors Exploit Unpatched SimpleHelp RMM to Compromise Billing Software Provider Cyber Security News
UK Government Sets Timeline to Replace Passwords With Passkeys UK Government Sets Timeline to Replace Passwords With Passkeys Cyber Security News