Cybercriminals are abusing Google Cloud Storage to host phishing pages that deliver malware. Because the pages sit on a trusted Google domain, links to them pass through email filters and web security tools that rely on domain reputation, and the campaign typically raises no alarms at that layer.
The campaign begins with phishing emails that direct recipients to pages hosted on storage.googleapis.com, a legitimate Google domain. These pages are designed to resemble Google Drive login screens, complete with branded logos and familiar document icons such as PDF, DOC, SHEET, and SLIDE. Victims are prompted to sign in to view a document, not realizing that their email credentials, including passwords and one-time passcodes, are being harvested. Because the one-time passcodes are captured too, OTP-based multi-factor authentication does not stop this stage: the attacker can use the code within its validity window.
Phishing Tactics and Malware Delivery
Once victims enter their credentials, they are prompted to download a JavaScript file named Bid-P-INV-Document.js, which is the starting point of the infection chain. According to ANY.RUN’s Malware Trends Report for 2025, phishing campaigns that use trusted cloud hosting have surged, with remote access trojans increasing by 28% and backdoors by 68% year-on-year.
In April 2026, ANY.RUN’s team identified this specific attack, noting that bucket names such as pa-bids, com-bid, contract-bid-0, and out-bid were used to host the malicious content; Google Cloud Storage exposes bucket names as subdomains of storage.googleapis.com, so the pages were reachable at addresses that carry Google’s name. By using Google’s infrastructure, attackers inherit the reputation of Google’s domain and TLS certificate, so the reputation-based filters traditionally used in email and web protection do not block the links.
The Threat of Remcos RAT
The end goal of this campaign is the distribution of Remcos RAT, a remote access trojan that grants attackers extensive control over compromised systems. Once installed, it can log keystrokes, steal passwords, take screenshots, access microphones and webcams, monitor clipboard activity, and transfer files remotely. It records its persistence settings in the Windows Registry under HKEY_CURRENT_USER\Software\Remcos-{ID}, where {ID} is a build-specific identifier, so that it survives reboots; the presence of such a key is a reliable indicator of an infected host.
Victims not only risk losing their Google account credentials but also unknowingly install a surveillance tool that runs silently on their devices. This combination of credential theft and remote access gives attackers both immediate and long-term access to compromised environments, turning a single phishing click into a significant security incident.
Layered Infection Strategy
The infection chain is designed to evade detection at every stage. The JavaScript file runs under Windows Script Host (wscript.exe), and a time-based delay postpones the real work so that automated sandboxes, which run samples only for a limited time, see nothing. A Visual Basic Script then fetches and runs further scripts, dropping files into %APPDATA%\WindowsUpdate, a folder name chosen to look like part of Windows (Windows itself creates no such folder under the roaming profile), and establishing startup persistence.
A PowerShell script named DYHVQ.ps1 then loads an obfuscated executable, ZIFDG.tmp, while an obfuscated .NET loader is fetched from the paste service Textbin and executed in memory, so that no loader binary is written to disk for antivirus to scan. The .NET loader abuses RegSvcs.exe, a signed Microsoft .NET utility, as the target of process hollowing: it starts the legitimate binary in a suspended state, replaces its in-memory image with the Remcos payload, and resumes it, so the trojan runs under a trusted process name and evades endpoint protection that trusts signed Microsoft images.
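The chain above, and the Remcos registry key described in the previous section, translate directly into behavioral rules that look at what happens after the click rather than at the file itself. The following Python sketch is an added example for this article, not code from ANY.RUN or from the campaign: it encodes the stages as rules and runs them over constructed, Sysmon-style process, file and registry events. Only Bid-P-INV-Document.js, DYHVQ.ps1, %APPDATA%\WindowsUpdate, RegSvcs.exe and the Software\Remcos- key come from the article; the event layout, the rule names, the update.vbs file name, the Remcos ID A1B2C3 and the exepath value are assumptions made for the example. The RegSvcs rule is generalised to the sibling utilities RegAsm.exe and InstallUtil.exe, which are abused the same way.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One Sysmon-style telemetry record (the layout is an assumption for this example)."""
    kind: str              # "proc" = process start, "file" = file write, "reg" = registry value set
    pid: int
    ppid: int
    image: str             # image path of the acting process
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""       # file path or registry value written (file/reg events only)


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("powershell.exe", "pwsh.exe")
# Signed .NET utilities commonly used as hollowing targets; RegSvcs.exe is the one the article names
DOTNET_UTILS = ("regsvcs.exe", "regasm.exe", "installutil.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_from_user_location(e: Event) -> bool:
    """Rule 1: wscript/cscript launched on a .js/.vbs/.wsf file in a user-writable location."""
    if e.kind != "proc" or basename(e.image) not in SCRIPT_HOSTS:
        return False
    m = re.search(r'"?([^"\s]+\.(?:js|jse|vbs|vbe|wsf))"?', e.cmdline, re.I)
    return m is not None and re.search(r"\\(Downloads|Temp|AppData)\\", m.group(1), re.I) is not None


def powershell_from_script_host(e: Event) -> bool:
    """Rule 2: PowerShell whose parent is a script host (the VBS-to-PS1 hand-off)."""
    return e.kind == "proc" and basename(e.image) in SHELLS and basename(e.parent_image) in SCRIPT_HOSTS


def dotnet_util_from_powershell(e: Event) -> bool:
    """Rule 3: RegSvcs/RegAsm/InstallUtil spawned by PowerShell with no arguments.
    A genuine use of these tools always names an assembly; an empty command line is the
    signature of a process created suspended only to be hollowed."""
    if e.kind != "proc" or basename(e.image) not in DOTNET_UTILS:
        return False
    return basename(e.parent_image) in SHELLS and len(e.cmdline.split(None, 1)) < 2


def drop_into_fake_windowsupdate(e: Event) -> bool:
    """Rule 4: file written under %APPDATA%\\WindowsUpdate, a folder Windows itself never creates."""
    return e.kind == "file" and re.search(r"\\AppData\\Roaming\\WindowsUpdate\\", e.target, re.I) is not None


def remcos_persistence_key(e: Event) -> bool:
    """Rule 5: a value set under HKCU\\Software\\Remcos-{ID}, the key the article describes."""
    return e.kind == "reg" and re.search(r"\\Software\\Remcos-[^\\]+", e.target, re.I) is not None


RULES = {
    "script_from_user_location": script_from_user_location,
    "powershell_from_script_host": powershell_from_script_host,
    "dotnet_util_from_powershell": dotnet_util_from_powershell,
    "drop_into_fake_windowsupdate": drop_into_fake_windowsupdate,
    "remcos_persistence_key": remcos_persistence_key,
}


def detect(events):
    """Map each rule name to the PIDs of the events that triggered it."""
    hits = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(e.pid)
    return hits


def chain_matched(hits, min_stages=3):
    """Alert when several distinct stages fire; any single rule alone is a weaker signal."""
    return len(hits) >= min_stages


# Constructed sample telemetry modelled on the chain in the article (not real campaign logs).
WS = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    Event("proc", 100, 10, EXPLORER),
    Event("proc", 200, 100, WS, EXPLORER,
          r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\Downloads\Bid-P-INV-Document.js"'),
    Event("proc", 300, 200, WS, WS,
          r'wscript.exe //B "C:\Users\victim\AppData\Roaming\WindowsUpdate\update.vbs"'),
    Event("file", 300, 200, WS, target=r"C:\Users\victim\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"),
    Event("proc", 400, 300, PS, WS,
          r'powershell.exe -w hidden -ep bypass -f "C:\Users\victim\AppData\Roaming\WindowsUpdate\DYHVQ.ps1"'),
    Event("proc", 500, 400, REGSVCS, PS, r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    Event("reg", 500, 400, REGSVCS, target=r"HKCU\Software\Remcos-A1B2C3\exepath"),
    # benign noise: Word opened from Explorer, and an admin's interactive PowerShell
    Event("proc", 600, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", EXPLORER, "WINWORD.EXE"),
    Event("proc", 700, 100, PS, EXPLORER, "powershell.exe -NoProfile"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for name, pids in found.items():
        print(f"{name}: pids {pids}")
    print("chain matched:", chain_matched(found))
```

Each rule on its own would be noisy in a large estate (administrators do run PowerShell, and some installers do call RegSvcs.exe with an assembly name), which is why the sample raises an alert only when several stages fire; the no-argument RegSvcs rule is the strongest single signal, since nothing legitimate launches that binary without telling it what to register.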
Security professionals should treat links to storage.googleapis.com with the same scrutiny as links to an unknown domain. Blocking the domain outright is rarely practical, since legitimate services and software downloads use it, so the useful checks are the bucket name in the link and the object being fetched: a login page or a script file served from a bucket with a bid- or invoice-themed name has no legitimate business purpose. Behavioral analysis tools that observe post-click activity are more effective than signature-based detection alone, because every stage of this chain is a legitimate Microsoft binary doing something it should not. Training employees, particularly in finance and leadership roles, to recognize phishing lures and to treat an unexpected download, especially a .js file offered as a document, as a red flag is crucial.
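The link check described above, as an added example that is not part of the original article: a small Python triage function that recognises both URL forms Google Cloud Storage serves (path style, storage.googleapis.com/bucket/object, and virtual-hosted style, bucket.storage.googleapis.com/object), rejects look-alike hosts, and flags bucket names built from the lure words seen in this campaign and objects that are scripts or login pages rather than ordinary files. The lure word list and the extra script extensions beyond .js are assumptions chosen for the example; the bucket names and the file name in the sample links are the ones the article reports.

```python
import re
from urllib.parse import urlsplit, unquote

GCS_HOST = "storage.googleapis.com"
# Script types a phishing lure would push as a "document"; the article names only .js,
# the rest are an assumption for this example.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
PAGE_EXTS = (".html", ".htm")
# Lure words drawn from the bucket names the article lists (pa-bids, com-bid, contract-bid-0,
# out-bid) and the Bid-P-INV-Document.js file name; extend the list for your own environment.
LURE_WORDS = ("bid", "contract", "inv", "invoice", "document", "payment")


def gcs_bucket_and_object(url: str):
    """Return (bucket, object_path) for a Google Cloud Storage URL, or None if the host is not GCS.

    Both URL forms GCS serves are handled:
      https://storage.googleapis.com/<bucket>/<object>      (path style)
      https://<bucket>.storage.googleapis.com/<object>      (virtual-hosted style)
    A look-alike such as storage.googleapis.com.evil.example fails the suffix check.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == GCS_HOST:
        bucket, _, obj = parts.path.lstrip("/").partition("/")
        return (bucket, unquote(obj)) if bucket else None
    if host.endswith("." + GCS_HOST):
        return host[: -len("." + GCS_HOST)], unquote(parts.path.lstrip("/"))
    return None


def triage(url: str) -> dict:
    """Classify a link: is it GCS-hosted, which bucket, and what looks suspicious about it."""
    info = gcs_bucket_and_object(url)
    if info is None:
        return {"gcs": False, "bucket": None, "object": None, "flags": []}
    bucket, obj = info
    flags = []
    tokens = re.split(r"[^a-z0-9]+", bucket.lower())
    if any(word in tok for tok in tokens for word in LURE_WORDS):
        flags.append("lure_keyword_in_bucket")
    lowered = obj.lower()
    if lowered.endswith(SCRIPT_EXTS):
        flags.append("script_download")
    elif lowered == "" or lowered.endswith(PAGE_EXTS):
        flags.append("html_page_in_bucket")   # a login page served from a bucket, not a file share
    return {"gcs": True, "bucket": bucket, "object": obj, "flags": flags}


if __name__ == "__main__":
    # Constructed sample links modelled on the campaign; the last two are look-alikes, not GCS.
    for link in (
        "https://pa-bids.storage.googleapis.com/view/index.html",
        "https://storage.googleapis.com/contract-bid-0/Bid-P-INV-Document.js",
        "https://storage.googleapis.com/release-artifacts/v2/app.tar.gz",
        "https://storage.googleapis.com.evil.example/pa-bids/x.js",
        "https://example.com/storage.googleapis.com/pa-bids/x.js",
    ):
        print(link, "->", triage(link))
```

The function is meant to run at the mail gateway or in a SOAR playbook over every link in an inbound message; a hit on both a lure keyword and a script or page object is worth quarantining, while a bare GCS link with neither flag is the ordinary case that makes wholesale blocking of the domain impractical.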
