Google Forms Exploited in New PureHVNC Malware Attack

Google Forms Exploited in New PureHVNC Malware Attack

Posted on By CWS

Cybersecurity experts have uncovered a sophisticated malware campaign leveraging Google Forms to distribute a Remote Access Trojan (RAT) known as PureHVNC. This new threat, identified by Malwarebytes analysts, employs business-themed lures, such as fake job interviews and project documents, to deceive victims into downloading malicious software.

Deceptive Use of Google Forms

In a novel approach, attackers are using Google Forms to imitate legitimate recruitment or business processes, requesting professional information to establish credibility. Once users submit their details, they are redirected to download business-themed ZIP files from platforms like Dropbox and fshare.vn, cleverly masked by URL shorteners.

These malicious links are also distributed through professional networks such as LinkedIn, targeting individuals seeking job opportunities. The forms often impersonate reputable companies in various sectors, displaying authentic logos and branding to enhance the illusion of legitimacy.

Understanding PureHVNC RAT

The PureHVNC RAT is a modular .NET-based Trojan from the ‘Pure’ malware family, granting attackers full control over infected machines. Capabilities include executing commands, stealing browser data, and extracting information from cryptocurrency wallets and messaging apps. The malware’s configuration is base64 encoded and compressed, with its command-and-control server operating on specific IP ports.

The infection begins when victims extract the downloaded ZIP, revealing job-related documents alongside hidden executables. The malware uses DLL hijacking to load malicious code, evading immediate detection. If debugging environments are detected, the malware halts operations to avoid analysis.

Mitigation Strategies and Security Recommendations

To counter this threat, individuals and organizations should verify the authenticity of Google Forms and scrutinize unexpected job offers through official channels. Avoid clicking on shortened URLs without verifying their destination, and maintain up-to-date endpoint defenses to detect unusual DLL loads and PowerShell activity.

Security teams are advised to monitor for unauthorized process injections and encoded PowerShell tasks, particularly those targeting Windows processes like SearchUI.exe. By staying vigilant and implementing these measures, the risk of falling victim to such sophisticated cyber threats can be significantly reduced.

For ongoing updates and insights into cybersecurity trends, follow us on Google News, LinkedIn, and X. Ensure your digital resilience by setting CSN as a preferred source in Google.

Cyber Security News Tags:, , , , , , , , , , , , ,

Related Posts

How Prompt Injection Attacks Bypassing AI Agents With Users Input How Prompt Injection Attacks Bypassing AI Agents With Users Input Cyber Security News
Threat Actors Leveraging GenAI for Phishing Attacks Impersonating Government Websites Threat Actors Leveraging GenAI for Phishing Attacks Impersonating Government Websites Cyber Security News
NCSC Urges Organizations to Upgrade Microsoft Windows 11 to Defend Cyberattacks NCSC Urges Organizations to Upgrade Microsoft Windows 11 to Defend Cyberattacks Cyber Security News
Critical Apple WebKit Flaw Patched on iOS and macOS Critical Apple WebKit Flaw Patched on iOS and macOS Cyber Security News
Self-Propagating GlassWorm Weaponizing VS Code Extensions to Attack macOS Users Self-Propagating GlassWorm Weaponizing VS Code Extensions to Attack macOS Users Cyber Security News
GitGuardian Ends 2025 with Strong Enterprise Momentum GitGuardian Ends 2025 with Strong Enterprise Momentum Cyber Security News