Phishing Campaigns Abuse Trusted Platforms and Tools to Deliver Remote Access Malware
Multiple reports describe phishing-led malware delivery that abuses trusted services and “living off the land” execution paths to evade controls and deploy remote access tooling. Cloudflare-tracked activity shows attackers using Vercel-hosted pages to lend legitimacy to malicious links and bypass email/security filtering, with lures themed around invoices, payments, shipping, and document portals; the infrastructure includes Telegram-based filtering and browser fingerprinting/conditional delivery to hinder researchers and sandboxes before serving payloads that install a remote access tool (RAT).
A separate campaign (tracked as PHALT#BLYX) targets hospitality staff with Booking[.]com-style reservation emails and uses a fake browser error followed by a fake BSOD to coerce victims into performing the ClickFix steps (pasting and executing a command via Win+R). The resulting PowerShell downloads malicious project files and executes them via MSBuild.exe to deliver DCRat, consistent with LOLBin-based evasion; researchers noted Russian-language artifacts in the malware. Broader weekly and newsletter roundups highlight the same theme, attackers increasingly blending social engineering with trusted infrastructure and tools, while mixing in unrelated items (e.g., firewall CVEs, general malware research links) that are not part of a single, specific incident narrative.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
ANY.RUN reports Google Cloud Storage phishing campaign delivering Remcos RAT
In April 2026, ANY.RUN reported a phishing campaign abusing storage.googleapis.com to host fake Google Drive login pages that steal credentials and one-time passcodes before delivering a multi-stage infection chain. The attack used JavaScript, VBS, PowerShell, an in-memory .NET loader from Textbin, and process hollowing via Microsoft-signed RegSvcs.exe to deploy Remcos RAT.
Cloudflare reports updated Vercel campaign using Telegram filtering
On January 26, 2026, Cloudflare analysts reported that the Vercel-based phishing campaign had evolved from earlier activity, adding Telegram-based filtering to block researchers and sandboxes from reaching the payload. The report also detailed the use of fake document viewers and signed GoTo Resolve binaries to gain full remote control of victim systems.
Researchers detail DCRat delivery and defense evasion in PHALT#BLYX campaign
Analysis published on January 26, 2026 described how the PHALT#BLYX infection chain weakened Windows Defender with broad exclusions, attempted privilege escalation through repeated UAC prompts, and deployed an obfuscated DCRat variant for persistence, reconnaissance, keylogging, and remote access. The report highlighted the campaign's use of living-off-the-land techniques and potential for follow-on actions such as credential theft or ransomware deployment.
PHALT#BLYX targets hospitality firms with fake Booking.com alerts
By January 2026, a campaign tracked as PHALT#BLYX was targeting hospitality businesses with phishing emails posing as Booking.com reservation cancellation notices. Victims were redirected to fake Booking.com pages using fake browser errors, a simulated BSOD, and ClickFix social engineering to launch PowerShell and execute malware via MSBuild.exe.
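As an added, defender-side example (not code from any of the cited reports), the following Python scans constructed Sysmon-style process-creation events for the three execution patterns these entries describe: Defender exclusions added from a PowerShell command line, MSBuild.exe launched by a script host or building a project from a user-writable path, and RegSvcs.exe started by an unexpected parent. The event fields, sample paths and rule names are assumptions; map them to your own telemetry.

```python
"""Flag process-creation events matching the PHALT#BLYX / Remcos chains above.
Events are shaped like Sysmon Event ID 1 fields; all samples are constructed."""
import re

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Paths a low-privileged user can write to; legitimate builds rarely live there.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s+-exclusion", re.IGNORECASE)

# Constructed sample events (assumed field names, assumed paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "Add-MpPreference -ExclusionPath C:\\"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\guest\AppData\Local\Temp\build.xml"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\guest\AppData\Local\Temp\loader.exe",
     "CommandLine": "RegSvcs.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj"},  # benign developer build
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list:
    """Return the names of every rule the event matches (empty list if none)."""
    img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    # Rule 1: Defender exclusions added from a PowerShell command line (defense evasion).
    if img in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion_added")
    # Rule 2: MSBuild as a proxy executor: spawned by a script host, or building a
    # project file that sits in a user-writable location.
    if img == "msbuild.exe" and (parent in SCRIPT_HOSTS or USER_WRITABLE.search(cmd)):
        hits.append("msbuild_proxy_execution")
    # Rule 3: signed RegSvcs.exe (a hollowing host) started by a script host or by a
    # parent binary living in a user-writable path.
    if img == "regsvcs.exe" and (parent in SCRIPT_HOSTS or USER_WRITABLE.search(ev["ParentImage"])):
        hits.append("regsvcs_suspicious_parent")
    return hits


def scan(events: list) -> list:
    """Return (index, rule names) for every event that matches at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := classify(ev))]
```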
Vercel phishing campaign runs with evolving delivery tactics
Between November 2025 and January 2026, threat actors continued a phishing campaign that abused Vercel's legitimate hosting platform with lures such as invoices, payment statements, shipping documents, and fake document portals. The operation used browser fingerprinting and Telegram-based target validation before delivering a signed copy of GoTo Resolve for remote access.
CyberArmor first documents Vercel-based phishing campaign
In June 2025, CyberArmor first documented a phishing campaign abusing Vercel-hosted pages to deliver malware and remote access tooling. This is the earliest known activity in the campaign later analyzed by Cloudflare.
Sources
3 references tracked.
Hackers Using Google Cloud Storage to Bypass Email Filters and Deliver Remcos RAT (cybersecuritynews.com)
New Phishing Attack Leverages Vercel Hosting Platform to Deliver a Remote Access Tool (cybersecuritynews.com)
Threat Actors Fake BSODs and Trusted Build Tools to Bypass Defenses and Deploy DCRat (cybersecuritynews.com)