Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Apple iOS 17 Scam Alerts Protect iPhone Users From Phishing
July 3, 2026
Former MEP Investigating Spyware Abuses Hacked With Pegasus
July 3, 2026
Critical WatchGuard Firebox OS Flaws Let Attackers Execute Code
July 3, 2026
Home/Threats/New Phishing Attack Leverages Vercel Hosting Platform to Deliver a Remote Access Tool
Threats

New Phishing Attack Leverages Vercel Hosting Platform to Deliver a Remote Access Tool

A sophisticated phishing campaign, active between November 2025 and January 2026, has been exploiting Vercel’s legitimate hosting platform to distribute remote access tools to unsuspecting victims....

Marcus Rodriguez
Marcus Rodriguez
January 26, 2026 2 Min Read
33 0

A sophisticated phishing campaign, active between November 2025 and January 2026, has been exploiting Vercel’s legitimate hosting platform to distribute remote access tools to unsuspecting victims.

The attack chain combines social engineering with trusted domain exploitation, making it particularly effective at bypassing traditional security layers.

Attackers craft phishing emails using financially themed lures such as overdue invoices, payment statements, and shipping documents to pressure users into clicking malicious links.

The campaign demonstrates a shift in threat actor tactics, moving beyond simple malware delivery to implement advanced evasion techniques.

Victims receive emails containing urgency-driven language like “43 days past due” or threats of service suspension, compelling them to interact with hyperlinked content.

'Invoice Details' phishing example (Source - Cloudflare)
‘Invoice Details’ phishing example (Source – Cloudflare)

The attacker relies on Vercel’s reputation as a trusted platform, which naturally bypasses email filters and creates a false sense of security for recipients.

Some variants target specific regions, with Spanish-language emails posing as security update notifications, while others impersonate legitimate services like Adobe PDF viewers or financial portals.

A phishing email impersonating a secure document signing portal (Source - Cloudflare)
A phishing email impersonating a secure document signing portal (Source – Cloudflare)

Cloudflare analysts identified this threat while examining Vercel abuse patterns and discovered that the campaign had evolved significantly since its initial documentation in June 2025 by CyberArmor.

The researchers noted that threat actors implemented sophisticated Telegram-based filtering mechanisms designed to block security researchers and automated sandboxes from accessing the payload.

Infection Through Browser Fingerprinting and Conditional Delivery

When victims click the malicious Vercel link, they encounter a technically advanced evasion mechanism before payload delivery.

The attacker’s infrastructure performs browser fingerprinting, collecting IP addresses, device types, browser information, and geographic location.

This harvested data is exfiltrated to a threat-actor-controlled Telegram channel, where automated systems evaluate whether the victim represents a genuine target.

A specialized lure targeting business account owners (Source - Cloudflare)
A specialized lure targeting business account owners (Source – Cloudflare)

Security researchers and suspicious connections are filtered out, while approved victims proceed to a fake document viewer interface.

Users are then prompted to download files disguised as legitimate documents, with names like “Statements05122025.exe” or “Invoice06092025.exe.bin.”

The payload itself is not custom malware but rather a legitimate, signed copy of GoTo Resolve (formerly LogMeIn) remote access software. By leveraging this “Living off the Land” technique, attackers bypass signature-based antivirus detection systems.

Upon execution, the tool establishes connections to remote command servers, granting complete remote control and system access to threat actors.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwarephishingSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

48M Gmail, 6.5M Instagram Exposed Online From Unprotected Database

Next Post

Sandworm APT Group Targeting Poland’s Power Grid with DynoWiper Malware

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI Used in Ticketmaster Attack to Score Free Tickets
July 3, 2026
Anthropic Details Claude 3.5 Sonnet Safeguards and Jailbreak Framework
July 3, 2026
Google Disrupts NetNut Residential Proxy Botnet Exploiting 2 Million Devices
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us