New PureHVNC Malware Campaign Uses Google Forms to Lure Victims

David Kimber
March 24, 2026

Key Takeaways

  • A new campaign is leveraging Google Forms to distribute the PureHVNC Remote Access Trojan (RAT).
  • Threat actors are impersonating legitimate companies across various sectors, using fake job offers and business documents as lures.
  • The infection chain involves DLL hijacking, obfuscated Python scripts, Donut shellcode, and process injection into SearchUI.exe.
  • PureHVNC grants attackers extensive remote control, enabling data theft from browsers, crypto wallets, and messaging apps.
  • Defenders should verify form sources, scrutinize unexpected offers, and monitor for specific malicious behaviors like unusual DLL loads and PowerShell task creation.

Cybersecurity researchers have uncovered a novel malware distribution campaign that ingeniously weaponizes Google Forms, a widely adopted and trusted online tool, to ensnare victims. This sophisticated operation primarily aims to disseminate the PureHVNC Remote Access Trojan (RAT) through a series of business-themed deceptions.

The campaign stands out not for the novelty of the PureHVNC RAT itself, but for its cunning use of Google Forms as an initial vector. Attackers are crafting highly convincing forms, masquerading as legitimate recruitment processes, project briefs, or financial documentation, to lure unsuspecting professionals into downloading malicious payloads.

According to analysis by Malwarebytes, these threat actors are impersonating well-known entities across diverse industries, including finance, logistics, technology, sustainability, and energy. The fake forms meticulously incorporate real company names, logos, and branding elements, making them exceptionally difficult for an average user to identify as fraudulent.

Once a target submits their professional details via the deceptive Google Form, they are directed to download a business-themed ZIP archive. These malicious archives are hosted on various platforms such as Dropbox, filedn.com, and fshare.vn, with links often obscured by URL shorteners like tr.ee and goo.su. The campaign also leverages professional networking platforms like LinkedIn to reach individuals actively seeking employment or new business opportunities.

Examples of archive names, such as “Project_Information_Summary_2026.zip” and “{CompanyName}_GlobalLogistics_Ad_Strategy.zip,” highlight the meticulous planning and calculated deception employed by the attackers. These names are designed to appear innocuous and relevant to the business context established by the initial Google Form lure.

The PureHVNC Remote Access Trojan

PureHVNC is a modular .NET-based Remote Access Trojan belonging to the “Pure” malware family. Upon successful infection, it grants attackers extensive control over the compromised machine. This includes the ability to execute arbitrary commands, exfiltrate sensitive data from web browsers, cryptocurrency wallets, and messaging applications like Telegram and Foxmail, gather system hardware and software information, and deploy additional malicious plugins.

The RAT’s configuration data is base64-encoded and compressed using GZIP. The identified Command and Control (C2) server for this campaign is located at IP address 207.148.66.14, communicating over ports 56001, 56002, and 56003. The broad targeting across industries where document sharing is commonplace and external file exchange is routine makes it challenging for users to distinguish legitimate attachments from malicious ones.

Multi-Stage Infection Mechanism

The PureHVNC infection chain is built in multiple layers designed to evade detection. Upon extracting the downloaded ZIP archive, victims find legitimate-looking job-related documents alongside a concealed executable and a malicious DLL named msimg32.dll. The DLL relies on DLL hijacking: because Windows searches an application's own directory before the system directories, the executable loads the attacker's msimg32.dll instead of the legitimate system copy, so the malicious code runs inside a seemingly legitimate process without triggering immediate security alerts.

Once active, the malicious DLL employs XOR encryption with the key “4B” to decrypt its strings. It also performs anti-analysis checks using functions like IsDebuggerPresent() and time64() to detect sandbox or debugging environments. If such activity is identified, the malware displays an error message stating “This software has expired or debugger detected” and terminates its execution.

Following these checks, the DLL removes itself from the disk and drops a decoy PDF document to keep the victim occupied while establishing persistence. This is achieved by creating a registry entry at CurrentVersion\Run\Miroupdate.

In the subsequent stage, a hidden archive named final.zip is extracted into a randomly named folder within the ProgramData directory. An obfuscated Python script, typically named config.log or image.mp3 depending on the variant, then decodes and launches Donut shellcode directly in memory. Donut is a publicly available loader that packages a .NET assembly as position-independent shellcode, which lets the RAT run without its executable being written to disk. This shellcode injects the PureHVNC RAT into SearchUI.exe, a legitimate Windows process, to further mask its presence.

To maintain persistent access, the malware creates a scheduled task using a base64-encoded PowerShell command. This task is configured to run with the highest possible privileges, provided administrator rights are available. The presence of the mutex “Rluukgz” on the compromised host serves as a unique identifier for the malware’s activity.

What You Should Do

  • Verify Sources: Always independently verify the legitimacy of any Google Form before submitting personal or professional information, especially if it relates to unexpected job offers or project requests. Cross-reference through official company websites or known contacts.
  • Exercise Caution with Links: Be highly suspicious of links hidden behind URL shorteners. Use online tools to preview the full URL before clicking to understand the true destination.
  • Scrutinize Attachments: Treat any unsolicited ZIP files or documents, even those from seemingly legitimate sources, with extreme caution. Enable “show file extensions” in Windows to help identify potentially malicious executables disguised as documents.
  • Monitor for Anomalous Behavior: Security teams should implement and monitor for indicators of compromise, including unusual DLL loads, the creation of encoded PowerShell scheduled tasks, and process injection into legitimate Windows processes like SearchUI.exe.
  • Strengthen Endpoint Defenses: Ensure endpoint detection and response (EDR) solutions are up-to-date and configured to flag suspicious activities, such as Python processes executing from unusual locations within ProgramData directories.
  • Educate Users: Conduct regular cybersecurity awareness training for employees, emphasizing the tactics used in phishing and social engineering campaigns, especially those leveraging familiar tools like Google Forms and LinkedIn.
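As an added example (not code from the article or from Malwarebytes), the following Python script applies the monitoring points above to constructed Sysmon-style event records: it flags msimg32.dll loading from outside the system directories, python.exe running from ProgramData, encoded PowerShell that registers a scheduled task (decoding the base64 UTF-16LE payload so an analyst can read it), and a Run-key entry named Miroupdate. The event field names, the placeholder executable name "viewer.exe" and the sample task name "Updater" are assumptions, not values from the article.

```python
import base64
import re
from pathlib import PureWindowsPath
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def decode_encoded_powershell(cmdline):
    """Decode a -e/-enc/-EncodedCommand argument (base64 of UTF-16LE text), else None."""
    m = re.search(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def matched_indicators(event):
    """Return the article's indicators that one Sysmon-style event dict matches."""
    hits, kind, image = [], event.get("kind"), event.get("image", "").lower()
    if kind == "image_load":
        loaded = event.get("loaded", "").lower()
        # The real msimg32.dll lives in System32/SysWOW64; a copy beside the EXE is the hijack.
        if PureWindowsPath(loaded).name == "msimg32.dll" and not loaded.startswith(SYSTEM_DIRS):
            hits.append("msimg32.dll loaded from a non-system path (DLL hijacking)")
    elif kind == "process_create":
        if PureWindowsPath(image).name == "python.exe" and "\\programdata\\" in image:
            hits.append("python.exe running from ProgramData")
        decoded = decode_encoded_powershell(event.get("cmdline", ""))
        if decoded is not None:
            label = "encoded PowerShell command"
            if re.search(r"schtasks|scheduledtask", decoded, re.I):
                label += " that creates a scheduled task"
            hits.append(label)
    elif kind == "registry_set":
        key = event.get("key", "").lower()
        if "\\currentversion\\run\\" in key and key.endswith("\\miroupdate"):
            hits.append("Run-key persistence entry 'Miroupdate'")
    return hits

def scan(events):
    """Return [(event_index, [indicator, ...])] for every event that matched."""
    return [(i, h) for i, e in enumerate(events) if (h := matched_indicators(e))]
# Constructed sample events, not real telemetry; "viewer.exe" and task name "Updater" are placeholders.
ENC = base64.b64encode("schtasks /create /tn Updater /rl highest".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"kind": "image_load", "image": "C:\\Users\\jdoe\\Downloads\\viewer.exe", "loaded": "C:\\Users\\jdoe\\Downloads\\msimg32.dll"},
    {"kind": "process_create", "image": "C:\\ProgramData\\q1w2e3\\python.exe", "cmdline": "python.exe config.log"},
    {"kind": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -enc " + ENC},
    {"kind": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Miroupdate"},
]
```

Feed `scan()` with event dicts translated from your own Sysmon or EDR export; each matched event comes back with the indicators it tripped, and `decode_encoded_powershell()` can be used on its own during triage.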
