Hackers Use Google Cloud to Bypass Filters, Deliver Remcos
Threat actors are actively exploiting Google Cloud Storage (GCS) to host malicious files, bypassing traditional email security filters and delivering the Remcos Remote Access Trojan (RAT). This sophisticated campaign targets organizations across various sectors, utilizing phishing emails as the initial compromise vector. Recipients receive emails containing a malicious link that directs them to a GCS bucket, where a ZIP archive awaits download.
Since RegSvcs.exe carries a clean reputation on VirusTotal, this stage appears completely normal to most endpoint protection tools, making it nearly invisible without behavioral monitoring.
Security teams should treat any storage.googleapis.com link with the same caution as an unknown domain, since trusting a platform name does not guarantee safe content.
Behavioral analysis tools that observe post-click activity are far more effective than signature-based detection alone.
Employees in finance, procurement, and leadership roles should be trained to recognize cloud-storage phishing lures and never download files from unexpected login prompts.
Suspicious JavaScript and script files must always be tested in an isolated environment before running on any production system.
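To make the advice in the preceding points concrete, here is an added example (not code from the original article or from HackersRadar) of the kind of mail-gateway check a security team could run: it pulls URLs out of an email body, recognises both the path-style (storage.googleapis.com/bucket/object) and virtual-hosted (bucket.storage.googleapis.com/object) forms of a Google Cloud Storage link, and flags any that point at an archive or script file. The sample emails and the list of risky extensions are constructed for the example and are not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample email bodies; none of these are real campaign indicators.
SAMPLE_EMAILS = [
    "Please review the invoice: https://storage.googleapis.com/acme-invoices-2024/Invoice_4471.zip",
    "Quarterly report: https://reports.example-corp.com/q3.pdf",
    "Updated terms: http://legal-docs.storage.googleapis.com/terms.js?download=1",
    "Meeting notes are in the shared drive, no attachments.",
]

GCS_HOST = "storage.googleapis.com"
# Extensions worth a second look when served from anonymous cloud storage (assumed list).
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".iso")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_gcs_host(host):
    """True for storage.googleapis.com itself or any bucket-style subdomain of it."""
    host = host.lower()
    return host == GCS_HOST or host.endswith("." + GCS_HOST)


def classify_url(url):
    """Return bucket/object details for a GCS link, or None for any other host."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not is_gcs_host(host):
        return None
    path = parsed.path.lstrip("/")
    if host == GCS_HOST:
        # Path-style: first path segment is the bucket, the rest is the object name.
        parts = path.split("/", 1)
        bucket = parts[0]
        obj = parts[1] if len(parts) > 1 else ""
    else:
        # Virtual-hosted style: bucket is the subdomain, the whole path is the object.
        bucket = host[: -len("." + GCS_HOST)]
        obj = path
    return {
        "url": url,
        "bucket": bucket,
        "object": obj,
        "risky_extension": obj.lower().endswith(RISKY_EXTENSIONS),
    }


def scan_email(body):
    """Return a list of findings for every GCS link found in an email body."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # strip punctuation that trailed the link in prose
        result = classify_url(url)
        if result is not None:
            findings.append(result)
    return findings


def flag_mailbox(emails):
    """Return the subset of emails whose GCS links point at archive or script files."""
    flagged = []
    for body in emails:
        if any(f["risky_extension"] for f in scan_email(body)):
            flagged.append(body)
    return flagged


if __name__ == "__main__":
    for body in flag_mailbox(SAMPLE_EMAILS):
        for f in scan_email(body):
            print(f"bucket={f['bucket']} object={f['object']} risky={f['risky_extension']}")
```

A hit from this check is a reason to hold the message for sandbox detonation of the linked file rather than to block on the platform name alone; the same bucket-parsing logic applies to proxy logs, where a download of a .zip or .js object from a bucket nobody in the organisation owns is the behavioural signal the article recommends watching for.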