Google Cloud Storage Weaponized for Clandestine Remcos RAT Delivery

SC Media, Apr 16, 2026

Why It Matters

The abuse of a reputable cloud service erodes confidence in seemingly safe URLs, forcing organizations to rethink URL‑based filtering and invest in behavior‑focused defenses. It underscores a broader trend of attackers exploiting major cloud providers to bypass traditional perimeter controls.

Key Takeaways

  • Threat actors host malicious pages on the Google Cloud Storage domain (storage.googleapis.com)
  • Phishing emails lead to a counterfeit Google Drive login page that harvests credentials and one‑time passcodes
  • A JavaScript payload fetched after submission drops the Remcos RAT, giving the attacker full control of the endpoint
  • The RAT survives reboots by writing entries to the Windows Registry
  • Experts urge behavioral analytics to detect post‑click activity rather than relying on URL reputation alone

Pulse Analysis

The rise of cloud‑native infrastructure has given attackers a new playground for stealthy campaigns. Google Cloud Storage, with its globally trusted storage.googleapis.com domain, offers a veneer of legitimacy that phishing lures can exploit. By hosting malicious HTML and JavaScript on a platform that rarely raises red flags, threat actors sidestep many URL‑based security controls, a tactic that mirrors earlier abuses of services like Amazon S3 and Microsoft Azure Blob.

In this campaign, the intrusion begins with a crafted email that appears to request a document review. The link lands on a counterfeit Google Drive login page, where victims are prompted to enter their corporate credentials, including one‑time passcodes, so an OTP‑based second factor does not stop the credential theft. After submission, the page fetches a hidden JavaScript file that silently drops the Remcos RAT onto the endpoint. Once installed, Remcos provides full remote control: keystroke logging, screenshot capture, microphone and webcam hijacking, and file exfiltration. Persistence is achieved by writing entries to the Windows Registry, so the malware survives reboots and evades basic cleanup attempts.

Defenders must adapt by augmenting traditional URL filtering with behavioral analytics that monitor post‑click activity. Deploying sandboxing for downloaded scripts, enforcing phishing‑resistant multi‑factor authentication (FIDO2/WebAuthn rather than one‑time passcodes, which this lure already captures), and educating users about the subtle differences in legitimate cloud URLs are essential steps. Because storage.googleapis.com also serves a great deal of legitimate traffic, blocking the domain outright is rarely an option; organizations should instead leverage threat‑intelligence feeds that flag suspicious bucket and object patterns on storage.googleapis.com, and integrate them into SIEM correlation rules that tie the web request to what happens on the endpoint afterwards. As cloud services continue to be co‑opted for malicious purposes, a shift toward context‑aware detection will be critical to protect enterprise assets.
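The correlation rule sketched above, as an added example that is not part of the article or of any vendor product: it parses constructed proxy and endpoint log lines, recognises both URL forms Google Cloud Storage serves (bucket in the path or bucket as a subdomain) while rejecting look‑alike domains, flags bucket objects served as HTML or JavaScript, and raises an alert when a Run‑key registry write follows such a fetch on the same host within a short window. The log formats, host names, bucket name and the Run‑key location are assumptions; the article only says the RAT writes registry entries.

```python
"""Correlate web-proxy logs with endpoint telemetry to catch the
GCS-hosted phishing-to-RAT chain.  Added example; the log formats,
hosts, bucket and registry key below are constructed/assumed."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

GCS_HOST = "storage.googleapis.com"
WEB_CONTENT = {"text/html", "application/javascript", "text/javascript"}
# Assumed persistence location (the article does not name the key).
RUN_KEY_MARKER = r"\currentversion\run"


def gcs_bucket(url: str):
    """Return the bucket name if the URL points at Google Cloud Storage.

    GCS serves objects under two URL forms:
      https://storage.googleapis.com/<bucket>/<object>
      https://<bucket>.storage.googleapis.com/<object>
    Look-alikes (storage-googleapis.com, storage.googleapis.com.evil.tld)
    return None, which is the "subtle difference" users are taught to spot.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == GCS_HOST:
        return p.path.lstrip("/").split("/", 1)[0] or None
    suffix = "." + GCS_HOST
    if host.endswith(suffix):
        return host[: -len(suffix)]
    return None


def is_gcs_web_page(url: str, content_type: str) -> bool:
    """A bucket object served as HTML/JS is a static site on GCS, which is
    what both the lure page and the dropper script look like on the wire."""
    ct = content_type.split(";")[0].strip().lower()
    return gcs_bucket(url) is not None and ct in WEB_CONTENT


def parse_proxy(line: str) -> dict:
    """Constructed proxy format: ts|host|url|content_type."""
    ts, host, url, ct = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "url": url, "ct": ct}


def parse_endpoint(line: str) -> dict:
    """Constructed endpoint format: ts|host|event|detail."""
    ts, host, event, detail = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "detail": detail}


def correlate(proxy_lines, endpoint_lines, window=timedelta(minutes=15)):
    """One alert per Run-key write that was preceded, on the same host and
    within `window`, by at least one HTML/JS fetch from a GCS bucket."""
    pages = [e for e in map(parse_proxy, proxy_lines)
             if is_gcs_web_page(e["url"], e["ct"])]
    alerts = []
    for ev in map(parse_endpoint, endpoint_lines):
        if ev["event"] != "RegistrySet" or RUN_KEY_MARKER not in ev["detail"].lower():
            continue
        hits = [p for p in pages
                if p["host"] == ev["host"] and ev["ts"] - window <= p["ts"] <= ev["ts"]]
        if hits:
            alerts.append({
                "host": ev["host"],
                "registry": ev["detail"],
                "pages": [p["url"] for p in hits],
                "buckets": {gcs_bucket(p["url"]) for p in hits},
                "seconds_from_first_fetch": (ev["ts"] - min(p["ts"] for p in hits)).total_seconds(),
            })
    return alerts


# Constructed sample data: one victim host, one benign PDF download,
# one look-alike domain, and one Run-key write hours later (outside window).
PROXY_LOG = [
    "2026-04-16T09:01:10|WS-017|https://storage.googleapis.com/doc-review-share/login.html|text/html",
    "2026-04-16T09:01:42|WS-017|https://storage.googleapis.com/doc-review-share/app.js|application/javascript; charset=utf-8",
    "2026-04-16T09:05:00|WS-022|https://storage.googleapis.com/corp-backups/q1.pdf|application/pdf",
    "2026-04-16T10:20:00|WS-031|https://storage-googleapis.com/x/login.html|text/html",
]
ENDPOINT_LOG = [
    "2026-04-16T09:02:30|WS-017|RegistrySet|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "2026-04-16T09:06:10|WS-022|ProcessCreate|C:\\Windows\\System32\\notepad.exe",
    "2026-04-16T12:00:00|WS-017|RegistrySet|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\legit",
]

if __name__ == "__main__":
    for a in correlate(PROXY_LOG, ENDPOINT_LOG):
        print(a)
```

The rule deliberately keys on the bucket, not the domain: the benign PDF from `corp-backups` is never flagged, the look‑alike `storage-googleapis.com` is ignored by the GCS check (it belongs in a separate typosquat rule), and a Run‑key write with no preceding GCS page fetch in the window produces nothing. Feed it real proxy and Sysmon/EDR registry events and widen the content‑type set if the lure is served as a redirect or PDF.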

