
By abusing a trusted hosting service and a legitimate remote‑support tool, the attack bypasses many traditional defenses, exposing enterprises to stealthy backdoors and data compromise. Recognizing this vector is critical for security teams to adjust detection and user‑training strategies.
The rise of "inherited trust" attacks reflects a broader shift toward exploiting reputable cloud platforms for malicious purposes. Vercel, known for its developer‑friendly hosting, offers a globally trusted *.vercel.app domain that often slips past email filters and URL reputation services. Attackers capitalize on this legitimacy, crafting short, urgent emails that appear to reference invoices or legal notices, and embed Vercel links that lead victims to convincing fake portals. This tactic mirrors earlier abuses of services like Surge.sh, underscoring the need for security teams to treat any third‑party subdomain with heightened scrutiny, regardless of its public reputation.
Technically, the campaign employs a multi‑stage delivery chain. After a victim clicks the Vercel link, a lightweight script gathers browser fingerprints—IP address, location, device type—and forwards the data to a private Telegram channel. The attackers use this intelligence to filter out sandbox environments and non‑target regions, ensuring only high‑value victims receive the payload. The final download is not a custom trojan but a signed GoTo Resolve installer, a legitimate remote‑access product. By leveraging this "living‑off‑the‑land" approach, the malware evades signature‑based AV solutions and benefits from the inherent trust placed in well‑known software vendors.
Defending against this vector requires a blend of technology and awareness. Organizations should implement URL‑analysis gateways that flag newly registered subdomains, especially those serving executable files. Application control policies must restrict the installation of remote‑support tools to approved personnel, and security awareness programs should emphasize that a padlock icon or a familiar domain does not guarantee safety. Continuous monitoring of Vercel‑related traffic, coupled with threat‑intel feeds that surface emerging dropper URLs, will help security operations centers detect and disrupt these campaigns before they achieve a foothold. As cloud‑native services proliferate, attackers will increasingly weaponize them, making proactive detection and user education essential components of a resilient cyber‑defense posture.
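The detection side of the delivery chain described above, as an added example that is not code from the article or from any of the products it names. It runs a few constructed web‑proxy log lines through three of the controls the article recommends: flag first‑seen and executable‑serving subdomains of trusted hosting platforms, flag remote‑support installers fetched by accounts outside an approved list, and raise the severity when both fire for the same request. The log format, hostnames, usernames, allow‑list, and file‑extension list are all assumptions for the example.

```python
"""Proxy-log detection for 'inherited trust' phishing chains: a lure on a
trusted hosting subdomain followed by a download of a legitimate
remote-support installer.  Added illustration; the log format, hosts,
users, allow-list and extension list below are assumptions."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosting platforms named in the article whose subdomains inherit trust.
TRUSTED_HOSTING_SUFFIXES = (".vercel.app", ".surge.sh")
# Extensions and MIME types treated as executable downloads (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".dmg", ".pkg", ".zip", ".hta", ".js")
EXECUTABLE_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msi",
    "application/octet-stream",
    "application/vnd.microsoft.portable-executable",
}
# Filename markers of remote-support products; GoTo Resolve comes from the
# article, the other two are assumptions added for illustration.
REMOTE_SUPPORT_MARKERS = ("gotoresolve", "anydesk", "teamviewer")
# Accounts permitted to install remote-support tools (assumed allow-list).
APPROVED_REMOTE_SUPPORT_USERS = {"it-helpdesk"}

# Assumed proxy log line layout: "<timestamp> <user> <url> <content-type>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)\s+(?P<ctype>\S+)$")


@dataclass
class ProxyEvent:
    ts: str
    user: str
    url: str
    content_type: str

    @property
    def host(self) -> str:
        return (urlparse(self.url).hostname or "").lower()

    @property
    def path(self) -> str:
        return urlparse(self.url).path.lower()


def parse_line(line: str):
    """Return a ProxyEvent for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return ProxyEvent(m["ts"], m["user"], m["url"], m["ctype"].lower())


def is_trusted_hosting(host: str) -> bool:
    return any(host.endswith(suffix) for suffix in TRUSTED_HOSTING_SUFFIXES)


def looks_executable(event: ProxyEvent) -> bool:
    """Extension or MIME type indicates a binary or script download."""
    return event.path.endswith(EXECUTABLE_EXTENSIONS) or event.content_type in EXECUTABLE_MIME_TYPES


def is_remote_support_installer(event: ProxyEvent) -> bool:
    """Match product names in the path after dropping '-' and '_' separators."""
    name = re.sub(r"[-_]", "", event.path)
    return any(marker in name for marker in REMOTE_SUPPORT_MARKERS)


def evaluate(event: ProxyEvent, seen_hosts: set) -> list:
    """Return the detection tags that apply to a single proxy event."""
    tags = []
    trusted = is_trusted_hosting(event.host)
    if trusted and event.host not in seen_hosts:
        tags.append("first_seen_trusted_hosting_subdomain")
    if trusted and looks_executable(event):
        tags.append("executable_from_trusted_hosting")
    if is_remote_support_installer(event) and event.user not in APPROVED_REMOTE_SUPPORT_USERS:
        tags.append("unapproved_remote_support_installer")
    return tags


def severity(tags: list) -> str:
    # Both halves of the chain on one request is the pattern from the article.
    if "executable_from_trusted_hosting" in tags and "unapproved_remote_support_installer" in tags:
        return "high"
    return "medium" if tags else "none"


def scan(lines, known_hosts=frozenset()):
    """Evaluate every line; return alerts as (user, url, severity, tags)."""
    seen = set(known_hosts)
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        tags = evaluate(event, seen)
        seen.add(event.host)  # a host is only 'first seen' once per scan
        if tags:
            alerts.append((event.user, event.url, severity(tags), tags))
    return alerts


# Constructed sample log: an HTML lure, the installer fetched from the same
# subdomain, a legitimate helpdesk download, benign traffic, and a junk line.
SAMPLE_PROXY_LOG = [
    "2024-05-02T09:14:01Z alice https://billing-notice-4821.vercel.app/invoice.html text/html",
    "2024-05-02T09:14:07Z alice https://billing-notice-4821.vercel.app/GoToResolve_Setup.exe application/x-msdownload",
    "2024-05-02T10:03:11Z it-helpdesk https://downloads.example-vendor.test/GoToResolve_Setup.msi application/x-msi",
    "2024-05-02T10:20:45Z bob https://docs.example.test/report.pdf application/pdf",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for user, url, sev, tags in scan(SAMPLE_PROXY_LOG):
        print(f"{sev:6} {user:12} {url}  {', '.join(tags)}")
```

Passing a baseline of already‑known hosting subdomains as `known_hosts` suppresses the first‑seen tag for established deployments, so only the executable and installer rules remain active for them; the helpdesk download is left alone because the account is on the allow‑list.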