When Trust Becomes a Weapon: Google Cloud Storage Phishing Deploying Remcos RAT
ID: 89a1bf7c-bfa3-56a8-b1dc-27417c10a5e7
STIX ID: report--89a1bf7c-bfa3-56a8-b1dc-27417c10a5e7
Feed Name: ANY.RUN's Cybersecurity Blog
ANY.RUN researchers report an April 2026 phishing campaign that hosts Google Drive-themed lure pages on legitimate Google Cloud Storage infrastructure. The pages harvest credentials and then prompt the victim to download a malicious JavaScript file, which starts a multi-stage chain: the JS drops and runs a VBS script, the VBS launches PowerShell, and PowerShell loads a .NET loader in memory. The loader injects Remcos RAT into a signed RegSvcs.exe process via process hollowing, giving the operators credential theft, persistent encrypted C2, and full remote access. The analysis highlights the campaign's fileless execution, time-based sandbox evasion, and abuse of trusted infrastructure to slip past reputation-based defenses, and recommends behavioral sandboxing, real-time threat intelligence feeds, and proactive hunting to detect and mitigate similar attacks.
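One concrete form the recommended hunting can take is to walk process-creation telemetry for the delivery chain the summary describes (script host → script host → PowerShell → RegSvcs.exe) and attach the hollowing-related signals a responder would check. The script below is an added example, not ANY.RUN's code or data: the events are constructed Sysmon-style records, the assumption that wscript.exe/cscript.exe host the JS and VBS stages is ours (the page names only the script types), and the "no assembly argument" and "encoded/hidden PowerShell" heuristics are general hollowing and fileless-execution indicators rather than details reported for this campaign.

```python
"""Hunt for the JS -> VBS -> PowerShell -> RegSvcs.exe delivery chain.

Added example; not code from the ANY.RUN report. Sample events are constructed.
Assumptions: wscript.exe/cscript.exe host the script stages; a hollowed
RegSvcs.exe is usually started with no assembly argument; the PowerShell
stage often uses -EncodedCommand and a hidden window.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Expected chain, root first (script hosts are an assumption, see docstring).
SCRIPT_HOSTS = frozenset({"wscript.exe", "cscript.exe"})
POWERSHELL = frozenset({"powershell.exe", "pwsh.exe"})
CHAIN = (SCRIPT_HOSTS, SCRIPT_HOSTS, POWERSHELL, frozenset({"regsvcs.exe"}))

# Constructed telemetry: one malicious chain plus a benign RegSvcs.exe use.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\Invoice.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\AppData\Local\Temp\a.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -enc SQBFAFgA..."),
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              "RegSvcs.exe"),
    # Benign: an admin script registering a real assembly with RegSvcs.exe.
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File build.ps1"),
    ProcEvent(700, 600, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              "RegSvcs.exe MyService.dll"),
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath handles '\\')."""
    return ntpath.basename(image).lower()


def ancestry(event: ProcEvent, by_pid: dict) -> list:
    """Return [event, parent, grandparent, ...] while the parent is known."""
    lineage, seen, cur = [event], {event.pid}, event
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        lineage.append(cur)
    return lineage


def find_chains(events: list) -> list:
    """Return every root-first process list that matches CHAIN exactly."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in CHAIN[-1]:
            continue
        lineage = ancestry(e, by_pid)  # child first
        if len(lineage) < len(CHAIN):
            continue
        candidate = list(reversed(lineage[:len(CHAIN)]))  # root first
        if all(basename(p.image) in stage for p, stage in zip(candidate, CHAIN)):
            hits.append(candidate)
    return hits


def describe(chain: list) -> list:
    """Human-readable reasons for a hit, including hollowing-related signals."""
    powershell, host = chain[2], chain[3]
    reasons = [" -> ".join(basename(p.image) for p in chain)]
    # Legitimate RegSvcs.exe takes an assembly path; a bare launch fits a
    # suspended-then-hollowed host (assumption, not a campaign-specific fact).
    if len(host.cmdline.split(maxsplit=1)) < 2:
        reasons.append("RegSvcs.exe started without an assembly argument")
    tokens = powershell.cmdline.lower().split()
    if any(t.startswith("-e") and "-encodedcommand".startswith(t) for t in tokens):
        reasons.append("PowerShell launched with an encoded command")
    if "hidden" in tokens:
        reasons.append("PowerShell launched with a hidden window")
    return reasons


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print("pids", [p.pid for p in hit])
        for r in describe(hit):
            print("  -", r)
```

The benign PowerShell → RegSvcs.exe pair (pids 600/700) is not flagged because it lacks the two script-host ancestors, which keeps the rule narrow; in production you would widen `CHAIN` to whatever script hosts your telemetry actually shows and pair this with network-connection events from the RegSvcs.exe process, since a hollowed host is the one that should be talking to C2.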
