Cybercriminals Exploit Vercel Hosting to Deploy Sophisticated Phishing Campaign with Remote Access Tools

Cybercriminals Exploit Vercel Hosting to Deploy Remote Access Tools

Between November 2025 and January 2026, a sophisticated phishing campaign was identified that abused Vercel’s reputable hosting platform to distribute remote access tools (RATs) to unsuspecting users. The method combines social engineering with the misuse of a trusted domain, effectively circumventing traditional security defenses.

Phishing Tactics and Lures

Attackers initiate the scheme by sending phishing emails that employ financial themes to create a sense of urgency. Subjects such as overdue invoices, pending payment statements, and shipping notifications are commonly used to pressure recipients into clicking embedded malicious links. For instance, emails may contain phrases such as “43 days past due” or warnings about potential service suspension, compelling users to act swiftly.

These emails often impersonate legitimate services, including Adobe PDF viewers or financial institutions, to enhance their credibility. Some variants are tailored to specific regions, with Spanish-language emails posing as security update notifications.

Exploitation of Vercel’s Platform

The attackers use Vercel’s hosting services to host their malicious content. Because the links point at Vercel’s trusted domain, the phishing emails are more likely to pass email filters and appear legitimate to recipients. This abuse reflects a growing trend in which cybercriminals misuse reputable platforms to lend authenticity to their malicious activities.

Advanced Evasion Techniques

Upon clicking the malicious link, victims are subjected to sophisticated evasion mechanisms designed to filter out security researchers and automated analysis tools. The attacker’s infrastructure performs browser fingerprinting, collecting data such as IP addresses, device types, browser information, and geographic location. This information is then transmitted to a Telegram channel controlled by the attackers, where automated systems assess whether the victim is a genuine target.

If deemed a legitimate target, the victim is redirected to a counterfeit document viewer interface, prompting them to download files disguised as legitimate documents, with names like Statements05122025.exe or Invoice06092025.exe.bin.
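Because the fingerprinting gate described above means sandboxes and analysts often never reach the payload, mail-side triage has to work from the lure features the report does describe: urgent financial language, a link on the abused hosting platform, and a document-style name that ends in an executable extension (optionally with a second extension appended, as in Invoice06092025.exe.bin). The following Python example is added here and is not code from the report or from Vercel; it scores a message on exactly those features. The `.vercel.app` suffix is an assumption (the report names Vercel but not the deployment domain), the sample messages are constructed, and the threshold of 5 is arbitrary.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse, unquote

# Default deployment domain of the abused hosting platform. ".vercel.app" is an
# assumption for this example; the report names Vercel but not the suffix.
ABUSED_HOSTING_SUFFIXES = (".vercel.app",)

FINANCIAL_THEME = re.compile(r"\b(invoice|statement|payment|shipping|shipment|delivery)\b", re.I)
URGENCY = re.compile(
    r"(\b\d+\s+days?\s+past\s+due\b|\boverdue\b|\bfinal notice\b|\bsuspension\b|\bsuspended\b)", re.I
)
# Document-looking executable names such as Statements05122025.exe or
# Invoice06092025.exe.bin (double extension); the date-like digit run is typical.
LURE_FILENAME = re.compile(
    r"^(invoice|statements?|receipt|payment|shipping)[\w\- ]*\d{6,8}\.(exe|scr|msi|bat|com)(\.[a-z0-9]{1,4})?$",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return self.score >= 5  # arbitrary threshold chosen for this example

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def is_abused_host(host):
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in ABUSED_HOSTING_SUFFIXES)


def triage_email(subject, body, attachment_names=()):
    """Score one message on the lure features described in the report."""
    v = Verdict()
    text = f"{subject}\n{body}"
    if FINANCIAL_THEME.search(subject):
        v.add(1, "financial theme in subject")
    if URGENCY.search(text):
        v.add(2, "urgency language (past due / suspension)")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if parsed.hostname and is_abused_host(parsed.hostname):
            v.add(3, f"link hosted on abused platform: {parsed.hostname}")
        last_segment = unquote(parsed.path.rsplit("/", 1)[-1])
        if LURE_FILENAME.match(last_segment):
            v.add(3, f"link points at document-named executable: {last_segment}")
    for name in attachment_names:
        if LURE_FILENAME.match(name):
            v.add(3, f"attachment is a document-named executable: {name}")
    return v


# Constructed sample messages (not taken from the campaign).
LURE_SUBJECT = "Invoice 43 days past due - action required"
LURE_BODY = "View your statement: https://billing-portal.vercel.app/view/Statements05122025.exe"
BENIGN_SUBJECT = "Team lunch on Friday"
BENIGN_BODY = "Sign up here: https://calendar.example.com/event/123"

if __name__ == "__main__":
    for subj, body in ((LURE_SUBJECT, LURE_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        v = triage_email(subj, body)
        print(subj, "->", v.score, v.suspicious, v.reasons)
```

Each rule on its own is weak (plenty of legitimate invoices are overdue), which is why the scorer adds the evidence up rather than blocking on any single match; the hosting-platform check is the one most worth tuning, since an organisation that deploys its own apps on the same platform will need an allow-list of its own project hostnames.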

Payload Delivery and Execution

The downloaded files are not custom malware but legitimate, signed copies of GoTo Resolve (formerly LogMeIn) remote access software. This living-off-the-land technique allows attackers to bypass signature-based antivirus detection. Once executed, the tool establishes connections to attacker-controlled remote servers, granting the attackers complete control over the victim’s system.
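Since the binary is genuinely signed, endpoint detection cannot key on the signature; what distinguishes a lured execution from a sanctioned install is context: a remote-management product launched from a user-writable download location, started by a browser, carrying a document-style name, or renamed relative to its version-info original name. The following Python example is added here and is not the report's or GoTo's code. It evaluates process-creation events shaped like Sysmon Event ID 1 (Image, ParentImage, Product, OriginalFileName). "GoTo Resolve" is the product named in the report; the other product names, the browser list, the install path and the `OriginalFileName` value are assumptions, and all events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Legitimate remote-management products that become a risk when a victim is lured
# into running a renamed copy. "GoTo Resolve" is from the report; the rest of the
# set is an assumption to be replaced with the products an organisation sanctions.
RMM_PRODUCTS = {"goto resolve", "anydesk", "teamviewer"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
DOCUMENT_NAME = re.compile(r"^(invoice|statements?|receipt|payment|shipping)", re.I)


def evaluate_process_event(event):
    """Return the reasons a process-creation event looks like lured RMM execution.

    Field names follow Sysmon Event ID 1. The binary is validly signed, so the
    signal is context: where it ran from, what launched it, and whether it was renamed.
    """
    product = (event.get("Product") or "").lower()
    if product not in RMM_PRODUCTS:
        return []
    image = PureWindowsPath(event.get("Image", ""))
    parent = PureWindowsPath(event.get("ParentImage", ""))
    original = (event.get("OriginalFileName") or "").lower()
    reasons = []
    if any(seg in str(image).lower() for seg in USER_WRITABLE):
        reasons.append(f"{product} launched from user-writable path {image.parent}")
    if parent.name.lower() in BROWSERS:
        reasons.append(f"launched directly by browser {parent.name}")
    if DOCUMENT_NAME.match(image.name):
        reasons.append(f"document-style file name {image.name}")
    if original and image.name.lower() != original:
        reasons.append(f"renamed binary: on-disk {image.name}, original {original}")
    return reasons


def should_alert(event, min_reasons=2):
    """Alert when at least min_reasons independent context signals coincide."""
    return len(evaluate_process_event(event)) >= min_reasons


# Constructed sample events (not real telemetry). The install path and the
# OriginalFileName value are placeholders, not verified vendor metadata.
LURED_EVENT = {
    "Image": r"C:\Users\alice\Downloads\Statements05122025.exe",
    "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    "Product": "GoTo Resolve",
    "OriginalFileName": "GoToResolve.exe",
}
SANCTIONED_EVENT = {
    "Image": r"C:\Program Files\GoTo\GoTo Resolve\GoToResolve.exe",
    "ParentImage": r"C:\Windows\explorer.exe",
    "Product": "GoTo Resolve",
    "OriginalFileName": "GoToResolve.exe",
}
UNRELATED_EVENT = {
    "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "ParentImage": r"C:\Windows\explorer.exe",
    "Product": "Microsoft Office",
    "OriginalFileName": "WinWord.exe",
}

if __name__ == "__main__":
    for name, ev in (("lured", LURED_EVENT), ("sanctioned", SANCTIONED_EVENT), ("unrelated", UNRELATED_EVENT)):
        print(name, should_alert(ev), evaluate_process_event(ev))
```

Requiring two coinciding signals keeps a helpdesk technician's legitimate install from paging anyone, while the lured case trips every rule at once; the renamed-binary check is the most durable of the four because the lure file name changes per campaign but the vendor's version-info name does not.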

Implications and Recommendations

This campaign highlights the evolving tactics of cybercriminals, who are increasingly exploiting trusted platforms and employing advanced evasion techniques to distribute remote access tools. Organizations and individuals must remain vigilant, scrutinizing unexpected emails, especially those with urgent financial themes, and verifying the legitimacy of links before clicking.

Implementing robust email filtering solutions, educating users about phishing tactics, and maintaining up-to-date security software are crucial steps in mitigating such threats.