Cybercriminals Exploit Google Forms to Deploy PureHVNC Malware in Sophisticated Job Scam
In a recent and alarming development, cybercriminals have begun exploiting Google Forms—a widely trusted tool—to distribute the PureHVNC Remote Access Trojan (RAT). This campaign employs deceptive job-related lures, such as fake interviews and project briefs, to infiltrate victims’ systems.
The Deceptive Strategy
The attack initiates with a meticulously crafted Google Form that mirrors legitimate recruitment or business processes. These forms solicit professional information, including work history and background details, to establish credibility. Upon submission, victims are directed to download business-themed ZIP files from platforms like Dropbox, filedn.com, and fshare.vn, or through URL shorteners like tr.ee and goo.su, which obscure the actual destination. Additionally, attackers disseminate these malicious links via LinkedIn, targeting professionals seeking employment or new opportunities.
Malwarebytes analysts have identified multiple variants of this campaign, noting that threat actors impersonate reputable companies across sectors such as finance, logistics, technology, sustainability, and energy. The fraudulent forms incorporate authentic company names, logos, and branding, making it challenging for users to detect the deception. Archive names like Project_Information_Summary_2026.zip and {CompanyName}_GlobalLogistics_Ad_Strategy.zip further enhance the illusion of legitimacy.
Understanding PureHVNC
PureHVNC is a modular .NET-based RAT belonging to the Pure malware family. Once installed, it grants attackers full remote control over the infected machine, enabling them to execute commands, exfiltrate data from browsers, cryptocurrency wallets, and messaging applications like Telegram and Foxmail, gather hardware and software information, and deploy additional plugins. The malware’s configuration is encoded in base64 and compressed with GZIP, with the identified command-and-control (C2) server located at IP 207.148.66.14, accessible on ports 56001, 56002, and 56003.
Multi-Stage Infection Process
The infection chain employed in this campaign is intricate and designed to evade detection at each stage. After extracting the downloaded ZIP file, victims encounter job-related documents alongside a hidden executable and a DLL named `msimg32.dll`. This DLL executes through DLL hijacking, tricking a legitimate application into loading the malicious code without raising immediate alarms.
Once activated, the DLL decrypts strings using XOR with the key 4B and checks for analysis environments using `IsDebuggerPresent()` and `time64()`. If sandboxing or debugging is detected, the malware displays the error message This software has expired or debugger detected and terminates.
Subsequently, the DLL removes itself from the disk, drops a decoy PDF to distract the victim, and adds a registry entry at `CurrentVersion\Run\Miroupdate` to establish persistence. In the next phase, a hidden archive named `final.zip` is extracted into a random folder within ProgramData. An obfuscated Python script—named `config.log` or `image.mp3` depending on the variant—decodes and launches Donut shellcode in memory. This shellcode injects PureHVNC into `SearchUI.exe`, a legitimate Windows process.
Implications and Recommendations
This campaign underscores the evolving tactics of cybercriminals who exploit trusted platforms like Google Forms to distribute malware. By leveraging professional networking sites and impersonating reputable companies, attackers increase the likelihood of deceiving victims.
To mitigate the risk of such attacks, individuals and organizations should:
– Verify the Authenticity of Communications: Scrutinize unsolicited job offers or project proposals, especially those received via email or social media platforms.
– Exercise Caution with File Downloads: Avoid downloading files from unfamiliar sources or links provided in unsolicited communications.
– Implement Robust Security Measures: Utilize up-to-date antivirus software and enable firewalls to detect and prevent malware infections.
– Educate Employees: Conduct regular training sessions to raise awareness about phishing tactics and the importance of verifying the legitimacy of job offers and project proposals.
By remaining vigilant and adopting proactive security practices, individuals and organizations can better protect themselves against sophisticated cyber threats like the PureHVNC campaign.
