Wednesday, May 21, 2025
HomeComputer SecurityHackers Using Google Cloud Computing Platform To Deliver Targeted Malware Attacks via...

Hackers Using Google Cloud Computing Platform To Deliver Targeted Malware Attacks via Weaponized PDF

Published on

SIEM as a Service

Follow Us on Google News

Threat actors use the Google computing platform (GCP) to deliver the malware through malicious PDF files. The attack targeted governments and financial firms worldwide.

According to Netskope Threat Research Labs detected the target based on its 42 customer instances and likely the attacks to be launched by the infamous hacking group Cobalt Strike.

Last year Cybercriminals abused legitimate Google Cloud Storage services to host malicious payloads and delivered to compromise the organization’s networks by bypassing the security controls.

- Advertisement - Google News

In this campaign, attackers used traditional email Crafted in a way to appear like a legitimate one and carry the malicious PDF document as an attachment in the mail.

The PDF’s found to be created with Adobe Acrobat and they contain HTTPS URLs in a compressed form and all the decoys used in delivering the payload.

“The targeted attack is more convincing than the traditional attacks and these attacks are carried out by abusing the GCP URL redirection in PDF decoys and redirecting to the malicious URL hosting the malicious payload.”

Attackers abused the GoogleApp Engine URL and redirect the victim to download the malware-hosted sites, which makes the victims to believe that they are downloading from a trusted source.

URL Redirection – Google Cloud Computing

According ot Netskope illustration on the decoy URL is accessed by the user, it logs out from appengine.google.com and generates a 302 status code of redirection.

once this action is triggered it redirects the user to google.com/logout?continue=, by using those redirection logic threat actors make the victims reach the destination landing page and download Doc102018[.]doc to the victim machine.

Even though it is an unvalidated redirect GCP App Engine application successfully validated all the redirection and delivers the payload to the victim’s machine.

Threat actors abused the Unvalidated Redirects and Forwards vulnerability with GCP App Engine and redirect victims to download to a malicious appended URL hosting the malicious payload, reads Netscape report.

The word document Doc102018.doc downloaded from https://transef[.]biz contains macros that download the second stage of the payloads from https://transef[.]biz/fr.txt.

Downloaded txt document “fr[.]txt” exploits use native Windows application Microsoft Connection Manager Profile Installer to download and execute the payload, researchers call it a Squiblydoo technique.

“Based on our threat intelligence research, more than 20 other banking, government, and financial institutions were targeted with the same attack via phishing emails sent by the attackers posing as legitimate customers of those institutions say Netscape.”

You can follow us on Linkedin, Twitter, and Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself self-updated.

Also Read:

8.8.8.8 – Google Public DNS now Support DNS-over-TLS to Protect Customer Search Queries

Cloud Computing Penetration Testing Checklist & Important Considerations

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security

A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party...

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs...

Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to orchestrate...

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs...

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some...

Hazy Hawk Targets DNS Vulnerabilities to Hijack Cloud Resources and Spread Malware

The threat actor gained attention in February 2025 after successfully hijacking a subdomain of...