Threat researchers have found a new malware campaign that uses Google Forms to spread the PureHVNC Remote Access Trojan (RAT). Instead of using fake emails or malicious landing pages, attackers are taking advantage of the fact that people trust real services like Google Forms, Dropbox, and LinkedIn to start their attacks. The threat actors were able to trick professionals into downloading a dangerous multi-stage payload by using business-related lures like job interviews, project summaries, and financial documents.

The Google Forms Infection Chain: The attack begins when a victim is directed to a malicious Google Form, usually via links shared on professional networking sites such as LinkedIn.

These forms impersonate well-known companies in the finance, technology, logistics, and energy sectors and ask users to supply professional details such as their background and experience.

Figure: Google Forms Spreads PureHVNC (Source: Malwarebytes)

At the end, the form hands the victim a link to a ZIP file hosted on file-sharing sites or hidden behind URL shorteners to disguise its destination.

To avoid drawing attention, the ZIP files carry business-sounding names such as "Project_Information_Summary_2026.zip" or "Company_and_Job_Overview.pdf.rar." Once downloaded, the archive kicks off a multi-stage infection. It typically contains a genuine decoy document, an executable, and a malicious DLL, often named msimg32.dll. When the victim runs the executable, DLL hijacking causes the legitimate program to load the malicious code.

The DLL performs several evasion steps, such as decrypting its strings with a simple XOR cipher and checking for debugging environments. If it is not caught, it drops the decoy PDF to maintain the illusion of legitimacy while establishing initial persistence through the Windows registry.

Figure: Google Forms Spreads PureHVNC (Source: Malwarebytes)

Indicators and Capabilities of PureHVNC: PureHVNC is a highly flexible .NET RAT that gives attackers full remote control of the infected system and the ability to steal data from it.

Once injected, the malware uses Windows Management Instrumentation (WMI) queries to profile the infected device: which antivirus software is installed, which version of Windows is running, and what hardware is present. It then creates a scheduled task that runs with the highest privileges using base64-encoded PowerShell commands, which makes it very hard to remove.

Figure: Example of files found in one of the analysed archives (Source: Malwarebytes)

Malwarebytes says that PureHVNC's main goal is large-scale data theft. It methodically harvests private data from web browsers, browser extensions, cryptocurrency wallets, and applications such as Telegram and Foxmail. The malware communicates with its command-and-control (C2) server using a configuration that is base64-encoded and GZIP-compressed.

This lets attackers issue commands remotely and retrieve stolen data without difficulty. To stay safe from these threats, professionals should verify job applications through official company channels and avoid downloading attachments from Google Forms they cannot confirm are genuine.

The known Indicators of Compromise (IOCs) linked to this campaign:

IP Address: 207.148.66.14 (Ports: 56001, 56002, 56003)

File Hashes (SHA-256):
ca6bd16a6185c3823603b1ce751915eaa60fb9dcef91f764bef6410d729d60b3
d6b7ab6e5e46cab2d58eae6b15d06af476e011a0ce8fcb03ba12c0f32b0e6386
e7b9f608a90bf0c1e477a28f41cb6bd2484b997990018b72a87268bf46708320
e221bb31e3539381d4753633443c1595bd28821ab6c4a89ad00ea03b2e98aa00
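As an added defender-side example (not code from the report or from Malwarebytes), this Python hunt script applies the observables described above to Sysmon-style telemetry: msimg32.dll loaded from outside the Windows system directories (the DLL hijack in the archive), a process launched with a base64-encoded PowerShell command (the scheduled-task persistence), and connections to the listed C2 address and ports. The event dicts and the encoded placeholder command are constructed samples; the field names follow Sysmon's naming, but the dict layout is an assumption about how the logs were exported.

```python
import base64
import re

# Indicators taken from the report above; everything else here is constructed.
C2_IP = "207.148.66.14"
C2_PORTS = {56001, 56002, 56003}
SIDELOAD_DLL = "msimg32.dll"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text) or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_sideloaded(image_loaded):
    """True when msimg32.dll is loaded from anywhere but the Windows system directories."""
    folder, _, name = image_loaded.lower().rpartition("\\")
    return name == SIDELOAD_DLL and not folder.startswith(SYSTEM_DIRS)


def analyze(events):
    """Apply the three hunt rules to Sysmon-style event dicts; return (rule, detail) pairs."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7 and is_sideloaded(ev.get("ImageLoaded", "")):
            findings.append(("msimg32_sideload", ev["ImageLoaded"]))
        elif eid == 1:
            decoded = decode_encoded_powershell(ev.get("CommandLine", ""))
            if decoded is not None:
                findings.append(("encoded_powershell", decoded))
        elif eid == 3 and ev.get("DestinationIp") == C2_IP and ev.get("DestinationPort") in C2_PORTS:
            findings.append(("purehvnc_c2", f"{C2_IP}:{ev['DestinationPort']}"))
    return findings


# Constructed sample telemetry: sideload, legitimate load, encoded PowerShell (harmless placeholder), C2 hit, benign connection.
SAMPLE_EVENTS = [
    {"EventID": 7, "ImageLoaded": r"C:\Users\bob\Downloads\Project_Information_Summary_2026\msimg32.dll"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 1, "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
     + base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()},
    {"EventID": 3, "DestinationIp": "207.148.66.14", "DestinationPort": 56002},
    {"EventID": 3, "DestinationIp": "203.0.113.5", "DestinationPort": 443},
]
```

Running analyze(SAMPLE_EVENTS) returns one finding per rule; the decoded PowerShell text is surfaced so an analyst can read what the scheduled task actually runs rather than an opaque base64 blob.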