Between November 2025 and January 2026, a sophisticated phishing campaign distributed remote access tools to unwary victims by abusing Vercel's legitimate hosting platform. The attack chain is especially effective at getting around conventional security layers because it combines social engineering with the abuse of a trusted domain. To trick users into clicking on malicious links, the attackers craft phishing emails with financial themes such as past-due invoices, payment statements, and shipping documents.
The campaign shows how threat actors are adopting more sophisticated evasion strategies rather than simply delivering malware.
Victims are pressured to interact with hyperlinked content by urgency-driven language in the emails, such as "43 days past due" or threats of service suspension.
Phishing example "Invoice Details" (Source: Cloudflare)
The attacker takes advantage of Vercel's standing as a reliable platform, which lets the emails slip past filters and gives recipients a false sense of security. Certain variants target particular regions, such as Spanish-language emails posing as security update notifications, while others mimic reputable services such as financial portals or Adobe PDF viewers.
Cloudflare analysts discovered the campaign while analyzing Vercel abuse patterns, and found that it had changed significantly since CyberArmor first documented it in June 2025.
Phishing email posing as a secure document signing portal (Source: Cloudflare)
According to the researchers, the threat actors used advanced Telegram-based filtering techniques to prevent automated sandboxes and security researchers from reaching the payload.
Infection via Conditional Delivery and Browser Fingerprinting
Victims who click the malicious Vercel link are met with a sophisticated evasion mechanism before any payload is delivered. The attacker's infrastructure performs browser fingerprinting, gathering the visitor's IP address, device type, browser data, and geographic location.
This collected information is sent to a Telegram channel under the threat actor's control, where automated systems assess whether the visitor is a legitimate target.
A specific lure that targets owners of business accounts (Source: Cloudflare)
This filtering step weeds out security researchers and suspicious connections, while approved victims move on to a fake document viewer interface. Users are then prompted to download files that appear to be genuine documents, such as "Statements05122025.exe" or "Invoice06092025.exe.bin." Rather than custom malware, the payload is a genuine, signed copy of the GoTo Resolve (formerly LogMeIn) remote access software.
By using this "Living off the Land" tactic, the attackers get around signature-based antivirus detection. Once the tool is executed, the threat actors gain full remote control of and access to the system.
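As an added example (not from the article or from Cloudflare's research), the following Python scans constructed web proxy log lines for executable downloads served from Vercel-hosted pages whose filenames follow the finance-themed lure pattern described above. It assumes the phishing pages are served from *.vercel.app subdomains and that the log is a simple space-separated "timestamp client_ip url status" format.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic): timestamp, client IP, URL, HTTP status.
SAMPLE_LOG = """\
2025-12-05T09:14:02Z 10.0.0.23 https://billing-portal-7f3a.vercel.app/view/Statements05122025.exe 200
2025-12-05T09:20:11Z 10.0.0.42 https://docs.example.com/reports/q4-summary.pdf 200
2025-12-06T11:02:47Z 10.0.0.51 https://secure-invoice-view.vercel.app/dl/Invoice06092025.exe.bin 200
2025-12-06T11:03:01Z 10.0.0.51 https://secure-invoice-view.vercel.app/assets/app.js 200
2025-12-07T08:45:19Z 10.0.0.77 https://fileshare.example.net/Invoice06092025.exe 200
"""

# Lure filenames in the campaign look like "<finance word><DDMMYYYY>.exe" or ".exe.bin".
LURE_NAME = re.compile(
    r"^(invoice|statement|payment|shipping)[a-z_-]*\d{6,8}\.exe(\.bin)?$", re.I)
# Any executable-looking download from free hosting is still worth a lower-severity flag.
EXEC_EXT = re.compile(r"\.(exe|exe\.bin|msi|bin)$", re.I)


def is_vercel_host(host: str) -> bool:
    """Assumption: the phishing pages are deployed on *.vercel.app subdomains."""
    return host == "vercel.app" or host.endswith(".vercel.app")


def classify(url: str) -> Optional[str]:
    """Return a severity label for a download URL, or None when it looks benign."""
    parsed = urlparse(url)
    if not is_vercel_host(parsed.netloc.lower()):
        return None
    name = parsed.path.rsplit("/", 1)[-1]
    if LURE_NAME.match(name):
        return "high"    # finance-themed lure name plus an executable on Vercel hosting
    if EXEC_EXT.search(name):
        return "medium"  # executable from Vercel hosting without the lure naming
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, url, severity) for every log line that should be flagged."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, ip, url, _status = parts
        severity = classify(url)
        if severity:
            hits.append((ip, url, severity))
    return hits


if __name__ == "__main__":
    for ip, url, severity in scan(SAMPLE_LOG):
        print(f"{severity.upper():6} {ip} {url}")
```

A "high" hit is a strong candidate for isolating the host and checking whether a GoTo Resolve installation was expected there.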