Exploiting Trust: PureHVNC RAT Delivery via Malicious Google Forms

The threat landscape is constantly evolving, with attackers frequently pivoting toward legitimate cloud services to bypass traditional email security filters. Recently, SecLookup identified and tracked a sophisticated campaign that leverages Google Forms as a primary delivery mechanism for the PureHVNC Remote Access Trojan (RAT). By masquerading as legitimate recruitment processes, project briefs, and financial documentation, threat actors are successfully compromising corporate endpoints under the guise of professional communication.

Executive Summary

The campaign, first identified in early 2026, represents a tactical shift in initial access procedures. Rather than relying on direct email attachments or suspicious landing pages—which are often flagged by Secure Email Gateways (SEGs)—attackers are utilizing Google Forms to host links to malicious payloads. These forms often impersonate well-known brands and are distributed via professional networking platforms like LinkedIn. Once a victim interacts with the form and downloads the linked "project brief" or "job description," a multi-stage infection chain begins, culminating in the deployment of PureHVNC. PureHVNC is a modular .NET-based RAT capable of comprehensive system control, data exfiltration from messaging apps and crypto wallets, and persistent surveillance.

Threat Analysis: The PureHVNC Infection Chain

The sophistication of this campaign lies not in the malware itself, but in the social engineering and delivery infrastructure utilized by the threat actors.

Initial Access and Social Engineering

Attackers target professionals primarily through LinkedIn, sending direct messages that invite the recipient to review a job opportunity or a project proposal. These messages contain a link to a Google Form. Because Google is a trusted domain, these links frequently bypass automated security checks and do not trigger the same level of suspicion as a direct link to a ZIP file or an unknown domain.

The Google Forms are meticulously crafted, featuring:

  • Stolen corporate logos and branding.

  • Professional language consistent with HR or project management roles.

  • Requests for the victim’s professional background to add a layer of perceived legitimacy.

  • A "Download Brief" or "Document Link" section that redirects to external file-sharing services.

Delivery and Execution

The Google Forms link to malicious archives hosted on platforms like Dropbox or fshare.vn, often obscured by URL shorteners like goo.su. The downloaded ZIP file typically contains a heavily obfuscated loader or a malicious shortcut (LNK) file designed to appear as a PDF or Word document.
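An added example, not code from the report or from SecLookup: the Python below inspects a ZIP archive for the content/name mismatch described above, flagging entries whose leading bytes identify a Windows shortcut (ShellLink header) or a PE executable while the name suggests a PDF or Word document. The archive it scans is constructed inside the script, and the header signatures are the public file-format constants, not campaign indicators.

```python
import io
import zipfile

# Public format constants (not campaign IoCs): ShellLink header (size 0x4C + CLSID) and PE "MZ" stub.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
PE_MAGIC = b"MZ"
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
EXEC_EXTS = {"lnk", "exe", "scr", "bat", "cmd", "js", "vbs", "hta"}

def classify_entry(filename: str, head: bytes):
    """Return a reason string if an archive entry looks like a disguised lure, else None."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    double_ext = len(parts) >= 3 and parts[-2] in DOC_EXTS and ext in EXEC_EXTS
    if head.startswith(LNK_MAGIC):
        note = " with a document-style double extension" if double_ext else ""
        return f"{filename}: Windows shortcut (ShellLink header){note}"
    if head.startswith(PE_MAGIC) and ext not in {"exe", "dll", "scr"}:
        return f"{filename}: PE executable behind a .{ext} name"
    if double_ext:
        return f"{filename}: document name with executable extension .{ext}"
    return None

def inspect_archive(data: bytes) -> list:
    """Scan every file in a ZIP and collect the entries that look like disguised payloads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the header bytes are needed for the checks
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append(reason)
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample archive shaped like the lures described above (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Project_Brief.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
        zf.writestr("Job_Description.docx", PE_MAGIC + b"\x90" * 62)
        zf.writestr("notes.txt", b"Please review the attached brief.")
    return buf.getvalue()

if __name__ == "__main__":
    for line in inspect_archive(build_sample_archive()):
        print(line)
```

The same check belongs at any point where the archive is still inert, for instance a mail gateway or a download sandbox, before a user can open its contents.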

Upon execution, the loader initiates a multi-stage process:

  1. De-obfuscation: The primary loader decrypts the next stage of the payload in memory to avoid signature-based detection.

  2. Environment Checking: The malware checks for the presence of virtual machines, sandboxes, or specific security software.

  3. Payload Injection: The final PureHVNC payload is injected into a legitimate system process (Process Hollowing).

PureHVNC Capabilities

PureHVNC belongs to the "Pure" family of malware, known for its modularity and effectiveness. As a Remote Access Trojan, it provides the operator with a "Hidden Virtual Network Computing" (HVNC) capability, allowing them to control the victim's desktop without the user's knowledge.

Key functionalities include:

  • Data Theft: Targeted extraction of data from browsers (passwords, cookies), browser extensions (authenticator apps), and cryptocurrency wallets.

  • Application Monitoring: Specific modules for stealing data from Telegram and Foxmail.

  • System Profiling: Collection of OS details, hardware specifications, and information on connected network devices.

  • Remote Command Execution: A full-featured shell for executing arbitrary commands or PowerShell scripts.

  • Modular Architecture: The ability to download and execute additional plugins based on the value of the infected host.

MITRE ATT&CK Mapping

The TTPs observed in this campaign align with the following MITRE ATT&CK techniques:

Tactic               Technique ID   Technique Name
Initial Access       T1566.002      Phishing: Spearphishing Link
Execution            T1204.002      User Execution: Malicious File
Persistence          T1053.005      Scheduled Task/Job: Scheduled Task
Defense Evasion      T1027          Obfuscated Files or Information
Defense Evasion      T1055          Process Injection
Credential Access    T1555          Credentials from Password Stores
Discovery            T1082          System Information Discovery
Collection           T1560          Archive Collected Data
Command & Control    T1071.001      Application Layer Protocol: Web Protocols

SecLookup Detection

At SecLookup, our threat intelligence platform has been actively monitoring the infrastructure associated with this campaign. We are pleased to confirm that SecLookup was actively detecting and blocking the domains goo.su, fshare.vn, and the specific URL structures used in these Google Form lures prior to the widespread public disclosure of the campaign.

Our proactive scanning identified the malicious nature of these file-sharing links and the underlying IP addresses (207.148.66.14) associated with the PureHVNC C2 infrastructure. Customers utilizing SecLookup’s API integrations and threat feeds were protected from these initial access attempts via automated DNS and URL filtering.

Indicators of Compromise (IOCs)

Confirmed Malicious Domains

goo.su
fshare.vn
www.fshare.vn

IP Addresses

207.148.66.14

URLs

https://tr..ee/R9y0SK
https://www.fshare.vn/file/F57BN4BZPC8W
https://dl.dropbox.com/scl/fi/52sgtk50j285hmde2ycry/Overview-of-the-MSI-Accounting-Project.rar?rlkey=9qmunvcp8oleeycld08gqwup9
https://goo.su/CmLknt7

Detection Rules

YARA Rules

The following YARA rules can be used to scan for PureHVNC binaries and campaign-specific markers within your environment.

rule Malware_PureHVNC_Generic {
    meta:
        description = "Detects generic PureHVNC RAT identifiers and capabilities based on campaign report"
        author = "SecLookup Threat Intelligence"
        date = "2024-05-22"
    strings:
        $name1 = "PureHVNC" ascii wide
        $name2 = "PureLogs" ascii wide
        $cap1 = "Foxmail" ascii wide
        $cap2 = "Telegram" ascii wide
        $cap3 = "crypto" ascii wide
        $cap4 = "wallet" ascii wide
        $net = "MSIL" ascii
    condition:
        uint16(0) == 0x5A4D and (any of ($name*) or (all of ($cap*) and $net))
}

rule PureHVNC_Campaign_Indicators {
    meta:
        description = "Detects indicators related to the PureHVNC delivery campaign via Google Forms and file sharing sites"
        author = "SecLookup Threat Intelligence"
        date = "2024-05-22"
    strings:
        $url1 = "goo.su" ascii wide
        $url2 = "fshare.vn" ascii wide
        $lure1 = "job interview" ascii wide nocase
        $lure2 = "project brief" ascii wide nocase
        $lure3 = "financial document" ascii wide nocase
    condition:
        any of ($url*) and any of ($lure*)
}

Recommendations

To defend against this and similar campaigns, SecLookup recommends the following actions:

  1. Enhance Web Filtering: Implement strict URL filtering to block known malicious domains and common URL shorteners used in malware delivery (e.g., goo.su). Restrict access to personal file-sharing sites (e.g., fshare.vn) from corporate networks unless there is a verified business need.

  2. User Awareness Training: Educate employees on the dangers of clicking links within unsolicited LinkedIn messages or Google Forms. Emphasize that legitimate recruitment processes rarely require downloading ZIP files from third-party file-sharing sites.

  3. Monitor for Persistence: Use EDR (Endpoint Detection and Response) tools to monitor for the creation of unusual scheduled tasks or registry keys, which are common persistence mechanisms for PureHVNC.

  4. Process Monitoring: Monitor for process hollowing or injection into common Windows binaries (e.g., svchost.exe, explorer.exe).

  5. Audit Crypto-Assets: For organizations handling cryptocurrency, ensure that wallets are protected with hardware-based keys and that browser-based wallet extensions are strictly audited.
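As an added example supporting recommendation 1 (not code from the report or from SecLookup), the Python below runs over web proxy log lines and flags visits to the shortener and file-sharing hosts named in the IoC list, raising severity when the referer is a Google Forms page, which is the step that distinguishes this campaign from ordinary file-sharing use. The log layout, the user names and the URL paths are constructed assumptions; only the hostnames come from the report.

```python
import re
from urllib.parse import urlsplit

# Hosts from the report's IoC list and delivery-chain description; extend for your estate.
URL_SHORTENERS = {"goo.su"}
FILE_SHARING_HOSTS = {"fshare.vn", "www.fshare.vn", "dl.dropbox.com", "www.dropbox.com"}
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
GOOGLE_FORMS_HOST = "docs.google.com"  # Google Forms pages are served from docs.google.com/forms

# Assumed proxy log layout (constructed for this example): ts user method url "referer" status
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<referer>[^"]*)" (?P<status>\d{3})$')

def analyse_line(line: str):
    """Return an alert dict for one log line, or None if it does not touch the lure chain."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url, ref = urlsplit(m["url"]), urlsplit(m["referer"])
    host = (url.hostname or "").lower()
    from_form = (ref.hostname or "").lower() == GOOGLE_FORMS_HOST
    if host in URL_SHORTENERS:
        reason = f"URL shortener {host} visited"
    elif host in FILE_SHARING_HOSTS:
        # Shortened fshare links carry no extension, so key on the host; the extension only sharpens the text.
        kind = "archive download" if url.path.lower().endswith(ARCHIVE_EXTS) else "download"
        reason = f"{kind} from file-sharing host {host}"
    else:
        return None
    # A Google Forms referer is the campaign's distinguishing step, so it raises severity.
    return {"ts": m["ts"], "user": m["user"], "url": m["url"],
            "severity": "high" if from_form else "medium", "reason": reason}

def analyse_log(lines):
    """Run analyse_line over an iterable of log lines and keep only the alerts."""
    return [a for a in map(analyse_line, lines) if a]

# Constructed sample lines (not real traffic): hosts mirror the report, paths and users are made up.
SAMPLE_LOG = [
    '2026-02-03T09:14:02Z jdoe GET https://docs.google.com/forms/d/e/EXAMPLE/viewform "https://www.linkedin.com/messaging/" 200',
    '2026-02-03T09:14:40Z jdoe GET https://goo.su/EXAMPLE "https://docs.google.com/forms/d/e/EXAMPLE/viewform" 302',
    '2026-02-03T09:14:41Z jdoe GET https://www.fshare.vn/file/EXAMPLE/Project_Brief.zip "https://docs.google.com/forms/d/e/EXAMPLE/viewform" 200',
    '2026-02-03T09:20:11Z asmith GET https://dl.dropbox.com/scl/fi/EXAMPLE/Quarterly_Report.pdf?rlkey=EXAMPLE "" 200',
    '2026-02-03T09:25:55Z bwong GET https://dl.dropbox.com/scl/fi/EXAMPLE/Overview.rar?rlkey=EXAMPLE "https://mail.example.com/" 200',
]

if __name__ == "__main__":
    for alert in analyse_log(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["user"], alert["reason"], alert["url"])
```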
