Cybercriminals are increasingly using Google Cloud Storage to host phishing pages that imitate Google Drive and deliver malware, in a tactic designed to bypass email filters, reputation checks and traditional web security tools.
The campaign begins with phishing emails linking victims to pages hosted on storage.googleapis.com, a legitimate Google domain, where users are prompted to sign in to what appears to be a Google Drive document page.
How the phishing chain works
The fake pages are built to mimic Google Drive login screens and use branded logos and file icons for PDF, DOC, SHEET and SLIDE documents. Victims are told they must sign in to view a document in Google Drive, but the page is designed to harvest their email address, password and one-time passcode.
After the fake login, the victim is tricked into downloading a JavaScript file named Bid-P-INV-Document.js, which is described as the entry point of the infection chain. ANY.RUN’s annual Malware Trends Report for 2025 is cited as saying phishing campaigns using trusted cloud hosting have become the dominant attack vector, with remote access trojans rising 28 per cent and backdoors surging 68 per cent year on year.
Why trusted cloud hosting is being exploited
In April 2026, ANY.RUN’s threat research team said it identified this specific campaign and found that attackers were using googleapis.com subdomains including pg-bids, com-bid, contract-bid-0 and out-bid to host malicious pages.
Placing the operation on Google’s own infrastructure was a calculated move because it gave the campaign natural immunity from reputation-based email and web security filters.
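Because the links point at a legitimate Google domain, a plain domain-reputation check passes them. A defender can still separate the bucket name from the host and look at what is actually being served. The following is an added example, not code from the article or from ANY.RUN: it extracts URLs from a constructed email body, recognises both URL forms Google Cloud Storage uses (path-style `storage.googleapis.com/<bucket>/<object>` and virtual-hosted `<bucket>.storage.googleapis.com/<object>`), and flags HTML pages and script downloads served from object storage. The lure-word list is an assumption drawn from the bucket names the article quotes, not a published indicator set.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body for the example (not a captured phishing message).
SAMPLE_EMAIL = """Hello,
Please sign in to view the shared document:
https://pg-bids.storage.googleapis.com/index.html
If the page does not open, download it here:
https://storage.googleapis.com/out-bid/Bid-P-INV-Document.js
Unrelated link: https://docs.google.com/document/d/constructed-id/edit
"""

URL_RE = re.compile(r'https?://[^\s<>"\']+')
GCS_HOST = "storage.googleapis.com"
# Heuristic lure words seen in the bucket names quoted by the article (assumption).
LURE_WORDS = re.compile(r"bid|invoice|inv|contract", re.I)


def classify_gcs_url(url):
    """Return (bucket, object_path) if the URL is served from Google Cloud Storage.

    Handles path-style (storage.googleapis.com/<bucket>/<object>) and
    virtual-hosted style (<bucket>.storage.googleapis.com/<object>) URLs.
    Returns None for any other host.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == GCS_HOST:
        parts = parsed.path.lstrip("/").split("/", 1)
        bucket = parts[0]
        obj = parts[1] if len(parts) > 1 else ""
        return bucket, obj
    if host.endswith("." + GCS_HOST):
        bucket = host[: -len("." + GCS_HOST)]
        return bucket, parsed.path.lstrip("/")
    return None


def triage(email_body):
    """Find object-storage links in an email body and explain why each is suspicious."""
    findings = []
    for match in URL_RE.finditer(email_body):
        url = match.group(0).rstrip(".,;)")
        gcs = classify_gcs_url(url)
        if gcs is None:
            continue
        bucket, obj = gcs
        reasons = []
        lower_obj = obj.lower()
        if lower_obj == "" or lower_obj.endswith((".htm", ".html")):
            reasons.append("HTML page served from object storage (possible credential page)")
        if lower_obj.endswith((".js", ".jse", ".vbs", ".hta", ".wsf")):
            reasons.append("script file offered for download from object storage")
        if LURE_WORDS.search(bucket):
            reasons.append("bucket name uses business-document lure words")
        findings.append({"url": url, "bucket": bucket, "object": obj, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding["url"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The point of the bucket split is that the reputation of `storage.googleapis.com` says nothing about who controls a given bucket; alerting and blocking decisions belong at the bucket and object level, where an HTML sign-in page or a `.js` download has no business living.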
The final payload is identified as Remcos RAT, a commercially available remote access trojan that gives attackers full and persistent control over a compromised machine. Once installed it can log keystrokes, steal credentials from browsers and password managers, capture screenshots, access the microphone and webcam, monitor clipboard content and transfer files remotely.
Why the campaign poses a wider risk
Screenshots from the analysis show that Remcos writes persistence entries into the Windows Registry under HKEY_CURRENT_USER\Software\Remcos-{ID}, allowing it to survive reboots. A single infected endpoint can then become a launchpad for ransomware, data theft and lateral movement across corporate networks.
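The registry location above is a usable endpoint indicator. As an added example (not from the article or from ANY.RUN), the script below parses a registry export in the text format produced by `reg export` and reports any key under `HKEY_CURRENT_USER\Software` whose name starts with `Remcos-`, together with the value names stored beneath it. The sample export, the key suffix `CONSTRUCTEDID` and the value names in it are constructed for the example; the real ID is per-infection and is not given in the article.

```python
import re

# Constructed excerpt in `reg export` text format (not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Remcos-CONSTRUCTEDID]
"cfg"=hex:01,02,03
"flag"=dword:00000001
"""

# A key header line looks like: [HKEY_CURRENT_USER\Software\Example]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# The persistence path named in the analysis, with the per-infection ID as a wildcard.
REMCOS_KEY_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\Remcos-[^\\]+$", re.I)


def parse_reg_export(text):
    """Map each registry key in a .reg export to the list of value names under it."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = KEY_RE.match(line)
        if header:
            current = header.group("key")
            keys.setdefault(current, [])
            continue
        # Value lines are quoted names followed by '=' ("name"=type:data).
        if current is not None and line.startswith('"') and "=" in line:
            name = line.split("=", 1)[0].strip().strip('"')
            keys[current].append(name)
    return keys


def find_remcos_persistence(text):
    """Return (key, value_names) pairs for keys matching the Remcos persistence path."""
    return [
        (key, values)
        for key, values in parse_reg_export(text).items()
        if REMCOS_KEY_RE.match(key)
    ]


if __name__ == "__main__":
    for key, values in find_remcos_persistence(SAMPLE_REG_EXPORT):
        print(f"Suspicious key: {key}")
        print(f"  values: {', '.join(values)}")
```

In practice the export comes from the host being examined (`reg export HKCU\Software hkcu_software.reg` on Windows), and a hit should be treated as a reason to pull the whole key and the referenced executable for analysis rather than simply deleting it, since the key is the only durable record of the implant's configuration.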
What makes the threat especially dangerous is the dual harm it creates. Victims not only lose their Google account credentials but also end up with a surveillance tool running silently on their machine. The result is that one phishing click can give attackers both immediate account access and long-term visibility inside the compromised environment.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.