Attackers have found a new way to push malware by weaponizing one of the most trusted everyday tools — Google Forms.
A newly identified campaign is exploiting business-themed lures, including fake job interviews, project briefs, and financial documents, to deliver a Remote Access Trojan (RAT) known as PureHVNC onto victim machines.
What sets this campaign apart is not the malware itself but the unusual channel attackers chose to start the infection.
The campaign begins with a convincing Google Form crafted to resemble a real recruitment or business process. These forms ask for professional details like work history and background, building a sense of authenticity.
Once submitted, targets are directed to a business-themed ZIP file hosted on platforms like Dropbox, filedn.com, and fshare.vn, or through shorteners like tr.ee and goo.su that hide the real destination.
Attackers also spread links through LinkedIn, reaching professionals looking for jobs or new opportunities.
Malwarebytes analysts identified multiple variants of this campaign and noted that threat actors impersonate well-known companies in the financial, logistics, technology, sustainability, and energy sectors.
The fake forms display real company names, logos, and branding, making it difficult for an average user to spot the fraud.
Archive names like “Project_Information_Summary_2026.zip” and “{CompanyName}_GlobalLogistics_Ad_Strategy.zip” show how deliberate and calculated the deception truly is.
PureHVNC is a modular .NET RAT from the “Pure” malware family. Once on a machine, it gives attackers full remote control, letting them execute commands, steal data from browsers, cryptocurrency wallets, and messaging apps like Telegram and Foxmail, gather hardware and software information, and install additional plugins.
Its configuration is encoded in base64 and compressed with GZIP, with the identified C2 server at IP 207.148.66.14 reachable on ports 56001, 56002, and 56003.
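To illustrate the two encoding layers described above, here is an added Python helper (not code from the article or from Malwarebytes) that reverses base64 and GZIP on a config blob and then pulls candidate IPv4 addresses and high ports out of the result. The sample blob, its inner JSON layout, and the 203.0.113.10 address are constructed for this example; the real PureHVNC configuration structure is not shown on the page and is not assumed here.

```python
import base64
import gzip
import json
import re


# Constructed sample standing in for a config blob carved from a sample:
# plaintext -> GZIP -> base64, the two layers the article names. The inner
# JSON layout and the 203.0.113.10 address are assumptions for this example.
def make_sample_blob() -> str:
    inner = json.dumps({"host": "203.0.113.10", "ports": [56001, 56002]}).encode()
    return base64.b64encode(gzip.compress(inner)).decode("ascii")


def decode_layers(blob: str) -> bytes:
    """Reverse base64, then GZIP; refuse data that is not actually gzip."""
    raw = base64.b64decode(blob.strip())
    if raw[:2] != b"\x1f\x8b":  # gzip magic bytes
        raise ValueError("base64 payload is not gzip-compressed")
    return gzip.decompress(raw)


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT = re.compile(r"\b\d{4,5}\b")


def extract_indicators(config: bytes) -> dict:
    """Pull candidate C2 addresses and non-privileged ports out of the decoded text."""
    text = config.decode("utf-8", errors="replace")
    ips = sorted(set(IPV4.findall(text)))
    ports = sorted({int(p) for p in PORT.findall(text) if 1024 <= int(p) <= 65535})
    return {"ips": ips, "ports": ports}


if __name__ == "__main__":
    print(extract_indicators(decode_layers(make_sample_blob())))
```

The gzip magic check matters in practice: a blob that base64-decodes cleanly but is not gzip usually means a different obfuscation layer (or the wrong byte range was carved), and failing loudly there is more useful than a confusing decompression error.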
The campaign’s reach is wide, hitting industries where document sharing is routine and professionals frequently receive files from outside contacts, making a malicious attachment hard to spot.
Multi-Stage Infection Mechanism
The infection chain behind PureHVNC is layered and deliberate, built to avoid detection at each step. Once a victim extracts the downloaded ZIP, they find job-related documents alongside a hidden executable and a DLL named msimg32.dll.
That DLL executes through DLL hijacking, tricking a legitimate application into loading the malicious code without raising obvious alerts.
Once running, the DLL decrypts strings through XOR with the key “4B” and checks for analysis environments using IsDebuggerPresent() and time64().
If sandbox or debugging activity is found, the malware shows the error “This software has expired or debugger detected” and halts.
The DLL then removes itself from disk, drops a fake PDF to keep the victim occupied, and adds a registry entry at CurrentVersion\Run\Miroupdate for early persistence.
In the next stage, a hidden archive named final.zip is extracted into a random folder inside ProgramData.
An obfuscated Python script — named config.log or image.mp3 depending on the variant — decodes and launches Donut shellcode in memory.
The shellcode injects PureHVNC into SearchUI.exe, a legitimate Windows process.
To hold access, the malware creates a scheduled task through a base64-encoded PowerShell command at the highest privilege level when admin rights are present, leaving the mutex “Rluukgz” on the host as a marker.
Users and organizations should take the following steps to reduce exposure to this campaign. Always verify the source of a Google Form before submitting any information or downloading linked files.
Cross-check unexpected job offers or project requests through official company websites and known contacts. Avoid following links hidden behind URL shorteners without first confirming where they lead.
Security teams should watch for unusual DLL loads, encoded PowerShell task creation, and process injection into SearchUI.exe. Endpoint defenses should be kept current to flag Python processes running unexpectedly from inside ProgramData directories.
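As an added example of the detection guidance above (not part of the article and not a vendor rule), the following Python scans Sysmon-style events for the four behaviours the campaign exhibits: an encoded PowerShell command that creates a scheduled task at the highest run level, a Python interpreter started from inside ProgramData, msimg32.dll loaded from a non-system directory, and a remote thread created in SearchUI.exe. The events, the `x1y2z3` folder name, `viewer.exe`, and the user name are constructed; the task name Miroupdate and the other file and process names come from the article.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed: the kind of encoded-PowerShell task creation the article describes,
# built here so the block runs offline. "Miroupdate" is the article's task/registry
# name; the x1y2z3 folder and config.log path layout are assumptions.
_TASK_CMD = (
    "schtasks /create /f /tn Miroupdate /sc onlogon /rl highest "
    '/tr "C:\\ProgramData\\x1y2z3\\pythonw.exe C:\\ProgramData\\x1y2z3\\config.log"'
)
_ENC = base64.b64encode(_TASK_CMD.encode("utf-16le")).decode("ascii")

# Constructed Sysmon-style events (1 = process create, 7 = image load, 8 = remote thread).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {_ENC}"},
    {"EventID": 1, "Image": r"C:\ProgramData\x1y2z3\pythonw.exe",
     "CommandLine": r"pythonw.exe C:\ProgramData\x1y2z3\config.log"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\Downloads\Project_Information_Summary_2026\viewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\Project_Information_Summary_2026\msimg32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mspaint.exe",          # benign: system copy
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"EventID": 8, "SourceImage": r"C:\ProgramData\x1y2z3\pythonw.exe",
     "TargetImage": r"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Python311\python.exe",      # benign: normal install
     "CommandLine": "python.exe build.py"},
]

# PowerShell accepts abbreviated forms of -EncodedCommand; the payload is UTF-16LE base64.
_ENC_RE = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none / it is malformed."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(ev: dict) -> list:
    """Return the list of detection labels that fire for one event (empty if none)."""
    findings = []
    eid = ev.get("EventID")
    image = PureWindowsPath(ev.get("Image", ""))
    name = image.name.lower()
    if eid == 1:
        if name in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded is not None:
                findings.append("encoded-powershell")
                low = decoded.lower()
                if ("schtasks" in low and "/create" in low) or "register-scheduledtask" in low:
                    findings.append("scheduled-task-via-encoded-ps")
                if "/rl highest" in low or "-runlevel highest" in low:
                    findings.append("task-runlevel-highest")
        if name in ("python.exe", "pythonw.exe") and str(image).lower().startswith("c:\\programdata\\"):
            findings.append("python-from-programdata")
    elif eid == 7:
        loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
        if loaded.name.lower() == "msimg32.dll" and str(loaded.parent).lower() not in SYSTEM_DIRS:
            findings.append("msimg32-sideload")
    elif eid == 8:
        if PureWindowsPath(ev.get("TargetImage", "")).name.lower() == "searchui.exe":
            findings.append("remote-thread-into-searchui")
    return findings


def scan(events) -> list:
    """Return (event index, findings) for every event that triggers at least one label."""
    return [(i, f) for i, ev in enumerate(events) if (f := check_event(ev))]


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, labels)
```

Decoding the UTF-16LE payload before matching is the point of the PowerShell check: string rules written against the raw command line never see "schtasks" or "/rl highest", and an encoded task creation at the highest run level is a far stronger signal than encoded PowerShell on its own.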