New Phishing Attack Exploits Vercel to Host and Deliver Remote Access Malware

A new phishing campaign that abuses the Vercel hosting platform to stage its lure pages has been active since at least November 2025 and continues to grow more sophisticated.

The core trick is “inherited trust.” Attackers send short phishing emails with financial or business themes such as unpaid invoices, payment statements, or document reviews. The real hook is not the text but the embedded *.vercel.app link.

Because vercel.app is a legitimate and widely used hosting domain, many email filters are less likely to flag it: domain-reputation checks see an established hosting domain with valid HTTPS rather than a freshly registered one, and the only attacker-controlled part of the hostname is the project subdomain in front of it.

The linked pages are dressed up to look like a secure PDF viewer, a financial portal, a document-signing service, or a software download page. In some cases, attackers pose as IT or support staff and walk victims through “installing a fix” from the Vercel page.

The broader operation, first documented by CyberArmor in June 2025, has since evolved from simple file delivery into a selective, “conditional” infection chain: visitor fingerprints are posted to a Telegram channel that gates whether a payload is served at all, and the payload is a signed GoTo Resolve installer used as a remote access backdoor.

A phishing email impersonating a secure document signing portal (Source: Cloudforce One).

Themes observed include overdue invoices (“43 days past due”), service suspension warnings written in Spanish, potential lawsuit notices, and even Meta “Community Standards” alerts aimed at business page owners.

Stages of the Phishing Attack

When a victim clicks the Vercel link, the payload is not delivered right away. The page first fingerprints the browser, collecting the visitor’s IP address, geolocation, device type, and browser details, and posts that information to a Telegram channel controlled by the attackers.

Using this data, the backend decides whether to serve the payload. Suspected sandboxes, security researchers, and visitors from off-target regions are filtered out and see nothing malicious. The same gate means that automated URL scanners detonating from datacenter IP ranges can be served a harmless page, so a clean verdict at delivery time proves little.

The email body itself is often minimal, relying on urgent language (“due payment,” “invoice attached”) to pressure the recipient into clicking the embedded vercel.app link.

Invoice Details phishing example (Source: Cloudforce One).

Only “valid” targets see the fake viewer or invoice page and are prompted to download a file with a name such as “Statements05122025.exe” or “Invoice06092025.exe.bin” (note the double extension on the second, which hides that the file is an executable).

The downloaded file is not custom malware but a signed installer for GoTo Resolve, a legitimate remote support and remote access tool from GoTo (the company formerly known as LogMeIn).

Because the payload is a validly signed, widely deployed binary rather than obvious malware, an approach in the spirit of “living off the land”, it slips past signature-based antivirus engines and file-reputation checks that would stop an unknown executable.

Once executed, GoTo Resolve connects outbound to the vendor’s infrastructure and gives the attacker full remote control of the victim’s system, effectively acting as a stealthy backdoor whose traffic blends in with legitimate IT support sessions.

Detection and defense

Defenders should focus on time-of-click URL analysis rather than scanning only at delivery, on detecting hosting-service abuse and brand impersonation, and on closer monitoring of vercel.app and similar developer-hosting subdomains such as surge.sh. Blocking these domains outright is rarely an option because they host large amounts of legitimate content, so the useful signal is the project label in front of the suffix, the lure themes it spells out, and the context in which the link arrived.

Application control policies should restrict who can install remote support tools; because the installer is validly signed, a publisher-based allowlist of the remote access tools your organization actually uses, with everything else blocked, does more here than antivirus. User training should stress that a padlock icon and a familiar domain do not guarantee safety.

Cloudflare Email Security has released multiple detections for this activity, including the rules SentimentCM.Banking.Invoice.Service_Abuse.Vercel.Link, Brand_Impersonation.Facebook.Service_Abuse.Vercel.Link, and Service_Abuse.Vercel.URL_Shortener.Link, some of which have already recorded tens of thousands of hits in the last 30 days, underscoring that this threat is active and widespread.
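As an added example, not code from Cloudflare, Cloudforce One or this article, the following Python script turns the two signals above into a triage heuristic: it scores the attacker-controlled project label in front of vercel.app or surge.sh against the lure vocabulary this campaign uses, and it flags download names that mimic financial documents or hide an executable behind a double extension. The keyword list, weights, thresholds, brand list and sample inputs are assumptions chosen for illustration; a few of the sample hostnames are copied from the IOC list later in this article.

```python
"""
Triage heuristics for developer-hosting abuse (vercel.app / surge.sh lures).

Added example for this article, not Cloudflare's, Cloudforce One's or
GBHackers' code. Keyword weights, thresholds, brand tokens and the sample
records are assumptions chosen to illustrate the approach.
"""
import re
from urllib.parse import urlparse

# Hosting suffixes the article names as abused. Blocking them wholesale breaks
# legitimate sites, so the customer-controlled label in front is scored instead.
WATCHED_SUFFIXES = (".vercel.app", ".surge.sh")

# Lure vocabulary drawn from the campaign themes (invoices, statements,
# remittances, document signing, shipping). Weights are assumptions.
KEYWORDS = {
    "outstanding": 3, "statement": 3, "delivery": 2, "shipment": 2,
    "attached": 2, "overdue": 3, "payment": 3, "invoice": 3, "waybill": 3,
    "docsign": 3, "details": 1, "pending": 2, "request": 1, "express": 2,
    "unpaid": 3, "report": 1, "ticket": 1, "remit": 3, "paid": 2,
    "bill": 2, "dhl": 3, "due": 2, "inv": 2, "pdf": 2,
}
# Brands the article says are impersonated, plus common shipping/document brands.
BRANDS = ("dhl", "fedex", "meta", "facebook", "microsoft", "windows", "docusign", "adobe")
EXEC_EXT = ("exe", "msi", "scr", "bat", "cmd", "js", "vbs", "hta")


def project_label(host):
    """Return the attacker/customer-controlled label of a watched host, else None."""
    host = host.lower().rstrip(".")
    for suffix in WATCHED_SUFFIXES:
        if host.endswith(suffix):
            return host[: -len(suffix)].split(".")[-1] or None
    return None


def score_host(host):
    """Score how lure-like a watched hostname is; returns (score, reasons)."""
    label = project_label(host)
    if label is None:
        return 0, []
    # Drop separators and digits so "invoice-110493" and "invstatement2025"
    # tokenise the same way; match longest keywords first so "unpaid" is not
    # double counted as "paid" and "invoice" is not also counted as "inv".
    text = re.sub(r"[^a-z]", "", label)
    score, hits, remaining = 0, [], text
    for kw in sorted(KEYWORDS, key=len, reverse=True):
        if kw in remaining:
            hits.append(kw)
            score += KEYWORDS[kw]
            remaining = remaining.replace(kw, "")
    reasons = []
    if hits:
        reasons.append("lure keywords: " + ", ".join(hits))
    if hits and re.search(r"\d{4,}", label):
        score += 2
        reasons.append("invoice/date-style numeric suffix")
    if len(text) >= 20:
        score += 1
        reasons.append("long concatenated phrase in project name")
    brands = [b for b in BRANDS if b in text]
    if brands:
        score += 2
        reasons.append("brand token: " + ", ".join(brands))
    return score, reasons


def triage(url):
    """Classify a clicked URL. The thresholds (6 / 3) are assumptions."""
    host = urlparse(url).hostname or ""
    score, reasons = score_host(host)
    if project_label(host) is None:
        verdict = "not a watched host"
    elif score >= 6:
        verdict = "likely lure"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "low"
    return {"url": url, "host": host, "score": score, "reasons": reasons, "verdict": verdict}


def suspicious_download_name(filename):
    """Flag downloads named like financial documents or hiding an executable."""
    parts = filename.lower().split(".")
    reasons = []
    if len(parts) >= 3 and any(p in EXEC_EXT for p in parts[1:]):
        reasons.append("double extension hides an executable")
    if (len(parts) >= 2 and parts[1] in EXEC_EXT
            and re.fullmatch(r"(invoice|statement|payment|receipt|remittance)s?\d{6,8}", parts[0])):
        reasons.append("finance-themed name with date/number suffix on an executable")
    return reasons


if __name__ == "__main__":
    # Constructed sample click log: three hostnames copied from the article's
    # IOC list, two benign-looking project names, and one off-platform URL.
    SAMPLE_URLS = [
        "https://duepaymentinvoiceattached.vercel.app/view",
        "https://dhl-delivery-report.vercel.app/",
        "https://invoice-110493.vercel.app/",
        "https://my-portfolio.vercel.app/",
        "https://nextjs-blog-demo.vercel.app/posts/1",
        "https://example.com/invoice.pdf",
    ]
    for rec in map(triage, SAMPLE_URLS):
        print(f"{rec['verdict']:18} {rec['score']:2}  {rec['host']}  {'; '.join(rec['reasons'])}")
    for name in ("Statements05122025.exe", "Invoice06092025.exe.bin", "Q3_report.pdf"):
        print(name, suspicious_download_name(name) or "clean")
```

Run it as-is to print a verdict for each sample; in practice, feed it the URLs from your mail gateway’s click logs or proxy logs and the names of files written to user download folders. The scores also show the limits of the approach: a bare label such as invoice-110493 lands in “review” rather than “likely lure”, and a name like windowscorps from the IOC list scores low, so this is a ranking aid to pair with the IOC list and with time-of-click detonation from realistic egress, not a replacement for either.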

IOCs

Indicator / Domain                                       Description / Status
duepaymentinvoiceattached[.]vercel[.]app                 Primary dropper URL
paymentrequestoninvoicedueattached[.]vercel[.]app        Confirmed dropper
invoice-110493[.]vercel[.]app                            Confirmed dropper
olierinvoiceunpaidmmpaid[.]vercel[.]app                  Confirmed dropper
paidrepotstatementinvoice[.]vercel[.]app                 Confirmed dropper
unpaidbillrequestedservicedetails[.]vercel[.]app         Likely malicious (matching TTPs)
requestpaymentdueattachedts[.]vercel[.]app               Likely malicious (matching TTPs)
outstandingstatementdetailsattachedrb[.]vercel[.]app     Likely malicious (matching TTPs)
salesrepacctstatementdetails[.]vercel[.]app              Likely malicious (matching TTPs)
remityourpendingpaymentdts[.]vercel[.]app                Likely malicious (matching TTPs)
unpaidinvoiceremitaath[.]vercel[.]app                    OSINT confirmed
waybill-deliveryticket[.]vercel[.]app                    OSINT confirmed
invstatement2025[.]vercel[.]app                          OSINT confirmed
invstatement[.]vercel[.]app                              OSINT confirmed
windowscorps[.]vercel[.]app                              OSINT confirmed
invoices-attachedpdf[.]vercel[.]app                      OSINT confirmed
dhl-delivery-report[.]vercel[.]app                       OSINT confirmed
dhl-shipment-detail[.]vercel[.]app                       OSINT confirmed
express-delivery-note[.]vercel[.]app                     OSINT confirmed
docsignstatements[.]vercel[.]app                         OSINT confirmed
shipment-docspdf[.]surge[.]sh                            OSINT confirmed (Surge abuse)
mail[.]blta[.]ro                                         OSINT associated domain
findhome[.]cl                                            OSINT associated domain
