Threat Actors Exploit Vercel Hosting Platform to Distribute Remote Access Malware
CyberArmor has uncovered a sophisticated phishing campaign exploiting Vercel, a widely used frontend hosting platform, to distribute a malicious variant of LogMeIn, a legitimate remote access tool.
Over the past two months, threat actors have orchestrated at least 28 distinct campaigns, targeting more than 1,271 users with deceptive emails that lead to fraudulent pages hosted on Vercel subdomains.
Clever Abuse of Legitimate Platforms
These pages, designed to mimic trusted interfaces such as an Adobe PDF viewer, trick users into downloading a malicious executable disguised as a legitimate document.
This file, once executed, establishes a connection to a LogMeIn server, granting cybercriminals full remote control over the victim’s machine.
The use of a legitimate platform like Vercel, often associated with trusted development projects, lends an air of credibility to the phishing sites, making them harder for users and security tools to detect.
The success of this campaign hinges on a potent mix of social engineering and the abuse of trusted software.
The phishing emails often pose as urgent notifications, such as unpaid invoices or delivery updates, prompting recipients to click embedded links that lead to the malicious Vercel-hosted pages.
Legitimate Tools Amplify Threat Impact
Upon visiting the page, victims are coerced into downloading a file named “Invoice06092025.exe.bin” (MD5 f3f8379ce6e0b8f80faf259db2443f13, SHA1 5fd4bcca28553ebe759ec97fcbc3a2a732268f85, SHA256 0a1a85a026b6d477f59bc3d965b07d0d06e6ff2d34381aff79ea71c38fed802b).
What makes this attack particularly insidious is the use of LogMeIn itself, a genuine remote access tool that evades detection by many security solutions because it isn’t inherently malicious.
Victims, often under the impression they are receiving legitimate technical support, voluntarily install the software, unknowingly handing over access to their systems.
This tactic of leveraging legitimate infrastructure and software underscores a growing trend among cybercriminals to blend malicious intent with trusted environments, amplifying the difficulty of early detection and mitigation.
According to the report, CyberArmor advises organizations to adopt proactive defenses against such threats.
This includes monitoring and restricting access to suspicious Vercel subdomains, which are increasingly abused for hosting phishing content.
Additionally, educating employees about the risks of fake support scams and unsolicited remote assistance offers is critical.
Implementing strict controls over the installation of remote access tools can further reduce exposure.
As cybercriminals continue to exploit trusted platforms like Vercel to mask their activities, a combination of vigilant monitoring, user awareness, and robust policy enforcement remains essential for staying ahead of these evolving threats.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| MD5 | e230bf859e582fe95df0b203892048df |
| MD5 | f3f8379ce6e0b8f80faf259db2443f13 |
| MD5 | f782c936249b9786cc7fac580da3ae0f |
| MD5 | 322a92b443faefe48fce629e8947e4e2 |
| Domains | unpaidinvoiceremitaath.vercel[.]app, waybill-deliveryticket.vercel[.]app, and others (full list available in the original report) |
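The defensive advice above (watch for abused Vercel subdomains, control remote-access tool installs) and the IOC table can be turned into a simple log check. The following script is an added example, not code from CyberArmor or the article: it loads the published MD5 hashes and defanged domains, refangs the domains, and runs them over proxy and endpoint file-event logs. The two log formats, the sample log lines, the allow-list mechanism and the `.exe.bin` filename heuristic are assumptions constructed for this example; the IOC values themselves are the ones printed in the table.

```python
"""Match proxy and file-event logs against the IOCs published in the article.

Added example; the log line formats below are constructed for illustration and
real proxy/EDR exports will need their own parsers.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# IOCs as published in the article's table. Domains are kept defanged in source
# and refanged at load time so the file itself contains no clickable hostnames.
IOC_MD5 = {
    "e230bf859e582fe95df0b203892048df",
    "f3f8379ce6e0b8f80faf259db2443f13",
    "f782c936249b9786cc7fac580da3ae0f",
    "322a92b443faefe48fce629e8947e4e2",
}
IOC_DOMAINS_DEFANGED = [
    "unpaidinvoiceremitaath.vercel[.]app",
    "waybill-deliveryticket.vercel[.]app",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('vercel[.]app') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Hosting platform abused in the campaign. An unknown subdomain is worth review
# but is not by itself proof of compromise, hence the allow-list parameter below.
ABUSED_PLATFORM_SUFFIX = ".vercel.app"

# Filename pattern seen in the campaign: an executable with ".bin" appended so
# it resembles a data file (Invoice06092025.exe.bin). Heuristic, assumed here.
SUSPICIOUS_NAME = re.compile(r"\.exe(\.bin)?$", re.IGNORECASE)


def classify_url(url: str, allowlist: frozenset = frozenset()) -> Optional[str]:
    """'ioc' for a known campaign domain, 'platform' for an unlisted vercel.app
    subdomain, None for anything else."""
    host = (urlsplit(url).hostname or "").lower()
    if host in IOC_DOMAINS:
        return "ioc"
    if host.endswith(ABUSED_PLATFORM_SUFFIX) and host not in allowlist:
        return "platform"
    return None


def scan_proxy_log(lines, allowlist: frozenset = frozenset()):
    """Constructed proxy format: '<ts> <user> <method> <url>' per line."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        ts, user, _method, url = parts[:4]
        verdict = classify_url(url, allowlist)
        if verdict:
            hits.append({"ts": ts, "user": user, "url": url, "verdict": verdict})
    return hits


def scan_file_events(lines):
    """Constructed EDR format: '<ts> <host> <filename> <md5>' per line."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, name, md5 = parts
        reasons = []
        if md5.lower() in IOC_MD5:
            reasons.append("md5-ioc")
        if SUSPICIOUS_NAME.search(name):
            reasons.append("exe-disguised")
        if reasons:
            hits.append({"ts": ts, "host": host, "file": name, "reasons": reasons})
    return hits


# Constructed sample telemetry (not real log data).
SAMPLE_PROXY = [
    "2025-06-09T10:01:02Z alice GET https://unpaidinvoiceremitaath.vercel.app/view/Invoice06092025.exe.bin",
    "2025-06-09T10:02:15Z bob GET https://docs.internal.example/help",
    "2025-06-09T10:03:44Z carol GET https://some-random-project-8fd2.vercel.app/",
    "2025-06-09T10:04:10Z dave GET https://our-approved-site.vercel.app/",
]
SAMPLE_FILES = [
    "2025-06-09T10:01:30Z WS-ALICE Invoice06092025.exe.bin f3f8379ce6e0b8f80faf259db2443f13",
    "2025-06-09T10:05:00Z WS-BOB quarterly.pdf 0123456789abcdef0123456789abcdef",
    "2025-06-09T10:06:00Z WS-EVE setup.exe 00000000000000000000000000000000",
]

if __name__ == "__main__":
    approved = frozenset({"our-approved-site.vercel.app"})
    for hit in scan_proxy_log(SAMPLE_PROXY, allowlist=approved):
        print("PROXY", hit)
    for hit in scan_file_events(SAMPLE_FILES):
        print("FILE ", hit)
```

The allow-list is the important design choice: blanket-blocking `*.vercel.app` will break legitimate projects, so the scan separates exact IOC matches (actionable on their own) from generic platform hits (triage and, once confirmed benign, allow-list). Hash matching alone is brittle because each campaign drops a different binary, which is why the filename heuristic is reported as a second, independent reason.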