Threat Actors Leverage Hosting Platform Vercel to Deliver Remote Access Malware

Cybercriminals have discovered a sophisticated new method to distribute malicious remote access tools by exploiting Vercel, a legitimate frontend hosting platform, to host convincing phishing pages that deliver weaponized versions of LogMeIn software.

This emerging threat demonstrates how attackers increasingly abuse trusted infrastructure to bypass security measures and gain unauthorized access to victims’ systems.

The attack begins with carefully crafted phishing emails containing links that redirect recipients to malicious pages hosted on Vercel’s *.vercel.app domains.

These fraudulent pages impersonate Adobe PDF viewers, creating a false sense of legitimacy that encourages users to download what appears to be a standard document but is actually an executable file disguised as “Invoice06092025.exe.bin”.

CyberArmor researchers identified this campaign through extensive monitoring of malicious activities targeting enterprise environments.

The security firm’s analysis revealed that once executed, the malware automatically installs itself and establishes connections to LogMeIn servers, providing cybercriminals with complete remote control over compromised machines.

[Figure: LogMeIn malware drop point (Source – CyberArmor)]

The campaign’s scope is particularly concerning, with researchers documenting over 28 distinct attack campaigns targeting more than 1,271 users across a two-month period.

The malware’s effectiveness stems from its abuse of legitimate platforms, making detection significantly more challenging for traditional security solutions.

Infection Mechanism

The malware employs several sophisticated techniques to evade detection.

The primary sample analyzed has the following file hashes: MD5 f3f8379ce6e0b8f80faf259db2443f13, SHA1 5fd4bcca28553ebe759ec97fcbc3a2a732268f85, and SHA256 0a1a85a026b6d477f59bc3d965b07d0d06e6ff2d34381aff79ea71c38fed802b.

Attackers leverage numerous Vercel subdomains including “unpaidinvoiceremitaath.vercel.app” and “waybill-deliveryticket.vercel.app” to host their malicious content[1], exploiting the platform’s reputation to bypass email security filters and browser warnings.
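The detection angle that follows from the article's indicators is a simple one: flag downloads from *.vercel.app hosts, match the two named subdomains exactly, treat a file name that hides an executable extension behind a second suffix (as "Invoice06092025.exe.bin" does) as a disguised binary, and compare file hashes against the published sample. The script below is an added example written for this article; it is not CyberArmor's code or tooling. The hashes and hostnames are the ones quoted above, while the proxy log format, the log lines and the list of executable extensions are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators quoted in the article (CyberArmor's published sample and hosts).
IOC_HASHES = {
    "md5": "f3f8379ce6e0b8f80faf259db2443f13",
    "sha1": "5fd4bcca28553ebe759ec97fcbc3a2a732268f85",
    "sha256": "0a1a85a026b6d477f59bc3d965b07d0d06e6ff2d34381aff79ea71c38fed802b",
}
IOC_HOSTS = {"unpaidinvoiceremitaath.vercel.app", "waybill-deliveryticket.vercel.app"}

# Executable extension hidden behind a second, benign-looking suffix.
# The extension list is a constructed example, not from the article.
DOUBLE_EXT = re.compile(r"\.(exe|scr|msi|bat|cmd|js|vbs)\.[a-z0-9]{1,5}$", re.IGNORECASE)


def classify_url(url):
    """Return the reasons a downloaded URL looks suspicious (empty list if none)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1]
    if host in IOC_HOSTS:
        reasons.append("known-malicious-host")
    elif host.endswith(".vercel.app"):
        # Legitimate platform, so this alone is a triage signal, not a verdict.
        reasons.append("vercel-app-subdomain")
    if DOUBLE_EXT.search(filename):
        reasons.append("disguised-executable")
    return reasons


def matches_ioc(data):
    """Return the algorithm name whose hash of `data` matches the sample, else None."""
    for algo, expected in IOC_HASHES.items():
        if hashlib.new(algo, data).hexdigest() == expected:
            return algo
    return None


# Constructed proxy log lines in a hypothetical "timestamp user method url status" format.
SAMPLE_LOG = """\
2025-09-06T10:01:12Z alice GET https://unpaidinvoiceremitaath.vercel.app/Invoice06092025.exe.bin 200
2025-09-06T10:03:44Z bob GET https://docs.example.com/report.pdf 200
2025-09-06T10:05:09Z carol GET https://waybill-deliveryticket.vercel.app/viewer 200
2025-09-06T10:07:30Z dave GET https://random-project.vercel.app/Shipping.exe.bin 200
"""


def scan_log(text):
    """Return (user, url, reasons) for every log line that trips at least one check."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the scan
        _, user, _, url, _ = parts[:5]
        reasons = classify_url(url)
        if reasons:
            hits.append((user, url, reasons))
    return hits


if __name__ == "__main__":
    for user, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{user}: {url} -> {', '.join(reasons)}")
```

In the constructed log, three of the four lines are flagged: the first both by host and by file name, the third by host alone (the fake viewer page), and the fourth only by the double extension on a Vercel subdomain the article does not name. `matches_ioc` is meant to be run on the bytes of a quarantined download; it uses the hashes exactly as published, so a recompiled or padded variant would not match and the URL-level checks remain the broader net.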
