Malware - Google Forms Used to Deliver PureHVNC RAT
Basically, attackers use fake job forms to trick people into downloading malware.
A new malware campaign is using Google Forms to deliver PureHVNC RAT through fake job offers. Professionals are at risk as attackers craft convincing forms. Stay alert and verify sources before downloading any files.
What Happened
Attackers have discovered a novel method to distribute malware by exploiting Google Forms, a tool many trust. This campaign uses business-themed lures, such as fake job interviews and project briefs, to deliver a Remote Access Trojan (RAT) known as PureHVNC. The attackers craft convincing forms that request professional details, creating a facade of legitimacy. Once victims submit their information, they are directed to download a malicious ZIP file from various file-sharing platforms.
The campaign's cleverness lies in its use of familiar platforms. Attackers spread links through LinkedIn, targeting professionals seeking job opportunities. By impersonating well-known companies and using real logos, they make it hard for victims to identify the fraud. The ZIP files often have names like "Project_Information_Summary_2026.zip," further enhancing their credibility.
Who's Being Targeted
This malware campaign primarily targets professionals in industries where document sharing is routine. The deception is particularly effective among job seekers and employees who frequently interact with external contacts. The use of Google Forms makes it easy for attackers to reach a wide audience, as many individuals are accustomed to filling out forms for job applications or project proposals.
The campaign's reach is extensive, affecting various sectors, including finance, logistics, technology, and sustainability. As professionals receive files from outside sources regularly, they may not easily recognize the malicious attachments hidden within seemingly legitimate documents.
Signs of Infection
Once a victim extracts the ZIP file, they find job-related documents alongside a hidden executable and a DLL named msimg32.dll. The executable loads this DLL in place of the legitimate Windows library of the same name (DLL hijacking), so the malicious code runs without raising alarms. If the malware detects a debugger or a sandbox, it stops running, which makes analysis harder.
The infection mechanism is multi-layered. After execution, the DLL deletes itself and drops a decoy PDF to distract the user. It then creates a registry entry for persistence and extracts additional payloads onto the system, giving the attackers ongoing control over the infected machine.
How to Protect Yourself
To mitigate the risk of falling victim to this campaign, users should verify the source of any Google Form before submitting personal information or downloading files. Cross-check unexpected job offers through official channels and avoid clicking on links shortened by URL shorteners without confirming their destinations.
Organizations should monitor for unusual DLL loads and unexpected PowerShell commands. Keeping endpoint defenses updated is crucial to flagging suspicious processes that may indicate a PureHVNC infection. By staying vigilant and informed, individuals and businesses can better protect themselves against these sophisticated malware campaigns.
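The "unusual DLL loads" the article recommends monitoring for can be checked mechanically: Windows normally loads msimg32.dll from System32 or SysWOW64, so a load of that name from a user-writable folder, especially from the same folder as the executable that loaded it, matches the side-loading layout described above. The following is an added example, not code from the original article or from any vendor; the event records are constructed samples in a simplified Sysmon Event ID 7 (image load) shape, and the executable name "Summary.exe" is a made-up placeholder, since the article does not name the hidden executable.

```python
import ntpath

# Directories from which Windows legitimately loads msimg32.dll.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed image-load events in a simplified Sysmon Event ID 7 shape.
# These are made-up samples for the example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"event_id": 7, "image": "C:\\Windows\\System32\\mspaint.exe",
     "image_loaded": "C:\\Windows\\System32\\msimg32.dll"},
    {"event_id": 7,
     "image": "C:\\Users\\jdoe\\Downloads\\Project_Information_Summary_2026\\Summary.exe",
     "image_loaded": "C:\\Users\\jdoe\\Downloads\\Project_Information_Summary_2026\\msimg32.dll"},
    {"event_id": 7, "image": "C:\\Program Files\\Vendor\\app.exe",
     "image_loaded": "C:\\Program Files\\Vendor\\vendorlib.dll"},
    {"event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe"},
]


def classify_dll_load(event, dll_name="msimg32.dll"):
    """Return None for a normal load, or a severity string when dll_name is
    loaded from outside the Windows system directories. 'high' means the DLL
    sits in the same folder as the executable that loaded it, the classic
    side-loading layout; 'medium' means it was loaded from elsewhere."""
    if event.get("event_id") != 7:
        return None
    loaded = event.get("image_loaded", "")
    if ntpath.basename(loaded).lower() != dll_name:
        return None
    if loaded.lower().startswith(SYSTEM_DIRS):
        return None
    image = event.get("image", "")
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
    return "high" if same_dir else "medium"


def find_sideload_alerts(events, dll_name="msimg32.dll"):
    """Scan a list of events and return an alert for each suspicious load of dll_name."""
    alerts = []
    for ev in events:
        severity = classify_dll_load(ev, dll_name)
        if severity:
            alerts.append({"severity": severity, "process": ev["image"],
                           "dll": ev["image_loaded"]})
    return alerts


if __name__ == "__main__":
    for alert in find_sideload_alerts(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['process']} loaded {alert['dll']}")
```

The same check generalises to any Windows DLL that should only ever come from the system directories; pass a different dll_name to cover others.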
Cyber Security News