Malicious Google Forms Campaign Delivers PureHVNC RAT via Business‑Themed ZIP Files
What Happened – Attackers are leveraging legitimate‑looking Google Forms to host links to malicious ZIP archives. Each archive contains a decoy PDF alongside an executable and DLL pair; the executable loads the malicious DLL via DLL hijacking (side‑loading) to install the PureHVNC Remote Access Trojan on the victim’s machine. The campaign spreads via LinkedIn and other professional networks, impersonating well‑known companies in finance, logistics, technology, sustainability and energy.
Why It Matters for TPRM –
- Third‑party platforms (Google Forms, Dropbox, URL shorteners) are abused as infection vectors, expanding the attack surface of any vendor that relies on them.
- PureHVNC provides full remote control and can exfiltrate credentials, browser data, crypto wallets and messaging app contents, creating downstream data‑loss risk for your ecosystem.
- The use of business‑centric lures (job interviews, project briefs) targets the same professional contacts your organization routinely engages, increasing the likelihood of successful compromise.
Who Is Affected – Financial services, logistics, technology, energy and sustainability firms; any organization that receives recruitment or project‑related communications via Google Forms or LinkedIn.
Recommended Actions –
- Educate staff to verify Google Form links and avoid downloading ZIP files from unsolicited sources.
- Enforce URL filtering and block known malicious file‑sharing domains and short‑link services.
- Deploy endpoint protection that detects DLL hijacking and PureHVNC indicators.
- Monitor network traffic for unusual remote‑control activity and data exfiltration patterns.
Technical Notes – Attack vector: phishing‑style social engineering using Google Forms → malicious ZIP → DLL hijacking → PureHVNC RAT installation. No specific CVE cited. Data types at risk include system information, browser credentials, crypto wallet files, and messaging app data. Source: Malwarebytes Labs
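The ZIP layout described above (decoy document packaged next to an executable and a DLL in the same folder) is something a mail gateway or SOC triage script can flag before the archive reaches a user. The following is an added example, not code from Malwarebytes Labs or from the campaign; the member names and file contents are constructed sample data, and the extension sets are assumptions, so treat it as a heuristic that feeds analyst review rather than a verdict.

```python
"""Flag ZIP archives shaped like the lure: a document next to an EXE and a DLL
in one directory (the layout a DLL-hijacking dropper needs). Heuristic only."""
import io
import zipfile
from pathlib import PurePosixPath

LURE_DOCS = {".pdf", ".doc", ".docx"}      # assumed decoy document types
EXECUTABLES = {".exe", ".scr", ".com"}     # assumed launcher types


def zip_members(data: bytes) -> list[str]:
    """Return file member names of a ZIP given as bytes (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return []


def sideload_risk(members: list[str]) -> dict:
    """Group members by directory; report directories holding an executable
    together with at least one DLL, and whether a document lure is present."""
    by_dir: dict[str, dict[str, list[str]]] = {}
    has_lure = False
    for name in members:
        p = PurePosixPath(name)
        ext = p.suffix.lower()
        slot = by_dir.setdefault(str(p.parent), {"exe": [], "dll": []})
        if ext in EXECUTABLES:
            slot["exe"].append(p.name)
        elif ext == ".dll":
            slot["dll"].append(p.name)
        elif ext in LURE_DOCS:
            has_lure = True
    pairs = [(d, s["exe"], s["dll"]) for d, s in by_dir.items()
             if s["exe"] and s["dll"]]
    return {"lure_doc": has_lure, "exe_dll_pairs": pairs,
            "suspicious": has_lure and bool(pairs)}


def build_sample_zip() -> bytes:
    """Constructed sample archive in the shape the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Project_Brief/Project_Brief.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Project_Brief/viewer.exe", b"MZ placeholder")
        zf.writestr("Project_Brief/helper.dll", b"MZ placeholder")
    return buf.getvalue()
```

Run `sideload_risk(zip_members(data))` over attachments at the gateway and route anything with `suspicious` set to True into sandbox detonation or analyst review; a legitimate installer bundle can trip the same rule, so keep it as a triage signal.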