A sophisticated phishing campaign active between November 2025 and January 2026 has been exploiting Vercel\u2019s legitimate hosting platform to distribute remote access tools to unsuspecting victims. <\/p>\n
The attack chain combines social engineering with trusted domain exploitation, making it particularly effective at bypassing traditional security layers. <\/p>\n
Attackers craft phishing emails using financially themed lures such as overdue invoices, payment statements, and shipping documents to pressure users into clicking malicious links<\/a>.<\/p>\n The campaign demonstrates a shift in threat actor tactics, moving beyond simple malware delivery to implement advanced evasion techniques. <\/p>\n Victims receive emails containing urgency-driven language like \u201c43 days past due\u201d or threats of service suspension, compelling them to interact with hyperlinked content. <\/p>\n The attacker relies on Vercel\u2019s reputation as a trusted platform, which naturally bypasses email filters and creates a false sense of security for recipients. <\/p>\n Some variants target specific regions, with Spanish-language emails posing as security update notifications, while others impersonate legitimate services like Adobe PDF viewers or financial portals.<\/p>\n Cloudflare analysts identified<\/a> this threat while examining Vercel abuse patterns and discovered that the campaign had evolved significantly since its initial documentation in June 2025 by CyberArmor. <\/p>\n The researchers noted that threat actors implemented sophisticated Telegram-based filtering mechanisms designed to block security researchers and automated sandboxes from accessing the payload.<\/p>\n When victims click the malicious Vercel link, they encounter a technically advanced evasion mechanism before payload delivery. <\/p>\n The attacker\u2019s infrastructure performs browser fingerprinting<\/a>, collecting IP addresses, device types, browser information, and geographic location. <\/p>\n This harvested data<\/a> is exfiltrated to a threat-actor-controlled Telegram channel, where automated systems evaluate whether the victim represents a genuine target. <\/p>\n Security researchers and suspicious connections are filtered out, while approved victims proceed to a fake document viewer interface.<\/p>\n Users are then prompted to download files disguised as legitimate documents, with names like \u201cStatements05122025.exe\u201d or \u201cInvoice06092025.exe.bin.\u201d <\/p>\n The payload itself is not custom malware<\/a> but rather a legitimate, signed copy of GoTo Resolve (formerly LogMeIn) remote access software. By leveraging this \u201cLiving off the Land\u201d technique, attackers bypass signature-based antivirus detection systems. <\/p>\n Upon execution, the tool establishes connections to remote command servers, granting complete remote control and system access to threat actors.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Phishing Attack Leverages Vercel Hosting Platform to Deliver a Remote Access Tool<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"'Invoice](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhCjPhqfEhASSkfvUS0cwItNgATbE1HBI520LplyIaJwk_DHI3C2K6YkAhSv-2HLkdnLRmU8yu_syGZtSZUIgnyvpJWZhvuIV2cCDSif9CHh1xQs9wdLUJ2JW42uyUVkThTCHu6D9wSGmafMGNuFVva9bgD6cjIr3vge_pJxaRX4va0VfOMl83Ok8MKpfk\/s16000\/%27Invoice%2520Details%27%2520phishing%2520example%2520%28Source%2520-%2520Cloudflare%29.webp?ssl=1\")
![\"A](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEglrpF7PiD9nTjDr8oiux8T7zvQBykDY4xjT6AHItR_9_whUIXLFujA21cA7cAvo-geuLOJfgLxmKTQDZNZC-j9Dwd0rO5S3LDd4-S9r_TiaBiPe6yPQZ28KXy6r6TeyPcHA00F9otKQKzNGELSRpkeFVJi0CdWVfyoZKopJEgo8SdpEJmDlR5kdhDovJ4\/s16000\/A%2520phishing%2520email%2520impersonating%2520a%2520secure%2520document%2520signing%2520portal%2520%28Source%2520-%2520Cloudflare%29.webp?ssl=1\")
Infection Through Browser Fingerprinting and Conditional Delivery<\/strong><\/h2>\n
![\"A](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEghvloZCVJBPnlOI6hIpgO_CAJEqhQRKnMuyyieJP0gLjd0JW8KtYRN7fz-_77f7y4ry4_9wXLia7BcqZm2q1GGsI-OT3b9L4_HUYvjYz-F1RkiLYCxm9E-Vnerb96CcLpcPdxcSrg3l6_PcX-8f3au85V78cwznmvfvzDAO7AfC40BCf8Qh7pPOJhyphenhyphenFvM\/s16000\/A%2520specialized%2520lure%2520targeting%2520business%2520account%2520owners%2520%28Source%2520-%2520Cloudflare%29.webp?ssl=1\")