That “job brief” on Google Forms could infect your device

Attackers are using malicious Google Forms linking to business-themed ZIP files (job interviews, project briefs, financial documents) to distribute a multi-stage infection chain that ultimately installs the PureHVNC .NET RAT. The campaign employs DLL hijacking, obfuscated Python/Donut shellcode, scheduled tasks and process injection (into SearchUI.exe) while using services like Dropbox and URL shorteners to host payloads and C2 infrastructure. #PureHVNC #GoogleForms

Keypoints

  • Attackers distribute malicious ZIP archives via Google Forms posing as legitimate business or recruitment materials, often shared through LinkedIn or hosted on file-sharing services and URL shorteners.
  • The ZIPs typically contain legitimate lure files (PDFs) plus an executable and a malicious DLL (often msimg32.dll) that uses DLL hijacking to execute payloads.
  • Malicious DLLs perform string XOR decryption, anti-debug/sandbox checks, self-deletion, drop fake PDFs, extract a final.zip, and launch obfuscated Python scripts that load Donut shellcode.
  • PureHVNC is the final payload: a modular .NET RAT that performs system control, data collection (browsers, extensions, crypto wallets, Telegram, Foxmail), plugin installation, and persistence via scheduled tasks or registry Run keys.
  • The campaign uses in-memory techniques and process injection (example: injecting PureHVNC into SearchUI.exe), WMI queries for discovery, and a base64+GZIP-encoded configuration pointing to C2 infrastructure (207.148.66.14, ports 56001–56003).
  • Indicators include multiple malicious URLs, a C2 IP, and numerous file hashes; defenses recommended are verifying Google Forms origin, avoiding downloads from untrusted forms/shortened links, and validating requests through official channels.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The campaign relies on victims downloading and opening business-themed ZIPs to start the chain (‘victim downloads a business-themed ZIP file linked from a Google Form.’)
  • [T1574.001] DLL Search Order Hijacking – Malicious code is delivered via a DLL that is loaded by a legitimate program through DLL hijacking (‘the DLL is executed via DLL hijacking (tricking a legitimate program into loading malicious code)’)
  • [T1053.005] Scheduled Task – Persistence is achieved by creating scheduled tasks via base64-encoded PowerShell commands, using elevated flags when available (‘it creates a scheduled task using a base64-PowerShell command, with the flag “-RunLevel Highest” if the user has admin rights.’)
  • [T1547.001] Registry Run Keys / Startup Folder – The malware adds a Run key for persistence (‘Achieving persistence via the registry key CurrentVersion\Run\Miroupdate.’)
  • [T1055] Process Injection – The RAT is injected into legitimate processes (example: SearchUI.exe) to evade detection and run payloads (‘PureHVNC was injected into SearchUI.exe.’)
  • [T1047] Windows Management Instrumentation – The malware uses WMI queries to enumerate security products, devices and OS details (‘PureHVNC executes the following WMI queries… SELECT * FROM AntiVirusProduct … SELECT Caption FROM Win32_OperatingSystem’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The chain uses cmd.exe to start files and run tar extraction commands (‘cmd.exe /c start "" "C:\Users\user\Desktop\Marketing Director Assessment Project\Marketing_Director_Assessment_Project.pdf"’)
  • [T1059.006] Command and Scripting Interpreter: Python – Obfuscated Python scripts are executed (e.g., config.log) to decode and run Donut shellcode (‘an obfuscated Python script called config.log is executed. It ultimately decodes and runs a Donut shellcode.’)
  • [T1027] Obfuscated Files or Information – Configuration and payloads are obfuscated/encoded (base64 + GZIP) and strings are XOR-encrypted to hinder analysis (‘The malware configuration is encoded with base64 and compressed with GZIP.’ and ‘Decrypting strings with a simple XOR, in this case with the “4B” key.’)
  • [T1005] Data from Local System – The RAT enumerates and collects data from browsers, extensions and cryptocurrency wallets for exfiltration (‘PureHVNC performs enumeration to exfiltrate information related to various browsers, extensions, and cryptocurrency wallets.’)
  • [T1041] Exfiltration Over C2 Channel – Collected data is sent to C2 servers listed in the configuration (example C2 IP and ports) (‘C2: 207.148.66.14 … C2 ports: 56001, 56002, 56003’)
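The T1027 and T1041 entries above give an analyst exactly what is needed to pull indicators out of a sample: strings are protected with a single-byte XOR under key `0x4B`, and the configuration that names the C2 is base64-encoded and then GZIP-compressed. The helper below is an added example, not code from the report or from Malwarebytes; it reverses both layers and extracts the C2 host and ports. Only the XOR key, the base64/GZIP layering and the C2 IP and ports come from the page. The JSON layout of the decoded configuration (`host` / `ports` keys), the sample byte strings, and the helper names are constructed assumptions, and the real PureHVNC configuration will not look like this JSON.

```python
import base64
import gzip
import json
import re

# Added example, not the report's or Malwarebytes' code. Only three facts come
# from the report: strings are XOR-encrypted with the single-byte key 0x4B,
# the configuration is base64-encoded then GZIP-compressed, and the C2 is
# 207.148.66.14 on ports 56001-56003. The JSON layout of the decoded
# configuration and every sample byte string below are constructed assumptions.

XOR_KEY = 0x4B  # the "4B" key named in the report


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def xor_decrypt(data: bytes, key: int = XOR_KEY) -> str:
    """Recover one XOR-encrypted string as text."""
    return xor_bytes(data, key).decode("utf-8", errors="replace")


def recover_strings(data: bytes, key: int = XOR_KEY, min_len: int = 6) -> list:
    """'strings'-style sweep over a blob after XOR: pulls out every run of
    printable ASCII at least min_len long, so a whole section of the DLL can
    be scanned without knowing where each string starts and ends."""
    plain = xor_bytes(data, key)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, plain)]


def decode_config(blob: str) -> dict:
    """base64 -> GZIP -> configuration. The report gives the two layers;
    the JSON inside is this example's assumption."""
    raw = gzip.decompress(base64.b64decode(blob))
    return json.loads(raw)


def extract_c2(cfg: dict) -> tuple:
    """Return (host, sorted ports) for indicator extraction."""
    return cfg["host"], sorted(int(p) for p in cfg["ports"])


def encode_config(cfg: dict) -> str:
    """Inverse of decode_config; used here only to build sample input."""
    return base64.b64encode(gzip.compress(json.dumps(cfg).encode())).decode()


# Constructed samples -------------------------------------------------------
SAMPLE_ENCRYPTED_STRING = xor_bytes(b"SELECT * FROM AntiVirusProduct")
SAMPLE_BLOB = xor_bytes(
    b"\x01\x02\x03"
    + b"SELECT Caption FROM Win32_OperatingSystem"
    + b"\x00\xff"
    + b"Miroupdate"
    + b"\x00"
)
SAMPLE_CONFIG_BLOB = encode_config({
    "host": "207.148.66.14",          # C2 IP from the report
    "ports": [56003, 56001, 56002],   # C2 ports from the report, deliberately unordered
    "mutex": "constructed-example",   # placeholder field
})

if __name__ == "__main__":
    print(xor_decrypt(SAMPLE_ENCRYPTED_STRING))
    print(recover_strings(SAMPLE_BLOB))
    print(extract_c2(decode_config(SAMPLE_CONFIG_BLOB)))
```

`recover_strings` is the part worth keeping in a toolbox: because single-byte XOR maps the separator bytes between strings to non-printable values, a printable-run scan over the decoded blob recovers the WMI queries and the Run-key value name in one pass. Swapping the key argument lets the same function be tried against a different sample whose key is not yet known.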

Indicators of Compromise

  • [IP] C2 infrastructure – 207.148.66.14
  • [URL] Malicious hosting and redirect links – https://goo[.]su/CmLknt7, https://dl.dropbox[.]com/scl/fi/52sgtk50j285hmde2ycry/Overview-of-the-MSI-Accounting-Project.rar?rlkey=9qmunvcp8oleeycld08gqwup9, and other shortened/hosted links
  • [HASH] Malware and payload files – ca6bd16a6185c3823603b1ce751915eaa60fb9dcef91f764bef6410d729d60b3, d6b7ab6e5e46cab2d58eae6b15d06af476e011a0ce8fcb03ba12c0f32b0e6386, and 18 more hashes
  • [FILE NAME] Dropped/executed filenames used in campaigns – msimg32.dll (malicious DLL used in hijacking), final.zip / config.log (obfuscated Python) and file names like Marketing_Director_Assessment_Project.pdf used as decoy


Read more: https://www.malwarebytes.com/blog/threat-intel/2026/03/that-job-brief-on-google-forms-could-infect-your-device