Hackers Exploit Google Forms to Deliver PureHVNC Malware in Sophisticated Job-Themed Cyberattack Campaign

Recent investigations by security researchers have uncovered a well-crafted malware campaign that leverages trusted business workflows to compromise victims. Rather than relying on traditional phishing emails or malicious websites, attackers are now using Google Forms as the entry point into the infection chain. This shift in initial access technique highlights a growing trend where threat actors exploit legitimate platforms to bypass user suspicion and security controls.

The campaign primarily distributes the PureHVNC Remote Access Trojan (RAT) using business-related themes such as job applications, project documentation, and financial discussions. While the malware itself is not new, the delivery mechanism and execution chain demonstrate notable evolution and sophistication.

PDFs masquerading as a real job description. Source: Malwarebytes

Background and Threat Overview

The attack begins in a subtle and convincing manner. Victims are typically directed to a Google Form that appears to belong to a legitimate organization. These forms are often shared through professional platforms such as LinkedIn, making them appear authentic and relevant.

The forms request standard professional information, such as work experience and background details. This creates a sense of legitimacy and lowers suspicion. Embedded within these forms are links to downloadable ZIP files that are presented as business documents.

These ZIP files act as the initial payload carriers and mark the beginning of a multi-stage infection process.


Understanding PureHVNC RAT

PureHVNC is a modular remote access trojan developed using the .NET framework. It belongs to the “Pure” malware family and is designed to give attackers extensive control over compromised systems.

Once installed, it enables remote command execution, allowing attackers to fully operate the infected device. It gathers detailed system information, including operating system data, hardware specifications, installed security tools, and user activity. Additionally, it can extract sensitive information from browsers, extensions, and cryptocurrency wallets.

The malware is also capable of accessing communication tools such as Telegram and Foxmail. Its modular design allows attackers to deploy additional plugins, enhancing functionality based on their objectives. Persistence is achieved through multiple techniques, ensuring long-term access to the system.


Initial Access: Social Engineering via Google Forms

One of the most striking aspects of this campaign is its use of Google Forms as a delivery mechanism. This approach takes advantage of user trust in well-known platforms.

The forms are designed to impersonate reputable companies, often including logos and branding elements to reinforce credibility. Victims are led to believe they are participating in legitimate recruitment processes or business collaborations.

The downloadable files linked in these forms are hosted on various platforms, including file-sharing services such as Dropbox and fshare.vn, as well as URL shorteners that obscure the final destination. In some cases, Google redirect links are used to further disguise malicious intent.

The filenames themselves are carefully chosen to align with professional contexts. Examples include project summaries, interview materials, and company overviews. These naming conventions play a key role in convincing victims to proceed with the download.


Infection Chain and Execution Flow

Once the victim downloads and extracts the ZIP archive, the infection process begins.

The archive typically contains a mix of legitimate-looking files and malicious components. Among these are executable files and a DLL, commonly named msimg32.dll, which is used in a DLL hijacking technique. This method tricks legitimate applications into loading malicious code.

The malicious DLL performs several operations. It decrypts embedded strings using a simple XOR key and includes mechanisms to detect debugging or sandbox environments. If such environments are detected, it displays an error message to avoid analysis.
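As an added illustration (not code from the Malwarebytes analysis or from the malware), here is the kind of helper an analyst uses to recover a single-byte XOR key and the strings it protects; the blob is constructed in the block, and its key (0x5A) and contents are assumptions, not values from a real sample:

```python
import string

# Bytes an analyst expects in decoded strings: letters, digits and the
# punctuation found in paths, registry keys and filenames. Kept narrow on
# purpose: a wrong key often keeps letters printable but breaks punctuation.
EXPECTED = set((string.ascii_letters + string.digits + " \n\\/.:_-").encode())

def xor_decode(blob: bytes, key: int) -> bytes:
    """Undo a single-byte XOR: every byte was XORed with the same key."""
    return bytes(b ^ key for b in blob)

def score(data: bytes) -> float:
    """Fraction of bytes that look like text the malware would embed."""
    return sum(b in EXPECTED for b in data) / max(len(data), 1)

def recover_key(blob: bytes, min_score: float = 0.95):
    """Brute-force all 256 single-byte keys; return (key, decoded) or None.
    None means no key produced mostly-expected bytes, which usually points
    at a longer repeating key or a different scheme, not at a bad sample."""
    best_key = max(range(256), key=lambda k: score(xor_decode(blob, k)))
    decoded = xor_decode(blob, best_key)
    return (best_key, decoded) if score(decoded) >= min_score else None

def extract_strings(decoded: bytes, sep: bytes = b"\n"):
    """Split the decoded table on its separator and drop empty entries."""
    return [s.decode() for s in decoded.split(sep) if s]

# Constructed sample: strings of the kind the article describes, XORed here
# with an arbitrary key so the example runs offline. Not from a real sample.
SAMPLE_KEY = 0x5A
SAMPLE_STRINGS = (
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    b"final.zip\nSearchUI.exe\nC:\\ProgramData\n"
)
SAMPLE_BLOB = xor_decode(SAMPLE_STRINGS, SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_key(SAMPLE_BLOB)
    if result:
        key, decoded = result
        print(f"key=0x{key:02x}")
        for s in extract_strings(decoded):
            print("  ", s)
```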

The malware then deletes traces of itself and launches a decoy PDF file to maintain the illusion of legitimacy. Meanwhile, it establishes persistence through registry modifications, specifically under the CurrentVersion\Run key.

At a later stage, an additional archive named final.zip is extracted into a randomly generated directory within the ProgramData folder. This archive contains Python-related components that drive the next phase of execution.


Advanced Payload Delivery

The extracted files include an obfuscated Python script, often disguised with misleading file extensions such as .log or .mp3. This script is executed using a bundled Python interpreter.

Its primary function is to decode and execute a Donut shellcode payload. This shellcode ultimately leads to the injection of PureHVNC into a legitimate system process, commonly SearchUI.exe, though variations exist across samples.

This injection technique helps the malware blend into normal system activity, making detection more difficult.


System Reconnaissance and Data Exfiltration

Once active, PureHVNC begins collecting detailed information about the infected system. It uses Windows Management Instrumentation (WMI) queries to gather data related to antivirus products, connected imaging devices, and operating system details.

The malware proceeds to enumerate browser data, extensions, and cryptocurrency wallets. This information is then prepared for exfiltration to command-and-control (C2) servers.

The configuration data used by the malware is encoded using Base64 and compressed with GZIP, ensuring efficient and concealed communication.
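An added decoder for this layering (example code, not taken from the malware or from the original analysis). It checks the GZIP magic bytes after Base64 decoding instead of assuming the order; the JSON layout and field names of the constructed sample config are assumptions, while the host and ports are those listed under Infrastructure and Indicators of Compromise on this page:

```python
import base64
import gzip
import json

GZIP_MAGIC = b"\x1f\x8b"

def decode_config(encoded: str) -> bytes:
    """Reverse the Base64 + GZIP layering.
    The order is checked, not assumed: after Base64 decoding the data must
    start with the GZIP magic bytes, otherwise it was never compressed and
    gzip.decompress would fail with a less helpful error."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError as e:  # binascii.Error is a ValueError subclass
        raise ValueError("input is not valid Base64") from e
    if not raw.startswith(GZIP_MAGIC):
        raise ValueError("Base64 payload is not GZIP data (bad magic bytes)")
    return gzip.decompress(raw)

def encode_config(plain: bytes) -> str:
    """Mirror of decode_config; used here only to build the offline sample."""
    return base64.b64encode(gzip.compress(plain)).decode()

def c2_endpoints(decoded: bytes):
    """Turn a decoded JSON config into host:port pairs for blocking or hunting."""
    cfg = json.loads(decoded)
    return [f"{h}:{p}" for h in cfg["hosts"] for p in cfg["ports"]]

# Constructed sample. The JSON layout and field names are assumptions for
# illustration, not the real PureHVNC format; host and ports are the ones
# the article lists, and the identifier and mutex are placeholders.
SAMPLE_CONFIG = {
    "hosts": ["207.148.66.14"],
    "ports": [56001, 56002, 56003],
    "campaign": "PLACEHOLDER-CAMPAIGN-ID",
    "mutex": "PLACEHOLDER-MUTEX",
}
SAMPLE_PLAIN = json.dumps(SAMPLE_CONFIG).encode()
SAMPLE_ENCODED = encode_config(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(c2_endpoints(decode_config(SAMPLE_ENCODED)))
```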


Persistence Mechanisms

To maintain long-term access, the malware establishes persistence through scheduled tasks. These tasks are created using PowerShell commands encoded in Base64. If administrative privileges are available, the tasks are configured to run with the highest level of access.

This ensures that the malware remains active even after system reboots.


Infrastructure and Indicators of Compromise

The campaign relies on a centralized command-and-control server with the IP address:

207.148.66[.]14

Communication occurs over multiple ports, including 56001, 56002, and 56003. The malware uses a predefined campaign identifier and mutex to manage execution.

Several URLs associated with file hosting and redirection have been identified, along with numerous file hashes linked to different variants of the malware.


Defensive Recommendations

This campaign demonstrates how attackers exploit trust in widely used platforms. Users should approach unsolicited Google Forms with caution, especially when they involve downloading files.

It is important to verify the authenticity of requests through official company channels. Links that rely on URL shorteners or redirection services should be treated with suspicion.

Organizations should implement endpoint detection and response (EDR) solutions capable of identifying unusual process behavior, such as DLL hijacking and process injection.


CyberP1 Opinion

From an analytical standpoint, this campaign represents a subtle but important shift in how attackers approach initial access. The use of Google Forms is not technically complex, yet it is highly effective. This suggests that threat actors are focusing more on exploiting human behavior rather than relying solely on advanced technical exploits.

The campaign reflects a deep understanding of professional workflows. By mimicking recruitment processes and business communications, attackers are inserting themselves into environments where users are already expecting to interact with unknown entities. This reduces friction and increases the likelihood of success.

What stands out is the layered approach used throughout the infection chain. Each stage is designed to appear legitimate while quietly advancing the attack. The inclusion of real-looking documents, the use of trusted platforms, and the gradual escalation of execution all contribute to a highly convincing attack scenario.

The technical components, such as DLL hijacking, Python-based payload execution, and shellcode injection, are not entirely new. However, their combination within this context demonstrates careful planning and adaptation. It shows that attackers are not necessarily inventing new malware but are refining how it is delivered and executed.

Another important observation is the reliance on common tools and services. By using platforms like Google Forms and Dropbox, attackers are effectively blending into normal network traffic. This makes detection more challenging for traditional security systems that rely on identifying known malicious domains.

This campaign also highlights the growing importance of user awareness. Even the most advanced security tools can be bypassed if users are convinced to willingly download and execute malicious files. The human element remains one of the most vulnerable points in any security framework.

In conclusion, this case reinforces the idea that modern cybersecurity threats are as much about psychology as they are about technology. Defending against such attacks requires a balanced approach that combines technical controls with continuous user education and awareness.