CyberArmor has identified a phishing campaign leveraging Vercel, a legitimate frontend hosting platform, to distribute a malicious version of LogMeIn — a legitimate remote access tool — used by cybercriminals to gain full control over victims’ machines.

Phishing Technique

Cybercriminals sent phishing emails containing a link that directed recipients to a malicious page hosted on Vercel, a legitimate website hosting platform. The page impersonated an Adobe PDF viewer and prompted the visitor to download a file. The file offered for download was an executable disguised as a legitimate document.

Figure 1 illustrates how the phishing page is rendered to the user.

Figure 1: LogMeIn malware drop point

Malware File Overview

The malware has the following properties.

Once executed, the application automatically installs on the system and establishes a connection to the LogMeIn server, allowing the cybercriminal to remotely access and control the compromised machine.

Scope Of Impact

Over the past two months, we have observed more than 28 distinct campaigns targeting over 1,271 users.

Why It Works

CyberArmor Recommendations

Cybercriminals are increasingly turning to trusted platforms to disguise malicious activity. Proactive monitoring and awareness are key to staying ahead.
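
One way to monitor for this delivery pattern in web proxy logs, shown as an added example that is not CyberArmor's code: it flags executable downloads served from the hosting platforms named in this report. The log layout, field order, MIME type list and sample hostnames are assumptions constructed for the illustration.

```python
from urllib.parse import urlsplit

# Assumed proxy log layout (constructed): timestamp client_ip method url status content_type
HOSTING_SUFFIXES = (".vercel.app", ".surge.sh")  # hosting platforms named in this report
EXEC_EXTENSIONS = (".exe", ".msi", ".scr")
EXEC_TYPES = {"application/x-msdownload", "application/vnd.microsoft.portable-executable"}
DOC_HINTS = (".pdf.", ".doc.", ".docx.", ".xls.")  # document extension before the real one


def classify(line):
    """Return (client_ip, url, reasons) for a suspicious download, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None  # malformed line: skip rather than crash
    _ts, client, method, url, status, ctype = parts
    if method != "GET" or status != "200":
        return None
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    if not host.endswith(HOSTING_SUFFIXES):
        return None
    path = target.path.lower()  # urlsplit keeps the query string out of .path
    filename = path.rsplit("/", 1)[-1]
    reasons = []
    if path.endswith(EXEC_EXTENSIONS):
        reasons.append("executable extension")
    if ctype.lower() in EXEC_TYPES:
        reasons.append("executable content type")
    if reasons and any(hint in filename for hint in DOC_HINTS):
        reasons.append("document-style double extension")
    return (client, url, reasons) if reasons else None


def flag_downloads(lines):
    """Classify every log line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log; hostnames are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2025-01-01T09:00:01Z 10.0.0.5 GET https://example-docs.vercel.app/index.html 200 text/html
2025-01-01T09:00:07Z 10.0.0.5 GET https://example-docs.vercel.app/files/Invoice.pdf.exe 200 application/x-msdownload
2025-01-01T09:02:11Z 10.0.0.9 GET https://example-site.surge.sh/get?id=7 200 application/x-msdownload
2025-01-01T09:03:00Z 10.0.0.7 GET https://vendor.example.com/setup.exe 200 application/x-msdownload
garbled line
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in flag_downloads(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The content-type check matters because a download URL does not have to end in an executable extension; the third sample line is caught only by the response type.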

IOCs
				