CyberArmor’s threat intelligence team has uncovered a sophisticated phishing campaign exploiting Vercel, a widely used legitimate frontend hosting platform, to deploy malicious remote access software under the guise of trusted business applications.
Over the last two months, cybercriminals have orchestrated at least 28 distinct attack waves, targeting more than 1,271 victims with a tailored version of LogMeIn, a remote access tool generally used for technical support and IT management.
Legitimate Cloud Infrastructure
The attack methodology involves a phishing email carrying a link to a Vercel-hosted page, cleverly disguised as an Adobe PDF viewer.
The phishing page is visually convincing, complete with the familiar interface elements users expect from legitimate online document viewers.
Victims are prompted to download what appears to be an invoice or business document; however, the file delivered, often named “Invoice06092025.exe.bin,” is an executable binary designed to auto-install on the victim’s device upon execution. This malware immediately establishes a connection to LogMeIn’s remote servers.
Although LogMeIn is a recognized and usually benign tool, its unauthorized installation enables the attacker to obtain full remote control of the compromised machine, bypassing many traditional malware detection mechanisms.
By using such legitimate tools, the malicious actors reduce their risk of early detection by security software, leveraging trust in both the LogMeIn application and the credibility of Vercel’s hosting infrastructure.
Malicious LogMeIn Variant
One of the central factors behind the campaign’s effectiveness is the use of vercel.app subdomains for hosting malicious content.
Since Vercel is a legitimate and reputable platform, security filters and end-users are less likely to identify these domains as suspicious.
Additionally, the attackers employ strong social engineering tactics, masquerading as technical support personnel and urging victims to install the malware under the pretense of resolving urgent account or invoice issues.
CyberArmor highlights that with the increasing abuse of trusted platforms for malware distribution and phishing, organizations must adapt their security measures.
Recommendations include enhanced monitoring for suspicious activity associated with vercel.app and surge.sh domains, user awareness programs focusing on remote access scams, and the application of strict policies governing the installation of remote desktop and support tools.
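As an added illustration of the monitoring recommendation (not code from CyberArmor's report), the following Python sketch triages web proxy logs for executable downloads from vercel.app and surge.sh subdomains, including double-extension names such as "Invoice06092025.exe.bin". The log format, the hostnames in the sample lines, the lure word list, and the scoring weights are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Hosting suffixes the article recommends monitoring.
WATCHED_SUFFIXES = (".vercel.app", ".surge.sh")
# Executable extension, optionally followed by one more extension,
# so "Invoice06092025.exe.bin" still counts as an executable download.
EXEC_NAME = re.compile(r"\.(exe|msi|scr|bat|cmd|vbs)(\.[a-z0-9]{1,5})?$", re.I)
# Lure words matching the invoice/shipping theme (assumed list, tune locally).
LURE = re.compile(r"invoice|statement|waybill|shipment|delivery", re.I)

# Constructed proxy log lines; the format and all hosts are made up.
SAMPLE_LOG = [
    "2025-06-09T10:01:02Z 10.0.0.15 GET https://invoice-viewer-example.vercel.app/Invoice06092025.exe.bin 200",
    "2025-06-09T10:02:10Z 10.0.0.22 GET https://team-dashboard-example.vercel.app/index.html 200",
    "2025-06-09T10:03:45Z 10.0.0.31 GET https://downloads.example.com/setup.exe 200",
    "2025-06-09T10:05:00Z 10.0.0.40 GET https://docs-example.surge.sh/files/report.msi?id=7 200",
]

def score_url(url):
    """Return (score, reasons) for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host.endswith(WATCHED_SUFFIXES):
        return 0, []
    score, reasons = 1, ["watched hosting domain"]
    filename = parts.path.rsplit("/", 1)[-1]  # query string is not part of path
    if EXEC_NAME.search(filename):
        score += 3
        reasons.append("executable download")
    if LURE.search(host) or LURE.search(filename):
        score += 1
        reasons.append("invoice/shipping lure")
    return score, reasons

def triage(lines, threshold=4):
    """Parse '<ts> <client> <method> <url> <status>' lines; return hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess
        ts, client, _method, url, _status = fields
        score, reasons = score_url(url)
        if score >= threshold:
            hits.append({"ts": ts, "client": client, "url": url,
                         "score": score, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Ordinary page loads from these platforms score below the threshold, so only the executable downloads are surfaced for review.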
This incident underscores a growing trend: attackers are shifting tactics to exploit legitimate IT infrastructure as camouflage for their operations.
Proactive monitoring, threat intelligence sharing, and employee education are critical to defending against such sophisticated social engineering and supply chain attacks.
According to the report, CyberArmor urges all organizations to review these indicators and strengthen defenses against the evolving threat landscape.