New Phishing Attack Abuses Vercel Hosting Platform to Deliver a Remote Access Tool

A newly identified phishing campaign active between November 2025 and January 2026 has been abusing Vercel’s legitimate hosting infrastructure to distribute remote access tools to targeted victims. By combining social engineering with trusted cloud services, the attackers have significantly increased their success rate while evading traditional security defenses.

The campaign relies heavily on urgency-based phishing emails that use financial themes such as overdue invoices, payment summaries, and shipping notifications. These messages are carefully written to pressure recipients into clicking embedded links without verifying their authenticity.

Security analysts note that this activity reflects an evolution in attacker tactics, moving away from simple malware attachments toward more complex delivery chains designed to evade detection.

Abuse of Trusted Platforms and Regional Targeting

Victims commonly receive emails containing alarming phrases such as “43 days past due” or warnings of imminent service suspension. These messages direct users to links hosted on Vercel, a platform widely trusted by developers and enterprises, which allows the malicious URLs to bypass many email security filters.

Some variants of the campaign show regional customization. Spanish-language emails impersonate security update notifications, while other lures mimic well-known services such as Adobe PDF viewers or online financial portals. This adaptability suggests a deliberate effort to tailor attacks based on geographic or organizational context.

'Invoice Details' phishing example (Source - Cloudflare)

Cloudflare researchers uncovered the activity while analyzing abuse patterns related to Vercel-hosted content. Their investigation revealed that the campaign had undergone significant refinement since it was first documented in June 2025 by CyberArmor.

Advanced Filtering and Payload Protection

To protect the operation from exposure, the attackers implemented Telegram-based filtering mechanisms that prevent security researchers and automated sandbox environments from accessing the final payload.

A phishing email impersonating a secure document signing portal (Source - Cloudflare)

When a user clicks the malicious Vercel link, the infrastructure initiates a pre-delivery evaluation process. Browser fingerprinting techniques are used to collect information such as IP address, device type, browser configuration, and geographic location. This data is then transmitted to a Telegram channel controlled by the threat actors, where automated logic determines whether the visitor is a legitimate target.

Suspicious connections are blocked, while approved victims are redirected to a fake document viewer designed to appear legitimate.

Living off the Land Remote Access Deployment

A specialized lure targeting business account owners (Source - Cloudflare)

Once approved, users are prompted to download files disguised as standard business documents, with filenames such as “Statements05122025.exe” or “Invoice06092025.exe.bin.” Rather than deploying custom malware, the attackers use a signed and legitimate copy of GoTo Resolve, previously known as LogMeIn.

This Living off the Land approach allows the campaign to evade signature-based antivirus tools by abusing trusted software. After execution, the remote access tool establishes a connection to external command servers, granting attackers full control over the compromised system.
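As an added example (not from the article or from Cloudflare's research), the Python triage helper below scores an inbound message on the three signals the campaign combines, a financial lure theme, urgency phrasing, and a link on a Vercel deployment domain, and separately flags document-named downloads that carry an executable extension anywhere in their suffix chain, as with "Invoice06092025.exe.bin". It assumes the campaign's links use the `*.vercel.app` domain; the sample message and filenames are constructed from the wording quoted above.

```python
import re
from urllib.parse import urlparse

# Lure themes and the urgency phrasing described in the article.
FINANCIAL_THEMES = ("invoice", "statement", "payment", "shipping")
URGENCY_PATTERNS = [
    re.compile(r"\b\d+\s+days?\s+past\s+due\b", re.I),  # "43 days past due"
    re.compile(r"\bsuspen(d|ded|sion)\b", re.I),        # "service suspension"
]
EXECUTABLE_EXTS = {"exe", "scr", "com", "msi", "bat", "cmd", "js", "vbs"}
DOCUMENT_PREFIX = re.compile(r"^(invoice|statement|payment|receipt|shipping)s?", re.I)

def vercel_hosted(url: str) -> bool:
    """True if the link points at a Vercel deployment domain.
    Assumption: the campaign's links live under *.vercel.app."""
    host = (urlparse(url).hostname or "").lower()
    return host == "vercel.app" or host.endswith(".vercel.app")

def risky_filename(name: str) -> bool:
    """Flag document-looking names with an executable extension anywhere in
    the suffix chain, so 'Invoice06092025.exe.bin' is caught even though a
    naive last-extension check sees only the harmless-looking '.bin'."""
    parts = name.lower().split(".")
    if len(parts) < 2 or not DOCUMENT_PREFIX.match(parts[0]):
        return False
    return any(ext in EXECUTABLE_EXTS for ext in parts[1:])

def triage_email(subject: str, body: str, links: list[str]) -> dict:
    """Combine lure signals with the hosting signal. A Vercel link alone is
    ordinary developer traffic; escalate only when it rides on the financial
    theme or urgency language this campaign relies on."""
    text = f"{subject}\n{body}".lower()
    reasons = []
    if any(theme in text for theme in FINANCIAL_THEMES):
        reasons.append("financial-theme")
    if any(p.search(text) for p in URGENCY_PATTERNS):
        reasons.append("urgency-phrase")
    if any(vercel_hosted(u) for u in links):
        reasons.append("vercel-hosted-link")
    escalate = "vercel-hosted-link" in reasons and len(reasons) >= 2
    return {"verdict": "review" if escalate else "allow", "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample modelled on the lure quoted in the article (not a real message).
    print(triage_email("Invoice Details",
                       "Your account is 43 days past due; service suspension is imminent.",
                       ["https://example-viewer.vercel.app/open"]))
    print([f for f in ("Statements05122025.exe", "Invoice06092025.exe.bin",
                       "Invoice06092025.pdf") if risky_filename(f)])
```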
