
Cybercriminals Abusing Vercel to Deliver Remote Access Malware

Severity: Medium
Published: Fri Jun 20 2025 (06/20/2025, 19:26:04 UTC)
Source: AlienVault OTX General

Description

A phishing campaign has been identified that exploits Vercel, a legitimate frontend hosting platform, to distribute a malicious version of LogMeIn. Cybercriminals send phishing emails with links to a malicious page on Vercel, impersonating an Adobe PDF viewer and prompting users to download a disguised executable. Once executed, the malware installs and connects to a LogMeIn server, allowing remote access and control of the compromised machine. Over 28 distinct campaigns targeting more than 1,271 users have been observed in the past two months. The technique's effectiveness stems from the use of a legitimate platform, a genuine remote access tool, and social engineering tactics. Recommendations include monitoring suspicious Vercel subdomains, educating employees about fake support scams, and implementing strict controls for remote access software installations.

AI-Powered Analysis

Last updated: 06/21/2025, 13:09:05 UTC

Technical Analysis

This threat involves a sophisticated phishing campaign leveraging the legitimate frontend hosting platform Vercel to distribute a malicious variant of the remote access tool LogMeIn. Attackers send phishing emails containing links to malicious pages hosted on Vercel, which impersonate an Adobe PDF viewer interface to deceive users. The malicious page prompts users to download an executable disguised as a legitimate file. Upon execution, the malware installs itself and establishes a connection to a LogMeIn server controlled by the attacker, granting remote access and control over the compromised system. This campaign has been active for at least two months, with over 28 distinct campaigns targeting more than 1,271 users. The attack's success is attributed to the abuse of a trusted platform (Vercel), use of a genuine remote access tool (LogMeIn), and effective social engineering tactics such as impersonation of common software and fake support scams. Indicators of compromise include multiple file hashes and suspicious domains. The campaign techniques align with MITRE ATT&CK tactics such as T1566 (phishing), T1204 (user execution), T1219 (remote access software), T1036 (masquerading), and T1105 (remote file copy). No known exploits or threat actors have been identified, and no CVSS score is assigned. The threat is rated medium severity due to its reliance on user interaction and social engineering, but it poses significant risk due to the potential for unauthorized remote access and control.

Potential Impact

For European organizations, this threat poses a considerable risk to confidentiality, integrity, and availability. Successful compromise allows attackers to remotely control infected machines, potentially leading to data exfiltration, lateral movement within networks, deployment of additional malware, or disruption of business operations. The use of a legitimate platform and software reduces suspicion and increases the likelihood of successful infection, especially in environments with less mature security awareness. Organizations handling sensitive data, intellectual property, or critical infrastructure could face severe operational and reputational damage. The campaign’s scale and persistence indicate a broad targeting approach, which could affect various sectors including finance, manufacturing, and public administration across Europe. The threat also highlights the risk of supply chain and platform abuse, emphasizing the need for vigilance even when interacting with trusted services.

Mitigation Recommendations

1. Implement advanced email filtering and phishing detection solutions that specifically analyze URLs and attachments for signs of platform abuse and masquerading.
2. Monitor DNS and web traffic for suspicious or newly created Vercel subdomains, especially those mimicking legitimate services or software interfaces.
3. Enforce application whitelisting and restrict installation of remote access software to approved and verified tools only.
4. Conduct targeted security awareness training focusing on recognizing fake support scams, phishing emails impersonating common software (e.g., Adobe PDF viewers), and the risks of executing unsolicited downloads.
5. Deploy endpoint detection and response (EDR) solutions capable of identifying unusual LogMeIn connections or unauthorized remote access sessions.
6. Use multi-factor authentication (MFA) for remote access tools and VPNs to reduce the risk of unauthorized access even if credentials are compromised.
7. Regularly audit and update remote access policies, ensuring least privilege principles are applied and remote access is logged and monitored.
8. Collaborate with platform providers like Vercel to report and take down malicious subdomains promptly.
9. Maintain updated threat intelligence feeds to quickly identify and block known malicious hashes and domains associated with this campaign.
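The following Python script is an added defender-side illustration of recommendations 2 and 9 above; it is not part of the AlienVault pulse or the cited article. It loads the hash and domain indicators listed on this page, then sweeps a small set of constructed DNS/proxy/file-event log lines for (a) known IoC domains, (b) newly seen vercel.app subdomains, escalated when the subdomain label contains a software-lure keyword, and (c) file hashes matching the IoC list. The log format (`timestamp source kind value`) and the lure keyword list are assumptions chosen for the example, not something the pulse specifies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators of compromise exactly as listed on this page (AlienVault pulse).
IOC_HASHES = {
    # MD5 (32 hex chars)
    "322a92b443faefe48fce629e8947e4e2",
    "e230bf859e582fe95df0b203892048df",
    "f3f8379ce6e0b8f80faf259db2443f13",
    "f782c936249b9786cc7fac580da3ae0f",
    # SHA-1 (40 hex chars)
    "5fd4bcca28553ebe759ec97fcbc3a2a732268f85",
    "6fa2dd3d3f4e486788b5c37abaa8a6a040bbb518",
    "d1392dedfe3dcc1d3d1fb7cb01bf2b006d2804dc",
    # SHA-256 (64 hex chars)
    "0a1a85a026b6d477f59bc3d965b07d0d06e6ff2d34381aff79ea71c38fed802b",
    "233e1eff3fa01631889529032b15cf7a2d686462e002b9a7b56355f93ab45e52",
    "9bde904a892ebb8db95040cbf793a585704063c7656ece6186486752f68b8a6b",
}
IOC_DOMAINS = {"findhome.cl", "mail.blta.ro"}

# Assumption for this example: label fragments that suggest a software/support lure
# of the kind the campaign used (fake Adobe PDF viewer, fake support pages).
LURE_KEYWORDS = ("adobe", "pdf", "viewer", "document", "support")

# Assumed log shape: "<timestamp> <source-ip> <dns|http|file> <domain-or-hash>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|http|file)\s+(?P<value>\S+)$")


@dataclass
class Finding:
    ts: str
    src: str
    kind: str
    value: str
    severity: str   # "high" or "low"
    reason: str


def classify_domain(domain: str) -> Optional[Finding]:
    """Return (severity, reason) for a looked-up or contacted host, or None if benign."""
    d = domain.lower().rstrip(".")
    if d in IOC_DOMAINS or any(d.endswith("." + ioc) for ioc in IOC_DOMAINS):
        return ("high", "known IoC domain from pulse")
    if d == "vercel.app" or d.endswith(".vercel.app"):
        label = d[: -len(".vercel.app")] if d != "vercel.app" else ""
        if any(kw in label for kw in LURE_KEYWORDS):
            return ("high", "vercel.app subdomain with software-lure keyword")
        # Legitimate Vercel traffic is common; surface for review rather than block.
        return ("low", "vercel.app subdomain (review if newly seen)")
    return None


def classify_hash(digest: str) -> Optional[tuple]:
    """Return (severity, reason) if a file hash matches the pulse IoC list."""
    h = digest.lower()
    if h in IOC_HASHES:
        algo = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}.get(len(h), "unknown")
        return ("high", f"known IoC {algo} hash from pulse")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Walk log lines and collect findings; malformed lines are skipped."""
    findings: List[Finding] = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        kind, value = m["kind"], m["value"]
        verdict = classify_hash(value) if kind == "file" else classify_domain(value)
        if verdict:
            sev, reason = verdict
            findings.append(Finding(m["ts"], m["src"], kind, value, sev, reason))
    return findings


# Constructed sample log lines for the example (not real telemetry).
SAMPLE_LOGS = [
    "2025-06-20T10:01:02Z 10.0.0.12 dns adobe-pdf-viewer-secure.vercel.app",
    "2025-06-20T10:01:05Z 10.0.0.12 http www.example.org",
    "2025-06-20T10:02:10Z 10.0.0.12 file 322a92b443faefe48fce629e8947e4e2",
    "2025-06-20T10:03:00Z 10.0.0.7 dns mail.blta.ro",
    "2025-06-20T10:04:00Z 10.0.0.7 dns my-portfolio.vercel.app",
    "2025-06-20T10:05:00Z 10.0.0.7 file deadbeefdeadbeefdeadbeefdeadbeef",
    "this line is malformed and must be ignored",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity.upper()}] {f.ts} {f.src} {f.kind} {f.value}: {f.reason}")
```

The two-tier verdict matters in practice: vercel.app hosts plenty of legitimate sites, so a blanket block would be disruptive, whereas a first-seen subdomain whose label imitates a PDF viewer or support portal, or a hash/domain that matches the pulse, is worth an immediate EDR or proxy alert.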


Technical Details

Author: AlienVault
TLP: white
References: https://cyberarmor.tech/threat-insight-cybercriminals-abusing-vercel-to-deliver-remote-access-malware
Adversary: none listed
Pulse ID: 6855b5cc908313a5fb032505
Threat Score: none assigned

Indicators of Compromise

Hash

MD5:
322a92b443faefe48fce629e8947e4e2
e230bf859e582fe95df0b203892048df
f3f8379ce6e0b8f80faf259db2443f13
f782c936249b9786cc7fac580da3ae0f

SHA-1:
5fd4bcca28553ebe759ec97fcbc3a2a732268f85
6fa2dd3d3f4e486788b5c37abaa8a6a040bbb518
d1392dedfe3dcc1d3d1fb7cb01bf2b006d2804dc

SHA-256:
0a1a85a026b6d477f59bc3d965b07d0d06e6ff2d34381aff79ea71c38fed802b
233e1eff3fa01631889529032b15cf7a2d686462e002b9a7b56355f93ab45e52
9bde904a892ebb8db95040cbf793a585704063c7656ece6186486752f68b8a6b

Domain

findhome.cl
mail.blta.ro

Threat ID: 68568e6baded773421b5987f

Added to database: 6/21/2025, 10:50:19 AM

Last enriched: 6/21/2025, 1:09:05 PM

Last updated: 8/11/2025, 3:53:44 AM

Views: 36
