Threat Insight: Cybercriminals Abusing Vercel to Deliver Remote Access Malware

Written by
Nguyen Nguyen

Phishing Technique

Cybercriminals sent phishing emails containing a link that directed recipients to a malicious page hosted on Vercel, a legitimate website hosting platform. The page impersonated an Adobe PDF viewer and prompted the visitor to download a file. The file offered for download was an executable disguised as a legitimate document.

Malware File Overview

The malware has the following properties.

File name: Invoice06092025.exe.bin
MD5: f3f8379ce6e0b8f80faf259db2443f13
SHA1: 5fd4bcca28553ebe759ec97fcbc3a2a732268f85
SHA256: 0a1a85a026b6d477f59bc3d965b07d0d06e6ff2d34381aff79ea71c38fed802b

Once executed, the application automatically installs on the system and establishes a connection to the LogMeIn server, allowing the cybercriminal to remotely access and control the compromised machine.

Scope Of Impact

Over the past two months, we have observed more than 28 distinct campaigns targeting over 1,271 users.

Why It Works

CyberArmor Recommendations

Cybercriminals are increasingly turning to trusted platforms to disguise malicious activity. Proactive monitoring and awareness are key to staying ahead.
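
The delivery pattern described above (a Vercel-hosted page serving an executable named like a document, such as Invoice06092025.exe.bin) can be monitored for in web proxy logs. The Python check below is an added example, not CyberArmor's own tooling; the log format, the sample hosts and the first-bytes field are constructed assumptions.

```python
# Added example: flag executable downloads served from shared-hosting subdomains.
import csv
import io
from urllib.parse import unquote, urlsplit

# Platforms where anyone can publish under a subdomain; extend as needed.
SHARED_HOSTING_SUFFIXES = (".vercel.app",)
EXECUTABLE_EXTS = {"exe", "scr", "msi", "com", "bat", "cmd", "vbs", "ps1"}
# Constructed proxy log (assumed format): time,user,url,filename,first_bytes_hex
SAMPLE_LOG = """\
2025-06-09T08:14:02Z,alice,https://constructed-lure.vercel.app/download,Invoice06092025.exe.bin,4d5a9000
2025-06-09T08:20:41Z,bob,https://constructed-dashboard.vercel.app/report,q2-report.pdf,25504446
2025-06-09T09:02:10Z,carol,https://constructed-lure.vercel.app/get?id=7,Statement.pdf,4d5a9000
2025-06-09T09:30:55Z,dave,https://downloads.example.com/setup,setup.exe,4d5a9000
"""

def is_shared_hosting(url):
    """True only for subdomains of a listed platform, not look-alike hosts."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host.endswith(SHARED_HOSTING_SUFFIXES)

def hidden_executable_ext(filename):
    """Return an executable extension found anywhere in the extension chain."""
    parts = unquote(filename).lower().split(".")[1:]
    return next((p for p in parts if p in EXECUTABLE_EXTS), None)

def is_pe(first_bytes_hex):
    return first_bytes_hex.lower().startswith("4d5a")  # "MZ" magic of a PE file

def triage(log_text):
    """Return one finding per risky download, with the reasons it was flagged."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or not is_shared_hosting(row[2]):
            continue  # malformed line, or host outside the watched platforms
        ts, user, url, filename, magic = row
        reasons = []
        ext = hidden_executable_ext(filename)
        if ext:
            reasons.append(f"executable extension .{ext} in file name")
        if is_pe(magic):
            reasons.append("PE header (MZ) in response body")
        if reasons:
            findings.append({"time": ts, "user": user, "file": filename,
                             "host": urlsplit(url).hostname, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["user"], f["host"], f["file"], "; ".join(f["reasons"]))
```

The content check catches the case the file-name check misses: a PE file served under a plain document name.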

IOCs

