The Attack Chain
In early April 2026, security researchers observed a targeted campaign against a legal firm in which attackers abused Microsoft Teams and Google Drive to deploy malware rapidly. The intrusion began with an email-bombing tactic that flooded the victim's inbox with over 280 legitimate subscription messages. This created confusion and urgency, setting the stage for a fake IT helpdesk call on Microsoft Teams.
Posing as internal support staff, the attacker convinced the user to launch Windows Quick Assist and follow instructions delivered through a Pastebin link. Within 20 minutes, the threat actor had delivered a Java-based remote access trojan called Nimbus RAT. The malicious payload was hosted on a compromised Microsoft 365 SharePoint site to strengthen the illusion of legitimacy.
Cloud-Based Command and Control
Nimbus RAT distinguishes itself by using Google Drive and Google Sheets as command-and-control channels instead of traditional attacker-operated infrastructure. The malware communicates with legitimate Google APIs, making network-level detection extremely difficult. Commands are fetched from attacker-controlled Google Drive files, and stolen data is uploaded through the same channels.
This design ensures that malicious traffic blends in with normal enterprise cloud activity. The malware also bundles its own OpenJDK runtime, allowing it to execute on any Windows system regardless of installed dependencies. Once active, it establishes persistence and maintains encrypted communications with its operators, highlighting the growing sophistication of cloud-aware attack campaigns.
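The two traits above, a bundled Java runtime and C2 over Google APIs, give defenders a host-side correlation even when the network traffic itself looks legitimate. The following detection logic is an added example, not code from the original report or the cited researchers: it flags a Java binary running from outside the standard install directories that connects to a googleapis.com host. The telemetry format, hostnames and trusted-path list are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not from the original report): one outbound
# connection per line, with the image path of the process that made it.
SAMPLE_EVENTS = [
    r"host=WS01 image=C:\Program Files\Java\jdk-17\bin\java.exe dest=www.googleapis.com:443",
    r"host=WS01 image=C:\Users\jdoe\AppData\Local\Temp\rt\bin\java.exe dest=www.googleapis.com:443",
    r"host=WS02 image=C:\Users\asmith\AppData\Roaming\jre\bin\javaw.exe dest=sheets.googleapis.com:443",
    r"host=WS02 image=C:\Program Files\Google\Drive File Stream\GoogleDriveFS.exe dest=www.googleapis.com:443",
    r"host=WS03 image=C:\Users\jdoe\Downloads\jre\bin\java.exe dest=update.example.com:443",
]

# Assumed list of directories where a legitimately installed JDK/JRE lives;
# a java.exe anywhere else (Temp, Roaming, Downloads) looks like a bundled runtime.
TRUSTED_JAVA_PREFIXES = (
    "c:\\program files\\java\\",
    "c:\\program files (x86)\\java\\",
    "c:\\program files\\eclipse adoptium\\",
)
EVENT_RE = re.compile(r"host=(\S+) image=(.+?) dest=(\S+):(\d+)$")


@dataclass(frozen=True)
class Alert:
    host: str
    image: str
    dest: str


def parse_event(line):
    """Return (host, image, dest, port) or None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    return (m.group(1), m.group(2), m.group(3), int(m.group(4))) if m else None


def is_java_binary(image):
    return image.rsplit("\\", 1)[-1].lower() in ("java.exe", "javaw.exe")


def is_trusted_java_path(image):
    return image.lower().startswith(TRUSTED_JAVA_PREFIXES)


def is_google_api(dest):
    d = dest.lower()
    return d == "googleapis.com" or d.endswith(".googleapis.com")


def detect_bundled_java_to_google_api(lines):
    """Alert on Java running from a non-standard path and talking to Google APIs."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host, image, dest, _port = ev
        if is_java_binary(image) and not is_trusted_java_path(image) and is_google_api(dest):
            alerts.append(Alert(host, image, dest))
    return alerts
```

Run against the constructed events this yields two alerts (WS01 and WS02), while the installed JDK, the Google Drive client and the Java process talking to a non-Google host are left alone.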
Source: Cyber Security News
