That “job brief” on Google Forms could infect your device
<p>We’ve identified a campaign using business-related lures, such as job interviews, project briefs, and financial documents, to distribute malware, including the PureHVNC Remote Access Trojan (RAT).</p><p>It’s not the malware that’s new, but how the attack starts.</p><p>Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain. The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside, next to decoy documents, is an executable that sets off a multi-stage infection process and ends with the RAT running on the system.</p><h2 class="wp-block-heading" id="h-what-is-purehvnc">What is PureHVNC?</h2><p>PureHVNC is a <strong>modular .NET RAT</strong> from the “Pure” malware family. In simple terms, it gives attackers remote control over an infected device and lets them steal sensitive information.</p><p>Once installed, it can:</p><ul class="wp-block-list"> <li>Take control of the system and run commands remotely.</li> <li>Fingerprint the device: operating system, hardware, security software, the logged-in user and connected devices.</li> <li>Steal data from browsers, browser extensions and cryptocurrency wallets.</li> <li>Extract data from apps such as Telegram and Foxmail.</li> <li>Install additional plugins.</li> <li>Achieve persistence in several ways (for example, via scheduled tasks).</li> </ul><h2 class="wp-block-heading" id="h-different-lures-same-goal-compromise-your-device">Different lures, same goal: compromise your device</h2><p>In our research, we found multiple Google Forms hosting links to malicious ZIP files that start the infection chain. These forms are convincing, impersonating real company names, logos and links.
LinkedIn is one of the platforms used to send links to these malicious forms.</p><figure class="wp-block-image aligncenter"><img decoding="async" loading="lazy" width="711" height="730" alt="Fake Google Forms that distribute malicious ZIPs." class="wp-image-390399" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/google-forms-lure-1.png?w=711"><figcaption class="wp-element-caption">Fake Google Forms that distribute malicious ZIPs.</figcaption></figure><figure class="wp-block-image aligncenter"><img decoding="async" loading="lazy" width="716" height="866" alt="The attackers impersonate real companies." class="wp-image-390400" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/ad-partnership.png?w=716"><figcaption class="wp-element-caption">The attackers impersonate real companies.</figcaption></figure><figure class="wp-block-image aligncenter"><img decoding="async" loading="lazy" width="678" height="957" alt="Well-known brands are impersonated to lend credibility." class="wp-image-390401" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/project-details-lure.png?w=678"><figcaption class="wp-element-caption">Well-known brands are impersonated to lend credibility.</figcaption></figure><p>The forms typically ask for professional information (experience, background, etc.), making them feel like part of a real recruitment or business process.</p><figure class="wp-block-image aligncenter"><img decoding="async" loading="lazy" width="820" height="868" alt="Information requested from the user to make the form appear legitimate." class="wp-image-390225" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_82ca84.png?w=820"><figcaption class="wp-element-caption">Information requested from the user to make the form appear legitimate.</figcaption></figure><figure class="wp-block-image aligncenter"><img decoding="async" loading="lazy" width="840" height="977" alt="More information requested from the user." class="wp-image-390224" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_d751b9.png?w=840"><figcaption class="wp-element-caption">More information requested from the user.</figcaption></figure><p>The forms link to ZIP files hosted on:</p><ul class="wp-block-list"> <li>File-sharing services such as Dropbox, filedn.com, and fshare.vn</li> <li>URL shorteners such as tr.ee and goo.su</li> <li>Google redirect links that obscure the final destination</li> </ul><p>The archives use various names tied to business-related themes (marketing, interviews, projects, job offers, budgets, partnerships, benefits) to avoid suspicion, for example:</p><ul class="wp-block-list"> <li><code>{CompanyName}_GlobalLogistics_Ad_Strategy.zip</code></li> <li><code>Project_Information_Summary_2026.zip</code></li> <li><code>{CompanyName} Project 2026 Interview Materials.zip</code></li> <li><code>{CompanyName}_Company_and_Job_Overview.pdf.rar</code></li> <li><code>Collaboration Project with {CompanyName} Company 2026.zip</code></li> </ul><p>Note the double extension in the <code>.pdf.rar</code> example: the name is chosen so that the archive reads as a PDF at a glance. The lures use the names of well-known companies, particularly in the financial, logistics, technology, sustainability and energy sectors. Impersonating legitimate organizations adds credibility to the campaign.</p><h2 class="wp-block-heading" id="h-what-happens-after-you-download-the-file">What happens after you download the file</h2><p>The archives usually contain legitimate files (such as PDFs of job descriptions) alongside an executable and a DLL, typically named <code>msimg32.dll</code>. The DLL runs through DLL hijacking: a legitimate program is tricked into loading the malicious DLL in place of the Windows library of that name. The technique has undergone multiple modifications and upgrades over the course of the campaign.</p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="497" height="701" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/google-form-pdf-image-1.png" alt="Legitimate PDFs are present in some ZIP files, like this one pretending to be a job description from a real company." class="wp-image-390430"><figcaption class="wp-element-caption">Legitimate PDFs are present in some ZIP files, like this one masquerading as a real job description.</figcaption></figure><h2 class="wp-block-heading" id="h-analysis-of-the-malicious-campaign">Analysis of the malicious campaign</h2><p>We identified multiple variants of this campaign, each using a different method to extract the archive, distinct Python code, and a different folder structure. Across these variants, the archive typically includes an executable along with a DLL hidden in a separate folder. In some cases, attackers also include legitimate files related to the lure’s theme, enhancing the overall credibility of the attack.</p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="872" height="157" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_35cd55.png" alt="Example of files present in one of the archives analyzed."
class="wp-image-390222"><figcaption class="wp-element-caption">Example of files present in one of the archives analyzed.</figcaption></figure><p>The malicious code lives in the DLL and carries out several operations, including:</p><ul class="wp-block-list"> <li>Decrypting its strings with a simple single-byte XOR, in this case with the key <code>0x4B</code>.</li> <li>Detecting debuggers and sandboxes with <code>IsDebuggerPresent()</code> and a check on the current time via <code>time64()</code>, and displaying the error “This software has expired or debugger detected” if triggered.</li> <li>Deleting itself, then dropping and launching a decoy PDF.</li> <li>Achieving persistence via a Run value named <code>Miroupdate</code> under <code>CurrentVersion\Run</code>.</li> <li>Extracting the <code>final.zip</code> archive and running its contents.</li> </ul><p>In this case, the decoy PDF was opened with the following command:</p><p><code>cmd.exe /c start "" "C:\Users\user\Desktop\Marketing Director Assessment Project\Marketing_Director_Assessment_Project.pdf"</code></p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="815" height="890" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_bbc624.png" alt="The PDF opened during the infection chain." class="wp-image-390231"><figcaption class="wp-element-caption">The PDF opened during the infection chain.</figcaption></figure><p>The archive <code>final.zip</code> is extracted into a random folder under <code>ProgramData</code>, using different commands across the analyzed campaigns. In this example, the <code>tar</code> command that ships with Windows is used:</p><p><code>cmd.exe /c tar -xf "C:\ProgramData\{random folder}\{random folder}\final.zip" -C "C:\ProgramData\{random folder}\{random folder}" &gt;nul 2&gt;&amp;1</code></p><p>The archive contains the Python files the next stage needs (including <code>pythonw.exe</code>) together with the next-stage payload.</p><figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="385" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_2bfbd9.png?w=1024" alt="Python files unpacked into a random folder in ProgramData." class="wp-image-390233"><figcaption class="wp-element-caption">Python files unpacked into a random folder in ProgramData.</figcaption></figure><p>Next, an obfuscated Python script named <code>config.log</code> is executed with the bundled <code>pythonw.exe</code>. It ultimately decodes and runs Donut shellcode (Donut packs a .NET assembly into position-independent shellcode, which is how a .NET RAT ends up delivered as shellcode). The script appears under different names (e.g., <code>image.mp3</code>) and formats in the different chains analyzed.</p><p><code>"C:\ProgramData\{random folder}\{random folder}\pythonw.exe" "C:\ProgramData\{random folder}\{random folder}\config.log"</code></p><figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="447" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_12924c.png?w=1024" alt="Obfuscated Python script that ultimately loads the Donut shellcode." class="wp-image-390226"><figcaption class="wp-element-caption">Obfuscated Python script that ultimately loads the Donut shellcode.</figcaption></figure><p>At the end of the infection chain, PureHVNC was injected into <code>SearchUI.exe</code>.
The injected process may vary across the analyzed samples.</p><p>PureHVNC executes the following WMI queries to gather information about the compromised device (installed security products, cameras and imaging devices, and the operating system version):</p><ul class="wp-block-list"> <li><code>SELECT * FROM AntiVirusProduct</code></li> <li><code>SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')</code></li> <li><code>SELECT Caption FROM Win32_OperatingSystem</code></li> </ul><p>For persistence, it creates a scheduled task using a base64-encoded PowerShell command, adding the <code>-RunLevel Highest</code> flag if the user has administrative rights.</p><figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="567" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/powershell-commnand-for-scheduled-task.png?w=1024" alt="PowerShell command for the scheduled task." class="wp-image-390414"><figcaption class="wp-element-caption">PowerShell command for the scheduled task.</figcaption></figure><p>PureHVNC enumerates and exfiltrates data from various browsers, browser extensions and cryptocurrency wallets.</p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="875" height="632" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_2a7963.png" alt="Methods related to wallet and browser data exfiltration." class="wp-image-390221"></figure><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="988" height="647" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/03/image_a587b6.png" alt="Methods related to wallet and browser data exfiltration." class="wp-image-390230"><figcaption class="wp-element-caption">Methods related to wallet and browser data exfiltration.</figcaption></figure><p>The malware configuration is base64-encoded and GZIP-compressed.</p><p>In this case, the configuration includes:</p><ul class="wp-block-list"> <li><strong>C2</strong>: <code>207.148.66.14</code></li> <li><strong>C2 ports</strong>: <code>56001, 56002, 56003</code></li> <li><strong>Campaign ID</strong>: <code>Default</code></li> <li><strong>Sleep flag</strong>: <code>0</code></li> <li><strong>Persistence path</strong>: <code>APPDATA</code></li> <li><strong>Mutex name</strong>: <code>Rluukgz</code></li> </ul><h2 class="wp-block-heading" id="h-how-to-stay-safe">How to stay safe</h2><p>Google Forms has proved a highly effective delivery method for this malware. Attackers rely on trust in familiar tools like Google Forms, Dropbox, and LinkedIn, and impersonate legitimate companies to get past your guard.</p><p>If you deal with job offers, partnerships, or project work online, this is worth paying attention to:</p><ul class="wp-block-list"> <li>Always check who created a Google Form, don’t enter sensitive information, and don’t download files unless you fully trust the source.</li> <li>Verify requests through official company channels before engaging.</li> <li>Be wary of links hidden behind URL shorteners or redirects.</li> <li>Treat an archive that contains an executable next to a DLL (especially one named after a Windows library, such as <code>msimg32.dll</code>) as malicious; a job description or project brief never needs an <code>.exe</code>.</li> <li>For defenders: <code>tar</code> extracting into <code>ProgramData</code>, <code>pythonw.exe</code> running from <code>ProgramData</code> with a file that does not end in <code>.py</code>, and a Run value named <code>Miroupdate</code> are all good hunting signals for this chain.</li> </ul><h2 class="wp-block-heading" id="h-indicators-of-compromise-iocs">Indicators of Compromise
(IOCs)</h2><p><strong>IP address</strong></p><p><code>207.148.66.14</code></p><p><strong>URLs</strong></p><p><code>https://goo[.]su/CmLknt7</code></p><p><code>https://www.fshare[.]vn/file/F57BN4BZPC8W</code></p><p><code>https://tr[.]ee/R9y0SK</code></p><p><code>https://dl.dropbox[.]com/scl/fi/52sgtk50j285hmde2ycry/Overview-of-the-MSI-Accounting-Project.rar?rlkey=9qmunvcp8oleeycld08gqwup9</code></p><p><strong>SHA-256 hashes</strong></p><p><code>ca6bd16a6185c3823603b1ce751915eaa60fb9dcef91f764bef6410d729d60b3</code></p><p><code>d6b7ab6e5e46cab2d58eae6b15d06af476e011a0ce8fcb03ba12c0f32b0e6386</code></p><p><code>e7b9f608a90bf0c1e477a28f41cb6bd2484b997990018b72a87268bf46708320</code></p><p><code>e221bb31e3539381d4753633443c1595bd28821ab6c4a89ad00ea03b2e98aa00</code></p><p><code>7f9225a752da4df4ee4066d7937fe169ca9f28ecddffd76aa5151fb72a57d54b</code></p><p><code>e0ced0ea7b097d000cb23c0234dc41e864d1008052c4ddaeaea85f81b712d07c</code></p><p><code>b18e0d1b1e59f6e61f0dcab62fecebd8bcf4eb6481ff187083ea5fe5e0183f66</code></p><p><code>85c07d2935d6626fb96915da177a71d41f3d3a35f7c4b55e5737f64541618d37</code></p><p><code>b78514cfd0ba49d3181033d78cb7b7bc54b958f242a4ebcd0a5b39269bdc8357</code></p><p><code>fe398eb8dcf40673ba27b21290b4179d63d51749bc20a605ca01c68ee0eaebbc</code></p><p><code>1d533963b9148b2671f71d3bee44d8332e429aa9c99eb20063ab9af90901bd4d</code></p><p><code>c149158f18321badd71d63409d08c8f4d953d9cd4a832a6baca0f22a2d6a3877</code></p><p><code>83ce196489a2b2d18a8b17cd36818f7538128ed08ca230a92d6ee688cf143a6c</code></p><p><code>ea4fb511279c1e1fac1829ec2acff7fe194ce887917b9158c3a4ea213abd513a</code></p><p><code>59362a21e8266e91f535a2c94f3501c33f97dce0be52c64237eb91150eee33e3</code></p><p><code>a92f553c2d430e2f4114cfadc8e3a468e78bdadc7d8fc5112841c0fdb2009b2a</code></p><p><code>4957b08665ddbb6a2d7f81bf1d96d252c4d8c1963de228567d6d4c73858803a4</code></p><p><code>481360f518d076fc0acb671dc10e954e2c3ae7286278dfe0518da39770484e62</code></p><p><code>8d6bc4e1d0c469022947575cbdb2c5dd22d69f092e696f0693a84bc7df5ae5e0</code></p><p><code>258adaed24ac6a25000c9c1240bf6834482ef62c22b413614856b8973e11a79f</code></p><p><strong>Pro tip: </strong>This is only a partial list of malicious URLs. Download the <a href="https://www.malwarebytes.com/browserguard" rel="noreferrer noopener">Malwarebytes Browser Guard plugin</a> for full protection and to block the remaining malicious domains.</p><hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide"><p><strong>We don’t just report on threats—we remove them</strong></p><p>Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by <a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.malwarebytes.com/">Malwarebytes</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Malwarebytes">Malwarebytes</a>. Read the original post at: <a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/that-job-brief-on-google-forms-could-infect-your-device">https://www.malwarebytes.com/blog/threat-intel/2026/03/that-job-brief-on-google-forms-could-infect-your-device</a> </p>
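<p>As an added example (not code from the original post or from Malwarebytes), the following Python script triages an archive for the layout described in the analysis: a legitimate-looking executable shipped with a DLL named after a Windows library (<code>msimg32.dll</code>) and decoy documents. The archive it inspects is constructed in memory; member names, file contents and the verdict thresholds are assumptions for illustration, and only the DLL name and the double-extension archive names (such as <code>.pdf.rar</code>) come from the post.</p>

```python
"""Static triage for lure archives laid out like the ones in the campaign.

Added example, not code from the original analysis. The ZIP is built from
constructed contents; only msimg32.dll and the .pdf.rar naming come from the
write-up. Verdict logic is a starting heuristic, not a detection signature.
"""
import io
import re
import zipfile

# DLL names reported in the campaign; extend with your own side-loading watchlist
SIDELOAD_DLLS = {"msimg32.dll"}
DOCUMENT_EXTS = {"pdf", "docx", "xlsx", "txt"}
# Names like Overview.pdf.rar pretend to be documents (one such name is on the page)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(zip|rar|7z|exe|scr)$", re.I)


def suspicious_archive_name(name: str) -> bool:
    return bool(DOUBLE_EXT.search(name))


def triage_archive(data: bytes) -> dict:
    """Inspect a ZIP's members and report what a reviewer should look at."""
    exes, dlls, docs, mz_disguised = [], [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            with z.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"      # cheap PE header check
            if ext == "exe" or (is_pe and ext not in ("exe", "dll")):
                exes.append(name)
            if is_pe and ext not in ("exe", "dll"):
                mz_disguised.append(name)        # PE hiding behind another extension
            if ext == "dll":
                dlls.append(name)
            if ext in DOCUMENT_EXTS:
                docs.append(name)
    hijack = [d for d in dlls if d.rsplit("/", 1)[-1].lower() in SIDELOAD_DLLS]
    if exes and hijack:
        verdict = "malicious-layout"             # EXE plus a known side-load DLL
    elif exes or mz_disguised:
        verdict = "review"                       # an executable in a "document" archive
    else:
        verdict = "no-executables"
    return {"verdict": verdict, "exes": exes, "dlls": dlls, "hijack_dlls": hijack,
            "decoys": docs, "mz_disguised": mz_disguised}


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the reported layout (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Marketing Project/Marketing_Project.exe", b"MZ" + b"\x00" * 62)
        z.writestr("Marketing Project/res/msimg32.dll", b"MZ" + b"\x00" * 62)
        z.writestr("Marketing Project/Job_Description.pdf", b"%PDF-1.4\n%decoy\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive with documents only, to show the rules stay quiet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("brief/Project_Brief.pdf", b"%PDF-1.4\n")
        z.writestr("brief/notes.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
    print(suspicious_archive_name("Company_and_Job_Overview.pdf.rar"))
```

<p><code>triage_archive()</code> takes any ZIP's bytes, so it can sit in a mail-gateway or download-scanning hook. The <code>MZ</code> header check matters because the campaign renames its payloads freely (the next-stage script ships as <code>config.log</code> or <code>image.mp3</code>), so extension-only checks miss executables hidden behind other names.</p>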
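<p>The commands observed after the download (tar extracting <code>final.zip</code> into <code>ProgramData</code>, <code>pythonw.exe</code> from <code>ProgramData</code> running a script with a non-Python extension, the <code>Miroupdate</code> Run value, and a scheduled task created through a base64-encoded PowerShell command) translate directly into hunting rules. The following is an added example, not Malwarebytes' detection logic: the events are constructed Sysmon-style records rather than real logs, and the folder names, the registry hive and the exact PowerShell task script are assumptions.</p>

```python
"""Hunting rules for the post-download behaviour reported in the analysis.

Added example (not Malwarebytes' code). Events below are constructed
Sysmon-style records; random folder names, the HKCU hive and the exact task
script are assumptions. The command shapes come from the write-up.
"""
import base64
import re


def split_args(cmdline: str) -> list:
    """Split a Windows command line, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def decode_encoded_command(cmdline: str):
    """Script behind -EncodedCommand (base64 of UTF-16LE; -e/-enc accepted), or None."""
    m = re.search(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_tar_into_programdata(ev):
    m = re.search(r"\btar(?:\.exe)?\b.*\s-xf\b.*\\ProgramData\\", ev.get("cmdline", ""), re.I)
    return m.group(0) if m else None


def rule_python_in_programdata_nonpy(ev):
    image = ev.get("image", "")
    if image.rsplit("\\", 1)[-1].lower() not in ("python.exe", "pythonw.exe"):
        return None
    if "\\programdata\\" not in image.lower():
        return None
    for arg in split_args(ev.get("cmdline", ""))[1:]:
        if not arg.startswith("-") and not arg.lower().endswith((".py", ".pyw", ".pyc")):
            return arg                       # e.g. config.log or image.mp3
    return None


def rule_run_value_miroupdate(ev):
    target = ev.get("target", "")
    if ev.get("type") == "registry" and re.search(r"\\CurrentVersion\\Run\\Miroupdate$", target, re.I):
        return target
    return None


def rule_encoded_ps_scheduled_task(ev):
    script = decode_encoded_command(ev.get("cmdline", ""))
    if not script or not re.search(r"Register-ScheduledTask|schtasks(\.exe)?\s+/create", script, re.I):
        return None
    level = "elevated" if re.search(r"-RunLevel\s+Highest", script, re.I) else "user-level"
    return f"{level} task: {script}"


RULES = {
    "tar_extract_into_programdata": rule_tar_into_programdata,
    "python_in_programdata_nonpy_script": rule_python_in_programdata_nonpy,
    "run_value_miroupdate": rule_run_value_miroupdate,
    "encoded_powershell_scheduled_task": rule_encoded_ps_scheduled_task,
}


def hunt(events: list) -> list:
    """Return (rule name, evidence) for every rule that fires on any event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            evidence = rule(ev)
            if evidence:
                hits.append((name, evidence))
    return hits


def encode_powershell(script: str) -> str:
    """How -EncodedCommand expects its argument; used to build the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


D = r"C:\ProgramData\Qx7k2\Ms0bT"            # stands in for {random folder}\{random folder}
SAMPLE_EVENTS = [                             # constructed telemetry, not real logs
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'cmd.exe /c tar -xf "{D}\\final.zip" -C "{D}" >nul 2>&1'},
    {"type": "process", "image": f"{D}\\pythonw.exe",
     "cmdline": f'"{D}\\pythonw.exe" "{D}\\config.log"'},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Miroupdate",
     "details": f"{D}\\pythonw.exe {D}\\config.log"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                + encode_powershell("Register-ScheduledTask -TaskName 'Updater' "
                                    "-Action (New-ScheduledTaskAction -Execute 'pythonw.exe') "
                                    "-Trigger (New-ScheduledTaskTrigger -AtLogOn) -RunLevel Highest")},
    # benign noise: a developer's own tooling, which the rules must not flag
    {"type": "process", "image": r"C:\Python312\pythonw.exe",
     "cmdline": r'"C:\Python312\pythonw.exe" "C:\Users\dev\tool.pyw"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c tar -xf "C:\Users\dev\backup.zip" -C "C:\Users\dev\restore"'},
]

if __name__ == "__main__":
    for name, evidence in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {evidence}")
```

<p>The Python rule keys on the script extension because the campaign names its loader <code>config.log</code> or <code>image.mp3</code>; if a Python runtime under <code>ProgramData</code> is itself unusual in your estate, drop that condition for broader coverage. The encoded-command decoder accepts the abbreviated <code>-e</code>/<code>-enc</code> forms PowerShell itself accepts, so attackers cannot dodge it by shortening the flag.</p>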
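<p>Two of the artifacts above can be reproduced offline: the DLL's string obfuscation (single-byte XOR with key <code>0x4B</code>) and the configuration wrapping (base64 and GZIP). The script below is an added example, not the campaign's code or Malwarebytes' tooling. It recovers the XOR key from a constructed blob by searching all 256 keys for the “This software has expired or debugger detected” message, and unwraps a constructed configuration. Assumptions: base64 is the outer layer of the wrapping, and the sample configuration uses a made-up <code>|</code>-separated layout, since the post does not document the real field order; the decoder therefore only extracts self-evident values (IPv4 address, port numbers, printable strings) and leaves interpretation to the analyst.</p>

```python
"""Decoders for the XOR-obfuscated strings and the base64+GZIP configuration.

Added example, not the campaign's code. Sample data is constructed here.
Assumed: base64 outside GZIP, and a '|'-separated config layout (the real
field order is not documented on the page).
"""
import base64
import gzip
import re

XOR_KEY = 0x4B                                   # key reported in the analysis
EXPIRED_MSG = b"This software has expired or debugger detected"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(blob: bytes, known: bytes) -> list:
    """Known-plaintext attack: every key under which `known` appears in the
    decrypted blob. A single-byte XOR has 256 keys, so just try them all."""
    return [k for k in range(256) if known in xor_bytes(blob, k)]


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """`strings`-style extraction of printable ASCII runs."""
    return [m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, data)]


def decode_config(b64_blob: str) -> dict:
    """Undo base64 then GZIP and pull out the values an analyst wants first."""
    raw = gzip.decompress(base64.b64decode(b64_blob))
    text = raw.decode("latin-1")
    ip_re = r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
    c2 = re.findall(ip_re, text)
    # ports: numbers that are not part of an IP, limited to 1024-65535 (assumption,
    # keeps flags such as the sleep value 0 out of the list)
    ports = sorted({int(n) for n in re.findall(r"\b\d{1,5}\b", re.sub(ip_re, " ", text))
                    if 1024 <= int(n) <= 65535})
    return {"raw": raw, "c2": c2, "ports": ports, "strings": printable_strings(raw)}


# --- constructed sample data (not real samples) --------------------------------
# A stand-in for the DLL: junk bytes around one XOR-0x4B-encrypted string.
SAMPLE_BLOB = b"\x00" * 16 + xor_bytes(EXPIRED_MSG, XOR_KEY) + b"\xff" * 16
# A configuration in an assumed layout holding the values listed in the post,
# wrapped the way the post describes (GZIP, then base64 on the outside).
SAMPLE_CONFIG_PLAINTEXT = b"207.148.66.14|56001,56002,56003|Default|0|APPDATA|Rluukgz"
SAMPLE_CONFIG_B64 = base64.b64encode(gzip.compress(SAMPLE_CONFIG_PLAINTEXT)).decode("ascii")

if __name__ == "__main__":
    keys = recover_single_byte_key(SAMPLE_BLOB, EXPIRED_MSG)
    print("XOR key candidates:", [hex(k) for k in keys])
    print(xor_bytes(SAMPLE_BLOB, keys[0]))
    print(decode_config(SAMPLE_CONFIG_B64))
</code>
```

<p>On a real sample, feed <code>recover_single_byte_key()</code> the DLL's data section and the error message quoted above; if the key comes back as <code>0x4B</code>, <code>xor_bytes()</code> over that section yields the remaining strings (paths, the <code>Miroupdate</code> value name, the <code>tar</code> command). If the configuration fails to decompress, try the layers in the other order; the wrapping order is an assumption here.</p>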