THE Malwarebytes article explains a campaign that uses business-themed lures such as job interviews and project briefs distributed via Google Forms to deliver the PureHVNC Remote Access Trojan (RAT). According to Malwarebytes, the infection chain begins when victims download a ZIP file linked from a Google Form, with the ZIP containing an executable and a DLL that is loaded through DLL hijacking.
Once installed, PureHVNC can remotely control the device, gather system and browser data, and exfiltrate information from wallets and apps, while also creating persistence through a registry Run key and launching additional components. The campaign comprises multiple variants that use different archive extraction methods and obfuscated Python scripts that load a Donut shellcode before injecting PureHVNC into SearchUI[.]exe.
IOCs include the IP 207.148.66[.]14 and various URLs such as goo[.]su and Dropbox links, with the article dated 20 March 2026. This highlights how attackers exploit trusted tools like Google Forms and impersonated brands to lower vigilance, according to Malwarebytes.