Methods related to wallet and browser data exfiltration | Image: Malwarebytes
A sophisticated new malware campaign is turning a trusted business tool into a launchpad for cyber espionage. Security researchers at Malwarebytes Labs have uncovered an infection chain that trades traditional phishing emails for a more credible lure: Google Forms.
This campaign is specifically designed to bait professionals with high-stakes business documents, such as job interview materials, project briefs, and financial summaries. By masquerading as legitimate corporate processes, attackers are successfully deploying the PureHVNC Remote Access Trojan (RAT) onto unsuspecting systems.
The attack often begins on LinkedIn, where victims receive links to convincing Google Forms. These forms are meticulously crafted to impersonate well-known global brands, complete with official logos and corporate branding.
To lend the trap an air of authenticity, the forms request standard professional background information. According to the report:
“The forms typically ask for professional information (experience, background, etc.), making them feel like part of a real recruitment or business process.”
Once the victim is engaged, the form directs them to download a business-themed ZIP file hosted on popular file-sharing services like Dropbox or via obscured Google redirect links.
The downloaded archive often contains a mix of legitimate-looking files, such as a PDF of a job description, and a malicious executable paired with a hidden DLL. The researchers noted that:
“It’s not the malware that’s new, but how the attack starts.”
Once the user opens the file, the infection begins. The primary payload, PureHVNC, is a modular .NET-based RAT that grants attackers near-total control over the compromised device.
Key Capabilities of PureHVNC:
- Remote Execution: Attackers can take control of the system and run commands remotely.
- Deep Data Theft: The malware is designed to “steal data from browsers, extensions and crypto wallets”.
- App Exploitation: It can extract private data from applications like Telegram and Foxmail.
- Persistence: It ensures it stays on the system by creating scheduled tasks via PowerShell, often running with the highest privileges.
The campaign utilizes several layers of defense evasion to stay under the radar of traditional security software. The malware is often executed via DLL hijacking, tricking legitimate programs into loading the malicious code.
The researchers also found that the malware uses WMI queries to scan the system for security software like antivirus products, and it can detect if it is being run in a “sandbox” or debugger environment. If it senses it is being watched by researchers, it displays a fake error message stating, “This software has expired or debugger detected”.
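As an added example, not code from the Malwarebytes report, here is a small Python triage helper that checks process-creation command lines for the two behaviours described above: PowerShell registering a scheduled task at the highest run level, and WMI queries enumerating installed antivirus products. The sample events are constructed, and the field names, rule names and the `AntiVirusProduct` WMI class (root\SecurityCenter2) are assumptions for illustration.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample process-creation events (not real captures).
SAMPLE_EVENTS = [
    {"image": "powershell.exe",
     "cmdline": 'powershell.exe -NoP -W Hidden -c "$p = New-ScheduledTaskPrincipal '
                '-UserId $env:USERNAME -RunLevel Highest; Register-ScheduledTask '
                '-TaskName Updater -Principal $p -Action (New-ScheduledTaskAction '
                '-Execute C:\\Users\\Public\\svc.exe)"'},
    {"image": "powershell.exe",
     "cmdline": 'powershell.exe -c "Get-WmiObject -Namespace root\\SecurityCenter2 '
                '-Class AntiVirusProduct"'},
    {"image": "schtasks.exe",  # benign: daily task without elevated run level
     "cmdline": "schtasks.exe /Create /TN Backup /TR C:\\Tools\\backup.exe /SC DAILY"},
    {"image": "powershell.exe",  # benign admin activity
     "cmdline": 'powershell.exe -c "Get-ChildItem C:\\Logs | Measure-Object"'},
]

# Each rule is a name plus a list of regexes that must ALL match the command line.
# Splitting the conditions avoids depending on argument order in the command line.
RULES: List[Tuple[str, List[Pattern]]] = [
    ("scheduled_task_highest_privs", [
        re.compile(r"Register-ScheduledTask|schtasks(\.exe)?\s+/create", re.I),
        re.compile(r"-RunLevel\s+Highest|/RL\s+HIGHEST", re.I),
    ]),
    ("wmi_antivirus_enumeration", [
        re.compile(r"Get-WmiObject|Get-CimInstance|wmic(\.exe)?", re.I),
        re.compile(r"AntiVirusProduct", re.I),
    ]),
]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules whose conditions all match the command line."""
    cmdline = event.get("cmdline", "")
    return [name for name, conds in RULES if all(c.search(cmdline) for c in conds)]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only events that trip at least one rule, with the rules that fired."""
    hits = []
    for ev in events:
        rules = classify(ev)
        if rules:
            hits.append({"image": ev["image"], "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["image"], "->", ", ".join(hit["rules"]))
```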
The modular nature of this campaign allows attackers to quickly swap out lures and company names. Current themes include marketing strategies, logistics ads, and 2026 project budgets.
To protect yourself, be wary of any recruitment or business process that requires downloading ZIP archives from a Google Form, even if the branding looks official. Always verify the source of the link and be cautious of files requiring you to run an executable to view a document.