Back to Intelligence

Vercel-Hosted Phishing Campaign Distributing LogMeIn RAT: OTX Pulse Analysis

SA
Security Arsenal Team
July 11, 2026
6 min read

Threat Summary

Recent intelligence from the OTX community has uncovered an active campaign wherein threat actors are leveraging the trust associated with legitimate cloud infrastructure to distribute remote access malware. Specifically, adversaries are utilizing the Vercel platform to host phishing pages that mimic legitimate Adobe PDF viewers.

Victims are targeted via email campaigns containing links to these malicious Vercel-hosted pages. Upon interaction, users are prompted to download a file disguised as a PDF document. In reality, this file is an executable payload (named Invoice06092025.exe.bin in analyzed samples) that silently installs the LogMeIn remote access tool (RAT). The objective is immediate persistence and unauthorized remote access to the victim's environment, likely for initial access brokerage or data theft.

Threat Actor / Malware Profile

Malware Family: LogMeIn (Legitimate RAT abused maliciously) Attack Vector: Trusted Platform Exploitation (Vercel), Phishing, Executable Disguise

  • Distribution Method: The campaign relies on phishing emails directing users to Vercel-hosted URLs. These URLs host landing pages designed to look like Adobe PDF readers, tricking the user into downloading what they believe is a document.
  • Payload Behavior: The downloaded file (Invoice06092025.exe.bin) is an executable installer. Upon execution, it automatically installs LogMeIn.
  • Persistence Mechanism: LogMeIn installs as a system service, ensuring that the remote access capability persists across system reboots.
  • C2 Communication: The malware utilizes LogMeIn's legitimate infrastructure for Command and Control (C2), making network detection difficult due to the overlap with authorized administrative traffic.
  • Anti-Analysis: By using a legitimate, signed remote access tool and hosting infrastructure (Vercel), the attackers evade reputation-based blocking and heuristic analysis designed to catch custom malware.

IOC Analysis

The provided Indicators of Compromise (IOCs) are strictly file hashes (MD5, SHA1, SHA256). No network-based IOCs (specific Vercel URLs or IPs) were provided in this specific pulse snapshot.

  • Operationalization: SOC teams should ingest these hashes into EDR solutions (CrowdStrike, SentinelOne, etc.) and SIEM correlation engines to trigger alerts on execution or file creation events.
  • Decoding Tooling: Standard hash validation utilities (HashCheck, CertUtil) can be used to verify files against these IOCs.

Detection Engineering

The following detection logic targets the specific behaviors identified in this pulse: the execution of disguised executables (*.exe.bin), the installation of LogMeIn, and suspicious process spawning from browsers typical of phishing downloads.

YAML
title: Suspicious Executable Creation with .bin Extension
id: 8a2b4c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects creation of executable files with .bin extension often used in phishing to bypass filters and deliver malware like LogMeIn.
references:
  - https://otx.alienvault.com/pulse/6600000000000000
author: Security Arsenal
date: 2026/07/12
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith: '.exe.bin'
  condition: selection
falsepositives:
  - Legitimate software installers utilizing .bin wrappers (rare)
level: high

---
title: LogMeIn Remote Access Software Installation
id: 9b3c5d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the installation of LogMeIn remote access software. While legitimate, its sudden presence in an enterprise environment without approval may indicate compromise.
references:
  - https://otx.alienvault.com/pulse/6600000000000000
author: Security Arsenal
date: 2026/07/12
tags:
  - attack.command_and_control
  - attack.t1219
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|contains:
      - 'LogMeIn.exe'
      - 'LMIGuardian.exe'
      - 'LogMeInSystray.exe'
  selection_cli:
    CommandLine|contains:
      - 'install'
      - '/f'
  condition: 1 of selection_*
falsepositives:
  - Authorized remote administration activities
level: medium

---
title: Browser Process Spawning Suspicious Child Process
id: 0c4d6e3f-7a8b-6c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects web browsers spawning child processes like powershell or cmd, often indicative of a phishing download executing malware.
references:
  - https://otx.alienvault.com/pulse/6600000000000000
author: Security Arsenal
date: 2026/07/12
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - 'chrome.exe'
      - 'msedge.exe'
      - 'firefox.exe'
  selection_child:
    Image|endswith:
      - 'powershell.exe'
      - 'cmd.exe'
      - 'wscript.exe'
      - 'cscript.exe'
  condition: all of selection_*
falsepositives:
  - System administration or web-based troubleshooting tools
level: medium


kql
// Hunt for LogMeIn installation and execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "LogMeIn" or FileName has_any_("LogMeIn.exe", "LMIGuardian.exe")
| extend Account = AccountName
| project Timestamp, DeviceName, Account, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

// Hunt for specific IOCs (File Hashes) on endpoints
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 == "0a1a85a026b6d477f59bc3d965b07d0d06e6ff2d34381aff79ea71c38fed802b" 
   or MD5 in ("322a92b443faefe48fce629e8947e4e2", "e230bf859e582fe95df0b203892048df", "f3f8379ce6e0b8f80faf259db2443f13", "f782c936249b9786cc7fac580da3ae0f") 
   or SHA1 == "5fd4bcca28553ebe759ec97fcbc3a2a732268f85"
| project Timestamp, DeviceName, FolderPath, SHA256, MD5, InitiatingProcessAccountName, ActionType


powershell
# IOC Hunt Script for LogMeIn Abuse and Vercel Malware
# Requires Administrator Privileges

# Define Hashes from Pulse
$TargetMD5 = @("322a92b443faefe48fce629e8947e4e2","e230bf859e582fe95df0b203892048df","f3f8379ce6e0b8f80faf259db2443f13","f782c936249b9786cc7fac580da3ae0f")
$TargetSHA256 = "0a1a85a026b6d477f59bc3d965b07d0d06e6ff2d34381aff79ea71c38fed802b"
$TargetSHA1 = "5fd4bcca28553ebe759ec97fcbc3a2a732268f85"

Write-Host "[+] Scanning for malicious file hashes (This may take time)..." -ForegroundColor Cyan

# Search common user directories and temp folders
$PathsToScan = @("C:\Users\", "C:\Windows\Temp\", "C:\ProgramData\")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object { 
            $_.Extension -match '\.(exe|bin|dll)' -and $_.Length -gt 0kb -and $_.Length -lt 100mb
        } | ForEach-Object {
            $hashMD5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            $hashSHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $hashSHA1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash

            if ($TargetMD5 -contains $hashMD5 -or $TargetSHA256 -eq $hashSHA256 -or $TargetSHA1 -eq $hashSHA1) {
                Write-Host "[CRITICAL] Malicious IOC found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "\n[+] Checking for unauthorized LogMeIn Installation..." -ForegroundColor Cyan
$LogMeInPaths = @("${env:ProgramFiles}\LogMeIn", "${env:ProgramFiles(x86)}\LogMeIn")
foreach ($LMPath in $LogMeInPaths) {
    if (Test-Path $LMPath) {
        Write-Host "[WARNING] LogMeIn detected at $LMPath" -ForegroundColor Yellow
        # Check service status
        Get-Service -Name *LogMeIn* -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
    }
}

Write-Host "\n[+] Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate:
    • Block execution of the provided file hashes via EDR policies.
    • Hunt for the presence of Invoice*.exe.bin files on user workstations.
    • Quarantine any systems identified as having the specific MD5/SHA256 hashes.
  • 24h:
    • Investigate any active LogMeIn sessions on the network. If the software is not authorized for use, uninstall immediately and rotate credentials for accounts used on those machines.
    • Review email logs for campaigns containing "Vercel" links or "Adobe PDF" lures.
  • 1 week:
    • Update proxy/firewall rules to inspect SSL traffic for generic hosting platforms if policy allows, to detect potential malware staging.
    • Conduct user awareness training specifically regarding the risks of downloading "documents" that require executable permissions.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwarevercel-abuselogmein-ratphishingremote-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.