Threat Actors Leverage Google Cloud Services for Malicious Campaigns

What happened

Threat actors abused Google Cloud services to host phishing infrastructure, malware payloads, and command-and-control systems. Attackers used trusted cloud domains, including Cloud Storage, App Engine, and Cloud Functions, to evade reputation-based security controls. Malicious content hosted on cloud platforms appeared legitimate, increasing successful delivery to victims and complicating detection.

Who is affected

Organizations and users interacting with cloud-hosted content face indirect exposure, while enterprises may unknowingly connect to attacker-controlled cloud resources.

Why CISOs should care

Abuse of legitimate cloud platforms undermines traditional perimeter filtering and increases reliance on behavioral detection and threat intelligence.

3 practical actions

Inspect cloud-hosted traffic: Scan inbound links and downloads from cloud platforms.

Monitor outbound connections: Detect unusual communications with cloud-based C2 infrastructure.

Report abuse promptly: Coordinate with cloud providers to disrupt malicious hosting.

John Kevin Hao

+ postsBio ⮌

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

• John Kevin Hao

  CISO Diaries: Alessio Cipolletta on Security in Safety-Critical Aviation Environments
• John Kevin Hao

  FBI Warns of Kali365 Phishing-as-a-Service Platform After April Microsoft 365 Attacks
• John Kevin Hao

  Ukraine Probes Teen Suspect in Cyber Theft Scheme Targeting California Online Shoppers
• John Kevin Hao

  CISO Diaries: Jason Scanlon on Security Culture, Leadership, and the Human Side of Cybersecurity