Threat Overview
On 2026-02-02, the security community was alerted to a new phishing campaign targeting users of popular cloud storage services. The emails masquerade as legitimate renewal notices and appear to come from the cloud provider. They contain links to a counterfeit website designed to harvest login credentials or deliver malware. The campaign is run by a financially motivated threat actor that has been active in the region for the past year. According to the report, the group uses a combination of social engineering, lookalike domains, and compromised email servers to distribute the malicious payload.
Actor Group
The threat actor remains unidentified but is believed to operate under the alias “CloudPay” on underground forums. They have a history of exploiting subscription-based services, taking advantage of the low perceived risk of renewal emails. Their modus operandi involves creating a sense of urgency, often mentioning a “critical security update” or a “payment deadline.” The group’s infrastructure is distributed across several countries, with command-and-control servers residing in jurisdictions with weak enforcement.
Technical Tactics, Techniques and Procedures (TTPs)
- Phishing Emails: Emails use subject lines such as “Your Cloud Storage Account Requires Immediate Action” or “Renewal Notice – Your Subscription Expires Today.” The content is highly convincing, referencing recent usage statistics and including a personalized signature that mimics the official brand.
- Lookalike Domains: The URLs point to registered domains that closely resemble the legitimate provider's domain, for example cloudstorag3.com instead of cloudstorage.com. Because the attacker controls these domains, mail sent from them can carry valid SPF and DKIM for cloudstorag3.com; this is typosquatting rather than header spoofing, and the provider's own email authentication does not cover it. The landing page is a replica of the official login portal, complete with brand colors and logos.
- Credential Harvesting: Once the victim enters their credentials, the information is sent to the attacker's server. The report also describes a small JavaScript payload that captures the session cookie, allowing the attackers to hijack the victim's account. The report does not say how the cookie is obtained; for it to be a valid cookie for the real provider, the counterfeit site would have to relay the login to the legitimate portal (an adversary-in-the-middle setup), which also defeats one-time-code and push-based MFA. Treat reported cookie theft as a reason to revoke active sessions, not only to reset passwords.
- Malicious Attachments: Some emails include a ZIP file that appears to contain a "renewal invoice." Running the file inside the archive executes a hidden payload that installs a keylogger and a remote access trojan (the archive itself is inert until its contents are opened).
Indicators of Compromise (IOCs)
- Emails from addresses such as support@cloudstorag3.com
- Links containing the keyword “renewal” and pointing to domains with character substitutions
- IP addresses in 45.67.89.0/24, the range the report associates with the phishing site (a whole /24 is a coarse indicator; expect shared hosting in it and verify before blocking)
- Hashes of known malicious attachments, e.g. 5f4dcc3b5aa765d61d8327deb882cf99, which the report labels SHA-256. That value is 32 hex characters, the length of an MD5 digest (a SHA-256 digest is 64 hex characters), so either the hash type is mislabelled or the value is truncated; confirm it against the source report before ingesting it into a blocklist.
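The lookalike-domain TTP and the IOC list above can be turned into a first-pass detector. The block below is an added example, not code from the report or from any vendor: it normalizes character substitutions (3 for e, 1 for l, rn for m and so on; the substitution map is an assumption), measures edit distance to a protected brand domain (cloudstorage.com, the report's own illustration), checks sender domains, URLs, source IPs and attachment hashes against the listed IOCs, and reports the hash as MD5-length rather than SHA-256. The sample messages are constructed for the example.

```python
"""Added example, not from the report: match constructed sample messages against the
campaign's listed IOCs and flag character-substituted lookalikes of a protected domain."""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Brand domain to protect; 'cloudstorage.com' is the report's own illustration.
PROTECTED_DOMAINS = {"cloudstorage.com"}

# IOCs as listed in the report, reproduced verbatim.
IOC_SENDER_DOMAINS = {"cloudstorag3.com"}
IOC_NETWORKS = [ipaddress.ip_network("45.67.89.0/24")]
IOC_HASHES = {"5f4dcc3b5aa765d61d8327deb882cf99"}

# Digit/letter substitutions commonly used in lookalike domains (assumed list, extend as needed).
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "rn": "m", "vv": "w"}
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def hash_type(digest: str) -> Optional[str]:
    """Classify a hex digest by length; a 32-char value is MD5-length, not SHA-256."""
    digest = digest.lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    return HASH_LENGTHS.get(len(digest))


def normalize_label(label: str) -> str:
    """Undo the substitutions an attacker might use (heuristic: 'rn' -> 'm' can also hit real words)."""
    label = label.lower()
    for fake, real in SUBSTITUTIONS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch dropped or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain this host imitates, or None if it is genuine or unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in PROTECTED_DOMAINS or any(domain.endswith("." + p) for p in PROTECTED_DOMAINS):
        return None
    # Registrable label, e.g. 'cloudstorag3' from 'login.cloudstorag3.com' (TLD handling simplified).
    label = domain.rsplit(".", 1)[0].split(".")[-1]
    for protected in PROTECTED_DOMAINS:
        target = protected.rsplit(".", 1)[0]
        if normalize_label(label) == target or levenshtein(label, target) <= 1:
            return protected
    return None


def analyze_email(msg: dict) -> List[Tuple[str, str]]:
    """Return (indicator, detail) findings for one parsed message."""
    findings = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain in IOC_SENDER_DOMAINS:
        findings.append(("ioc_sender", sender_domain))
    elif lookalike_of(sender_domain):
        findings.append(("lookalike_sender", sender_domain))
    for url in msg.get("urls", []):
        host = urlparse(url).hostname or ""
        if lookalike_of(host):
            # The report's lure: a substituted domain combined with a 'renewal' path or parameter.
            kind = "lookalike_url_renewal" if "renewal" in url.lower() else "lookalike_url"
            findings.append((kind, host))
    if msg.get("source_ip"):
        addr = ipaddress.ip_address(msg["source_ip"])
        if any(addr in net for net in IOC_NETWORKS):
            findings.append(("ioc_ip", msg["source_ip"]))
    for digest in msg.get("attachment_hashes", []):
        if digest.lower() in IOC_HASHES:
            findings.append(("ioc_hash", f"{digest} ({hash_type(digest)}-length)"))
    return findings


# Constructed sample messages (not real telemetry).
SAMPLE_EMAILS = [
    {   # matches the campaign's lure on every indicator
        "from": "support@cloudstorag3.com",
        "urls": ["https://login.cloudstorag3.com/renewal?acct=123"],
        "source_ip": "45.67.89.12",
        "attachment_hashes": ["5f4dcc3b5aa765d61d8327deb882cf99"],
    },
    {   # genuine provider mail, must produce no findings
        "from": "billing@cloudstorage.com",
        "urls": ["https://www.cloudstorage.com/account/renewal"],
        "source_ip": "203.0.113.10",
        "attachment_hashes": [],
    },
    {   # typo-squat not in the IOC list, caught by the edit-distance check
        "from": "noreply@cloudstorge.com",
        "urls": ["https://cloudstorge.com/login"],
        "source_ip": "198.51.100.7",
        "attachment_hashes": ["a" * 64],
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(msg["from"], "->", analyze_email(msg) or "clean")
```

The genuine renewal link from cloudstorage.com produces no finding even though it contains "renewal", which is the point of pairing the keyword with a lookalike check rather than matching the keyword on its own; the third message shows the distance check catching a variant the IOC list does not name.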
Impact Assessment
Victims of the campaign may lose access to their data, incur financial charges, or have their accounts hijacked for further attacks. According to the report, the phishing emails bypass basic spam filters, with a delivery rate above 70% in the report's test environment. The attackers also use compromised accounts to send additional phishing emails to the victims' contacts, amplifying the campaign's reach and lending it the credibility of a known sender.
Recommendations for Security Analysts
- Implement spam filtering rules that flag emails whose URLs point to character-substituted lookalikes of your providers' domains, combined with the "renewal" lure. The keyword on its own will match genuine renewal notices, so score it together with the domain check rather than alone.
- Deploy SPF, DKIM, and DMARC (with an enforcing policy) on your own domains to stop exact-domain spoofing. These mechanisms do not cover lookalike domains such as cloudstorag3.com, which authenticate as themselves, nor mail sent through compromised legitimate servers, so pair them with lookalike monitoring.
- Educate users on recognizing phishing emails, emphasizing verification of URLs before clicking and navigating to the official website directly rather than through links in renewal notices.
- Enable multi-factor authentication on all cloud storage accounts to mitigate credential compromise, preferring phishing-resistant methods (FIDO2/WebAuthn) because the reported session-cookie capture would bypass one-time codes and push approvals. Revoke active sessions, not just passwords, for any account that entered credentials on the counterfeit site.
- Monitor outbound traffic for connections to the known malicious domains and block them at the perimeter firewall or DNS resolver.
- Use threat intelligence feeds that include the IOCs identified in the report to enrich security analytics.
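The email-authentication recommendation above has a limit worth seeing concretely. The block below is an added example, not code from the report or from any email provider: it scores a DMARC TXT record for weak settings (p=none, partial pct, no reporting address) and simulates the receiver's DMARC step, which looks up the record of the From domain, not of the brand being imitated. The records and the tiny DNS table are constructed; the organizational-domain logic is approximated as the last two labels (real receivers use the Public Suffix List), and a single authenticated domain stands in for the SPF/DKIM result.

```python
"""Added example, not from the report: assess a DMARC record and show why an enforcing
policy on the real domain does not touch mail from an attacker-owned lookalike domain."""
from typing import Dict, List


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> List[str]:
    """Return the weaknesses an analyst would flag in a domain's own DMARC record."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none")
    if policy == "none":
        issues.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua: aggregate reports are not collected, so abuse goes unseen")
    if policy != "none" and tags.get("sp", policy) == "none":
        issues.append("sp=none: subdomains can still be spoofed")
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        issues.append("relaxed alignment: any subdomain of the organizational domain aligns")
    return issues


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption; PSL in practice)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_aligned(header_from: str, authenticated: str, mode: str = "r") -> bool:
    """Does the RFC 5322 From domain align with the SPF/DKIM-authenticated domain?"""
    header_from, authenticated = header_from.lower(), authenticated.lower()
    if mode == "s":
        return header_from == authenticated
    return org_domain(header_from) == org_domain(authenticated)


def receiver_decision(header_from: str, authenticated: str, dns: Dict[str, str]) -> str:
    """Simulate the receiver: fetch the From domain's DMARC record and apply its policy."""
    from_domain = header_from.rsplit("@", 1)[-1].lower()
    record = dns.get(from_domain) or dns.get(org_domain(from_domain))
    if record is None:
        return "deliver (no DMARC record)"
    tags = parse_dmarc(record)
    mode = "s" if tags.get("aspf", "r") == "s" else "r"
    if dmarc_aligned(from_domain, authenticated, mode):
        return "deliver (DMARC pass)"
    outcomes = {"reject": "reject", "quarantine": "quarantine"}
    return outcomes.get(tags.get("p", "none"), "deliver (p=none, reported only)")


# Constructed records: the weak default many domains ship with, and a hardened one.
WEAK_RECORD = "v=DMARC1; p=none"
HARDENED_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@cloudstorage.com; adkim=s; aspf=s; pct=100"

# Constructed DNS table: the attacker publishes a perfectly valid record for the lookalike.
DNS = {"cloudstorage.com": HARDENED_RECORD, "cloudstorag3.com": "v=DMARC1; p=reject"}

if __name__ == "__main__":
    print("weak record issues:", assess_dmarc(WEAK_RECORD))
    print("hardened record issues:", assess_dmarc(HARDENED_RECORD))
    print("genuine mail:", receiver_decision("billing@cloudstorage.com", "cloudstorage.com", DNS))
    print("exact spoof:", receiver_decision("billing@cloudstorage.com", "attacker.example", DNS))
    print("lookalike:", receiver_decision("support@cloudstorag3.com", "cloudstorag3.com", DNS))
```

The exact-domain spoof is rejected by the hardened record, but the lookalike passes cleanly because the receiver evaluates cloudstorag3.com's record against cloudstorag3.com's signature. That gap is what the lookalike-domain filtering and user-facing URL checks in the other recommendations have to close.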
Reference Links
The report contains 23 connected elements and is recorded with a confidence level of 100 and source reliability A ("completely reliable" on the Admiralty scale used by the platform). Its revoked status is false, meaning it remains active. No external links are reproduced here. Analysts should incorporate the findings into their threat models and share them with relevant stakeholders to improve defenses against this emerging threat.