Abuse of Google Cloud Run in LATAM-focused malware campaigns

Since September 2023, Cisco Talos has observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSI files) that function as droppers or downloaders for the final malware payload. We have observed evidence that the distribution campaigns for these malware families are related, with Astaroth and Mekotio being distributed under the same Google Cloud Project.
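The chain described above (phishing email, link to a Cloud Run-hosted file, MSI dropper) lends itself to a simple mail-gateway triage rule. The following is an added example, not Talos tooling and not code from the campaigns described; it assumes that mail bodies are available as plain text, that Cloud Run services are reachable under the default `.run.app` domain, and it uses a few constructed sample messages with placeholder hostnames rather than any indicator from the report.

```python
import re
from urllib.parse import urlparse

# Assumption: Cloud Run services are served under Google's default
# run.app domain. Placeholder-only; no hostnames from the report are used.
CLOUD_RUN_SUFFIX = ".run.app"
# File extensions the page's infection chain relies on (MSI droppers).
INSTALLER_EXTENSIONS = (".msi",)

# Plain URL matcher; trailing sentence punctuation is stripped afterwards.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
TRAILING_PUNCT = ".,;:)!?"


def extract_urls(text):
    """Return every http(s) URL in a text body, minus trailing punctuation."""
    return [m.group(0).rstrip(TRAILING_PUNCT) for m in URL_RE.finditer(text)]


def is_cloud_run_url(url):
    """True when the URL's host is a subdomain of run.app."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(CLOUD_RUN_SUFFIX)


def is_installer_url(url):
    """True when the URL path ends in an installer extension such as .msi."""
    path = urlparse(url).path.lower()
    return path.endswith(INSTALLER_EXTENSIONS)


def classify_url(url):
    """Map a URL to a severity: 'high' for a Cloud Run-hosted installer,
    'medium' for any other Cloud Run link, None when nothing matches."""
    cloud_run = is_cloud_run_url(url)
    installer = is_installer_url(url)
    if cloud_run and installer:
        return "high"
    if cloud_run:
        return "medium"
    return None


def scan_messages(messages):
    """Scan a list of {'id', 'from', 'body'} dicts and return one finding
    per suspicious URL, suitable for feeding into a SIEM or quarantine rule."""
    findings = []
    for msg in messages:
        for url in extract_urls(msg["body"]):
            severity = classify_url(url)
            if severity is None:
                continue
            findings.append({
                "message_id": msg["id"],
                "sender": msg["from"],
                "url": url,
                "host": urlparse(url).hostname,
                "installer": is_installer_url(url),
                "severity": severity,
            })
    return findings


# Constructed sample messages (hostnames are placeholders, not real indicators).
SAMPLE_MESSAGES = [
    {"id": "msg-1", "from": "billing@example.invalid",
     "body": "Your invoice is ready: https://invoice-svc-abc123-uc.a.run.app/Factura.msi. Review it today."},
    {"id": "msg-2", "from": "newsletter@example.invalid",
     "body": "Read the latest update at https://www.example.invalid/news"},
    {"id": "msg-3", "from": "hr@example.invalid",
     "body": "Download the form: https://forms-xyz.a.run.app/form.pdf"},
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding["severity"], finding["message_id"], finding["url"])
```

The suffix check uses the parsed hostname rather than a substring search, so a lookalike such as `run.app.example.invalid` is not matched; in production the rule would be one signal among several (sender reputation, attachment type, URL reputation) rather than a block on its own, since legitimate applications are also hosted on Cloud Run.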