Cloud complexity meets malware
Analysts warn that cloud complexity is outpacing security as distributed AI stacks multiply services like vector stores, object storage and model gateways. Separately, researchers report phishing campaigns are using Google Cloud Storage to host malware payloads and bypass email filters, illustrating a concrete abuse of trusted cloud hosting.
Cloud security teams are losing ground as companies bolt artificial intelligence tools onto already crowded cloud setups, while attackers hide malware on the same trusted platforms businesses use every day. (techradar.com)

A cloud stack is the bundle of online services a company runs instead of a single in-house server. Artificial intelligence projects add more pieces to that bundle, including object storage for files, model gateways that route requests to different models, and vector databases that store data as number patterns for search and retrieval. (techradar.com)

TechRadar reported that enterprises are struggling to extract value from “rapidly growing complexity” in cloud environments as those systems spread across multiple providers, tools, and teams. Google Cloud’s Threat Horizons report, published in March 2026, said the cloud threat landscape is “rapidly shifting” and that the gap between a vulnerability becoming public and active exploitation shrank from weeks to days in the second half of 2025. (techradar.com, cloud.google.com)

Google Cloud said identity compromise underpinned 83% of compromises it analyzed, and it pointed to unpatched third-party software and permissive firewall rules as common entry points. The same report said attackers are also using “living-off-the-cloud” techniques, which means abusing normal cloud features after getting access instead of deploying obviously malicious infrastructure. (cloud.google.com)

That shift shows up in malware delivery too. Google’s H2 2025 Threat Horizons report said attackers used legitimate cloud storage services from multiple providers to deliver decoy files and then pull down additional malicious payloads in the background. (services.google.com)

Google’s own security documentation says abuse cases on its platform include malware, unwanted software, and phishing, and says the company notifies affected customers when it becomes aware of abusive activity. The documentation also tells customers to review abuse logs, rotate compromised credentials, and remove unauthorized resources. (docs.cloud.google.com)

Remote access malware such as Remcos has long been distributed through phishing campaigns that rely on trusted services to look less suspicious. Microsoft said in an April 3, 2025 report on tax-themed phishing that attackers abused legitimate file-hosting services and business profile pages to evade detection while delivering malware including Remcos. (microsoft.com)

Remcos, short for Remote Control and Surveillance, is a remote access Trojan that can give an attacker control of a Windows machine. Trend Micro said the tool is marketed as legitimate remote administration software but is widely used in malicious campaigns, and Microsoft noted that the Cybersecurity and Infrastructure Security Agency listed it among top malware strains in 2021. (trendmicro.com, microsoft.com)

The basic problem is that trust signals have flipped. A link pointing to a major cloud provider or a file stored in a mainstream bucket can pass through filters and reassure users even when the final payload is malicious. (services.google.com, microsoft.com)

As companies add more cloud services for artificial intelligence, they are also adding more identities, permissions, storage locations, and internet-facing paths to monitor. The result brings the story full circle: more cloud complexity for defenders, and more trusted cloud cover for attackers. (techradar.com, cloud.google.com)