Phishing Campaigns Deliver Remcos RAT via Obfuscated Scripts and Trusted Services
Researchers reported multiple Remcos RAT campaigns using phishing emails and trusted infrastructure to infect victims while evading detection. In one intrusion chain, a ZIP attachment named MV MERKET COOPER SPECIFICATION.zip delivered an obfuscated JavaScript file that fetched a PowerShell loader from almacensantangel[.]com; the loader then reconstructed and decrypted payloads in memory, including ALTERNATE.dll and Cqeqpvzeia.exe. The malware injected into the legitimate Microsoft .NET utility aspnet_compiler.exe, communicated with 192[.]3[.]27[.]141:8087, and stored captured keystrokes and other data in C:\ProgramData\remcos\logs.dat, leaving few disk artifacts.
A separate campaign used phishing emails that linked to a fake Google Drive sharing page hosted through Google Cloud Storage and the trusted googleapis.com domain, helping the attack bypass email and web filtering. After user interaction, the infection chain used staged JavaScript redirects or downloads, followed by VBScript or PowerShell execution to retrieve the final Remcos payload, which was then injected into a legitimate Windows process through process hollowing, persisted via Windows Registry entries, and opened encrypted command-and-control channels. The activity underscores how attackers are combining living-off-the-land techniques, trusted cloud services, obfuscated scripting, and legitimate Windows binaries to deploy Remcos for surveillance and data theft.
Timeline
Apr 20, 2026
Researchers detail purchase-order Remcos RAT phishing chain
Hornetsecurity documented a Remcos RAT phishing campaign using purchase-order themed emails and a double-extension archive attachment. The infection chain executed VBS via wscript.exe, launched hidden PowerShell to fetch a fake PNG from nrmlogistics.ro, reconstructed a .NET payload in memory, and communicated with dentalux202.ydns.eu at 94.198.96.165.
Apr 9, 2026
Researchers identify Google Cloud Storage-themed Remcos phishing campaign
Researchers identified a separate multi-stage phishing campaign that abused Google Cloud Storage and the trusted googleapis.com domain to deliver Remcos RAT worldwide. The attack used fake Google Drive-sharing pages, staged script-based delivery, process hollowing, Registry persistence, and encrypted command-and-control communications.
Apr 2, 2026
Researchers document obfuscated Remcos RAT phishing campaign
Point Wild’s LAT61 Threat Intelligence Team described a multi-stage Remcos RAT campaign delivered through a phishing email with a ZIP attachment containing obfuscated JavaScript. The infection chain used a PowerShell loader, reconstructed payloads in memory, injected into aspnet_compiler.exe, and communicated with a command-and-control server at 192.3.27.141:8087 while storing stolen data in C:\ProgramData\remcos\logs.dat.
Mar 12, 2026
Breakglass documents four-stage Remcos RAT campaign with exposed staging servers
Breakglass Intelligence reported a four-stage Remcos RAT campaign using business-themed lures such as a JavaScript file named "Purchase Inquiry _.js" to launch PowerShell, decrypt a payload with rotational XOR, load DEV.dll, and hollow aspnet_compiler.exe. The analysis linked 10 related builds over three weeks, identified JS, HTA, and XLS delivery variants, and found exposed operator infrastructure including a live XAMPP staging server and RDP-accessible C2.
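The summary above and the timeline entries below it describe the same telemetry-level chain from different vendors: a script host (wscript.exe running a .js or .vbs lure) spawning hidden PowerShell, a payload reconstructed in memory and hollowed into aspnet_compiler.exe, that process talking to the C2 and writing keystrokes to C:\ProgramData\remcos\logs.dat, and a Registry entry for persistence. The following is an added example of how a hunter would turn those observations into rules and run them over endpoint events; it is not code from any of the cited reports. The event field names mimic Sysmon process-create, network, file-create and registry-set events, the sample events are constructed (pids, the user name, the SID, the Run value name and the benign noise are made up; the IOCs follow the page), and RegAsm/RegSvcs are added beyond the page as further .NET helpers that never need a socket.

```python
"""Hunting rules for the Remcos chains above, run over constructed sample events."""
import ntpath
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set, Tuple

Event = Dict[str, object]
Finding = Tuple[int, str, str]  # (event index, rule name, detail)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# aspnet_compiler.exe is the hollowing target named in the reports; RegAsm and
# RegSvcs are added here as other .NET helpers that never need a network socket.
NO_NETWORK_DOTNET = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe"}

HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:nc(?:odedcommand)?)?\s"
                       r"|-nop(?:rofile)?\b|-e(?:xecutionpolicy|p)\s+bypass", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Public)\\", re.I)
REMCOS_LOG = re.compile(r"\\remcos\\logs\.dat$", re.I)  # path from the Point Wild report

# Constructed Sysmon-like telemetry (process create / network / file / registry).
# Pids, user, SID and the benign events are invented; IOCs follow the page.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS: List[Event] = [
    {"event": "process_create", "pid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Purchase Inquiry _.js"'},
    {"event": "process_create", "pid": 4188, "image": PS,
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass '
                r'-Command "IEX((New-Object Net.WebClient).DownloadString($u))"'},
    {"event": "network_connect", "pid": 5204, "image": ASPNET,
     "dest_ip": "192.3.27.141", "dest_port": 8087},
    {"event": "file_create", "pid": 5204, "image": ASPNET,
     "target": r"C:\ProgramData\remcos\logs.dat"},
    {"event": "registry_set", "pid": 5204, "image": ASPNET,
     "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\remcos",
     "data": r"C:\Users\jdoe\AppData\Roaming\remcos\remcos.exe"},
    # benign noise that must not fire
    {"event": "process_create", "pid": 6000, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Temp"},
    {"event": "network_connect", "pid": 6100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "142.250.72.14", "dest_port": 443},
    {"event": "registry_set", "pid": 6200, "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]


def base(p: object) -> str:
    return ntpath.basename(str(p)).lower()


def r_script_host_spawns_hidden_shell(ev: Event) -> Optional[str]:
    # wscript/cscript/mshta launching a hidden, encoded or policy-bypassing PowerShell
    if ev["event"] == "process_create" and base(ev["parent_image"]) in SCRIPT_HOSTS \
            and base(ev["image"]) in SHELLS and HIDDEN_PS.search(str(ev["cmdline"])):
        return f"{base(ev['parent_image'])} -> {ev['cmdline']}"
    return None


def r_dotnet_utility_network(ev: Event) -> Optional[str]:
    # a build-time .NET utility (the hollowing target) opening an outbound socket
    if ev["event"] == "network_connect" and base(ev["image"]) in NO_NETWORK_DOTNET:
        return f"{base(ev['image'])} -> {ev['dest_ip']}:{ev['dest_port']}"
    return None


def r_remcos_keylog_file(ev: Event) -> Optional[str]:
    # keystroke log written at the path reported for this campaign
    if ev["event"] == "file_create" and REMCOS_LOG.search(str(ev["target"])):
        return str(ev["target"])
    return None


def r_run_key_to_user_writable(ev: Event) -> Optional[str]:
    # Run/RunOnce value whose data points into a user-writable directory
    if ev["event"] == "registry_set" and RUN_KEY.search(str(ev["key"])) \
            and USER_WRITABLE.search(str(ev["data"])):
        return f"{ev['key']} = {ev['data']}"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    r_script_host_spawns_hidden_shell, r_dotnet_utility_network,
    r_remcos_keylog_file, r_run_key_to_user_writable,
]


def evaluate(events: List[Event]) -> List[Finding]:
    """Run every rule over every event; one finding per (event, rule) hit."""
    out: List[Finding] = []
    for i, ev in enumerate(events):
        for rule in RULES:
            detail = rule(ev)
            if detail:
                out.append((i, rule.__name__, detail))
    return out


def escalate(events: List[Event], findings: List[Finding]) -> Dict[int, List[str]]:
    """Pids that trip two or more distinct rules: the injected host process, not a one-off."""
    by_pid: Dict[int, Set[str]] = defaultdict(set)
    for idx, name, _ in findings:
        by_pid[int(events[idx]["pid"])].add(name)
    return {pid: sorted(names) for pid, names in by_pid.items() if len(names) >= 2}


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for idx, name, detail in hits:
        print(f"[{idx}] {name}: {detail}")
    print("escalate:", escalate(SAMPLE_EVENTS, hits))
```

The single-event rules are deliberately loose (a hidden PowerShell from wscript.exe will also catch some admin scripts), so the pid-level correlation in `escalate` is what turns them into an alert: in the sample, the hollowed aspnet_compiler.exe process is the only pid that makes a network connection, writes the keystroke log and sets a Run value, which is the combination the reports describe. Treat any network connection from aspnet_compiler.exe as worth a look on its own; it is a build utility and has no reason to reach 192.3.27.141:8087 or anywhere else.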
Related Stories

Multiple RAT Delivery Campaigns Using Phishing and Trojanized Software
Security researchers reported several unrelated **remote access trojan (RAT)** delivery campaigns using different initial access vectors and lures. Seqrite Labs described “**Operation Covert Access**,” a spear‑phishing operation targeting Argentina’s judiciary with a ZIP attachment containing a convincing court-resolution decoy; execution is triggered by a malicious `LNK` masquerading as a PDF, which launches hidden PowerShell to fetch additional stages from a GitHub repository, culminating in a custom **Rust-based RAT** that attempts to blend in by renaming itself (e.g., `msedge_proxy.exe`). Separately, AhnLab Security Intelligence Center reported South Korea-focused activity distributing **RemcosRAT** through illegal online gambling-related tools and trojanized *VeraCrypt* installers, using embedded malicious VBS scripts and a multi-stage chain that ultimately deploys a RAT capable of surveillance and data theft (e.g., keylogging, screenshot/webcam/mic capture, credential/data harvesting). Another campaign documented by ReliaQuest abused **LinkedIn private messages** to deliver a bundled legitimate application alongside a malicious DLL for **DLL sideloading**, enabling RAT deployment under the guise of a trusted process; the reporting emphasized that social platforms can serve as effective phishing channels beyond email and that the technique is portable to other commonly used business messaging platforms.
1 month ago
Malware Delivery via Deceptive Lures: Malvertising, Fake Recruitment Repos, and Phishing Dropping RATs
Multiple reports detail **social-engineering-driven malware delivery** that results in **remote access trojans (RATs)** and credential theft. Infoblox described taking over abandoned threat-actor domains whose DNS delegations were misconfigured (the “**Sitting Ducks**”/lame name server delegation condition), which placed it inside an affiliate push-notification ad network and let it collect **~57M logs** over two weeks, with visibility into widespread **scams and brand impersonation** delivered via push ads. Nextron Systems separately reported recurring **malvertising** chains in which “free converter” tools (e.g., document/image converters) downloaded from ads on legitimate sites work as advertised while covertly installing **persistent RATs**; a common artifact is the Windows **Mark-of-the-Web** stream (`ZoneId=3`) recording the file's internet origin. Other activity in the set uses different initial-access lures but reaches the same outcome: RAT-style access and data theft. Fortinet analyzed a **phishing** campaign using a fake Vietnam shipping document: a Word attachment leads to an RTF stage that exploits an RTF-related vulnerability, then uses **VBScript/PowerShell** to load a **fileless .NET module**, which downloads and injects a **Remcos** variant (including process hollowing) to provide full remote control. Separately, reporting on North Korea's **“Contagious Interview”** campaign described fake recruiter outreach (e.g., via LinkedIn) that tricks developers into opening malicious code repositories; execution can be triggered via a hidden **VS Code `tasks` configuration**, server-side logic hooks, or a malicious npm dependency to steal credentials/crypto wallets and establish persistence. That operation is thematically similar (social engineering leading to remote access) but distinct from the malvertising/push-ad and Remcos phishing activity.
1 month ago
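The Mark-of-the-Web artifact mentioned in the malvertising story above is an NTFS alternate data stream named `Zone.Identifier` with an INI-style body, and `ZoneId=3` is the Internet zone. The following is an added triage helper, not code from Nextron or any other report on this page: it parses that stream body, maps the zone to its Windows URLZONE name, and pulls out the `HostUrl`/`ReferrerUrl` fields that record where the download came from. The two sample streams are constructed (the `.example` URLs and file name are invented); `read_motw` only works on an NTFS volume on Windows.

```python
"""Triage of Windows Mark-of-the-Web (Zone.Identifier) streams."""
from typing import Dict, Optional

# URLZONE values used by Windows; 3 (Internet) is the one SmartScreen and
# Office protected view react to.
URLZONE = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
           3: "Internet", 4: "RestrictedSites"}


def parse_zone_identifier(text: str) -> Optional[Dict[str, str]]:
    """Parse the INI-style stream body; None unless [ZoneTransfer] carries a ZoneId."""
    section: Optional[str] = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields if "ZoneId" in fields else None


def triage(text: str) -> Dict[str, object]:
    """Summarise a stream body: is the file marked, from which zone, and from where."""
    fields = parse_zone_identifier(text)
    if fields is None:
        return {"marked": False, "zone": None, "zone_name": None,
                "from_internet": False, "host_url": None, "referrer_url": None}
    zone = int(fields["ZoneId"]) if fields["ZoneId"].isdigit() else None
    return {"marked": True, "zone": zone, "zone_name": URLZONE.get(zone, "Unknown"),
            "from_internet": zone == 3, "host_url": fields.get("HostUrl"),
            "referrer_url": fields.get("ReferrerUrl")}


def read_motw(path: str) -> Optional[Dict[str, object]]:
    """Read the stream off a real file (Windows/NTFS only); None when it is absent."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return triage(fh.read())
    except OSError:
        return None


# Constructed sample streams (not from the reports): a "free converter" installer
# saved by a browser, and a file copied from an intranet share.
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://converter.example/\r\n"
                   "HostUrl=https://cdn.example/FreeConverter-Setup.exe\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for name, body in (("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET)):
        print(name, triage(body))
```

During triage the `HostUrl` is usually the more useful field, since it names the actual download URL rather than the page the user was on. Absence of the stream is not evidence of local origin: some archive extractors and mounted disk images do not propagate it, and a RAT that has already run can simply delete the stream from its own dropper.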
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
1 month ago