PowerShell-Based Loader Deploys Remcos RAT in New Fileless Attack

A stealthy fileless malware attack leveraging PowerShell to deploy Remcos RAT has been observed bypassing traditional antivirus systems by operating entirely in memory, avoiding any obvious traces on disk.
The campaign, uncovered by the Qualys Threat Research Unit (TRU), begins with a ZIP archive containing a deceptive LNK file, disguised as a legitimate document.
Once executed, this file uses MSHTA.exe to launch an obfuscated VBScript, initiating a chain of events that includes:
- Bypassing Windows Defender
- Altering registry settings for persistence
- Dropping multiple payloads into the public user directory
Among these payloads is a heavily obfuscated PowerShell script named 24.ps1, which builds a shellcode loader and executes a 32-bit variant of Remcos RAT directly in memory using Win32 APIs.
Advanced Memory Injection and Evasion
Remcos is deployed using custom shellcode that walks the Process Environment Block (PEB) to resolve API addresses dynamically. This technique allows it to evade static analysis and detection tools by avoiding hardcoded imports.
Once active, Remcos establishes a TLS connection to a command-and-control (C2) server at readysteaurants[.]com, maintaining a persistent channel for data exfiltration and control.
The malware features multiple modules for command execution, keylogging, webcam access and clipboard theft. It also leverages UAC bypass techniques, process hollowing into svchost.exe, and uses anti-debugging methods to thwart analysis.
Features of Remcos V6.0.0 Pro
The latest version of Remcos includes enhancements that bolster its effectiveness:
- Group view for managing infected hosts
- Unique UID for each instance
- Privilege level display
- Public IP visibility
- Improved idle-time tracking
Configuration data, stored in encrypted form within the binary, includes server addresses, operational flags and keylogging settings. Notably, it logs keystrokes and browser data, targeting files like logins.json and key3.db.
“Remcos RAT is a stealthy, PowerShell-based malware that uses advanced evasion techniques to avoid detection. It operates in memory, making it hard to catch with security tools. This highlights the importance of monitoring LNK files, MSHTA abuse, registry changes, and unusual PowerShell activity,” Qualys warned.
“To stay protected, ensure PowerShell logging, AMSI monitoring and strong EDR solutions are in place. Early detection is key to stopping threats like Remcos.”
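As an added illustration (not code from the article or from Qualys), the following Python detector applies the monitoring advice above to constructed Sysmon-style process-creation events covering the LNK, MSHTA and PowerShell stages of the chain. The event field names, the PowerShell flags and the placeholder script-host command line are assumptions; the 24.ps1 script dropped under the public user directory is the detail the article gives.

```python
import re

# Constructed sample events (Sysmon-style fields; not real telemetry).
# Events 101 and 102 model the article's chain: LNK double-click -> mshta.exe
# running an obfuscated VBScript -> PowerShell executing C:\Users\Public\24.ps1.
# Event 103 is a benign-looking baseline: mshta.exe launched by an installer.
SAMPLE_EVENTS = [
    {"pid": 100, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"pid": 101, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     # Placeholder: the real VBScript body is obfuscated and not shown on the page.
     "CommandLine": 'mshta.exe vbscript:Execute("...obfuscated VBScript body omitted...")'},
    {"pid": 102, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -File C:\Users\Public\24.ps1"},
    {"pid": 103, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Vendor\Installer.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Scripts executed from the public user directory, where the article says payloads are dropped.
PUBLIC_SCRIPT = re.compile(r'c:\\users\\public\\[^\s"]+\.ps1', re.I)
# Hidden window or execution-policy bypass switches (assumed flags, common in loaders).
HIDDEN_OR_BYPASS = re.compile(r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)?\s+bypass)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return (pid, rule) findings for the LNK -> MSHTA -> PowerShell pattern."""
    findings = []
    for ev in events:
        img, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
        if img == "mshta.exe" and parent == "explorer.exe":
            findings.append((ev["pid"], "mshta.exe launched from explorer (LNK double-click pattern)"))
        if img == "mshta.exe" and re.search(r"\b(vbscript|javascript):", cmd, re.I):
            findings.append((ev["pid"], "mshta.exe executing inline script via protocol handler"))
        if img in ("powershell.exe", "pwsh.exe") and parent in SCRIPT_HOSTS:
            findings.append((ev["pid"], f"PowerShell spawned by script host {parent}"))
        if img in ("powershell.exe", "pwsh.exe") and HIDDEN_OR_BYPASS.search(cmd):
            findings.append((ev["pid"], "PowerShell with hidden window or execution-policy bypass"))
        if PUBLIC_SCRIPT.search(cmd):
            findings.append((ev["pid"], "script executed from C:\\Users\\Public"))
    return findings
```

Correlating the findings by pid and parent/child relationship, rather than alerting on any single rule, keeps the benign installer-launched mshta.exe (event 103) out of the alert queue.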