Cybersecurity Alert: Fileless Remcos RAT Attack Evades Antivirus with Stealth PowerShell Tactics


Introduction:

A new wave of cyberattacks has surfaced, using a stealthy and highly sophisticated form of malware that manages to bypass even the most robust antivirus systems. Leveraging PowerShell scripts and operating entirely in memory, this attack does not leave behind any traditional files that security systems typically scan. This method, often referred to as a “fileless” attack, is currently being used to deploy Remcos RAT — a remote access trojan with powerful surveillance and control capabilities. The campaign was exposed by the Qualys Threat Research Unit (TRU), and it represents a sharp reminder of the ever-evolving tactics employed by cybercriminals.

Inside the Attack: How It Works

This advanced fileless malware campaign starts with a ZIP archive that contains a disguised LNK file posing as a legitimate document. When the user opens this shortcut file, it uses MSHTA.exe to execute an obfuscated VBScript, setting off a chain of malicious activities.

The script first disables Windows Defender protections and tweaks registry settings to ensure persistence across system reboots. It then drops various payloads into the public user directory, including a heavily obfuscated PowerShell script labeled 24.ps1. This script doesn’t rely on disk-stored executables — instead, it builds a shellcode loader that deploys the 32-bit Remcos RAT directly into system memory using Windows API functions.

Remcos employs advanced evasion techniques, such as navigating the Process Environment Block (PEB) to resolve API addresses on the fly. This helps it avoid static analysis tools that look for hardcoded functions. Once the RAT is fully operational, it connects to its command-and-control (C2) server at readysteaurants[.]com through a secure TLS tunnel, which allows for real-time data exfiltration and remote command execution.

Remcos isn’t just watching — it’s fully capable of spying through webcams, recording keystrokes, stealing clipboard data, and running commands. It achieves all this while dodging detection via UAC bypass, process hollowing into svchost.exe, and robust anti-debugging techniques.

The most recent version, Remcos v6.0.0 Pro, brings additional enhancements such as a grouped host view, individual UID assignments for infected machines, visibility into privilege levels, public IP tracking, and improved idle-time analysis. The malware’s configuration is stored encrypted within the binary and includes specifics like keylogger settings and target files, notably logins.json and key3.db.

Qualys emphasized the danger of this technique and urged organizations to monitor LNK files, MSHTA executions, registry edits, and abnormal PowerShell usage. Security teams should implement PowerShell logging, AMSI (Antimalware Scan Interface) monitoring, and robust EDR (Endpoint Detection and Response) systems to counter such threats.

What Undercode Say:

This attack exemplifies the next generation of malware: highly evasive, memory-resident, and invisible to legacy antivirus tools. A fileless deployment of a RAT like Remcos is not just stealthy — it is insidious. By skipping file-based payloads and living off the land, it turns native Windows tools against the system itself. That is what makes it such a potent threat.

The deployment method is particularly noteworthy. A LNK file disguised as a document is a clever piece of social engineering, exploiting user trust in familiar-looking file types. From there, the chain involving MSHTA.exe and obfuscated VBScript is a clear signal that attackers are relying on underused system components to slip through unnoticed.

PowerShell, while a legitimate admin tool, is increasingly weaponized. In this campaign, the attackers used 24.ps1 not just as a script but as a memory-only malware loader. This is important — it means no .exe is written to disk, which would normally trigger antivirus alerts.

The memory injection method using the PEB to dynamically resolve API functions is a textbook evasion tactic. This avoids hardcoded API imports that static scanners might catch, giving Remcos a greater chance of surviving in its target environment undetected.

Remcos itself is a robust RAT with wide capabilities. The latest version’s inclusion of host grouping, UID tagging, and privilege monitoring shows its use as a large-scale command-and-control infrastructure tool, not just a one-off spy tool. The use of encrypted configuration, targeting of browser login files, and capability for real-time surveillance reflect an operator who knows how to extract long-term value from an infection.

Most concerning is the fact that traditional antivirus tools barely register this threat, if at all. Fileless threats require behavioral detection and real-time memory analysis — something only advanced EDR or XDR platforms can truly handle. Unfortunately, many businesses still rely on signature-based antivirus solutions.

Security teams must respond by adopting layered defenses. Monitoring PowerShell activity, especially when scripts are run from suspicious paths or involve base64 encoding, is critical. Registry audits, AMSI hooks, and endpoint detection rules focused on LNK and MSHTA abuse must be in place.
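As an added example (not code from the article or from the Qualys report), the following Python triages process-creation records for the indicators listed above: mshta.exe launched from Explorer, PowerShell run from C:\Users\Public or with an encoded command, PowerShell spawned by mshta.exe, and registry writes to Run keys or Defender settings. The event fields mimic Sysmon Event ID 1, and every sample command line is a constructed assumption, not captured telemetry.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # created process image path
    cmdline: str  # full command line of the created process

# Constructed sample events (not real telemetry) following the chain the article describes.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" C:\Users\Public\readme.hta'),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\reg.exe",
              r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "<placeholder>"'),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -w hidden -File C:\Users\Public\24.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="),   # constructed base64 blob
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),                 # benign admin use
]

PUBLIC_DIR = re.compile(r"\\users\\public\\", re.I)                       # script run from C:\Users\Public
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)  # -enc <base64>
REG_TARGETS = re.compile(r"windows defender|currentversion\\run", re.I)     # persistence / Defender keys

def triage(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is suspicious (empty list when none apply)."""
    name = ev.image.lower().rsplit("\\", 1)[-1]
    reasons = []
    if name == "mshta.exe":
        reasons.append("mshta execution")
        if ev.parent.lower().endswith("explorer.exe"):
            reasons.append("mshta launched from Explorer (LNK double-click pattern)")
    if name in ("powershell.exe", "pwsh.exe"):
        if PUBLIC_DIR.search(ev.cmdline):
            reasons.append("powershell script from C:\\Users\\Public")
        if ENCODED.search(ev.cmdline):
            reasons.append("powershell encoded command")
        if ev.parent.lower().endswith("mshta.exe"):
            reasons.append("powershell spawned by mshta")
    if name in ("reg.exe", "powershell.exe") and REG_TARGETS.search(ev.cmdline):
        reasons.append("registry write to Run key or Defender settings")
    return reasons

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map the index of each flagged event to its reasons; clean events are omitted."""
    return {i: triage(e) for i, e in enumerate(events) if triage(e)}
```

Feeding real Sysmon or PowerShell 4104 script-block events through `triage` only requires mapping their ParentImage, Image and CommandLine fields onto `ProcEvent`.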

The takeaway: we are in the age of invisible malware. Your systems might be infected and you wouldn’t know it until data starts leaking. Detection now means watching behavior, not files.

Fact Checker Results ✅

🔍 Fileless attacks like this one do operate entirely in memory, avoiding file-based detection.

🛡️ Remcos RAT is a well-documented malware strain with keylogging and surveillance features.

📂 The use of PowerShell and MSHTA is a confirmed method of bypassing standard security layers.

Prediction:

Given the advanced evasion capabilities of this attack, similar campaigns are likely to increase, especially targeting enterprises with weak PowerShell and script execution policies. Expect to see attackers incorporate AI-driven reconnaissance and even more sophisticated memory-resident payloads in future iterations. Organizations must prioritize real-time threat detection and move away from purely signature-based defense strategies. This is just the beginning of a growing wave of invisible cyber threats.

References:

Reported By: www.infosecurity-magazine.com