Remcos RAT Returns: How Hackers Abuse Google Cloud and Microsoft Tools to Evade Detection

Listen to this Post

Featured Image

Introduction: A New Layer of Deception in Modern Phishing

Cybercriminals are no longer relying on crude tricks or suspicious domains to compromise systems. Instead, they are blending into trusted digital ecosystems, making their attacks harder to detect and even harder to stop. A newly uncovered phishing campaign demonstrates just how sophisticated these operations have become. By leveraging legitimate cloud infrastructure and native system tools, attackers are quietly deploying one of the most notorious remote access trojans, Remcos RAT, while staying under the radar of traditional security defenses.

This campaign is not just another phishing attempt. It represents a strategic evolution in cyberattacks, where trust itself becomes the weapon. From deceptive Google Drive lures to stealthy in-memory execution, every step is carefully designed to bypass detection and maintain persistence.

Summary of the Original Report

Security researchers have identified a highly evasive phishing campaign that uses trusted cloud infrastructure to deliver the Remcos Remote Access Trojan. Instead of relying on suspicious or newly created domains, attackers host malicious HTML pages on Google Cloud Storage. This approach allows them to bypass traditional reputation-based security filters, as the infrastructure itself is considered safe and legitimate.

The attack begins with a phishing lure disguised as a Google Drive file. Victims are tricked into interacting with the file, often leading them to unknowingly provide sensitive credentials. Once engaged, the infection process unfolds through a multi-stage chain designed to avoid detection at every step.

The first stage involves a JavaScript file acting as a Windows Script Host launcher. This script includes time-based evasion techniques, allowing it to avoid detection in automated sandbox environments. It then transitions into a Visual Basic Script, which downloads additional components and executes them silently in the background.

The second stage of the attack ensures persistence. Files are copied into the %APPDATA%\WindowsUpdate directory, and the malware establishes itself in the Windows Startup folder. This guarantees that the malicious code will execute every time the system boots.

A PowerShell script is then used to orchestrate the next phase, pulling down obfuscated payloads required for the attack. These payloads are not immediately recognizable as malware, adding another layer of stealth.

An obfuscated executable acts as a staging mechanism for the final payload. At this point, a .NET loader hosted externally is downloaded and executed directly in system memory. This reduces the footprint on disk and minimizes detection by traditional antivirus tools.

One of the most dangerous elements of this campaign is its use of legitimate Microsoft binaries. Attackers exploit RegSvcs.exe, a signed and trusted .NET binary native to Windows. Because this file is legitimate, it passes file-reputation checks and avoids raising suspicion during security analysis.

Instead of placing a malicious executable on disk, attackers copy this trusted binary into a temporary directory and use process hollowing to inject the Remcos RAT into its memory space. This creates a partially fileless infection, making it extremely difficult to detect.

From the system’s perspective, everything appears normal. The binary is legitimate, and its behavior does not immediately trigger alarms. However, in reality, the embedded Remcos RAT is actively communicating with its command-and-control server.

Researchers emphasize that traditional security measures, such as file reputation checks, are no longer sufficient. Detecting such threats requires behavioral analysis, advanced sandboxing, and monitoring of unusual system activities. Indicators like unexpected script execution, abnormal network connections, and suspicious memory behavior are critical for identifying these attacks.

Organizations are advised to rely on threat intelligence platforms and continuously monitor indicators of compromise to improve detection and response capabilities.

What Undercode Say:

The Shift Toward Trusted Infrastructure Abuse

Attackers are no longer building their own infrastructure from scratch. Instead, they are hijacking trust by using well-known platforms. This shift dramatically reduces friction in the attack chain because security systems are less likely to flag activity coming from reputable sources.

Why Google Cloud Storage Changes the Game

Hosting malicious content on a trusted cloud provider eliminates one of the biggest red flags in phishing campaigns: suspicious domains. This makes traditional URL filtering far less effective and forces defenders to rethink how they evaluate trust.

Multi-Stage Attacks Are Now the Standard

The layered infection chain is not accidental. Each stage serves a specific purpose, from evasion to persistence. Breaking the attack into smaller steps makes it harder for security tools to detect the full picture.

Time-Based Evasion Is a Silent Killer

Delaying execution is a clever way to bypass automated analysis systems. Many sandboxes only observe behavior for a limited time. By waiting, the malware effectively “outlives” the detection window.

Living Off the Land Is the New Normal

Using native tools like PowerShell and legitimate Windows binaries allows attackers to blend in with normal system operations. This tactic, often called “living off the land,” reduces the need for custom malware and lowers detection rates.

Process Hollowing Remains Highly Effective

Injecting malicious code into a trusted process is one of the most powerful evasion techniques. It allows malware to operate under the identity of a legitimate application, making detection significantly harder.

Fileless Techniques Are Becoming Dominant

By executing payloads directly in memory, attackers avoid leaving artifacts on disk. This not only complicates forensic analysis but also bypasses many traditional antivirus solutions.

Why Signature-Based Detection Is Failing

This campaign highlights the limitations of relying on known malware signatures. Since much of the attack uses legitimate tools and obfuscated code, there is little for signature-based systems to latch onto.

Behavioral Detection Is No Longer Optional

Security teams must shift their focus toward behavior rather than static indicators. Monitoring anomalies such as unusual script execution or unexpected network traffic is key to identifying modern threats.

SOC Teams Must Evolve Rapidly

Security Operations Centers can no longer depend on traditional alerts alone. They need advanced analytics, real-time monitoring, and threat intelligence integration to stay ahead.

The Human Factor Still Matters

Despite all the technical sophistication, the attack still begins with a phishing lure. This underscores the importance of user awareness and training in preventing initial compromise.

Attackers Are Optimizing for Stealth Over Speed

Modern campaigns prioritize remaining undetected for longer periods rather than executing quickly. This allows attackers to gather more data and maintain control over compromised systems.

Threat Intelligence Is a Critical Defense Layer

Tracking indicators of compromise and correlating them across systems can significantly improve detection rates. Intelligence-driven defense is becoming essential.

Cloud Trust Is Being Exploited

Organizations often assume that cloud-hosted content is safe. This campaign challenges that assumption and highlights the need for deeper inspection of cloud-based resources.

The Future of Malware Is Hybrid

Combining file-based, fileless, and living-off-the-land techniques creates highly resilient attack chains. This hybrid approach is likely to become the standard in future campaigns.

Fact Checker Results

✅ The campaign’s use of trusted cloud infrastructure aligns with modern phishing trends observed in recent threat reports.
✅ Process hollowing and fileless execution are well-documented techniques used to evade detection.
❌ Relying solely on file reputation systems is insufficient against advanced multi-stage attacks.

Prediction

🔮 Attacks leveraging trusted platforms will increase significantly, making traditional domain-based filtering nearly obsolete.
🔮 Fileless malware techniques will dominate future campaigns as attackers prioritize stealth and persistence.
🔮 Security solutions will shift heavily toward AI-driven behavioral analysis to keep up with evolving threats.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon