Phishing Campaigns Deliver Remcos RAT via Obfuscated Scripts and Trusted Services
Researchers reported multiple Remcos RAT campaigns using phishing emails and trusted infrastructure to infect victims while evading detection. In one intrusion chain, a ZIP attachment named MV MERKET COOPER SPECIFICATION.zip delivered an obfuscated JavaScript file that fetched a PowerShell loader from almacensantangel[.]com; the loader then reconstructed and decrypted payloads in memory, including ALTERNATE.dll and Cqeqpvzeia.exe. The malware injected into the legitimate Microsoft .NET utility aspnet_compiler.exe, communicated with 192[.]3[.]27[.]141:8087, and stored captured keystrokes and other data in C:\ProgramData\remcos\logs.dat, leaving few disk artifacts.
A separate campaign used phishing emails that linked to a fake Google Drive sharing page hosted through Google Cloud Storage and the trusted googleapis.com domain, helping the attack bypass email and web filtering. After user interaction, the infection chain used staged JavaScript redirects or downloads, followed by VBScript or PowerShell execution to retrieve the final Remcos payload, which was then injected into a legitimate Windows process through process hollowing, persisted via Windows Registry entries, and opened encrypted command-and-control channels. The activity underscores how attackers are combining living-off-the-land techniques, trusted cloud services, obfuscated scripting, and legitimate Windows binaries to deploy Remcos for surveillance and data theft.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers detail purchase-order Remcos RAT phishing chain
Hornetsecurity documented a Remcos RAT phishing campaign using purchase-order themed emails and a double-extension archive attachment. The infection chain executed VBS via wscript.exe, launched hidden PowerShell to fetch a fake PNG from nrmlogistics.ro, reconstructed a .NET payload in memory, and communicated with dentalux202.ydns.eu at 94.198.96.165.
Researchers identify Google Cloud Storage-themed Remcos phishing campaign
Researchers identified a separate multi-stage phishing campaign that abused Google Cloud Storage and the trusted googleapis.com domain to deliver Remcos RAT worldwide. The attack used fake Google Drive-sharing pages, staged script-based delivery, process hollowing, Registry persistence, and encrypted command-and-control communications.
Researchers document obfuscated Remcos RAT phishing campaign
Point Wild’s LAT61 Threat Intelligence Team described a multi-stage Remcos RAT campaign delivered through a phishing email with a ZIP attachment containing obfuscated JavaScript. The infection chain used a PowerShell loader, reconstructed payloads in memory, injected into aspnet_compiler.exe, and communicated with a command-and-control server at 192.3.27.141:8087 while storing stolen data in C:\ProgramData\remcos\logs.dat.
Breakglass documents four-stage Remcos RAT campaign with exposed staging servers
Breakglass Intelligence reported a four-stage Remcos RAT campaign using business-themed lures such as a JavaScript file named "Purchase Inquiry _.js" to launch PowerShell, decrypt a payload with rotational XOR, load DEV.dll, and hollow aspnet_compiler.exe. The analysis linked 10 related builds over three weeks, identified JS, HTA, and XLS delivery variants, and found exposed operator infrastructure including a live XAMPP staging server and RDP-accessible C2.
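The summary above and the four timeline entries describe the same stage sequence: a script host launching hidden PowerShell, PowerShell spawning aspnet_compiler.exe, the hollowed binary beaconing to C2, and a keystroke log written under C:\ProgramData\remcos. The following is an added detection example, not code from any of the cited reports; the event schema, rule names and the Sysmon-style sample records are assumptions constructed for illustration.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # VBS / JS first stage
SHELLS = {"powershell.exe", "pwsh.exe"}             # loader stage
LOLBIN_TARGETS = {"aspnet_compiler.exe"}            # reported injection target
REMCOS_LOG_DIR = r"c:\programdata\remcos"          # reported keylog location

def _base(path):
    return ntpath.basename(path or "").lower()

def evaluate(event: dict) -> list[str]:
    """Return the names of every rule a single event matches."""
    hits, kind = [], event.get("type")
    image, parent = _base(event.get("image")), _base(event.get("parent"))
    if kind == "process":
        cmd = (event.get("cmdline") or "").lower()
        if parent in SCRIPT_HOSTS and image in SHELLS:
            hits.append("script_host_spawns_powershell")
            if "-w hidden" in cmd or "-windowstyle hidden" in cmd:
                hits.append("hidden_powershell_window")
        if parent in SHELLS and image in LOLBIN_TARGETS:
            hits.append("powershell_spawns_aspnet_compiler")
    elif kind == "network" and image in LOLBIN_TARGETS:
        # A genuine aspnet_compiler.exe has no reason to open sockets; a hollowed one beaconing to C2 does.
        hits.append("aspnet_compiler_network_connection")
    elif kind == "file":
        if (event.get("target") or "").lower().startswith(REMCOS_LOG_DIR):
            hits.append("remcos_log_file_written")
    return hits

def detect_chain(events: list[dict]) -> dict[str, list[int]]:
    """Map each rule name to the ids of the events that triggered it."""
    findings: dict[str, list[int]] = {}
    for ev in events:
        for rule in evaluate(ev):
            findings.setdefault(rule, []).append(ev["id"])
    return findings

# Constructed (hypothetical) sample telemetry modelled on the reported chain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": 'wscript.exe "Purchase Inquiry _.js"'},
    {"id": 2, "type": "process", "parent": r"C:\Windows\System32\wscript.exe",
     "image": PS, "cmdline": "powershell.exe -w hidden -nop -c <stage-2 placeholder>"},
    {"id": 3, "type": "process", "parent": PS, "image": ASPNET, "cmdline": "aspnet_compiler.exe"},
    {"id": 4, "type": "network", "image": ASPNET, "dst": "192.3.27.141", "dport": 8087},
    {"id": 5, "type": "file", "image": ASPNET, "target": r"C:\ProgramData\remcos\logs.dat"},
]
```

Running `detect_chain(SAMPLE_EVENTS)` yields one hit per stage; in production the same rules map directly onto Sysmon event IDs 1 (process create), 3 (network connect) and 11 (file create).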
Sources
Remcos RAT: Full attack chain of the phishing campaign (hornetsecurity.com)
Google Cloud Storage weaponized for clandestine Remcos RAT delivery | brief | SC Media (scworld.com)
New Phishing Attack Via Google Storage Deploys Remcos RAT (cybersecuritynews.com)
Remcos RAT Infection Chain Hides Behind Obfuscated Scripts and Trusted Windows Binaries (cybersecuritynews.com)
RemcosRAT Four-Stage JavaScript Dropper: Rotational XOR, Process Hollowing, and a Staging Server the Operator Forgot to Lock - Breakglass Intelligence (intel.breakglass.tech)