Fileless Multi-Stage Remcos RAT Campaign Uses Phishing for Memory-Resident Execution
Trellix researchers reported a multi-stage, fileless Remcos RAT infection chain that begins with phishing and culminates in memory-resident execution, reducing on-disk artifacts and complicating detection. The campaign uses staged delivery and in-memory techniques to deploy Remcos RAT, a remote access trojan commonly used for surveillance, credential theft, and hands-on-keyboard follow-on activity.
The reported intrusion flow highlights how attackers are combining phishing-based initial access with fileless execution to evade traditional defenses that rely on file scanning and static indicators. For defenders, the activity underscores the need to prioritize behavioral detection across email, process execution, script interpreters, and memory telemetry, especially for attack chains that move from user interaction to stealthy in-memory payload deployment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
G Data details Remcos RAT variant using DonutLoader shellcode
G Data analysts disclosed a phishing campaign delivering a new Remcos RAT variant that uses SyncAppvPublishingServer.vbs, cloud-hosted payload retrieval, and DonutLoader shellcode to launch the malware in memory. The report highlighted a shift from managed .NET execution toward a more portable runtime-independent delivery model and noted possible AI-assisted script refinement.
Trellix publishes analysis of fileless multi-stage Remcos RAT campaign
Trellix published research describing a phishing-delivered, multi-stage Remcos RAT infection chain that executes filelessly and remains memory-resident. The reference does not provide earlier dated milestones, so the publication date is the only concrete event available from the source provided.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Deliver Remcos RAT via Obfuscated Scripts and Trusted Services
Researchers reported multiple **Remcos RAT** campaigns using phishing emails and trusted infrastructure to infect victims while evading detection. In one intrusion chain, a ZIP attachment named `MV MERKET COOPER SPECIFICATION.zip` delivered an obfuscated JavaScript file that fetched a PowerShell loader from `almacensantangel[.]com`; the loader then reconstructed and decrypted payloads in memory, including `ALTERNATE.dll` and `Cqeqpvzeia.exe`. The malware injected into the legitimate Microsoft .NET utility `aspnet_compiler.exe`, communicated with `192[.]3[.]27[.]141:8087`, and stored captured keystrokes and other data in `C:\ProgramData\remcos\logs.dat`, leaving few disk artifacts. A separate campaign used phishing emails that linked to a fake Google Drive sharing page hosted through **Google Cloud Storage** and the trusted `googleapis.com` domain, helping the attack bypass email and web filtering. After user interaction, the infection chain used staged JavaScript redirects or downloads, followed by VBScript or PowerShell execution to retrieve the final Remcos payload, which was then injected into a legitimate Windows process through **process hollowing**, persisted via Windows Registry entries, and opened encrypted command-and-control channels. The activity underscores how attackers are combining living-off-the-land techniques, trusted cloud services, obfuscated scripting, and legitimate Windows binaries to deploy Remcos for surveillance and data theft.
Apr 25, 2026
Multiple RAT Delivery Campaigns Using Phishing and Trojanized Software
Security researchers reported several unrelated **remote access trojan (RAT)** delivery campaigns using different initial access vectors and lures. Seqrite Labs described “**Operation Covert Access**,” a spear‑phishing operation targeting Argentina’s judiciary with a ZIP attachment containing a convincing court-resolution decoy; execution is triggered by a malicious `LNK` masquerading as a PDF, which launches hidden PowerShell to fetch additional stages from a GitHub repository, culminating in a custom **Rust-based RAT** that attempts to blend in by renaming itself (e.g., `msedge_proxy.exe`). Separately, AhnLab Security Intelligence Center reported South Korea-focused activity distributing **RemcosRAT** through illegal online gambling-related tools and trojanized *VeraCrypt* installers, using embedded malicious VBS scripts and a multi-stage chain that ultimately deploys a RAT capable of surveillance and data theft (e.g., keylogging, screenshot/webcam/mic capture, credential/data harvesting). Another campaign documented by ReliaQuest abused **LinkedIn private messages** to deliver a bundled legitimate application alongside a malicious DLL for **DLL sideloading**, enabling RAT deployment under the guise of a trusted process; the reporting emphasized that social platforms can serve as effective phishing channels beyond email and that the technique is portable to other commonly used business messaging platforms.
Mar 21, 2026
Shadow#Reactor Multi-Stage Windows Malware Delivers Remcos RAT via Text-Based Payload Fragments
Security researchers reported a **multi-stage Windows malware campaign dubbed Shadow#Reactor (SHADOW#REACTOR)** that uses a VBScript launcher and **PowerShell** to retrieve **fragmented, text-only payloads** from remote infrastructure, then reconstructs and executes them to ultimately deploy **Remcos RAT**. The infection chain relies on user interaction (e.g., phishing/social-engineering lures or compromised web resources) to execute an obfuscated `.vbs` file via Windows Script Host, after which staged PowerShell downloaders pull encoded payload pieces that are stored as plain text to reduce the likelihood of traditional binary-based detections. Securonix analysis (as reported in both trade and vendor writeups) describes a modular handoff between stages, including obfuscation layers, base64 decoding patterns, and integrity/size checks to ensure successful reassembly of the final components. The technique emphasizes **living-off-the-land** execution and flexible staging (allowing attackers to update individual stages independently), with reconstruction activity leveraging legitimate tooling (e.g., **MSBuild** noted in reporting) before in-memory decoding and retrieval of the final Remcos payload; defenders should treat unusual chains of `wscript.exe`/`cscript.exe` spawning PowerShell and subsequent staged text retrieval/reassembly as high-signal behavior for investigation.
Mar 21, 2026