VHDX-Based ZIP Campaign Delivers Remcos RAT via JavaScript, PowerShell, and .NET Loader
A malicious ZIP archive has been observed delivering Remcos RAT through a multi-stage infection chain that starts with a VHDX disk image instead of a more common document or executable. When opened on modern Windows systems, the embedded VHDX auto-mounts and exposes an obfuscated JavaScript file, Partnerschaft_fur_neue_Angebotsanfrage.js, suggesting possible targeting of German-speaking users. Researchers said the use of a mountable virtual disk reduces user friction and helps the malware bypass some first-line security controls; the ZIP sample was identified with SHA-256 a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094.
The JavaScript launches PowerShell through WMI to make process relationships less suspicious, after which additional PowerShell stages use string pollution, selective character extraction, Base64 decoding, and XOR decryption with the key Identificational. The chain then retrieves follow-on payloads from cembusconfort[.]ro, uses a reflective .NET loader and shellcode to fetch the final malware, injects it into backgroundTaskHost.exe, and establishes persistence with an HKCU Run key that re-executes the PowerShell loader. The final payload communicates with animal342[.]duckdns[.]org:53552, and multiple stages reportedly showed weak antivirus detection, including the JavaScript sample, which had only 5/57 detections on VirusTotal.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
SANS ISC documents VHDX-based Remcos RAT delivery chain
A SANS Internet Storm Center diary described a malicious ZIP archive that used a VHDX disk image to deliver Remcos RAT through JavaScript, PowerShell, a reflective .NET loader, and shellcode. The report also published technical details including the likely German-language lure, persistence via an HKCU Run key, and C2 infrastructure at animal342[.]duckdns[.]org:53552.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Deliver Remcos RAT via Obfuscated Scripts and Trusted Services
Researchers reported multiple **Remcos RAT** campaigns using phishing emails and trusted infrastructure to infect victims while evading detection. In one intrusion chain, a ZIP attachment named `MV MERKET COOPER SPECIFICATION.zip` delivered an obfuscated JavaScript file that fetched a PowerShell loader from `almacensantangel[.]com`; the loader then reconstructed and decrypted payloads in memory, including `ALTERNATE.dll` and `Cqeqpvzeia.exe`. The malware injected into the legitimate Microsoft .NET utility `aspnet_compiler.exe`, communicated with `192[.]3[.]27[.]141:8087`, and stored captured keystrokes and other data in `C:\ProgramData\remcos\logs.dat`, leaving few disk artifacts. A separate campaign used phishing emails that linked to a fake Google Drive sharing page hosted through **Google Cloud Storage** and the trusted `googleapis.com` domain, helping the attack bypass email and web filtering. After user interaction, the infection chain used staged JavaScript redirects or downloads, followed by VBScript or PowerShell execution to retrieve the final Remcos payload, which was then injected into a legitimate Windows process through **process hollowing**, persisted via Windows Registry entries, and opened encrypted command-and-control channels. The activity underscores how attackers are combining living-off-the-land techniques, trusted cloud services, obfuscated scripting, and legitimate Windows binaries to deploy Remcos for surveillance and data theft.
Apr 25, 2026
Open Directory Malware Framework Delivers Remcos, XWorm and PNG-Embedded Loaders
LevelBlue SpiderLabs traced a multi-stage malware campaign to attacker-controlled open directories on `news4me[.]xyz` after SentinelOne quarantined a suspicious `Name_File.vbs` file on a compromised endpoint. The initial VBS launcher was heavily obfuscated with Unicode tricks and decoded a Base64 PowerShell command that fetched a seemingly benign PNG from Internet Archive, extracted an embedded .NET assembly dubbed `PhantomVAI`, and executed it directly in memory via `Reflection.Assembly::Load`, leaving little on disk. `PhantomVAI` then pulled additional components from the same infrastructure, including an obfuscated **Remcos RAT** payload and a PNG carrying a UAC bypass DLL for privilege escalation. Researchers said the same infrastructure exposed a broader reusable malware framework with multiple delivery paths and rotating payloads. Open directories hosted additional obfuscated VBS files, **XWorm** variants, **ScorpioRAT**, and a separate `/invoice/` infection chain that used a fake PDF ZIP, Internet Shortcut files, WebDAV, batch scripts, Cloudflare-backed domains, and Python-based payloads identified as **Kramer** malware. The campaign used nontraditional staging formats including `PNG`, `TXT`, `ZIP`, and shortcut-style files to support modular delivery, prompting recommendations to restrict VBS and BAT execution from user-writable directories, enforce constrained PowerShell with in-memory execution logging, and block WebDAV and suspicious `.xyz` domains tied to the operation.
Mar 26, 2026
Shadow#Reactor Multi-Stage Windows Malware Delivers Remcos RAT via Text-Based Payload Fragments
Security researchers reported a **multi-stage Windows malware campaign dubbed Shadow#Reactor (SHADOW#REACTOR)** that uses a VBScript launcher and **PowerShell** to retrieve **fragmented, text-only payloads** from remote infrastructure, then reconstructs and executes them to ultimately deploy **Remcos RAT**. The infection chain relies on user interaction (e.g., phishing/social-engineering lures or compromised web resources) to execute an obfuscated `.vbs` file via Windows Script Host, after which staged PowerShell downloaders pull encoded payload pieces that are stored as plain text to reduce the likelihood of traditional binary-based detections. Securonix analysis (as reported in both trade and vendor writeups) describes a modular handoff between stages, including obfuscation layers, base64 decoding patterns, and integrity/size checks to ensure successful reassembly of the final components. The technique emphasizes **living-off-the-land** execution and flexible staging (allowing attackers to update individual stages independently), with reconstruction activity leveraging legitimate tooling (e.g., **MSBuild** noted in reporting) before in-memory decoding and retrieval of the final Remcos payload; defenders should treat unusual chains of `wscript.exe`/`cscript.exe` spawning PowerShell and subsequent staged text retrieval/reassembly as high-signal behavior for investigation.
Mar 21, 2026