The Qualys Threat Research Unit (TRU) has discovered a new PowerShell-based shellcode loader, designed to load and execute a variant of Remcos RAT.
The attack begins with malicious .LNK files embedded in ZIP archives, often disguised as Office documents. When opened, these shortcuts trigger mshta.exe to execute an obfuscated HTA file.
This file contains VBScript that bypasses Windows Defender, downloads additional payloads (including a PowerShell script), and configures the system for persistence by modifying registry keys and setting the PowerShell execution policy to Bypass. Payloads are saved in the C:\Users\Public\ directory and are designed to run silently at system startup.
Stealth, Evasion Capabilities
The core PowerShell script, named 24.ps1, is heavily obfuscated. It deconstructs base64-encoded strings to reassemble two main components in memory: a shellcode loader and the Remcos executable.
It uses low-level Windows API functions like VirtualAlloc() and CallWindowProcW() to allocate memory and execute code without writing any executable files to disk. The shellcode dynamically walks through the Process Environment Block (PEB) to resolve Windows API addresses, further enhancing its stealth and evasion capabilities.
The embedded Remcos RAT payload is a 32-bit executable compiled with Visual Studio and designed to run completely in memory. It uses process hollowing to inject itself into system processes like svchost.exe and performs a series of anti-analysis checks to detect debugging environments. For persistence, it sets registry entries, creates a mutex (“Rmc-7SY4AX”), and employs a “watchdog” thread to restart itself if terminated. It also attempts to bypass User Account Control (UAC) using COM-based elevation techniques.
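The loader described above rebuilds an executable from base64 literals and hands it to VirtualAlloc()/CallWindowProcW(), so one useful detection input is the script text itself (PowerShell script block logging captures it even when nothing touches disk). The following Python scanner is an added example, not Qualys's tooling or the campaign's code: it pulls base64 literals out of a script, decodes them, checks whether the result carries a PE header (MZ stub plus a PE signature at e_lfanew), and pairs that with the presence of the loader APIs the article names. The sample script and the 68-byte fake "PE" it embeds are constructed for the example and are not functional.

```python
import base64
import re
import struct

# Constructed stand-in for an embedded executable: "MZ" at offset 0, e_lfanew at
# 0x3C pointing to 0x40, and the "PE\0\0" signature there. Nothing else is valid.
def _fake_pe() -> bytes:
    hdr = bytearray(b"\x00" * 0x40 + b"PE\x00\x00")
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr)

PAYLOAD_B64 = base64.b64encode(_fake_pe()).decode()

# Constructed script shaped like the loader the article describes: a base64
# literal decoded in memory and references to the APIs used to run it. The API
# names appear only as strings; this is not a working loader.
SAMPLE_SCRIPT = (
    "$buf = [Convert]::FromBase64String('" + PAYLOAD_B64 + "');\n"
    "$apis = 'VirtualAlloc','CallWindowProcW';\n"
)

BENIGN_SCRIPT = (
    "$cfg = [Convert]::FromBase64String('eyJyZXRyaWVzIjozLCJ0aW1lb3V0Ijo2MCwibW9kZSI6ImJhY2t1cCJ9');\n"
    "Write-Output $cfg\n"
)

# Quoted base64 runs of 40+ characters; shorter ones are too noisy to decode.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
LOADER_APIS = ("VirtualAlloc", "CallWindowProcW", "FromBase64String")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_script(text: str) -> dict:
    """Decode every base64 literal and report embedded PEs plus loader API use."""
    findings = {
        "apis": [api for api in LOADER_APIS if api in text],
        "blobs": 0,
        "embedded_pe": 0,
    }
    for match in B64_LITERAL.finditer(text):
        findings["blobs"] += 1
        try:
            data = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(data):
            findings["embedded_pe"] += 1
    # A decoded executable next to memory-allocation / callback APIs is the
    # combination worth escalating; base64 on its own is routine in scripts.
    findings["suspicious"] = (
        findings["embedded_pe"] > 0 and "VirtualAlloc" in findings["apis"]
    )
    return findings


if __name__ == "__main__":
    print(scan_script(SAMPLE_SCRIPT))
    print(scan_script(BENIGN_SCRIPT))
```

In production the same logic runs over Windows PowerShell event 4104 (script block) messages; real loaders often split or reverse the literals before decoding, so a scanner should also try concatenating adjacent fragments before giving up on a blob.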
Launching Surveillance Modules
Once active, Remcos connects to a command-and-control (C2) server at readystearants[.]com over a TLS-encrypted channel (port 2025). It receives and executes commands to collect system information, list running processes, access the registry, perform file operations, and remotely control the victim machine. It launches surveillance modules for keylogging, clipboard monitoring, screen capture, webcam and microphone access, and gathers browser data (including saved credentials and cookies) from Chrome, Firefox, and Internet Explorer directories.
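The chain laid out in the paragraphs above (LNK opened from a ZIP, mshta.exe, an HTA that sets the execution policy to Bypass and drops into C:\Users\Public, a PowerShell loader, then a hollowed svchost.exe talking to the C2 on port 2025) is easier to catch as a correlation of telemetry than by any single signature. The Python below is an added example, not part of the Qualys analysis: it runs a handful of rules over Sysmon-style process, registry and network events and reports which stages were observed. The events, PIDs, user name and HTA file name are constructed; the registry key for the current-user execution policy, the C2 hostname (kept defanged as the article prints it) and the port come from the page.

```python
import re

# Constructed Sysmon-style events modelling the described chain. Only the
# registry key name, the C2 host and the port are taken from the article.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1200, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "process", "pid": 3100, "ppid": 1200,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\Invoice.hta"'},
    {"kind": "process", "pid": 3180, "ppid": 3100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep Bypass -w hidden -f C:\Users\Public\24.ps1"},
    {"kind": "registry", "pid": 3100,
     "key": r"HKCU\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy",
     "data": "Bypass"},
    {"kind": "registry", "pid": 3100,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\Public\24.ps1"},
    {"kind": "network", "pid": 4400, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "readystearants.com", "dest_port": 2025},
]

# Constructed benign activity: an admin running a script from a normal location.
BENIGN_EVENTS = [
    {"kind": "process", "pid": 1200, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "process", "pid": 2000, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

C2_HOSTS = {"readystearants[.]com"}  # as printed in the article (defanged)
C2_PORT = 2025
PUBLIC_DIR = r"c:\users\public"
EXEC_POLICY_KEY_SUFFIX = r"\shellids\microsoft.powershell\executionpolicy"
BYPASS_FLAG = re.compile(r"-e(xecutionpolicy|xec|p)\s+bypass")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _refang(host: str) -> str:
    return host.replace("[.]", ".").lower()


def correlate(events: list) -> list:
    """Return the chain stages observed, in the order the events arrived."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    hits = []

    def parent_name(e):
        parent = procs.get(e.get("ppid"))
        return _basename(parent["image"]) if parent else ""

    for e in events:
        if e["kind"] == "process":
            name, cmd = _basename(e["image"]), e["cmdline"].lower()
            # Stage 1: explorer.exe (user double-clicked the LNK) -> mshta.exe <file>.hta
            if name == "mshta.exe" and ".hta" in cmd and parent_name(e) == "explorer.exe":
                hits.append("lnk_to_mshta")
            if name in ("powershell.exe", "pwsh.exe"):
                # Stage 2: the HTA hands off to PowerShell, with policy bypass on the
                # command line and the script living in the Public directory.
                if parent_name(e) == "mshta.exe":
                    hits.append("mshta_spawns_powershell")
                if BYPASS_FLAG.search(cmd):
                    hits.append("execpolicy_bypass_cmdline")
                if PUBLIC_DIR in cmd:
                    hits.append("script_from_public_dir")
        elif e["kind"] == "registry":
            key, data = e["key"].lower(), str(e.get("data", "")).lower()
            # Stage 3: persistence via the execution-policy value and a Run key
            if key.endswith(EXEC_POLICY_KEY_SUFFIX) and data == "bypass":
                hits.append("execpolicy_bypass_registry")
            if "\\currentversion\\run\\" in key and PUBLIC_DIR in data:
                hits.append("run_key_public_dir")
        elif e["kind"] == "network":
            # Stage 4: C2 on the known host, or on the uncommon port from any process
            host = _refang(e.get("dest_host", ""))
            if host in {_refang(h) for h in C2_HOSTS} or e.get("dest_port") == C2_PORT:
                hits.append("remcos_c2_connection")
    return hits


def is_remcos_chain(hits: list) -> bool:
    """Escalate when execution, persistence and C2 stages are all present."""
    persistence = {"execpolicy_bypass_registry", "run_key_public_dir"}
    return ("mshta_spawns_powershell" in hits
            and bool(persistence & set(hits))
            and "remcos_c2_connection" in hits)


if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS)
    print(hits, is_remcos_chain(hits))
```

The port-only network rule is deliberately loose and will need tuning per environment; the value of the approach is that the verdict requires several stages to line up, so a lone execution-policy change by an administrator does not page anyone.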
The analyzed version (Remcos v6.0.0 Pro) includes several enhancements. These features include “Group View” to organize infected machines, unique agent identifiers (UIDs), privilege level display, public IP tracking, and improved idle time and geolocation accuracy. It also adds operational controls for attackers to manage large-scale infections more efficiently.
A Shift from Previous Methods
The attackers behind Remcos are evolving their tactics, says Xiaopeng Zhang, IPS Analyst and Security Researcher with Fortinet’s FortiGuard Labs. “Instead of exploiting the CVE-2017-0199 vulnerability through malicious Excel attachments, they now use deceptive LNK files disguised with PDF icons to lure victims into executing a malicious HTA file.”
PowerShell continues to play a role in the campaign, Zhang continues. “However, the latest variant adopts a fileless approach—using PowerShell to parse and execute Remcos directly in memory via the CallWindowProc() API. This marks a shift from previous methods, where Remcos was downloaded as a file before execution.”
Strategic, Not Technical
Jason Soroko, Senior Fellow at Sectigo, says the novel twist in this story is strategic, not technical. “This loader re-frames Remcos as an ephemeral plug-in rather than a resident implant. By shifting every stage of the tool-chain into transient memory and dissolving the loader itself once the session ends, the operators make forensic artifacts nearly as disposable as the lure ZIP. That approach dovetails with the emerging ‘single-use C2’ model we have started to see in commodity stealer campaigns. The adversary spins up infrastructure, extracts value, and tears it all down before defenders can snapshot volatile memory. Remcos is being treated less like a long-term RAT and more like a just-in-time microservice, rented for minutes rather than months.”
The Compliance Irony
Soroko says the second under-appreciated angle is the compliance irony. “Tax season forces enterprises to relax their tightest content-filtering rules so employees can exchange government templates, PDF forms, and yes, zipped LNK shortcuts that many payroll systems still ship by default. Attackers are exploiting that mandated soft spot.”
He says the very policies intended to keep auditors happy become the opening gambit for a fileless breach. “As regulators (from the SEC in the U.S. to OSFI in Canada) demand faster incident reporting, defenders are caught in a bind. They are permissioning finance workflows while proving ‘reasonable’ controls against exactly this sort of LNK-to-PowerShell chain. The real story, then, is less about a clever loader and more about how seasonal business processes and regulatory checklists quietly re-shape an organisation’s attack surface in ways its EDR dashboards rarely quantify.”
Evading Traditional Measures
The rise of PowerShell-based attacks like the new Remcos RAT variant demonstrates how threat actors are evolving to evade traditional security measures, comments J Stephen Kowski, Field CTO at SlashNext.
“This fileless malware operates directly in memory, using LNK files and MSHTA.exe to execute obfuscated PowerShell scripts that can bypass conventional defenses. Advanced email security that can detect and block malicious LNK attachments before they reach users is crucial, as is real-time scanning of PowerShell commands for suspicious behaviors. Organizations need multi-layered protection that combines email security, endpoint monitoring, and behavioral analysis to effectively combat these sophisticated memory-resident threats.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.