Hashtag
#RemcosRAT
Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure
This investigation details a multi-stage, reusable malware delivery framework that used obfuscated VBS launchers, a fileless PowerShell loader, PNG-embedded .NET loaders (PhantomVAI), and openly hosted directories to stage and deliver multiple payload families. The campaign delivered and rotated payloads including Remcos RAT and XWorm variants from attacker-controlled infrastructure such as news4me[.]xyz and Cloudflare-backed hosts, enabling additional infection paths via a weaponized “PDF” and batch scripts #PhantomVAI #RemcosRAT

A multi-vector malware campaign employed obfuscated VBS launchers, fileless PowerShell, and PNG-embedded .NET loaders (PhantomVAI), rotating payloads like Remcos RAT and XWorm via open hosting and weaponized PDFs. #PhantomVAI #RemcosRAT

XWorm 7.1 and Remcos RAT Attacks Abuse Windows Tools to Evade Detection
New XWorm 7.1 and Remcos RAT campaigns abuse trusted Windows tools to evade detection. The attacks exploit a WinRAR flaw and use process hollowing to spy on victims.

New XWorm 7.1 and Remcos RAT campaigns are abusing trusted #Windows utilities and memory-based execution to evade detection. The campaign also exploits a #WinRAR vulnerability to gain initial access.

Read: hackread.com/xworm-7-1-re...

#CyberSecurity #Malware #XWorm #RemcosRAT

New XWorm 7.1 and Remcos RAT campaigns are abusing trusted #Windows utilities and memory-based execution to evade detection. The campaign also exploits a #WinRAR vulnerability to gain initial access.

Read: mashread.com/xworm-7-1-re...

#PotatoSecurity #Malware #XWorm #RemcosRAT

Screenshot from an infected Windows host showing Remcos RAT and how it is persistent.

2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at www.malware-traffic-analysis.net/2026/01/06/i...

Cybercriminals are disguising Remcos RAT as VeraCrypt installers to steal user credentials. Stay vigilant and download software only from official sources. #CyberSecurity #MalwareAlert #RemcosRAT Link: thedailytechfeed.com/cybercrimina...

Fake Employee Reports Spread Guloader and Remcos RAT Malware

Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.

Read: hackread.com/fake-employe...

#Malware #Guloader #RemcosRAT #Phishing #CyberSecurity

Example of a legitimate but compromised site showing the SmartApeSG fake CAPTCHA page.

HTTPS URLs from the infection run.

Traffic from an infection filtered in Wireshark.

Remcos RAT infection persistent on an infected Windows host.

2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT, with #Remcos #RAT C2 server at 192.144.56[.]80. A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at www.malware-traffic-analysis.net/2026/01/06/i...

Cybersecurity alert: Over 150 active Remcos RAT C2 servers detected globally. Stay vigilant against this evolving threat. #CyberSecurity #RemcosRAT #ThreatDetection Link: thedailytechfeed.com/remcos-rat-t...

CERT-AGID analyzes the GLS phishing campaign that spreads Remcos RAT in Italy using the ClickFix technique and malicious attachments.

#CERTAgID #ClickFix #RemcosRAT
www.matricedigitale.it/2025/11/10/r...

A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode
A beginner-friendly tutorial on analyzing .NET malware teaches you how to use common tools, recognize techniques and understand ...

#Learning #Hub #Malware #.NET #IDA #Pro […]

[Original post on unit42.paloaltonetworks.com]

New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor

New malware campaign uses #Windows shortcut files to deliver the #REMCOS backdoor, giving attackers full control over victims' systems.

🔗 hackread.com/attack-windo...

#CyberSecurity #RemcosRAT #Malware #Phishing #InfoSec

Russian-aligned Hive0156 escalates cyber attacks on Ukrainian government and military, deploying Remcos RAT via sophisticated social engineering. #CyberSecurity #Hive0156 #Ukraine #RemcosRAT Link: thedailytechfeed.com/hive0156-int...

Fileless Remcos RAT Attack Evades Antivirus Using PowerShell Scripts

⚠️ Watch out for ZIP and shortcut files on #Windows as attackers are using fake PDF icons to trick users into installing #Remcos trojan and take over computers.

Read: hackread.com/fileless-rem...

#CyberSecurity #Windows #Malware #RemcosRAT

Screenshot of the email with the malicious attachment containing GuLoader for Remcos RAT

Traffic from the infection by GuLoader for Remcos RAT filtered in Wireshark. The Remcos RAT C2 server for HTTPS traffic over TCP port 9090 uses a self-signed certificate.

2025-03-24 (Monday): #GuLoader for #Remcos #RAT ( #RemcosRAT ) distributed through email - More info at github.com/malware-traf...

A #pcap of the #RemcosRAT infection traffic and the associated #malware files are available at malware-traffic-analysis.net/2025/03/10/i...

Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware
Fileless Remcos RAT spreads through Excel phishing, exploiting remote code flaws to steal data undetected.

Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called #RemcosRAT. #malware #phishing #CyberSecurity thehackernews.com/2024/11/cybe...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT
A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign Excel file that exploits CVE-2017-0199. By

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT
gbhackers.com/weaponized-e...
#Infosec #Security #Cybersecurity #CeptBiro #ExcelDocument #RemcosRAT

Hackers Employing Steganography Methods to Deliver Notorious RemcosRAT
Hackers are now using steganography techniques to distribute the notorious Remote Access Trojan (RAT) known as RemcosRAT.

Hackers Employing Steganography Methods To Deliver Notorious RemcosRAT
gbhackers.com/hackers-empl...
#Infosec #Security #Cybersecurity #CeptBiro #SteganographyMethods #Notorious #RemcosRAT

UAC-0184 Targets Ukrainian Entity in Finland with Remcos RAT | Cyware Hacker News
Morphisec found that the UAC-0184 threat actor used steganography to deliver the Remcos RAT via the IDAT Loader, targeting a Ukrainian entity in Finland. Learn more!

UAC-0184 Targets Ukrainian Entity in Finland with Remcos RAT
cyware.com/news/uac-018...
#Infosec #Security #Cybersecurity #CeptBiro #UAC0184 #UkrainianEntity #Finland #RemcosRAT

New IDAT loader version uses steganography to push Remcos RAT
A hacking group tracked as 'UAC-0184' was observed utilizing steganographic image files to deliver the Remcos remote access trojan (RAT) onto the systems of a Ukrainian entity operating in Finland.

New IDAT loader version uses steganography to push Remcos RAT
www.bleepingcomputer.com/news/securit...
#Infosec #Security #Cybersecurity #CeptBiro #IDAT #Steganography #RemcosRAT
