Kill chain of Remcos RAT | Image: K7 Security Labs
At a Glance
| Malware family | Remcos RAT (final payload), via a multi-stage .NET loader chain |
|---|---|
| Threat actor | Unattributed; Turkish-language decoy artifacts; loader-as-a-service |
| Targets / victims | Windows users in India (banking and tax-themed lures) |
| Delivery vector | Phishing email with an archive attachment posing as a GST debit note |
| Key capabilities | Keylogging, webcam/audio capture, browser credential theft, process hollowing |
| Source | K7 Security Labs |
TL;DR
K7 Security Labs found a phishing campaign that delivers Remcos RAT. A .NET loader hides its next stage steganographically inside a bitmap image, and the whole chain runs in memory, leaving few traces on disk.
Delivery
The attack starts with a phishing email carrying an archive attachment posing as a GST debit note. Inside sits a packed, unsigned .NET executable with a .com extension. To lower suspicion it masquerades as a brick-building game, while the malicious code runs quietly in the background. The sample also carries Turkish-language artifacts, which hint at the builder's origin, though K7 attributes the campaign to no group. Banking and tax lures such as NEFT, RTGS, and GST point to Indian targets.
Infection Chain
K7 spotted the campaign through routine telemetry monitoring. The initial executable hides its next stage inside an embedded image resource, which K7 describes as “a steganographic-style delivery technique to obscure malicious content.” The image's pixel color values store the bytes of a .NET loader, which is reconstructed and executed directly in memory, never touching disk. That first loader pulls a second loader into memory, and the second stage loads the Remcos RAT payload, again without writing it to disk. Finally, Remcos uses process hollowing to run inside a legitimate browser process.
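To make the steganographic step concrete, here is an added Python example; it is not K7's code and not the actual loader's format. It builds a small 24-bit BMP with a constructed PE header stub written straight into the pixel channel bytes, then recovers the bytes and fingerprints them. The encoding (raw payload bytes stored as B, G, R channel values in file order) is an assumption; K7 says only that pixel color values hold the loader bytes. The stub is constructed for the signature check and is not a loadable executable.

```python
"""Added example: hide bytes in a 24bpp BMP's pixel channels, extract them,
and check for an embedded PE image.  Encoding assumption (not from K7's
report): payload bytes are written directly into the B, G, R channel values.
The payload used here is a constructed PE header stub, not real malware."""
import struct
from typing import Optional

PIXEL_DATA_OFFSET = 14 + 40          # BITMAPFILEHEADER + BITMAPINFOHEADER


def build_bmp(payload: bytes, width: int) -> bytes:
    """Pack payload bytes into the channels of a 24bpp BMP (constructed test image).

    Each row is padded to a 4-byte boundary as the BMP format requires, so the
    extractor must skip that padding to recover the original byte stream."""
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    height = -(-len(payload) // row_bytes)            # ceil division
    padded = payload.ljust(height * row_bytes, b"\x00")
    rows = []
    for r in range(height):
        row = padded[r * row_bytes:(r + 1) * row_bytes]
        rows.append(row + b"\x00" * (stride - row_bytes))
    pixel_data = b"".join(rows)
    file_size = PIXEL_DATA_OFFSET + len(pixel_data)
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, PIXEL_DATA_OFFSET)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixel_data), 2835, 2835, 0, 0)
    return file_header + info_header + pixel_data


def extract_channel_bytes(bmp: bytes) -> bytes:
    """Recover the raw B,G,R channel bytes from a 24bpp BMP, dropping row padding.

    Reads the pixel-data offset and dimensions from the headers instead of
    assuming a fixed layout; rejects anything that is not 24bpp."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    (pixel_offset,) = struct.unpack_from("<I", bmp, 10)
    width, height = struct.unpack_from("<ii", bmp, 18)
    (bpp,) = struct.unpack_from("<H", bmp, 28)
    if bpp != 24:
        raise ValueError(f"unsupported bit depth: {bpp}")
    height = abs(height)                              # negative height = top-down rows
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    out = bytearray()
    for r in range(height):
        start = pixel_offset + r * stride
        out += bmp[start:start + row_bytes]
    return bytes(out)


def find_pe_image(data: bytes) -> Optional[int]:
    """Return the offset of an embedded PE image in data, or None.

    A bare 'MZ' is a weak signal (it occurs in random data), so this also
    requires e_lfanew (DWORD at MZ+0x3C) to point at a 'PE\\0\\0' signature."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def make_pe_stub() -> bytes:
    """Constructed PE header stub: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40.
    Enough to satisfy the signature check; it is not a runnable executable."""
    stub = bytearray(0x44)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)


def demo() -> Optional[int]:
    """Round trip: hide the stub in a 5-pixel-wide BMP, then carve it back out.
    Width 5 gives 15-byte rows with one padding byte each, so the padding
    actually has to be handled."""
    bmp = build_bmp(make_pe_stub(), width=5)
    hidden = extract_channel_bytes(bmp)
    return find_pe_image(hidden)


if __name__ == "__main__":
    print("PE image found at channel-byte offset", demo())
```

The row padding is the practical lesson: running the PE check over the image file itself fails, because the padding bytes shift e_lfanew away from the "PE" signature, so a naive string or YARA scan of the resource would not see a valid PE even though one is there. Extract the channel bytes first, then fingerprint.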
What Remcos RAT Does
Persistence and stealth
Remcos copies itself into a hidden AppData folder and sets a Run registry key so it starts with Windows. Before acting, it checks for sandboxes and virtual machines. It then bypasses User Account Control to elevate its privileges, and it can wipe its own traces when needed.
Spying and theft
The RAT logs keystrokes and tracks the active window, records audio and webcam video, and steals credentials and cookies from Chrome and Firefox.
Command and Control
Stolen data is first written to a local log file and then sent to a hardcoded C2 server, which K7 traced to an address hosted in Sweden. A Remcos-specific mutex confirmed the payload family. K7 noted that keeping the loader stages off disk “reduces forensic evidence.”
A Loader for Hire
This steganographic loader is not tied to one payload. K7 found related samples dropping Agent Tesla, RedLine, Formbook, and others. The team said the setup shows “loader-as-a-service functionality; only the payload differs,” so the same delivery chain can serve many criminal customers.
How to Stay Protected
Treat unexpected GST or payment attachments with caution, and block or quarantine executables delivered under unusual or legacy extensions such as .com. Watch for processes that extract bytes from embedded image resources or load code reflectively in memory, since this chain never writes its later stages to disk. Keep email filtering and macro controls tight, and use endpoint tools that inspect behavior, not just files. For the full technical write-up, see the K7 Security Labs analysis.