
Attack Flow | Image: Qualys Threat Research Unit
In the latest threat intelligence from the Qualys Threat Research Unit (TRU), cybersecurity researchers have uncovered a highly stealthy malware campaign that leverages PowerShell to deploy Remcos RAT—a remote access trojan with full system control capabilities—without leaving traces on disk. This advanced intrusion method is designed to evade traditional antivirus and endpoint defenses.
“Cybercriminals are progressively turning to PowerShell to launch stealthy attacks that evade traditional antivirus and endpoint defenses,” the report warns.
The campaign begins with malicious LNK files embedded within ZIP archives, often masquerading as legitimate Office documents. The attacker uses mshta.exe to proxy execution of a heavily obfuscated HTA file, which bypasses Windows Defender and drops multiple payloads into the victim’s C:\Users\Public\ directory.
Key dropped files:
- pp1.pdf (decoy)
- 311.hta (persistence)
- 24.ps1 (malicious PowerShell loader)
The 311.hta file is set to execute at system startup, ensuring persistence even after reboots.
The core malicious logic is hidden in the 24.ps1 script, which uses heavy obfuscation and custom base64 decoding to extract shellcode and a PE payload: “It reconstructs two blobs of byte arrays… allocates memory and executes binary code directly in memory.”
Execution flow:
- Memory allocated via VirtualAlloc()
- Shellcode injected using Marshal.Copy()
- Executed using CallWindowProcW()—a rarely used, stealthy method
This approach avoids writing executable files to disk, bypassing file-based detection mechanisms entirely.
Once decrypted, the PE payload is identified as Remcos RAT v6.0.0 Pro, compiled with Visual Studio and designed for maximum persistence and stealth. It includes a watchdog module, keylogger, and data exfiltration capabilities.
Remcos Core Features:
- Full system surveillance: screenshots, keystrokes, mic and webcam access
- Process injection using process hollowing
- Browser credential theft from Chrome, Firefox, IE
- UAC bypass via ICMLuaUtil and COM interface abuse
- TLS-encrypted communication with readystearants[.]com
- Registry persistence via mutex Rmc-7SY4AX
To evade researchers and sandboxes, Remcos uses:
- Vectored exception handling
- Heap and tick count monitoring
- Anti-debug checks like IsDebuggerPresent()
Additionally, it dynamically resolves API calls by walking the Process Environment Block (PEB), avoiding static imports that might trigger detection.
The campaign appears to use a new dropper, reportedly dubbed “K-Loader” by underground sources, though this is unconfirmed and no formal attribution has been made.