{"id":11798,"date":"2026-04-02T10:04:19","date_gmt":"2026-04-02T10:04:19","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/04\/02\/remcos-rat-infection-chain-hides-behind-obfuscated-scripts-and-trusted-windows-binaries\/"},"modified":"2026-04-02T10:04:19","modified_gmt":"2026-04-02T10:04:19","slug":"remcos-rat-infection-chain-hides-behind-obfuscated-scripts-and-trusted-windows-binaries","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/04\/02\/remcos-rat-infection-chain-hides-behind-obfuscated-scripts-and-trusted-windows-binaries\/","title":{"rendered":"Remcos RAT Infection Chain Hides Behind Obfuscated Scripts and Trusted Windows Binaries"},"content":{"rendered":"<div>\n<p>Cybercriminals are getting better at hiding their tracks, and a recently uncovered Remcos RAT campaign is proof of that. This attack does not rely on a single malicious file dropped onto a system. 
<\/p>\n<p>Instead, it uses a carefully built, multi-stage chain that starts with a simple phishing email and ends with a full, in-memory system compromise \u2014 leaving almost no trace on the disk.<\/p>\n<p>Remcos RAT, short for Remote Control and Surveillance, has been a known threat 
for years. Attackers use it to steal data, log keystrokes, and remotely control infected machines. <\/p>\n<p>What makes this latest campaign stand out is how it reaches the victim. Rather than relying on easy-to-spot delivery methods, this operation strings together multiple layers of obfuscation, trusted Windows tools, and a live C2 server to deliver its payload with precision.<\/p>\n<p>Analysts and researchers at <a href=\"https:\/\/www.pointwild.com\/threat-intelligence\/from-inbox-to-intrusion-multi-stage-remcos-rat-and-c2-delivered-payloads-in-network\/\" id=\"https:\/\/www.pointwild.com\/threat-intelligence\/from-inbox-to-intrusion-multi-stage-remcos-rat-and-c2-delivered-payloads-in-network\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Point Wild\u2019s LAT61 Threat Intelligence Team identified this campaign<\/a> after examining a malicious email file (.eml). <\/p>\n<p>They found that the attack begins with a ZIP attachment named \u201cMV MERKET COOPER SPECIFICATION.zip,\u201d designed to look like a routine business document. <\/p>\n<p>Once opened, it releases an obfuscated JavaScript file that quietly sets the attack in motion, all without triggering standard security alerts.<\/p>\n<p>The campaign\u2019s impact is serious. Once fully deployed, Remcos establishes a persistent connection to a remote C2 server at 192[.]3[.]27[.]141:8087, actively sending and receiving data. <\/p>\n<p>Evidence of data collection was confirmed through the creation of a log file at\u00a0<code>C:\\ProgramData\\remcos\\logs.dat<\/code>, which stores captured keystrokes and other system information. This indicates the malware was actively staging <a href=\"https:\/\/cybersecuritynews.com\/cl0p-ransomware-data-exfiltration-vulnerable\/\" id=\"113974\" target=\"_blank\" rel=\"noreferrer noopener\">data for exfiltration<\/a>.<\/p>\n<p>What makes this threat particularly difficult to 
stop is its ability to hide inside the very tools Windows users trust every day. <\/p>\n<p>By abusing legitimate system binaries and running entirely in memory, the attackers managed to bypass many traditional security defenses. This kind of attack shows how far threat actors have come in designing operations that blend into normal system activity.<\/p>\n<h2 class=\"wp-block-heading\" id=\"multi-stage-infection-mechanism-from-phishing-to-i\"><strong>Multi-Stage Infection Mechanism: From Phishing to In-Memory Execution<\/strong><\/h2>\n<p>The infection begins the moment a user opens the phishing email and extracts the ZIP file. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhEfNhmaU3xBjfEMyZMjWQW9A77OKAHdLl8AzH9uSFLaH-blyMeVT4o4fgji0MoxEsY8auytDxzHr1Ge46Oz3fByN81iro8j3rza1T3zDQeY8w49P70UvyQD64DxkliZ3Z3D7GqrDZQ_SNJVCSLmObRxB0Lz8HHl9c4mEY2J1vdI1ZtlWKg5glxFlsZ_HA\/s16000\/Attack%2520Flow%2520%28Source%2520-%2520Point%2520Wild%29.webp?ssl=1\" alt=\"Attack Flow (Source - Point Wild)\"><figcaption class=\"wp-element-caption\">Attack Flow (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n<p>Inside the archive is a JavaScript file \u2014 MV MERKET COOPER SPECIFICATION.js \u2014 that is heavily obfuscated using string-mapping functions and encoded arrays to hide its true purpose. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhyXMq0pAC2kuqWGnnaYcw9Z2zVBCe7f17wUbJP3MJNq7lZuLRcFKcdlwFsA0X0fi-dZBenKooDqkb5OgptJYROU_rz92aJ4DiWQnXZu1KdJZDkOD9G34VGFnMasYJx9qCuocjOQsxQ3KxobQmRTgypeFwCQ2uqPZPyskwOJxZn4IYJDKCPjDH5MbswrQI\/s16000\/MV%2520MERKET%2520COOPER%2520SPECIFICATION.js%2520%28Source%2520-%2520Point%2520Wild%29.webp?ssl=1\" alt=\"MV MERKET COOPER SPECIFICATION.js (Source - Point Wild)\"><figcaption class=\"wp-element-caption\">MV MERKET COOPER SPECIFICATION.js (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n<p>Upon execution via Windows Script Host, the script creates ActiveX objects to handle HTTP communication, command execution, and file operations, and then contacts almacensantangel[.]com to download a remote <a href=\"https:\/\/cybersecuritynews.com\/vice-society-ransomware-2\/\" id=\"16203\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell script<\/a> called ENCRYPT.Ps1.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg1C67TAuPmPfbgVFABeq9RhnR5o86oIc2t_VKxR2u8LZe1ZOj51WdVdULMEw8cKisCg4T6zRhcc2np0M6mJ3HbLz55VhYLybTxXmDTfSYtYXg2sy0XhYJKspMir-DRnpQUmimyfezXkHccKd7wvPD-NNCatzYns8q71rIH1Q2qMlFZRe19gw2I_sox9B0\/s16000\/Email%2520Attachment%2520%28Source%2520-%2520Point%2520Wild%29.webp?ssl=1\" alt=\"Email Attachment (Source - Point Wild)\"><figcaption class=\"wp-element-caption\">Email Attachment (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n<p>The PowerShell loader applies multiple layers of obfuscation to rebuild the payload in memory. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh4hyphenhyphenLgaxkmqf-QebhdHl2cUuz2XBXC-4uBkPXpfg4uyaDBUMXUrMX0uktDJWGt8VONs_FV8en9aL5r6tegcw5iiaOztKpTX8BtmjXFQ7kuaky5miy1bS72b87Mq5FrUSdSobMFn0gx8-4dqnHjNbtyL1Q57nIpwoIVwm8uhIOa6gIIZb726kJiRoYrJ_0\/s16000\/Encrypted%2520Data%2520in%2520ps1%2520file%2520%28Source%2520-%2520Point%2520Wild%29.webp?ssl=1\" alt=\"Encrypted Data in ps1 file (Source - Point Wild)\"><figcaption class=\"wp-element-caption\">Encrypted Data in ps1 file (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n<p>The data is stored as a large Base64-encoded string inside the\u00a0<code>$securecontainer<\/code>\u00a0variable, which the\u00a0<code>$base64reconstruction<\/code>\u00a0function converts into raw byte arrays. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiWyPzzw1e4hqI78g-jvaxbRpcDMKSTieqV44Db2VAGPehS6I35WWf0tRDnGFcncukEUVsEkEEc1x0Eiw3z4ijKTBuQRD2bNDp4xHBZyvwtLBzo0jWKAohyphenhyphenx-iCDfUmKUyit091onUKrFiQi3YlMW6U5pUy_XF3LzCyXEUmao_aSN8Fpp_shwzfpLQbORA\/s16000\/Base64%2520Reconstruction%2520Module%2520%28Source%2520-%2520Point%2520Wild%29.webp?ssl=1\" alt=\"Base64 Reconstruction Module (Source - Point Wild)\"><figcaption class=\"wp-element-caption\">Base64 Reconstruction Module (Source \u2013 Point Wild)<\/figcaption><\/figure>\n<\/div>\n<p>A rotational XOR function then decrypts the data using a shifting key mechanism, and the\u00a0<code>$masterdecoder<\/code>\u00a0function brings the full decryption together. 
<\/p>\n<p>The\u00a0<code>$executionhandler<\/code>\u00a0function finally runs the recovered script through Invoke-Expression with built-in fallback methods.<\/p>\n<p>The decrypted script reveals a .NET assembly called ALTERNATE.dll, loaded directly into memory through .NET Reflection 
APIs with no file written to disk.<\/p>\n<p>A secondary payload, Cqeqpvzeia.exe, is embedded as a raw byte array starting with the \u201cMZ\u201d PE signature\u00a0and injected into aspnet_compiler.exe \u2014 a legitimate Microsoft .NET tool \u2014 through a Living-off-the-Land technique. <\/p>\n<p>This abused process handles all outbound C2 communication, making malicious traffic appear as routine system activity.<\/p>\n<p>Organizations should monitor <a href=\"https:\/\/cybersecuritynews.com\/powershell-loaders-with-in-memory-execution-techniques\/\" id=\"111782\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell execution<\/a> events, especially those involving Base64-encoded commands and execution policy bypass flags. <\/p>\n<p>Outbound connections from system utilities like aspnet_compiler.exe to unknown external hosts should be treated as suspicious. <\/p>\n<p>Security teams should also watch for the file\u00a0<code>C:\\ProgramData\\remcos\\logs.dat<\/code>\u00a0as a key indicator of compromise. Blocking the known <a href=\"https:\/\/cybersecuritynews.com\/ai-based-obfuscated-malicious-apps-evading-av-detection\/\" id=\"133994\" target=\"_blank\" rel=\"noreferrer noopener\">malicious URLs<\/a>, hashes, and C2 infrastructure listed in the report\u2019s IOC table remains a critical step in containing this threat early.<\/p>\n<p>The post <a 
href=\"https:\/\/cybersecuritynews.com\/remcos-rat-infection-chain-hides-behind-obfuscated\/\">Remcos RAT Infection Chain Hides Behind Obfuscated Scripts and Trusted Windows Binaries<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/remcos-rat-infection-chain-hides-behind-obfuscated\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Remcos RAT Infection Chain Hides Behind Obfuscated Scripts and Trusted Windows Binaries Cybercriminals are getting better at hiding their tracks, and a recently uncovered Remcos RAT campaign is proof of that. This attack does not rely on a single malicious file dropped onto a system. Instead, it uses a carefully built, multi-stage chain that starts [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-11798","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11798"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11798"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11798\/revisions"}],"wp:attachment":[{"hr
ef":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11798"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}