Remcos, a commercial remote access tool marketed as legitimate surveillance software, has become the leading infostealer in malware campaigns during the third quarter of 2025, accounting for approximately 11 percent of detected cases.<\/p>\n
In a notable shift from traditional deployment methods, threat actors are now weaponizing this remote control and surveillance platform through sophisticated fileless attack chains that successfully evade endpoint detection and response systems.<\/p>\n
The malware\u2019s primary motivation centers on credential theft<\/a> through opportunistic targeted attacks, with particular focus on the financial sector, though recent evidence suggests attackers have compromised legitimate websites to host additional malicious payloads supporting the broader operation.<\/p>\n The attack begins deceptively with users receiving emails containing seemingly innocent business attachments. A file named \u201cEFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz\u201d initiates the infection chain.<\/p>\n Once extracted, this archive deploys a batch file into the Windows temporary directory, which subsequently executes a heavily obfuscated PowerShell script employing custom string de-obfuscation functions named \u201cLotusblo\u201d and \u201cGarrots.\u201d<\/p>\n CyberProof analysts identified<\/a> the PowerShell script initiating hidden processes while configuring web requests to use TLS 1.2 and custom User-Agent strings for legitimate-appearing network traffic.<\/p>\n The script constructs a target file path at C:Users\\AppDataRoamingHereni.Gen and enters a continuous download loop, attempting to retrieve files from a malicious C2 domain every four seconds.<\/p>\n Upon successful download, the script Base64 decodes and GZip decompresses the retrieved payload before executing it through Invoke-Expression, enabling dynamic command execution while leaving no traces on disk.<\/p>\n The sophisticated technique deployed by attackers involves leveraging msiexec.exe, a legitimate Windows installer executable, to perform process injection into RmClient.exe, a Microsoft-distributed file.<\/p>\n This fileless approach proves effective against traditional EDR solutions<\/a> because RmClient.exe carries legitimate digital signatures, causing many detection systems to overlook the injected Remcos payload.<\/p>\n Once injected, the malware immediately begins accessing browser credential stores, targeting key4.db, logins.json, and Login Data files containing saved passwords and sensitive authentication information.<\/p>\n Network communications from the compromised RmClient.exe process directed to command-and-control servers at ablelifepurelife.ydns.eu and icebergtbilisi.ge on non-standard ports like 57864 and 50807 reveal the attacker\u2019s infrastructure.<\/p>\n The malware demonstrates persistence<\/a> through multiple RmClient.exe instances spawning with random parameters stored in the temporary directory, multiplying detection complexity and enabling the threat actor to maintain long-term access for subsequent, more destructive operations.<\/p>\n Organizations must enhance detection capabilities to identify process injection patterns and monitor unusual credential access activities, particularly when involving legitimate system binaries.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Fileless Remcos Attacks Bypassing EDRs Malicious Code into RMClient<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh_awvY5rn9yPUT99xJU5sJlm2JeyM79I2X4bXaazV3vd_JHRhLAnUQAypBzsh9wlt8_2QptDRLC7R4SwK6NWEd0M1fSdactyCykJxZt7bFBl0_UGyEGqdEzP8UORr3yuokbb7oNfCRifvrUd3ljq8Tor707qfqbIJRyMAiQdGuLz4J4aV9nY8xC9GBmNI\/s16000\/Launch%2520of%2520PowerShell%2520script%2520from%2520batch%2520file%2520%28Source%2520-%2520CyberProof%29.webp?ssl=1\")
Process Injection and Detection Evasion<\/strong><\/h2>\n