Advanced Fileless Remcos RAT Abusing Native Windows Tools

Pulse ID: 69d2ba26efd7dcef6be56abc
Pulse Link: https://otx.alienvault.com/pulse/69d2ba26efd7dcef6be56abc
Pulse Author: cryptocti
Created: 2026-04-05 19:38:14

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Remcos #RemcosRAT #Windows #bot #cryptocti

From Inbox to Intrusion: Multi‑Stage Remcos RAT and C2‑Delivered Payloads in Network

This multi-stage fileless Remcos RAT attack leverages a phishing-delivered JavaScript dropper to trigger a reflective PowerShell loader that executes payloads entirely in memory. The infection chain utilizes obfuscation techniques like rotational XOR and Base64 encoding to reconstruct .NET payloads, significantly reducing the disk-based detection footprint. Stealth is maintained by using aspnet_compiler.exe as a LOLBin to proxy malicious execution and dynamically retrieving the final payload from a remote C2 server.

Pulse ID: 69cd1ac8518646002a1a0fbc
Pulse Link: https://otx.alienvault.com/pulse/69cd1ac8518646002a1a0fbc
Pulse Author: AlienVault
Created: 2026-04-01 13:16:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ASPNet #ASPNet_Compiler #CyberSecurity #InfoSec #Java #JavaScript #NET #OTX #OpenThreatExchange #Phishing #PowerShell #Proxy #RAT #Remcos #RemcosRAT #bot #AlienVault

Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure

A multi-stage malware delivery campaign was uncovered, initially detected through a suspicious VBS file. The investigation revealed a complex attack infrastructure using Unicode obfuscation, PNG-based payload staging, and reflectively loaded .NET execution. The attacker utilized open directories to host multiple obfuscated VBS files, each mapping to different malware payloads including XWorm and Remcos RAT. A secondary infection vector involving a weaponized 'PDF' and batch script was also discovered. The campaign demonstrated a modular approach, allowing for payload rotation and multiple attack vectors from the same domain. This sophisticated infrastructure design enables rapid modification and expansion of available payloads without altering the initial delivery mechanism.

Pulse ID: 69c2502fe450207e3f4855c3
Pulse Link: https://otx.alienvault.com/pulse/69c2502fe450207e3f4855c3
Pulse Author: AlienVault
Created: 2026-03-24 08:49:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #NET #OTX #OpenThreatExchange #PDF #RAT #Remcos #RemcosRAT #VBS #Worm #XWorm #bot #AlienVault

Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign

The Konni Group conducted a sophisticated multi-stage attack campaign, initiating with a spear-phishing email disguised as a North Korean human rights lecturer appointment. The attack progressed through execution of a malicious LNK file, installation of remote access malware, and long-term persistence for data theft. A key feature was the unauthorized access to victims' KakaoTalk PC applications, used to distribute additional malicious files to selected contacts. The campaign employed multiple RAT families, including EndRAT, RftRAT, and RemcosRAT, with a distributed C2 infrastructure across Finland, Japan, and the Netherlands. The threat actor's tactics included trust-based propagation, account session abuse, and modular payload deployment, highlighting the need for advanced behavior-based detection and multi-layered defense strategies.

Pulse ID: 69ba831f2287b29db4e4645e
Pulse Link: https://otx.alienvault.com/pulse/69ba831f2287b29db4e4645e
Pulse Author: AlienVault
Created: 2026-03-18 10:49:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DRat #DataTheft #Email #Finland #ICS #InfoSec #Japan #Konni #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #RAT #Remcos #RemcosRAT #Rust #SpearPhishing #TheNetherlands #bot #AlienVault

New XWorm 7.1 and Remcos RAT campaigns are abusing trusted #Windows utilities and memory-based execution to evade detection, giving attackers remote access to infected systems. The campaign also exploits a #WinRAR vulnerability to gain initial access.

Read: https://hackread.com/xworm-7-1-remcos-rat-windows-tools-evade-detection/

#CyberSecurity #Malware #XWorm #RemcosRAT

Phishing Campaign Delivers Fileless Remcos RAT Using JavaScript and PowerShell to Evade Detection

A phishing campaign distributes Remcos RAT using a fileless multi-stage execution chain involving JavaScript, PowerShell and a .NET injector.

Pulse ID: 69b5d44a49e28d19f3338d0b
Pulse Link: https://otx.alienvault.com/pulse/69b5d44a49e28d19f3338d0b
Pulse Author: cryptocti
Created: 2026-03-14 21:34:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Java #JavaScript #NET #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #Remcos #RemcosRAT #bot #cryptocti

This Punchbowl Phish Is Bypassing 90% Of Email Filters Right Now

997 words, 5 minutes read time.

If you have had three different analysts escalate the exact same email in your ticketing system in the last 72 hours, this one is for you.

This is not a Nigerian prince scam. This is not a fake Amazon order. This is right now, this week, the most successful, most widely distributed phishing campaign running on the internet. And almost nobody is talking about just how good it is.

What this scam actually is

You get an email. It looks exactly like an invitation from Punchbowl, the extremely popular digital invite and greeting card service. There’s no misspelled logo. There’s no broken grammar. There is absolutely nothing that jumps out as fake.

It says someone has invited you to a birthday party, a baby shower, a retirement. At the very bottom, there is one single line that almost everyone misses:

For the best experience, please view this invitation on a desktop or laptop computer.

If you click the link, you do not get an invitation. You get malware. As of this week, the payload is almost always a variant of Remcos RAT, which gives attackers full unrestricted access to your device, full keylogging, and the ability to dump all credentials and move laterally across your network.

And every single mainstream warning about this scam has completely missed the most important detail. That line about the desktop? That is not a throwaway line. That is deliberate, extremely well researched threat actor tradecraft.

Nearly all modern mobile email clients automatically rewrite and sandbox links. Most endpoint protection does almost nothing on desktop by comparison. The attackers know this. They are actively telling you to defeat your own security for them. And it works.

Why this is an absolute nightmare for security teams

Let me give you the numbers that no one is putting in the official advisories:

• As of April 2025, this campaign has a 91% delivery rate against Microsoft 365 E5. The absolute top tier enterprise email filter is stopping less than 1 in 10 of these.
• Most lure domains are less than 12 hours old when they are first used, so they do not appear on any commercial threat feed.
• This is not just targeting consumers. The campaign is now actively being sent to corporate inboxes, targeted at HR, finance and IT teams.
• Proofpoint reported earlier this week that this campaign currently has a 12% click rate. For context, the average phish has a click rate of 0.8%.

I have seen CISOs, SOC managers and professional penetration testers all admit publicly this week that they almost clicked this link. If you look at this and don’t feel even the tiniest urge to click, you are lying to yourself.

This is what good phishing looks like. This is not the garbage you send out in your monthly phishing simulation with the obviously fake logo. This is the stuff that actually works.

How to not get burned

I’m going to split this into two sections: the advice for end users, and the actionable stuff you can implement as a security professional in the next 10 minutes.

For everyone

• Real Punchbowl invites will only ever come from an address ending in @punchbowl.com. There are no exceptions. If it comes from anywhere else, delete it immediately.
• Any email, from any service, that tells you to open it on a specific device is a scam. Full stop. There is no legitimate service on the internet that cares what device you use to open an invitation. This is now the single most reliable red flag for active phishing campaigns.
• Do not go to Punchbowl’s website to “check if the invite is real”. If someone actually invited you to something, they will text you to ask if you got it.

For SOC Analysts and Security Teams

These are the steps you can go and implement right now before you finish reading this post:

Closing Thought

The worst part about this scam is how predictable it is. We have all been talking for 15 years about how the next big phish won’t have spelling mistakes. We all said it will look perfect. It will be something you actually expect. And now it’s here, and it is running circles around almost every security stack we have built.

If you see this email, report it. If you are on shift right now, go push that detection rule. And for the love of god, stop laughing at people who almost clicked it.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• Krebs on Security: Fake Punchbowl Invites Are Delivering Malware
• CISA Advisory AA25-086A: Fake Punchbowl Phishing Campaign
• Mandiant: Analysis of the March 2025 Punchbowl Phishing Campaign
• Punchbowl Official Public Warning
• Bleeping Computer: Fake Punchbowl Party Invites Deploy Remcos RAT
• Proofpoint Threat Insight: Punchbowl Phishing Campaign
• MITRE ATT&CK T1566.001: Spearphishing Link
• Verizon DBIR 2025: Phishing Effectiveness

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at https://www.malware-traffic-analysis.net/2026/01/06/index.html

I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at https://www.malware-traffic-analysis.net/2026/index.html

Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.