⚠️ Remote access malware remained resilient despite broader declines. #AsyncRAT continued to grow and #Remcos rebounded, while most other major families trended downward.

📌 Trend to watch: when fewer families account for a larger share of activity, defenders can miss the signal by focusing on overall volume alone. Concentrated campaigns often create repeated exposure to the same attack paths, increasing the likelihood of successful compromise.

Expand threat visibility in your SOC: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=080626&utm_content=linktoenterprise

#cybersecurity #infosec

Reloaded in a modern Remcos RAT Infection

Pulse ID: 6a1ff4afb1422149b0e41662
Pulse Link: https://otx.alienvault.com/pulse/6a1ff4afb1422149b0e41662
Pulse Author: Tr1sa111
Created: 2026-06-03 09:32:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Remcos #RemcosRAT #bot #Tr1sa111

Reloaded in a modern Remcos RAT Infection

Analysts discovered a new Remcos RAT infection chain starting with a batch file executing encoded commands that creates hidden directories and retrieves encrypted payloads. Unlike earlier campaigns relying on PowerShell-hosted .NET loaders, this variant incorporates DonutLoader shellcode and AutoIt-based staging for in-memory payload delivery. The infection begins with a phishing email containing a malicious batch file named Bestellung.CMD. The chain abuses legitimate Windows utilities including cscript.exe and SyncAppvPublishingServer.vbs to execute Base64-encoded payloads. Additional components are downloaded from cloud storage, including 7Zip tools and password-protected archives containing obfuscated JScript. The final payload consists of DonutLoader shellcode that injects Remcos RAT version 7.2.1 Pro into colorcpl.exe, enabling remote control, credential harvesting, keystroke logging, and additional payload deployment.

Pulse ID: 6a1a2dd905d9f8c4474cb45e
Pulse Link: https://otx.alienvault.com/pulse/6a1a2dd905d9f8c4474cb45e
Pulse Author: AlienVault
Created: 2026-05-30 00:22:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#7Zip #Autoit #Cloud #CredentialHarvesting #CyberSecurity #Email #InfoSec #NET #OTX #OpenThreatExchange #Password #Phishing #PowerShell #RAT #Remcos #RemcosRAT #ShellCode #VBS #Windows #Word #ZIP #bot #AlienVault

UAC0184 Steganography Based Remcos Campaign

UAC0184 runs a multi-stage phishing campaign using fake documents and shortcut files to trick users into execution. The attack abuses legitimate Windows tools like BITSAdmin and PowerShell to download and run malicious content. It uses steganography to hide malware inside image files, which is then extracted by a loader.

Pulse ID: 6a10b4b34a90f600cf8a1fc7
Pulse Link: https://otx.alienvault.com/pulse/6a10b4b34a90f600cf8a1fc7
Pulse Author: cryptocti
Created: 2026-05-22 19:55:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #Phishing #PowerShell #Remcos #Steganography #Windows #bot #cryptocti

⚠️ Overall RAT activity cooled down last week, with #AsyncRAT, #XWorm, and #Remcos all declining, while stealers like #Vidar and #Stealc continued to grow.

📌 Trend to watch: this points to a shift toward credential access and large-scale delivery activity. For defenders, that usually means higher alert volume, broader exposure, and more pressure on early-stage triage.

Expand threat visibility in your SOC: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=180526&utm_content=linktoenterprise
#cybersecurity

⚠️ Remote access tooling remained active last week. #AsyncRAT, #Remcos, #Warzone, and #Netwire all increased, while #Vidar continued to decline.

📌 Trend to watch: the activity points to attackers prioritizing persistence and operator access over large-scale credential theft. For defenders, that usually means fewer obvious indicators and more time between initial compromise and detection.

Expand threat visibility in your SOC: https://any.run/enterprise/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=110526&utm_content=linktoenterprise

#reverseloader payloads at:

http://66.179.248\.120/img/

#remcos c2: 23.95.62\.25:7070

Top 10 last week's threats by uploads 🌐
⬇️ #Xworm 575 (632)
⬆️ #Weedhack 414 (336)
⬇️ #Asyncrat 402 (720)
⬆️ #Gh0st 393 (343)
⬆️ #Dcrat 319 (223)
⬇️ #Remcos 310 (373)
⬆️ #Vidar 301 (266)
⬇️ #Quasar 221 (325)
⬆️ #Rustystealer 204 (175)
⬆️ #Lumma 199 (161)
Explore malware in action: https://app.any.run/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_term=270426&utm_content=linktoregister#register

#cybersecurity

When your #malspam threat actor forgets to properly configure their #remcos ....ya "Juniorer" indeed 🤣

https://app.any.run/tasks/1ff77354-94ca-4d30-b6f7-a86aff32e1af