Categories: Cyber Security News

Remcos Fileless Attacks Bypass EDRs Using RMClient Injection Technique

CyberProof researchers have observed a recent surge in Remcos Remote Access Trojan (RAT) infections in September and October 2025.

The malware campaign, distributed primarily through email attachments and social engineering lures, accounted for roughly 11% of all infostealer incidents during the quarter.

Although marketed as a legitimate remote administration tool, Remcos continues to be abused by threat actors for full-scale credential theft and persistence operations.

Malspam Drops Obfuscated PowerShell Loader

In the most recent attack analyzed by CyberProof’s Threat Research team, victims received phishing emails containing an archive named ‘EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz’. When extracted, it dropped a batch file that executed an obfuscated PowerShell script.

The script demonstrated heavy code obfuscation using custom functions such as Lotusblo and Garrots to evade static detection and signature-based scanners.

Upon execution, the PowerShell loader created a hidden process and established TLS 1.2 web requests to hxxps://icebergtbilisi.ge/Sluknin.afm, attempting continuous downloads of an encoded payload.

After retrieving and Base64-decoding the data, the loader decompressed it using GZip and executed it directly in memory via Invoke-Expression, confirming the use of a fileless execution chain. The downloaded payload was identified as the Remcos RAT.

The PowerShell code then launched msiexec.exe, which executed additional commands and performed process hollowing to inject its malicious payload into RmClient.exe, a legitimate Microsoft-distributed binary.

Telemetry logs showed subsequent attempts to access browser credential storage, triggering partial EDR alerts that revealed the credential-theft functionality.

The RMClient binary involved in this injection was cryptographically validated as genuine, highlighting the attacker’s precision in exploiting trusted binaries to bypass endpoint defenses.

Credential Theft and Network Indicators

Analysis of system timelines and network telemetry linked the msiexec process to external command-and-control connections, including the domains ablelifepurelife[.]ydns.eu, ablelifepurelifebk[.]ydns.eu, and icebergtbilisi[.]ge.

The attack temporarily stored payloads in the AppData\Roaming\Hereni directory. The Gen directory contains several random temporary files dropped in user profile paths.

CyberProof’s custom hunting query for rmclient.exe processes spawned from temporary directories successfully correlated multiple intrusion events.
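The hunting logic described above, written here as an added example that is not CyberProof's own query: it scans process-creation events for rmclient.exe launched from, or running out of, temporary or user-profile directories, and also flags the msiexec.exe parent relationship reported in this chain. The event field names follow Sysmon Event ID 1 conventions, and the sample events below are constructed for the example, not taken from the report's telemetry.

```python
import json
import ntpath
import re
from typing import Iterable

# Directories treated as "temporary" for this example (an assumption):
# user Temp folders and anything under AppData\Roaming or AppData\Local.
TEMP_DIR_RE = re.compile(r"\\(Temp|AppData\\(Roaming|Local))\\", re.IGNORECASE)

# Constructed process-creation events as JSON lines (not real telemetry).
SAMPLE_LOG = r"""
{"ProcessId": 1180, "Image": "C:\\Windows\\System32\\RmClient.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"ProcessId": 4412, "Image": "C:\\Windows\\System32\\RmClient.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe"}
{"ProcessId": 5208, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\RmClient.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Roaming\\Hereni\\loader.exe"}
{"ProcessId": 6016, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"}
""".strip()

def is_temp_path(path: str) -> bool:
    """True when the file path sits under a Temp or AppData directory."""
    return bool(TEMP_DIR_RE.search(path))

def basename(path: str) -> str:
    # ntpath handles backslash-separated Windows paths on any host OS.
    return ntpath.basename(path).lower()

def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means no hit."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    reasons: list[str] = []
    if basename(image) != "rmclient.exe":
        return reasons  # only rmclient.exe launches are in scope
    if is_temp_path(parent):
        reasons.append("parent launched from temporary directory")
    if is_temp_path(image):
        reasons.append("rmclient.exe copy running from temporary directory")
    if basename(parent) == "msiexec.exe":
        reasons.append("spawned by msiexec.exe (matches reported injection chain)")
    return reasons

def hunt(lines: Iterable[str]) -> list[dict]:
    """Run classify() over JSON-lines events and collect the hits in order."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append({"pid": event.get("ProcessId"), "image": event["Image"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(hit["pid"], hit["image"], "; ".join(hit["reasons"]))
```

A genuine system copy of rmclient.exe started by a service host (the first sample event) produces no hit, so the logic keys on the launch context rather than the binary's name or signature alone.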

Hash analysis confirmed the involvement of PowerShell loaders and scripts with SHA256 values 5cb34177d0289e9737e5a261b8d1aac227656b96c768f789d6fcc9bc20adb05e and 3ec5b13ee66d84dd75ac619ebb79c64cef7986dd6e8049f689f9ac39c272fea2.

Email attachments, disguised as corporate order inquiries, carried distinctive filenames across regions, including German, Polish, and Portuguese variants.

CyberProof emphasizes that this campaign’s sophistication lies in its stealthy, fileless infection method and credential-theft motivation.

As attackers continue refining obfuscation and process injection methods, organizations are urged to strengthen their detection layers and maintain vigilance toward targeted phishing lures.

Indicators of Compromise

  • ablelifepurelife[.]ydns.eu
  • ablelifepurelifebk[.]ydns.eu
  • icebergtbilisi[.]ge
  • Email attachment name: EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz
  • Attachment hash: 5eb460204cd0f5510b146b8465b4392e9d0795b5d7fdb51b1c1429f97593a4b3
  • Batch script file: EFEMMAK TURKEY INQUIRY ORDER NR 09162025.bat
  • Script hash: 5cb34177d0289e9737e5a261b8d1aac227656b96c768f789d6fcc9bc20adb05e


The post Remcos Fileless Attacks Bypass EDRs Using RMClient Injection Technique appeared first on Cyber Security News.
