Security researchers have tracked a multi-stage Remcos RAT attack that uses JavaScript, PowerShell, and process hollowing to avoid leaving obvious traces on infected systems.
Instead of dropping the main malware file onto disk, the attackers keep most of the activity in memory, making it much harder for traditional security tools to detect.
The attack starts with a phishing email disguised as a normal business message. In the observed cases, the emails used request-for-quotation (RFQ) themes to trick victims into opening an archive attachment.
Inside that archive was a JavaScript file that appeared to be a business document. Once opened, the script did not perform many actions on its own.
Its main job was to contact attacker-controlled infrastructure and quietly download the next stage.
The downloaded file was an AES-encrypted PowerShell payload. This stage acted as the main loader for the attack.
It decrypted content directly in memory, avoiding the need to save the malicious payload to disk. That made the infection chain more stealthy and reduced the number of artifacts defenders could collect during analysis.
After decryption, the PowerShell script loaded two important components into memory. The first was a .NET injector, and the second was the final Remcos RAT payload.
The injector then used a technique called process hollowing against the legitimate Windows process aspnet_compiler.exe.
In simple terms, the malware created a trusted process, emptied its memory, and replaced it with malicious code. This allowed Remcos RAT to run under the name of a legitimate Windows tool.
This approach is important because many security systems trust signed or well-known Windows files. By hiding inside one of them, the malware blends in with normal system activity.
Once active, Remcos RAT runs fully in memory and begins preparing for long-term control.
Researchers from Trellix found that it dynamically resolved Windows APIs, decrypted its internal configuration, and created a mutex to ensure only one copy runs on the system.
It also collected system details, including the operating system version, process architecture, and privilege level.
| Type | Indicator / Sample | Description |
|---|---|---|
| | de59f9c1b237af2b27df59a6cec82fd2 | Phishing email – Request for Quotation – Coaxial Cable, Solar, Surge Relay |
| RAR | 47b1603f62306dfa34bd7d52b7159c7f | Price Offer_PT. Asianfast Marine Industries I6799006392.r01 |
| JS | c2b601dc165fa0b4837019f1152d005a | JavaScript downloader attachment |
| PS1 | 6f61c2917c7dac70b4703700b3aafb33 | PowerShell script (layer 1) |
| PS1 | ffe4dc0ebc7b0b76d95dad2f383f6034 | PowerShell script (layer 2) |
| DLL | e7983c9dc42001baeafedebdaba8b310 | .NET injector (MAFFIA.dll) |
| EXE | df8a0d943f6df9394f0116521536a938 | Remcos RAT payload |
This campaign shows how commodity malware is becoming more advanced. Fileless execution, script abuse, and memory-only payloads are now common tactics. For defenders, that means basic file scanning is no longer enough.
Organizations need better visibility into script execution, memory behavior, process injection, and suspicious outbound connections to catch these attacks before they turn into full remote access compromises.
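The visibility the article asks for can be expressed as a few process-lineage rules. The following is an added example, not code from the Trellix report or from this article, that runs three such rules over constructed Sysmon-style events: a script host launching PowerShell with evasion flags, PowerShell spawning aspnet_compiler.exe, and aspnet_compiler.exe opening an outbound connection. The event field names, paths, and sample values are assumptions.

```python
# Constructed Sysmon-style events: id 1 = process create, id 3 = network connect.
# These are illustrative samples, not telemetry from the reported campaign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\Price Offer.js"'},
    {"id": 1, "image": PS, "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    {"id": 1, "image": ASPNET, "parent": PS, "cmd": "aspnet_compiler.exe"},
    {"id": 3, "image": ASPNET, "dest_ip": "203.0.113.10", "dest_port": 2404},
    # Benign lineage: a build tool launching the compiler should not alert.
    {"id": 1, "image": ASPNET, "parent": r"C:\Program Files\MSBuild\msbuild.exe",
     "cmd": "aspnet_compiler.exe -v / -p site"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
HOLLOW_TARGET = "aspnet_compiler.exe"      # legitimate binary abused as the hollowing host
EVASION_FLAGS = ("-enc", "-e ", "hidden", "bypass")


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the three lineage rules and return (rule_name, evidence) tuples."""
    alerts = []
    for ev in events:
        image = basename(ev["image"])
        if ev["id"] == 1:
            parent = basename(ev["parent"])
            cmd = ev["cmd"].lower()
            # Rule 1: JS/VBS host launching PowerShell with hidden/encoded/bypass flags.
            if parent in SCRIPT_HOSTS and image == "powershell.exe" \
                    and any(flag in cmd for flag in EVASION_FLAGS):
                alerts.append(("script_host_to_powershell", ev["cmd"]))
            # Rule 2: PowerShell is not a normal parent for aspnet_compiler.exe.
            if image == HOLLOW_TARGET and parent == "powershell.exe":
                alerts.append(("powershell_spawns_hollow_target", ev["cmd"]))
        elif ev["id"] == 3 and image == HOLLOW_TARGET:
            # Rule 3: a compiler binary has no reason to talk to the internet.
            alerts.append(("hollow_target_network",
                           f'{ev["dest_ip"]}:{ev["dest_port"]}'))
    return alerts


if __name__ == "__main__":
    for name, evidence in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {name}: {evidence}")
```

Each rule alone is noisy in some environments; correlating them on the same process chain, as the infection described here would produce, is what makes the signal reliable.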
The post Multi-Stage Remcos RAT Campaign Hides Behind JavaScript and PowerShell appeared first on Cyber Security News.