Remcos, a commercial remote access tool marketed as legitimate surveillance software, has become the leading infostealer in malware campaigns during the third quarter of 2025, accounting for approximately 11 percent of detected cases.
In a notable shift from traditional deployment methods, threat actors are now weaponizing this remote control and surveillance platform through sophisticated fileless attack chains that successfully evade endpoint detection and response systems.
The malware’s primary motivation is credential theft through opportunistic yet targeted attacks, with a particular focus on the financial sector; recent evidence also suggests attackers have compromised legitimate websites to host additional malicious payloads supporting the broader operation.
The attack begins deceptively with users receiving emails containing seemingly innocent business attachments. A file named “EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz” initiates the infection chain.
Once extracted, this archive deploys a batch file into the Windows temporary directory, which subsequently executes a heavily obfuscated PowerShell script employing custom string de-obfuscation functions named “Lotusblo” and “Garrots.”
CyberProof analysts identified the PowerShell script initiating hidden processes while configuring web requests to use TLS 1.2 and custom User-Agent strings for legitimate-appearing network traffic.
The script constructs a target file path at C:\Users\<user>\AppData\Roaming\Hereni.Gen and enters a continuous download loop, attempting to retrieve files from a malicious C2 domain every four seconds.
Upon successful download, the script Base64 decodes and GZip decompresses the retrieved payload before executing it through Invoke-Expression, enabling dynamic command execution while leaving no traces on disk.
Process Injection and Detection Evasion
The sophisticated technique deployed by attackers involves leveraging msiexec.exe, a legitimate Windows installer executable, to perform process injection into RmClient.exe, a Microsoft-distributed file.
This fileless approach proves effective against traditional EDR solutions because RmClient.exe carries legitimate digital signatures, causing many detection systems to overlook the injected Remcos payload.
Once injected, the malware immediately begins accessing browser credential stores, targeting key4.db, logins.json, and Login Data files containing saved passwords and sensitive authentication information.
Network communications from the compromised RmClient.exe process directed to command-and-control servers at ablelifepurelife.ydns.eu and icebergtbilisi.ge on non-standard ports like 57864 and 50807 reveal the attacker’s infrastructure.
The malware demonstrates persistence through multiple RmClient.exe instances spawning with random parameters stored in the temporary directory, multiplying detection complexity and enabling the threat actor to maintain long-term access for subsequent, more destructive operations.
Organizations must enhance detection capabilities to identify process injection patterns and monitor unusual credential access activities, particularly when involving legitimate system binaries.
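As an added example (not code from the article or from CyberProof), the following Python triage routine applies the behaviours described above to constructed Sysmon-style process, file and network events: RmClient.exe spawned by msiexec.exe, RmClient.exe launched with parameters in the temporary directory, reads of key4.db, logins.json or Login Data, and RmClient.exe connections on ports other than 80/443. The event schema, the user name "alice" and the file names in the sample events are assumptions; the hosts and port come from the write-up.

```python
from pathlib import PureWindowsPath

# Browser credential stores the write-up says the injected payload reads.
CRED_STORES = {"key4.db", "logins.json", "login data"}
# Ports a legitimate RmClient.exe would plausibly use for web traffic (assumption).
EXPECTED_WEB_PORTS = {80, 443}

def _base(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return PureWindowsPath(path).name.lower() if path else ""

def triage(events):
    """Return (rule, evidence) pairs for events that match the Remcos behaviours above."""
    findings = []
    for ev in events:
        image = _base(ev.get("image"))
        if image != "rmclient.exe":
            continue  # every rule here keys on the injected host process
        if ev["type"] == "process":
            if _base(ev.get("parent")) == "msiexec.exe":
                findings.append(("rmclient-spawned-by-msiexec", ev["image"]))
            if "\\temp\\" in ev.get("cmdline", "").lower():
                findings.append(("rmclient-args-in-temp", ev["cmdline"]))
        elif ev["type"] == "file" and _base(ev["target"]) in CRED_STORES:
            findings.append(("browser-credential-store-read", ev["target"]))
        elif ev["type"] == "network" and ev["dst_port"] not in EXPECTED_WEB_PORTS:
            findings.append(("rmclient-nonstandard-port", f"{ev['dst_host']}:{ev['dst_port']}"))
    return findings

# Constructed sample telemetry (hypothetical user 'alice', hypothetical file names).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "msiexec.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\RmClient.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"RmClient.exe C:\Users\alice\AppData\Local\Temp\q7x1.tmp"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\RmClient.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\key4.db"},
    {"type": "file", "image": r"C:\Users\alice\AppData\Local\Temp\RmClient.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\RmClient.exe",
     "dst_host": "ablelifepurelife.ydns.eu", "dst_port": 57864},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_host": "example.org", "dst_port": 443},  # benign control: no finding expected
]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

In production the same rules would be expressed against real Sysmon event IDs 1, 11 and 3 (process create, file create/access and network connect), with the benign-port set tuned to the environment.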
