Threat Research

A recent campaign involving Remcos RAT demonstrates the shift toward fileless malware techniques, using phishing emails with procurement-themed lures to initiate infection. The attack chain delivers a JavaScript downloader that retrieves an AES-obfuscated PowerShell payload, which then loads a .NET injector to perform process hollowing on a legitimate Windows process....

Labs identified a new phishing campaign active in the wild. The attack delivers a new variant of Remcos, a lightweight commercial RAT with extensive capabilities. These include system resource control, remote surveillance, network operations, and agent management. I performed an in-depth analysis of the campaign’s full infection chain....

UAC-0184, also known as Hive0156, is a Russia-aligned threat actor that conducts cyber operations against Ukraine using commercially available malware and lure documents. The group primarily targets Ukrainian military personnel by distributing weaponized LNK files or PowerShell scripts that result in Remcos malware infections....

A GLS-themed ClickFix social-engineering campaign in Italy delivered the Remcos RAT by tricking users into manually running malicious commands. ClickFix campaigns have risen over the past year because manual execution helps attackers evade AV, sandbox, and EDR detection....

QuirkyLoader is a newly observed malware loader, active since November 2024, used to deliver various infostealers and remote access trojans (RATs) like Agent Tesla, AsyncRAT, FormBook, Remcos, and others. The infection begins with phishing emails containing malicious archives. These archives include a legitimate executable, an encrypted payload, and a malicious DLL....

A campaign targeting users in Ukraine is using malicious LNK files, which run a PowerShell downloader. These files are named with Russian words related to troop movements in Ukraine to lure victims. The downloader connects to geo-fenced servers in Russia and Germany to retrieve a second-stage Zip file containing the Remcos backdoor....

In March 2025, activity from APT-C-36, also known as Blind Eagle, was detected following similar tactics used in previous campaigns. The group, believed to be a South American threat actor, initiates attacks with .url files that download an initial downloader from a WebDAV server....

Email continues to be a common method for malware distribution, with most malicious messages intercepted by spam traps and security filters. Threat actors constantly adapt their techniques to bypass these defenses, including altering file extensions for attached zip archives. In this case, the email contained a zip archive disguised with a 7-Zip file extension....