Aktuelles
Qualys Announces New PowerShell-based Shellcode Loader Executing Remcos RAT
May 2025 by Qualys
The Qualys Threat Research Unit (TRU) announced that they have discovered a new PowerShell-based shellcode loader, designed to load and execute a variant of Remcos RAT.
The infection begins with a ZIP archive (new-tax311.ZIP), which contains a malicious LNK file (new-tax311.lnk). When executed, the LNK file triggers an attack, leveraging MSHTA.exe to run an obfuscated PowerShell script.The downloaded PowerShell payload 24.ps1 is heavily obfuscated, containing numerous functions and variables. It reconstructs two blobs of byte arrays from obfuscated base64 content using a custom string join/replace de-obfuscation technique. The script then leverages Win32 APIs to allocate memory and execute binary code directly in memory.
Remcos RAT is a stealthy, PowerShell-based malware that uses advanced evasion techniques to avoid detection. It operates in memory, making it hard to catch with security tools. This highlights the importance of monitoring LNK files, MSHTA abuse, registry changes, and unusual PowerShell activity.
