{
	"id": "57f0cc45-1ad6-4fdb-af64-3243e4fd1e3c",
	"created_at": "2026-04-06T00:07:53.292896Z",
	"updated_at": "2026-04-10T13:11:21.598416Z",
	"deleted_at": null,
	"sha1_hash": "01c2f988a1bd542ce71356b50a3347825c6f1d11",
	"title": "RemcosRAT Distributed Using Steganography - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1331370,
	"plain_text": "RemcosRAT Distributed Using Steganography - ASEC\r\nBy ATCP\r\nPublished: 2024-04-24 · Archived: 2026-04-05 19:09:19 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. The attack begins with a Word document that uses the template injection technique, after which an RTF file that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed.\r\nThe RTF file downloads a VBScript served with a “.jpg” file extension from the C2, and another VBScript from “paste.ee”, a free text-hosting service similar to “Pastebin”.\r\nhttps://asec.ahnlab.com/en/65111/\r\nPage 1 of 5\r\nThe downloaded VBScript is obfuscated by padding it with large numbers of special characters; a Replace call strips them at runtime, and the cleaned-up code then executes a PowerShell script.\r\nThis PowerShell script downloads an image hosted on an external site. The image file carries a Base64-encoded payload appended after “FF D9”, the marker that denotes the end (footer) of a JPEG file, so the file still opens as an ordinary image while everything behind the footer is ignored by image viewers. The script extracts the text between the strings “\u003c\u003cBASE64 START\u003e\u003e” and “BASE64_END”, Base64-decodes it, and obtains a .NET DLL, which it loads reflectively (in memory, without writing it to disk) and invokes with six arguments.\r\nThe loaded code downloads an additional file from the C2 address passed in as one of those arguments, creates RegAsm.exe (a legitimate .NET utility) as a child process, and injects the downloaded file into it using the process hollowing technique. The hollowed RegAsm.exe is the process that ultimately runs RemcosRAT.\r\nBecause Remcos RAT is distributed in many ways, including spam emails and under the guise of crack software download links, users are advised to practice particular caution. 
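The trailer-after-FF D9 trick described above can be checked offline without running any of the attacker's PowerShell. The Python below is an added example written for this page, not code from ASEC or from the campaign: it locates the bytes appended after the JPEG end-of-image marker, pulls out the text between the two marker strings, Base64-decodes it strictly and reports whether the result starts with an MZ header, i.e. whether it is the PE (the .NET DLL) that the PowerShell stage goes on to load reflectively. The exact marker bytes, the minimal JPEG skeleton and the stand-in DLL are assumptions constructed inline; point carve_payload at a real sample to obtain the DLL hash before deciding whether to detonate anything.

```python
import base64
import hashlib

# The marker names are the ones the ASEC write-up quotes; treating them as
# exactly these byte strings (this spacing, no surrounding whitespace) is an
# assumption of this example.
START_MARKER = b'<<BASE64 START>>'
END_MARKER = b'BASE64_END'
SOI = bytes.fromhex('ffd8')  # JPEG start-of-image marker
EOI = bytes.fromhex('ffd9')  # JPEG end-of-image marker: decoders stop here


def carve_payload(image: bytes) -> dict:
    '''Find the marker-delimited Base64 block appended after FF D9, decode it
    and report what an analyst needs before deciding whether to detonate.

    Returns a dict; found=False means the image carries no such trailer.
    '''
    if not image.startswith(SOI):
        raise ValueError('input does not start with the JPEG SOI marker')
    start = image.find(START_MARKER)
    if start == -1:
        return {'found': False}
    # The trailer must sit after an end-of-image marker. An APP1 (EXIF)
    # thumbnail can carry its own FF D9, so search backwards from the marker
    # rather than taking the first FF D9 in the file.
    eoi = image.rfind(EOI, 0, start)
    if eoi == -1:
        return {'found': False}
    body_start = start + len(START_MARKER)
    end = image.find(END_MARKER, body_start)
    if end == -1:
        return {'found': False}
    # Tolerate line breaks inside the Base64 block, then decode strictly so
    # that junk between the markers is reported instead of silently dropped.
    blob = b''.join(image[body_start:end].split())
    try:
        payload = base64.b64decode(blob, validate=True)
    except ValueError as exc:
        return {'found': True, 'decoded': False, 'error': str(exc)}
    return {
        'found': True,
        'decoded': True,
        'eoi_offset': eoi,
        'trailer_len': len(image) - (eoi + len(EOI)),
        'payload_len': len(payload),
        'is_pe': payload.startswith(b'MZ'),  # DOS header of a PE, DLL or EXE
        'sha256': hashlib.sha256(payload).hexdigest(),
    }


# Constructed stand-in for the decoded .NET DLL: a DOS stub header and filler.
FAKE_DLL = b'MZ' + bytes(58) + b'constructed stand-in for the .NET DLL'


def build_sample(trailer_body=None) -> bytes:
    '''Constructed test input, not the campaign file: a minimal JPEG skeleton
    (SOI, one APP0 segment, EOI) followed by the marker-delimited trailer.'''
    jpeg = SOI + bytes.fromhex('ffe00010') + b'JFIF' + bytes(10) + EOI
    if trailer_body is None:
        trailer_body = base64.b64encode(FAKE_DLL)
    return jpeg + START_MARKER + trailer_body + END_MARKER


if __name__ == '__main__':
    print(carve_payload(build_sample()))
    print(carve_payload(build_sample(b'not base64 at all!')))
```

The same carving applies to any format whose decoder stops at a terminator (PNG IEND, GIF trailer): read the file as raw bytes, never through an image library, because the library will discard exactly the part that matters. Since the DLL never touches disk in the real chain, this is the easiest place to pick up its hash for the Data/BIN.Encoded style detection listed below.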
In addition, they should keep V3 (AhnLab's antivirus product) updated to the latest version so that the infection is blocked in advance.\r\nFile Detection\r\nDownloader/VBS.Agent.SC199181 (2024.04.19.00)\r\nData/BIN.Encoded (2024.04.18.03)\r\nDownloader/VBS.Agent.SC198254 (2024.03.19.03)\r\nRTF/Malform-A.Gen (2024.03.19.01)\r\nBehavior Detection\r\nExecution/MDP.Powershell.M2514\r\nReference\r\n1) https://www.cyfirma.com/research/exploiting-document-templates-stego-campaign-deploying-remcos-rat-and-agent-tesla/\r\nMD5\r\n6605b28a03ea7caa3a40451cbbc75034\r\nb06fe78aad12f615595040308affc0d8\r\nc7603f1da9d5ebb35076f285eb374ba6\r\nf5a49410d9ea23dc2cf67d7d3ba8fad0\r\nfdfd9e702f54e28dc2ca5f7c04bf1c8f\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//192[.]210[.]201[.]57[:]52748/\r\nhttp[:]//ur8ly[.]com/asy2xr\r\nhttps[:]//paste[.]ee/dEh1G4\r\nAdditional IOCs are available on AhnLab TIP.\r\nIP\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/65111/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/65111/"
	],
	"report_names": [
		"65111"
	],
	"threat_actors": [],
	"ts_created_at": 1775434073,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01c2f988a1bd542ce71356b50a3347825c6f1d11.pdf",
		"text": "https://archive.orkl.eu/01c2f988a1bd542ce71356b50a3347825c6f1d11.txt",
		"img": "https://archive.orkl.eu/01c2f988a1bd542ce71356b50a3347825c6f1d11.jpg"
	}
}