Exploits Windows Via UAC Bypass

A newly identified phishing campaign deploys the Remcos Remote Access Trojan (RAT) using DBatLoader, leveraging a User Account Control (UAC) bypass technique involving mock trusted directories to evade security controls. 

The attack chain employs obfuscated .cmd scripts, Windows Living Off the Land Binaries (LOLBAS) techniques, and sophisticated persistence mechanisms. At the time of analysis on May 19, 2025, the samples were undetected on VirusTotal, indicating high evasion capabilities.

The infection begins with a phishing email delivering an archive file containing DBatLoader. This triggers an obfuscated .cmd script, which executes SndVol.exe (Windows Volume Control) with Remcos RAT injected into its process memory. 


The chain is as follows: Phishing Email → Archive → DBatLoader → Obfuscated .cmd → SndVol.exe (Remcos Injected).

Technical Analysis

The campaign employs a series of sophisticated techniques to evade detection and maintain persistence. It begins with obfuscation using BatCloak, which encrypts and scrambles .cmd scripts to hinder static analysis, allowing these scripts to covertly download and execute the malicious payload.

Process injection further enhances stealth. Remcos injects its code into trusted Windows processes like SndVol.exe (Volume Control) and colorcpl.exe (Color Management), enabling the malware to operate under the guise of legitimate system activity and bypass process-based detection.

For persistence, the campaign creates scheduled tasks that execute a Cmwdnsyn.url file, which acts as a dropper to launch a .pif file containing the malicious payload, ensuring the RAT remains active across system reboots.

Additionally, the campaign abuses Esentutl.exe, a legitimate Windows utility, as a Living Off the Land Binary (LOLBAS) to copy cmd[.]exe into a file named alpha[.]pif, disguising the command-line interpreter as a benign file for covert command execution.

The most critical technique is the UAC bypass, achieved by exploiting Windows’ folder naming behavior with a mock directory, “C:\Windows ” (with a trailing space), which the system treats as distinct from the legitimate “C:\Windows” path. This allows the malware to store and execute payloads from a location that masquerades as trusted without triggering UAC prompts.

The campaign’s reliance on legitimate Windows tools and stealth techniques, such as process injection and LOLBAS, makes it difficult to detect using signatures.

Behavioral detection is critical, focusing on anomalous file paths (e.g., directories with trailing spaces), unusual process behavior (e.g., SndVol.exe initiating network connections), and suspicious scheduled tasks or .pif/.url file executions.
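The detection guidance above, and the trailing-space mock directory described under the UAC bypass, worked as an added example (this is not code from the article, ANY.RUN, or any vendor): a Python triage pass over constructed Sysmon-style process and network events that flags a path impersonating a trusted directory through trailing whitespace, esentutl.exe writing a .pif file, a scheduled task pointing at a .pif/.url file, and SndVol.exe/colorcpl.exe opening network connections. The event field names, the esentutl `/y`/`/d` copy switches, the task name and the 203.0.113.7 address are constructed or assumed for the sample, not indicators from the campaign.

```python
"""Behavioral triage of Sysmon-style events for the tradecraft described in the
article: mock trusted directories, LOLBAS abuse and .pif/.url persistence.
Added example with constructed data; field names are assumptions."""
from __future__ import annotations

import ntpath
import re

# Directories Windows treats as trusted for auto-elevation. A lookalike whose
# components differ only by trailing whitespace (or dots, which Win32 would
# normally strip) is the mock-directory trick.
TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

# Quiet system binaries the article names as injection hosts; they have no
# business opening network connections on their own.
QUIET_SYSTEM_BINARIES = ("sndvol.exe", "colorcpl.exe")


def split_components(path: str) -> list[str]:
    """Split a Windows path into drive plus non-empty components."""
    drive, rest = ntpath.splitdrive(path)
    return [drive] + [p for p in rest.replace("/", "\\").split("\\") if p]


def has_trailing_space_component(path: str) -> bool:
    """True if any component (after the drive) ends in whitespace or a dot."""
    return any(c != c.rstrip(" .") for c in split_components(path)[1:])


def mock_trusted_dir(path: str) -> str | None:
    """Return the trusted directory this path impersonates, or None.

    Impersonation means: as written the path is NOT under a trusted directory,
    but it IS once trailing whitespace/dots are stripped from every component.
    """
    if not has_trailing_space_component(path):
        return None
    lowered = path.lower()
    if any(lowered.startswith(t + "\\") for t in TRUSTED_DIRS):
        return None  # genuinely inside the trusted directory, not a lookalike
    normalized = "\\".join(c.rstrip(" .") for c in split_components(path)).lower()
    for trusted in TRUSTED_DIRS:
        if normalized == trusted or normalized.startswith(trusted + "\\"):
            return trusted
    return None


def triage_event(ev: dict) -> list[str]:
    """Return human-readable findings for one event (empty list if benign)."""
    findings: list[str] = []
    image = ev.get("image", "")
    exe = ntpath.basename(image).lower()
    cmdline = ev.get("command_line", "")
    kind = ev.get("event")

    if kind == "process_create":
        impersonated = mock_trusted_dir(image)
        if impersonated:
            findings.append(f"mock trusted directory: {image!r} impersonates {impersonated}")
        if exe == "esentutl.exe" and re.search(r"\.pif\b", cmdline, re.I):
            findings.append("esentutl.exe writing a .pif file (LOLBAS copy of an interpreter)")
        if exe == "schtasks.exe" and re.search(r"\.(pif|url)\b", cmdline, re.I):
            findings.append("scheduled task whose action is a .pif/.url file")
    elif kind == "network_connect" and exe in QUIET_SYSTEM_BINARIES:
        findings.append(f"{exe} initiating a network connection to {ev.get('dest')}")
    return findings


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Run triage_event over a sequence of events; returns (index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in triage_event(ev)]


# Constructed sample telemetry, not observed events. 203.0.113.7 is a
# documentation (TEST-NET-3) address used as a placeholder.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows \System32\SndVol.exe",
     "command_line": r'"C:\Windows \System32\SndVol.exe"'},
    {"event": "process_create",
     "image": r"C:\Windows\System32\esentutl.exe",
     "command_line": r"esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn Updater /tr "C:\Users\Public\Cmwdnsyn.url" /sc onlogon'},
    {"event": "network_connect",
     "image": r"C:\Windows\System32\SndVol.exe",
     "dest": "203.0.113.7:443"},
    {"event": "process_create",  # benign control event
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for index, finding in triage(SAMPLE_EVENTS):
        print(f"event[{index}]: {finding}")
```

The path check deliberately compares the path as written against its whitespace-stripped form rather than matching a fixed string like "C:\Windows ", so it also catches a trailing dot or a trailing space on a deeper component; the process and network rules are intentionally narrow (exact binary names the article cites) to keep false positives low in a real SIEM.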

Analysis with ANY.RUN

The ANY.RUN interactive sandbox provides visibility into these evasive techniques, enabling analysts to observe LOLBAS abuse, process injection, and UAC bypass in a controlled environment. The full analysis is available at ANY.RUN Analysis.

This campaign demonstrates advanced evasion through UAC bypass, LOLBAS abuse, and obfuscation, highlighting the need for behavioral analysis and real-time sandboxing to detect and mitigate such threats. Security teams should prioritize monitoring for unusual system activity and leverage tools like ANY.RUN for rapid threat analysis.


Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.