Traditional malware campaigns have long relied on dropping executable files onto disk—artifacts that security tools can scan, quarantine, and analyze using signature-based detection. These files often leave behind clear traces that defenders can investigate during incident response.
However, modern adversaries have increasingly shifted toward fileless attack techniques. Instead of writing payloads to disk, these attacks execute malicious code directly in memory and abuse trusted system components to evade detection. This approach significantly reduces forensic visibility while enabling attackers to deploy payloads more rapidly and at scale. Remcos RAT, a widely used commodity remote access trojan, clearly illustrates this evolution.
Earlier campaigns involving Remcos typically relied on straightforward file delivery methods. Today, operators are adopting multi-stage, memory-resident infection chains, replacing static payloads with layered scripting, in-memory decryption, and process injection.
This blog analyzes a recent Remcos RAT campaign observed during our investigation that demonstrates this transition in action—from phishing-based initial access to fully fileless execution using JavaScript, PowerShell, and a managed .NET injector. By examining the attack chain from the victim’s inbox to memory execution, we highlight how traditional malware delivery methods are being replaced by stealthier, behavior-driven techniques. The analysis also underscores why defenders must adopt memory-centric and behavior-based detection strategies to keep pace with this shift.
Remcos RAT Infection Chain
Our analysis identified a multi-stage fileless Remcos RAT infection chain that begins with procurement-themed phishing emails used to gain initial access. The campaign delivers a compressed archive attachment containing a JavaScript downloader, which retrieves an AES-obfuscated PowerShell payload from attacker-controlled infrastructure.

Once decrypted, the PowerShell script acts as a memory-resident loader and watchdog, reflectively loading a managed .NET injector. This injector performs process hollowing against a legitimate Windows executable, aspnet_compiler.exe. The final Remcos RAT payload is injected into this process and executed entirely in memory, leaving no payload artifacts on disk.
This execution chain demonstrates common tradecraft seen in commodity malware operations, including layered scripting, managed code injection, abuse of legitimate Windows utilities, and fileless execution techniques often associated with Initial Access Brokers (IABs) and Remcos RAT affiliates.
Phishing Email Delivery and Initial Execution
The infection process begins with procurement-themed spam emails that use generic Request for Quotation (RFQ) lures to impersonate legitimate business communications. The sender identity is spoofed to resemble a marine and industrial company, and the subject lines frequently indicate SPF violations, which may signal email spoofing.

The emails contain an archived attachment disguised as a quotation document. Inside the archive is a JavaScript file masquerading as a business document, using a misleading filename to appear legitimate. When executed, the script initiates the download of the next-stage payload from attacker-controlled infrastructure.
JavaScript Downloader and Encrypted PowerShell Retrieval
Once executed, the JavaScript attachment functions as a minimal downloader, whose sole purpose is to retrieve the next stage of the infection chain. The script issues an HTTP request to attacker-controlled infrastructure to download the payload. The downloaded file is an AES-encrypted PowerShell script that is executed directly in memory instead of being written to disk.
The JavaScript stage performs only minimal logic, deliberately keeping its behavior simple to reduce detection risk. All major functionality—including decryption, execution, and persistence—is handled by the PowerShell loader.
This modular design reflects a common pattern in modern malware campaigns: initial scripts act solely as delivery mechanisms, allowing attackers to update or replace later-stage payloads hosted remotely without modifying the initial infection vector.
Decoded PowerShell Loader – In-Memory AES Decryption and Execution
After retrieval, the decrypted PowerShell script operates as a fully fileless loader, performing AES decryption entirely in memory. The script uses embedded Base64-encoded keys and Initialization Vector (IV) values to reconstruct the payload from multiple encoded fragments.
The decryption process uses AES-256 in CBC mode with PKCS7 padding, ensuring that no intermediate artifacts are written to disk.
Following decryption, the PowerShell loader places two executable payloads directly into memory:
- A Base64-encoded .NET injector assembly
- A Remcos RAT payload stored as raw decimal byte data
The injector assembly is then reflectively loaded, enabling it to perform process hollowing against the legitimate Windows binary aspnet_compiler.exe. Once the process is hollowed, the Remcos RAT payload is injected and executed inside it.
At this stage, the malware is fully memory-resident, operating without leaving any traditional file artifacts on disk.
Fileless .NET Injector Using Process Hollowing
The decrypted PowerShell loader loads the managed .NET injector assembly directly into memory, avoiding any interaction with the file system. The injector exposes a static method responsible for performing process hollowing against the trusted Windows executable aspnet_compiler.exe.
By creating and hollowing a legitimate process, the malware replaces the process memory with the malicious payload while inheriting the identity of the original executable. This allows the attacker to run malicious code under the context of a signed and commonly used .NET utility, significantly reducing the likelihood of detection by both behavioral and signature-based security tools.
Final Stage: Memory-Resident Remcos RAT Operation
In the final stage, Remcos RAT runs entirely in memory within the hollowed aspnet_compiler.exe process. The malware initializes its runtime environment, decrypts its configuration data, and launches several worker threads responsible for command-and-control communication, surveillance activities, and persistence mechanisms.
By executing solely in memory and leveraging a trusted Windows component, the RAT significantly minimizes forensic artifacts while maintaining full remote access capabilities.
Analysis of the Final Remcos RAT Payload
The final payload is a Visual C++ compiled executable with a size of 481.5 KB.
The first routine executed by the malware is a runtime initialization function responsible for dynamically resolving all required Windows APIs.
This routine loads the necessary system libraries and retrieves the corresponding function pointers at runtime. This approach enables the malware to operate across different Windows versions while minimizing its static import footprint, making static analysis more difficult.
Configuration Decryption
After initialization, the malware decrypts its configuration data from a suspicious resource labeled “SETTINGS.” The resource contains encrypted configuration data. In the analyzed sample, the resource size is 0x2C8 bytes, consisting of:
- 0xC8 bytes: RC4 encryption key
- 0x200 bytes: Encrypted configuration data
After decryption, the configuration reveals critical operational details, including:
- C2 server domains
- Port number: 2404
- Hostname: RemaHost1
- Mutex name: Rmc-ZOCNDU
- Keylogging file names
- Collected system information
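The SETTINGS resource layout described above (0xC8-byte RC4 key followed by 0x200 bytes of ciphertext) lends itself to a small analyst-side config extractor. The following is an added example, not code from the original post: it builds a constructed resource blob with that layout, decrypts it with RC4, and splits the plaintext on an assumed delimiter (the post only states that Remcos uses a delimiter-based format; the exact separator is not given here).

```python
from typing import List

KEY_LEN = 0xC8        # RC4 key length observed in the analysed sample
CFG_LEN = 0x200       # encrypted configuration length
RESOURCE_LEN = KEY_LEN + CFG_LEN  # 0x2C8, the SETTINGS resource size


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(resource: bytes) -> bytes:
    """Split a SETTINGS resource into key + ciphertext and return the plaintext."""
    if len(resource) != RESOURCE_LEN:
        raise ValueError(f"unexpected resource size 0x{len(resource):X}, expected 0x{RESOURCE_LEN:X}")
    key, blob = resource[:KEY_LEN], resource[KEY_LEN:]
    return rc4(key, blob)


def parse_config(plain: bytes, delimiter: bytes = b"|") -> List[str]:
    """Strip zero padding and split on the (assumed) field delimiter."""
    return [f.decode("latin-1") for f in plain.rstrip(b"\x00").split(delimiter)]


def build_sample_resource() -> bytes:
    """Constructed test blob: a deterministic key plus an RC4-encrypted, zero-padded config.
    The C2 host is a placeholder; the hostname, mutex and log name come from the analysis."""
    key = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))
    config = b"|".join([b"c2.example.invalid:2404", b"RemaHost1", b"Rmc-ZOCNDU", b"logs.dat"])
    return key + rc4(key, config.ljust(CFG_LEN, b"\x00"))


if __name__ == "__main__":
    print(parse_config(decrypt_settings(build_sample_resource())))
```

On a real sample the blob passed to decrypt_settings would come from the extracted SETTINGS resource, with the delimiter adjusted to whatever the sample actually uses.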
Mutex Creation and Single-Instance Control
Following configuration extraction, the malware performs an execution control check to ensure that only one instance runs on the system.
This is implemented using the CreateMutexA function with the mutex name Rmc-ZOCNDU. By checking GetLastError after the call (ERROR_ALREADY_EXISTS indicates that the mutex was already present), the malware determines whether another instance is already active. If the mutex exists, execution is terminated or modified to prevent duplicate infections and reduce operational noise.
Host OS and Architecture Enumeration
Next, Remcos RAT profiles the host environment by identifying the operating system version and architecture.
The malware first determines whether it is running in a 32-bit or 64-bit process context. It then queries the Windows registry key: SOFTWARE\Microsoft\Windows NT\CurrentVersion to retrieve the OS product name.
To distinguish Windows 10 from Windows 11, the malware reads the CurrentBuildNumber value; the product name string alone is not a reliable discriminator, since Windows 11 still reports itself as Windows 10 there. Systems with build numbers ≥ 22000 are classified as Windows 11. The detected OS version and architecture are appended to the system profile and later transmitted during C2 registration.
Local Log File Creation and Offline Data Buffering
Before establishing communication with the C2 server, Remcos RAT creates a local log file at: C:\ProgramData\rema\logs.dat
This file stores runtime events and collected data, allowing the malware to buffer surveillance information when network exfiltration is not immediately possible.
Observed log entries confirm activation of the offline keylogger module, along with execution metadata such as:
- Process identifiers (PID)
- Thread context
- Privilege levels
Clipboard capture events are also recorded in plaintext, demonstrating the malware’s ability to monitor and store sensitive user activity locally. Once network connectivity is available, this data is staged for exfiltration.
Command-and-Control (C2) Communication and Host Registration
After completing initialization and system profiling, Remcos RAT establishes an outbound connection to its C2 infrastructure.
In-memory status buffers indicate:
Connected | TLS Off
This suggests that the C2 channel operates without transport-layer encryption.
Immediately after establishing the connection, the malware sends an initial registration beacon containing a system profile.
The transmitted data includes:
- Host name: RemaHost1
- Campaign identifier: Rmc-ZOCNDU
- OS details: Windows 10 Enterprise (64-bit)
- Process name and PID
- Privilege level
- File paths
- CPU model
The beacon also reveals the local log file path: C:\ProgramData\rema\logs.dat
Although the traffic may appear malformed when interpreted as IEC 60870-5-104 (a mis-dissection that occurs because TCP port 2404 is that protocol's default port), it actually represents Remcos RAT’s custom delimiter-based C2 protocol transmitted over raw TCP.
This communication confirms successful infection and marks the transition from local reconnaissance to fully interactive remote access.
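The host-side behaviours described above (aspnet_compiler.exe spawned by a script host, creation of C:\ProgramData\rema\logs.dat, and an outbound connection from that process to port 2404) map directly onto Sysmon-style telemetry. The following detection logic is an added example, not code from the original post; the events are constructed dictionaries with Sysmon field names (EventID 1 process create, 11 file create, 3 network connection), and the executable paths are illustrative.

```python
from typing import Dict, List, Tuple

# Indicators taken from the analysis above
LOG_FILE = r"C:\ProgramData\rema\logs.dat"
C2_PORT = 2404
HOLLOWED_IMAGE = "aspnet_compiler.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def _image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict) -> List[str]:
    """Return the names of the rules an event triggers (empty list if none)."""
    hits: List[str] = []
    eid = event.get("EventID")
    image = _image_name(event.get("Image", ""))
    parent = _image_name(event.get("ParentImage", ""))
    # Process hollowing target launched by the PowerShell/JScript stage
    if eid == 1 and image == HOLLOWED_IMAGE and parent in SCRIPT_HOSTS:
        hits.append("aspnet_compiler_spawned_by_script_host")
    # Offline keylogger/clipboard buffer created before C2 contact
    if eid == 11 and event.get("TargetFilename", "").lower() == LOG_FILE.lower():
        hits.append("remcos_offline_log_created")
    # A compiler utility has no reason to initiate outbound connections on the C2 port
    if eid == 3 and image == HOLLOWED_IMAGE and event.get("Initiated") is True \
            and event.get("DestinationPort") == C2_PORT:
        hits.append("aspnet_compiler_outbound_c2_port")
    return hits


def hunt(events: List[Dict]) -> List[Tuple[int, str]]:
    """Run classify over a batch of events and return (EventID, rule) pairs."""
    return [(e["EventID"], rule) for e in events for rule in classify(e)]


# Constructed sample telemetry: three malicious events followed by one benign build-tool launch
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": ASPNET,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 11, "Image": ASPNET, "TargetFilename": r"C:\ProgramData\rema\logs.dat"},
    {"EventID": 3, "Image": ASPNET, "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 2404},
    {"EventID": 1, "Image": ASPNET, "ParentImage": r"C:\Program Files\MSBuild\MSBuild.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The mutex Rmc-ZOCNDU is not visible in Sysmon but can be added as a further condition where the EDR in use records object creation.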
Conclusion
This investigation highlights a fully fileless Remcos RAT attack chain that leverages layered scripting, in-memory decryption, managed code injection, and process hollowing to achieve stealthy and persistent execution.
By eliminating on-disk payload artifacts and abusing legitimate Windows components, the malware significantly reduces its forensic footprint while maintaining reliable remote access.
Runtime behaviors such as dynamic API resolution, mutex-based execution control, host profiling, and offline data buffering demonstrate a mature and configurable malware framework designed for operational stability.
The successful C2 registration beacon confirms that the infected system has transitioned into an interactive remote access phase.
Overall, this campaign reflects the evolution of commodity malware tradecraft, where fileless techniques and living-off-the-land (LOLBins) strategies are becoming standard practice. As a result, organizations must shift toward memory-focused and behavior-based detection approaches to effectively identify and mitigate these threats.
To strengthen defenses, organizations should:
- Restrict misuse of native system tools
- Enforce least-privilege access policies
- Deploy security controls capable of inspecting memory and script execution
- Enable centralized logging and command-line monitoring
- Conduct proactive threat hunting activities
- Implement network segmentation
- Provide continuous security awareness training
These measures help reduce the likelihood of social engineering attacks, lateral movement, and stealthy malware persistence.
