AsyncRAT and Remcos delivered in an optimistic campaign
Essential information
- Published
- 24/06/2026 11:33
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- asyncrat heavy obfuscation phishing remcos steganography
- Related entities
- 70 indicators, 13 observables, 11 techniques (mitre)
Description
A global phishing campaign targets business functions with emails carrying malicious Excel attachments that initiate a multi-stage infection chain when macros are enabled.
The attack uses layered obfuscation, including HTA scripts, PowerShell, encoded payloads, and steganography in PNG files, to deliver and execute Remote Access Trojans such as Remcos and AsyncRAT in a largely fileless manner.
It achieves scale and persistence through high variability, automation, disposable infrastructure, and consistent patterns that help evade detection despite relatively simple techniques.