216.73.217.19

Behind the Refund: From GST Phishing to Remcos RAT Through a Multi-Stage .NET Infection Chain

· Published 17/07/2026 13:18

Export JSON

Essential information

Published
17/07/2026 13:18
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
bitmap steganography credential theft dynamic dns fileless execution gst phishing india targeting multi-stage loader remcos rat
Related entities
24 techniques (mitre), 1 malware

Description

A sophisticated phishing campaign targeting Indian businesses and taxpayers leverages GST-related themes to distribute through a multi-stage .NET framework. Threat actors impersonate Government of India GST communications using fraudulent refund notifications with convincing ARN references. The attack chain begins with a malicious RAR archive containing a .NET executable that employs bitmap-based payload concealment techniques. Through successive stages including Windows Health Optimizer Plus.dll and perfgurd.dll, the malware deploys entirely in memory, establishing persistence via PowerShell scripts and registry modifications. Command-and-control infrastructure utilizes services with randomized subdomains under aofmokighoig.hath.network. The deployed enables remote command execution, keylogging, credential harvesting, file manipulation, and comprehensive system reconnaissance capabilities, representing a financially motivated cybercrime operation specifically t...

External references