216.73.217.22

From Inbox to Intrusion: Multi‑Stage Remcos RAT and C2‑Delivered Payloads in Network

· Published 01/04/2026 13:16 · Modified 01/04/2026 15:26


Essential information

Published
01/04/2026 13:16
Modified
01/04/2026 15:26
Tags
2026-04-01 js dropper phishing rat remcos remote access trojan
Related entities
2 observables, 1 malware, 2 others

Description

This multi-stage, mostly fileless attack starts with a phishing-delivered JavaScript dropper that launches a reflective PowerShell loader, which in turn runs its payloads entirely in memory. The chain layers its obfuscation, a rotating (key-cycling) XOR pass over Base64-encoded data, to reconstruct .NET payloads at runtime, so little of the malicious content ever touches disk and file-based detection has far less to work with. To stay stealthy, the loader proxies execution through aspnet_compiler.exe, a signed Microsoft binary abused as a LOLBin, and fetches the final Remcos RAT payload on demand from a remote C2 server.
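The Base64-plus-rotating-XOR layering described above is simple enough that an analyst can unwrap it without running the loader. The following Python is an added example written for this page, not code from the report or from the malware: it implements the decoder, a cheap "is this a PE" sanity check (a .NET assembly is still a PE file), and a known-plaintext key recovery that exploits the predictable DOS header of a PE. The sample payload, the key `k3y!` and the `STANDARD_DOS_PREFIX` constant are constructed for the example; the prefix matches the first 16 bytes most Microsoft linkers emit, but treat it as an assumption and adjust it for the sample in hand.

```python
import base64
from typing import Optional

# Constructed example data: the first 16 bytes of a typical MS-linked PE DOS header.
# Assumption for this example; real samples may differ, so verify against a known-good file.
STANDARD_DOS_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000")


def rotating_xor(data: bytes, key: bytes) -> bytes:
    """XOR byte i with key[i % len(key)]: the 'rotational XOR' pattern from the report."""
    if not key:
        raise ValueError("key must be non-empty")
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def encode_payload(payload: bytes, key: bytes) -> str:
    """Produce the layered blob the loader would carry: XOR first, then Base64."""
    return base64.b64encode(rotating_xor(payload, key)).decode("ascii")


def decode_payload(blob: str, key: bytes) -> bytes:
    """Reverse the layering: Base64-decode, then undo the rotating XOR."""
    return rotating_xor(base64.b64decode(blob), key)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew offset read from 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob: str, known_prefix: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext attack on the DOS header.

    For each candidate key length L (up to the known prefix length), derive
    key[i] = cipher[i] ^ known_prefix[i] for i < L, decrypt the whole blob with that
    key, and accept the first key that yields a well-formed PE. Wrong lengths corrupt
    e_lfanew or the 'MZ' bytes and fail the check.
    """
    cipher = base64.b64decode(blob)
    for length in range(1, min(max_key_len, len(known_prefix), len(cipher)) + 1):
        key = bytes(cipher[i] ^ known_prefix[i] for i in range(length))
        if looks_like_pe(rotating_xor(cipher, key)):
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a .NET payload: DOS header (e_lfanew = 0x80), DOS stub,
    then a minimal PE signature. Not a loadable binary, just enough to exercise the checks."""
    dos_header = bytes.fromhex(
        "4d5a90000300000004000000ffff0000"
        "b8000000000000004000000000000000"
        "00000000000000000000000000000000"
        "00000000000000000000000080000000"
    )
    stub = (
        b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
        b"This program cannot be run in DOS mode.\r\r\n$"
    )
    padding = b"\x00" * (0x80 - len(dos_header) - len(stub))
    pe_header = b"PE\x00\x00" + b"\x4c\x01\x03\x00" + b"\x00" * 24
    return dos_header + stub + padding + pe_header


SAMPLE_PAYLOAD = build_sample_pe()
SAMPLE_KEY = b"k3y!"  # constructed key for the example


if __name__ == "__main__":
    blob = encode_payload(SAMPLE_PAYLOAD, SAMPLE_KEY)
    print("recovered key:", recover_key(blob, STANDARD_DOS_PREFIX))
    print("decoded is PE:", looks_like_pe(decode_payload(blob, SAMPLE_KEY)))
```

In practice the blob and key come from the PowerShell stage (script block logging, Event ID 4104, captures the decoded loader text even when nothing is written to disk), and `recover_key` is for the case where the key is computed at runtime rather than embedded. Once the decoded bytes pass `looks_like_pe`, hand them to a .NET disassembler rather than trusting the XOR result blindly.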

External references