{
  "name": "From Inbox to Intrusion: Multi\u2011Stage Remcos RAT and C2\u2011Delivered Payloads in Network",
  "slug": "from-inbox-to-intrusion-multistage-remcos-rat-and-c2delivered-payloads-in-network",
  "description": "This multi-stage fileless Remcos RAT attack leverages a phishing-delivered JavaScript dropper to trigger a reflective PowerShell loader that executes payloads entirely in memory. The infection chain utilizes obfuscation techniques like rotational XOR and Base64 encoding to reconstruct .NET payloads, significantly reducing the disk-based detection footprint. Stealth is maintained by using aspnet_compiler.exe as a LOLBin to proxy malicious execution and dynamically retrieving the final payload from a remote C2 server.",
  "published": "2026-04-01T11:16:56+00:00",
  "created_at": "2026-04-01T11:16:56+00:00",
  "modified_at": "2026-04-01T13:26:26+00:00",
  "created_at_opencti": "2026-04-01T11:16:56+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-01",
    "js dropper",
    "phishing",
    "rat",
    "remcos",
    "remote access trojan"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://192-3-27-141.host.colocrossing.com:8087"
      },
      {
        "id": "",
        "name": "ee25bbfc7de3f5b04d555c0f754645286ccb27be8a1e618c9ef9d239d22b083e"
      }
    ],
    "malware": [
      {
        "id": "29d292f7-f50d-4c23-900d-035ab7488290",
        "name": "Remcos",
        "slug": "remcos"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "192-3-27-141.host.colocrossing.com"
      },
      {
        "id": "",
        "name": "almacensantangel.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69cd1ac8518646002a1a0fbc",
    "https://www.pointwild.com/threat-intelligence/from-inbox-to-intrusion-multi-stage-remcos-rat-and-c2-delivered-payloads-in-network/"
  ]
}