LNK Trojan delivers REMCOS
Essential information
- Published: 30/07/2025 14:55
- Modified: 30/07/2025 15:20
- Tags: 2025-07-30, backdoor, base64 encoding, c2 communication, keylogger, lnk file, multi-stage attack, pif file, powershell, remcos
- Related entities: 8 observables, 12 techniques (mitre), 1 malware, 2 others
Description
This report details a multi-stage malware campaign that delivers the REMCOS backdoor via a malicious Windows LNK shortcut file. The attack begins with social engineering, uses PowerShell for initial execution, and deploys a persistent backdoor capable of full system compromise. The infection chain involves file download, Base64 decoding, and execution of a malicious PIF file masquerading as a Chrome-related program: the LNK file contains a PowerShell command that downloads and executes a payload, which is then decoded and run as CHROME.PIF. This file is identified as the REMCOS backdoor, whose capabilities include keylogging, screen capture, and remote access. The attack uses multiple stages to evade detection and establish persistence on the victim's system.
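Detection logic for the chain described above, as an added example that is not part of the original report: it scores process-creation events for the download, Base64-decode and .pif stages. The regexes, event field names, hosts, paths and sample events are constructed assumptions, not indicators taken from the report.

```python
import re

# Stage patterns derived from the description (download, Base64 decode, .pif).
# They are assumed heuristics for illustration, not IoCs from the report.
CMD_STAGES = {
    "download": re.compile(
        r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I),
    "base64-decode": re.compile(r"frombase64string|certutil(\.exe)?\s+-decode", re.I),
    "pif-reference": re.compile(r"\.pif\b", re.I),
}
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)
PIF_IMAGE = re.compile(r"\.pif$", re.I)

def score_event(event):
    """Return the chain stages visible in one process-creation event."""
    hits = []
    if POWERSHELL.search(event["image"]):
        hits = [n for n, rx in CMD_STAGES.items() if rx.search(event["command_line"])]
    if PIF_IMAGE.search(event["image"]):
        hits.append("pif-execution")  # a .pif file running as a process
    return hits

def triage(events):
    """Alert when PowerShell shows two or more stages, or a .pif image executes."""
    alerts = []
    for ev in events:
        hits = score_event(ev)
        if "pif-execution" in hits or len(hits) >= 2:
            alerts.append((ev["host"], ev["image"].rsplit("\\", 1)[-1], hits))
    return alerts

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events; command lines are abbreviated with <placeholders>.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": PS, "command_line":
        "powershell.exe -c iwr <url> -OutFile <tmp>; "
        "... FromBase64String(<data>) ... CHROME.PIF"},
    {"host": "ws-01", "image": r"C:\Users\Public\CHROME.PIF",
     "command_line": "CHROME.PIF"},
    {"host": "ws-02", "image": PS, "command_line":
        "powershell.exe -c Invoke-WebRequest <url> -OutFile report.csv"},
    {"host": "ws-03", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe --type=renderer"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

A lone download (ws-02) or the genuine chrome.exe (ws-03) does not alert; requiring two stages in one PowerShell command line keeps routine admin scripts out of the queue.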