{
  "name": "LNK Trojan delivers REMCOS",
  "slug": "lnk-trojan-delivers-remcos",
  "description": "This report details a multi-stage malware campaign delivering the REMCOS backdoor via a malicious Windows LNK shortcut file. The attack begins with social engineering, leverages PowerShell for initial execution, and deploys a persistent backdoor capable of full system compromise. The infection chain involves file download, Base64 decoding, and execution of a malicious PIF file masquerading as a Chrome-related program. The LNK file contains a PowerShell command that downloads a payload, which is then Base64-decoded and run as CHROME.PIF. This file is identified as the REMCOS backdoor, capable of various malicious activities including keylogging, screen capture, and remote access. The attack uses multiple stages to evade detection and establish persistence on the victim's system.",
  "published": "2025-07-30T12:55:09+00:00",
  "created_at": "2025-07-30T12:55:09+00:00",
  "modified_at": "2025-07-30T13:20:40+00:00",
  "created_at_opencti": "2025-07-30T12:55:09+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-30",
    "backdoor",
    "base64 encoding",
    "c2 communication",
    "keylogger",
    "lnk file",
    "multi-stage attack",
    "pif file",
    "powershell",
    "remcos"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "92.82.184.33"
      },
      {
        "id": "",
        "name": "198.23.251.10"
      },
      {
        "id": "",
        "name": "http://shipping-hr.ro/m/r/r.txt"
      },
      {
        "id": "",
        "name": "shipping-hr.ro"
      },
      {
        "id": "",
        "name": "mal289re1.es"
      },
      {
        "id": "",
        "name": "506ecb76cf8e39743ec06129d81873f0e4c1ebfe7a352fc5874d0fc60cc1d7c6"
      },
      {
        "id": "",
        "name": "5ec8268a5995a1fac3530acafe4a10eab73c08b03cabb5d76154a7d693085cc2"
      },
      {
        "id": "",
        "name": "8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:196436899fefaba3",
        "name": "REMCOS",
        "slug": "remcos"
      }
    ],
    "attack_patterns": [
      {
        "id": "f90b00e3-95b7-432f-b163-6a9a2102e598",
        "name": "T1060"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Romania"
      },
      {
        "id": "",
        "name": "United States of America"
      }
    ]
  },
  "external_refs": [
    "https://www.pointwild.com/threat-intelligence/trojan-winlnk-powershell-runner",
    "https://otx.alienvault.com/pulse/688a324d62b64db244b9463f"
  ]
}