New Remcos Campaign Distributed Through Fake Shipping Document
Essential information
- Published: 19/01/2026 09:40
- Modified: 19/01/2026 09:58
- Tags: 2026-01-19, CVE-2017-11882, fileless malware, phishing, process-hollowing, remcos, remcos rat, remote access tool
- Related entities: 1 vulnerability (CVE), 13 observables, 19 techniques (MITRE), 1 malware
Description
A new phishing campaign has been discovered that delivers a fileless variant of the Remcos RAT. The attack begins with an email impersonating a Vietnamese shipping company, luring the recipient into opening a malicious Word document. That document retrieves a remote RTF file, which exploits a vulnerability (tagged above as CVE-2017-11882) and runs VBScript and PowerShell code, resulting in a .NET module being loaded directly into memory. The module acts as both loader and persistence mechanism for the Remcos payload. The Remcos variant (version 7.0.4 Pro) is downloaded into memory and injected into a legitimate system process via process hollowing, so no Remcos executable is written to disk. It offers extensive remote-control capabilities across six categories, including system management, surveillance, networking, communication, and agent control. The analysis details the infection chain, the payload structure, and the Remcos feature set, providing insight into this attack methodology.