👤 CRYSTALPROXY
🗓️ 14 Mar 2026  

Stealth in the Shadows: How Remcos RAT Slips Past Defenses with Fileless Tactics

A new multi-stage malware campaign leverages JavaScript, PowerShell, and process hollowing to evade detection and establish covert control.

It starts like any other mundane day in the inbox: a business request, a price offer, an urgent quotation. But behind these routine emails lurks a sophisticated digital predator - one that leaves barely a trace. Security researchers are sounding the alarm about a new wave of Remcos RAT attacks that never touch the disk, instead thriving in the shadows of memory and trusted Windows processes. This is cybercrime’s latest evolution: fileless, multi-stage, and nearly invisible.

The Anatomy of a Fileless Attack

The campaign begins innocently enough: a phishing email, themed as a request-for-quotation (RFQ), lands in a victim’s inbox. The attached archive contains a JavaScript file masquerading as a business document. When opened, this script quietly reaches out to attacker-controlled servers, downloading an encrypted PowerShell payload.

What sets this attack apart is its commitment to stealth. The PowerShell script decrypts its contents in memory, never writing the malicious code to disk. This memory-only execution is a nightmare for defenders, who can’t rely on the usual telltale files or artifacts. The decrypted script loads two more components - first, a .NET-based injector, and second, the Remcos RAT itself.

The injector then employs “process hollowing,” a technique where a legitimate Windows process (in this case, aspnet_compiler.exe) is started, its memory wiped, and replaced with malicious code. To the untrained eye - and many security tools - the malware is simply a trusted Windows process running as normal.

Invisible, Persistent, and Hard to Stop

Once active, Remcos RAT operates entirely in memory, establishing persistence and preparing for long-term control. It dynamically resolves Windows APIs and decrypts its own configuration on the fly. The malware checks the system’s architecture, privilege level, and other details to ensure it’s running optimally and exclusively.

For organizations, this campaign is a wake-up call. The use of commodity malware like Remcos RAT is nothing new, but the sophistication of these fileless, script-driven attacks is escalating. Traditional defenses - focused on scanning files - are rendered toothless. Instead, defenders must pivot to monitoring script execution, memory behavior, process injection, and network anomalies if they hope to spot such threats before sensitive data or systems are compromised.
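A defender-side sketch of the monitoring this paragraph calls for, added here as an example that is not from the article or from any vendor product: it runs three rules over constructed Sysmon-style process-creation and network records that mirror the chain described above (a script host launching encoded PowerShell, PowerShell starting an argument-less aspnet_compiler.exe, and that host then opening a network connection). Field names follow Sysmon; the paths, the encoded blob, the IP address and the port are invented placeholders, not indicators from the campaign.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
HOLLOW_HOSTS = {"aspnet_compiler.exe"}  # trusted .NET host named in the article
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\b", re.I)

def exe(path):
    return ntpath.basename(path).lower()

def script_host_encoded_powershell(ev):
    # Stage 1 -> 2: a JScript/VBScript host launching PowerShell with -enc.
    return (ev["EventID"] == 1 and exe(ev["Image"]) == "powershell.exe"
            and exe(ev["ParentImage"]) in SCRIPT_HOSTS
            and ENCODED_PS.search(ev["CommandLine"]) is not None)

def hollowing_candidate(ev):
    # Stage 3: the hollowed host is started by PowerShell (or a script host)
    # with no arguments, which a compiler launched for real work never is.
    if ev["EventID"] != 1 or exe(ev["Image"]) not in HOLLOW_HOSTS:
        return False
    no_args = len(ev["CommandLine"].split(maxsplit=1)) == 1
    return no_args and exe(ev["ParentImage"]) in SCRIPT_HOSTS | {"powershell.exe"}

def hollow_host_network(ev):
    # Stage 4: a build tool has no reason to open outbound connections.
    return ev["EventID"] == 3 and exe(ev["Image"]) in HOLLOW_HOSTS

RULES = [script_host_encoded_powershell, hollowing_candidate, hollow_host_network]

def analyze(events):
    """Return (rule name, image) for every event a rule matches."""
    return [(r.__name__, exe(ev["Image"])) for ev in events for r in RULES if r(ev)]

# Constructed Sysmon-style records (EventID 1 = process create, 3 = network);
# paths, the -enc blob and the IP are placeholders, not indicators from the page.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASP = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\user\Downloads\RFQ.js"'},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc <BASE64_PLACEHOLDER>"},
    {"EventID": 1, "Image": ASP, "ParentImage": PS, "CommandLine": "aspnet_compiler.exe"},
    {"EventID": 3, "Image": ASP, "DestinationIp": "203.0.113.10", "DestinationPort": 2404},
    {"EventID": 1, "Image": ASP, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "aspnet_compiler.exe -v / -p C:\\site C:\\out"},  # real build, benign
]
```

Each rule fires on one stage of the chain while the legitimate compiler invocation at the end stays silent; in practice these would be correlated on process GUID rather than matched independently.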

Reflections: The New Normal for Defenders

The Remcos RAT campaign is a stark reminder: cybercriminals are innovating as quickly as defenders. Fileless attacks, abuse of legitimate tools, and stealthy memory techniques are no longer reserved for nation-state actors - they’re now in the hands of everyday cybercriminals. As the line between normal system activity and malicious behavior blurs, only vigilant, adaptive defenses can hope to keep pace.

WIKICROOK

  • Fileless Malware: Fileless malware is malicious software that runs in a computer’s memory, avoiding disk storage and making it difficult for traditional security tools to detect.
  • Phishing Email: A phishing email is a deceptive message that pretends to be from a trusted source to trick you into revealing sensitive information or clicking malicious links.
  • PowerShell: PowerShell is a Windows scripting tool used for automation, but attackers often exploit it to perform malicious actions stealthily.
  • Process Hollowing: Process hollowing is a technique where malware hides in a legitimate program’s memory, allowing it to evade detection and execute malicious actions.
  • Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.

CRYSTALPROXY, Secure Routing Analyst