Affected Platforms: Microsoft Windows
Impacted Users: Windows Users
Impact: Full remote control of the victim’s computer
Severity Level: High
FortiGuard Labs discovered a new phishing campaign in the wild. The campaign delivers a new variant of Remcos, a commercial lightweight remote access tool (RAT) with a wide range of capabilities, including system resource management, remote surveillance, network management, and Remcos agent management.
I conducted an in-depth investigation into this malicious campaign. This analysis covers how the phishing email initializes the attack, how the attached Word document downloads an RTF file, the vulnerability the attack leverages within the RTF file, the VBScript and PowerShell code, how a fileless .NET module is loaded and executed in a PowerShell process, and how the fileless Remcos agent is downloaded and loaded using process hollowing.
The analysis also details this Remcos variant’s internal configuration block, packet structures, and capabilities across six categories, which are illustrated with examples.
Figure 1 shows the infection chain for the new Remcos variant, illustrating how it is distributed and installed on a victim’s machine.
Figure 1: The Remcos variant infection chain.
The captured phishing email, disguised as a message from a shipping company in Vietnam, lures the recipient to open an attached Word file to view an updated shipping document, as shown in Figure 2.
Figure 2: The phishing email contents.
Note that the email in this image has been flagged as “virus detected” by the FortiMail service, so the email would be blocked and quarantined by FortiMail and not delivered to the recipient, thwarting the attack.
When examining the internal structure of the attached Word document, we find that it contains an online attachedTemplate option in the settings.xml.rels file, as shown in Figure 3.
Figure 3: The attachedTemplate definition in settings.xml.rels file.
The URL of the template file is specified in the “Target” attribute, hxxps://go-shorty[.]killcod3[.]com/OkkxCrq. The URL is a short URL service that ultimately redirects to the file's full URL.
Once the fake shipping document is opened in Microsoft Word, the application automatically downloads and loads the online template into the current Word document.
Figure 4: The Word file downloads a malicious RTF document.
According to Figure 4, the Word file passed through two URL-shortening services before downloading the RTF document “w.doc.”
The three relevant URLs are:
hxxps://go-shorty[.]killcod3[.]com/OkkxCrq
hxxps://tnvs[.]de/e4gUVc
hxxp://66[.]179[.]94[.]117/157/w/w.doc
The online template file is an RTF file (w.doc) containing crafted, malformed equation data. It triggers CVE-2017-11882, a known Remote Code Execution (RCE) vulnerability in the Microsoft Equation Editor (EQNEDT32.EXE).
Figure 5: De-obfuscated view of the downloaded RTF.
Word treats the downloaded RTF file (w.doc) as a remote template and loads it automatically. The vulnerability is triggered when the Equation Editor parses the equation data (preceded by the “\bin” control keyword), which executes the shellcode embedded in the malformed equation data.
Figure 6: Shellcode to download a VBScript file.
The shellcode’s primary function is to download a VBScript file from a decrypted URL. Figure 6 shows the shellcode running in an EQNEDT32.EXE process, about to call URLDownloadToFileW() to download the VBScript file. At the bottom of Figure 6, the decrypted URL hxxp://66[.]179[.]94[.]117/157/fsf090g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00ds.vbe and the full path of the local file %AppData%\90g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00d.vbs are marked. Finally, the shellcode calls the ShellExecuteW() API to execute the downloaded VBScript file.
The VBScript file is lightly obfuscated and contains Base64-encoded PowerShell code.
Below is a snippet of the VBScript code.
' Prepare a Win32_ProcessStartup instance so the child process starts hidden
Dim millilitres, panzer, undulant, prostrates, sawhorse
Set millilitres = GetObject("winmgmts:root\cimv2")
Set panzer = millilitres.Get("Win32_ProcessStartup").SpawnInstance_
panzer.ShowWindow = 0                  ' SW_HIDE: no visible console window
Set undulant = millilitres.Get("Win32_Process")
prostrates = 0
' Win32_Process.Create launches the assembled PowerShell command line through WMI,
' so powershell.exe is spawned by WmiPrvSE.exe rather than by wscript.exe
sawhorse = undulant.Create(microliths(crummier), banie, panzer, prostrates)
wscript.quit(1)
The PowerShell code is assembled into the following command line, which is stored in the variable “crummier.”
powershell -NoProfile -WindowStyle Hidden -Command {Base64-decoded PowerShell code}
Then, the VBScript code creates a WMI object to execute the command line.
In Figure 7, the Base64-encoded string is shown on the left, while the Base64-decoded PowerShell code appears on the right.
Figure 7: Base64-decoded PowerShell code.
The PowerShell code downloads a .NET module (.NET DLL) that is transformed and embedded in an ordinary-looking image file (optimized_MSI.png, which actually contains JPEG data). The Base64-encoded .NET module is appended to the image file and enclosed between the markers BaseStart- and -BaseEnd.
After decoding, the code calls the [Reflection.Assembly]::Load() method to load the .NET module into the PowerShell process and invokes its VAI() method with a large number of parameters, as shown in Figure 7. Figure 8 illustrates the binary structure of the image file.
Figure 8: Base64-encoded .NET module hidden within an image file.
The assembly name of the .NET module (DLL) is Microsoft.Win32.TaskScheduler, which is disguised as a legitimate TaskScheduler-related system module to mislead both the victim and researchers.
Similar .NET modules have been observed in prior analyses and used by multiple malware families, including DarkCloud and Agent Tesla.
Based on my analysis, this .NET module serves as both a Remcos agent loader and a persistence installer.
Figure 9: The VAI() method called within a PowerShell process.
Figure 9 shows the VAI() method in a debugger when invoked from the PowerShell process. The parameters passed to the method are shown at the bottom of the view.
According to the value in the flagStartupTask parameter, which is set to 1 in this case, the .NET module creates a scheduled task (named "5V3EBWmhxc") in the Windows Task Scheduler to maintain persistence on the compromised computer.
The .NET module creates a TaskService object and invokes its methods to set the trigger conditions, execution action, and repeat interval. It then registers the new scheduled task by calling the taskService.RootFolder.RegisterTaskDefinition() method. Figure 10 shows the created scheduled task.
Figure 10: The created task 5V3EBWmhxc displayed in Windows Task Scheduler.
The task’s action is to execute the following command line every minute:
wscript.exe C:\Users\Public\Downloads\eOTJ0Dniy5.vbs
The eOTJ0Dniy5.vbs file is a duplicate of %AppData%\90g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00d.vbs, which was downloaded earlier in the infection chain. This file was copied by the .NET module before the scheduled task was created.
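The persistence described above has three properties a defender can test for without any malware-specific indicator: the task action is a script host, the script sits in a world-writable directory (C:\Users\Public\Downloads here), and the trigger repeats every minute. The Python below is an added example written for this article, not the .NET module's code or a FortiGuard tool; it scores a task definition in the XML format that schtasks /Query /XML exports. The two task definitions embedded in it are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
WORLD_WRITABLE = re.compile(r"(?i)(\\users\\public\\|\\programdata\\|\\windows\\temp\\|%temp%|%public%)")
ISO_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def duration_seconds(text):
    """Convert a Task Scheduler ISO-8601 interval such as PT1M to seconds (None if absent/unparsable)."""
    if not text:
        return None
    m = ISO_DURATION.match(text.strip())
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s


def assess_task(task_xml):
    """Return the task's Exec action plus the reasons it resembles script-based persistence."""
    root = ET.fromstring(task_xml)
    ns = {"t": TASK_NS}
    command = (root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=ns) or "").strip()
    arguments = (root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=ns) or "").strip()
    intervals = [duration_seconds(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", ns)]
    shortest = min((i for i in intervals if i is not None), default=None)

    reasons = []
    # Basename of the command, tolerating quotes and either slash style.
    exe = command.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
    if exe in SCRIPT_HOSTS:
        reasons.append(f"action runs a script host ({exe})")
    if WORLD_WRITABLE.search(arguments) or WORLD_WRITABLE.search(command):
        reasons.append("script or binary lives in a world-writable directory")
    if shortest is not None and shortest <= 300:
        reasons.append(f"repeats every {shortest} s")
    return {"command": command, "arguments": arguments, "interval_seconds": shortest, "reasons": reasons}


# Constructed task definition mirroring the behaviour described in the article.
SUSPICIOUS_TASK_XML = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-12-01T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>C:\\Users\\Public\\Downloads\\eOTJ0Dniy5.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: a weekly maintenance job with no repetition interval.
BENIGN_TASK_XML = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-12-01T03:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval><DaysOfWeek><Sunday/></DaysOfWeek></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        result = assess_task(xml_text)
        print(label, result["command"], result["arguments"], result["reasons"])
```

Each reason on its own produces false positives (plenty of legitimate tasks run PowerShell), so treat the count as a score and investigate tasks that hit two or more, starting with the script file the action points at.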
The first parameter to the VAI() method is a Base64-encoded string in reverse order. The .NET module decodes it to obtain the URL:
hxxps://idliya[.]com/arquivo_20251130221101.txt.
The .NET module downloads the file and keeps it in memory. The file contains the Remcos agent payload, which is obfuscated in two stages: Base64 encoding followed by reversing the encoded string. The bottom of Figure 11 shows the Base64-decoded Remcos payload in memory.
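Both staged components use cheap, reversible obfuscation: the .NET module is Base64 text between the BaseStart- and -BaseEnd markers appended to an image whose extension (.png) disagrees with its JPEG contents, and the VAI() URL and the Remcos payload are Base64 text written backwards. The Python below is an added example written for this article, not code from the sample or from FortiGuard; the fake image, fake payload and URL it builds are constructed so the decoding logic can be exercised offline.

```python
import base64
import re

# Marker strings quoted in the article; the Base64 text sits between them after the image data.
START_MARKER = b"BaseStart-"
END_MARKER = b"-BaseEnd"

MAGIC = {  # leading bytes of the two image formats involved
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
}


def image_type_mismatch(filename, blob):
    """True when the extension and the leading bytes disagree (e.g. a .png that holds JPEG data)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    ext = "jpeg" if ext == "jpg" else ext
    if ext not in MAGIC:
        return False
    return not blob.startswith(MAGIC[ext])


def extract_marked_payload(blob, start=START_MARKER, end=END_MARKER):
    """Decode the Base64 text between the two markers; None when no marker pair is present."""
    i = blob.find(start)
    if i < 0:
        return None
    j = blob.find(end, i + len(start))
    if j < 0:
        return None
    encoded = re.sub(rb"\s+", b"", blob[i + len(start):j])  # tolerate line breaks in the Base64
    return base64.b64decode(encoded)


def decode_reversed_base64(text):
    """Undo the two-stage obfuscation: reverse the string, then Base64-decode it."""
    return base64.b64decode(text.strip()[::-1])


def obfuscate_reversed_base64(data):
    """Constructed helper that produces the reversed-Base64 form, used only to build test input."""
    return base64.b64encode(data).decode("ascii")[::-1]


def is_pe(data):
    """Cheap sanity check that a recovered payload is a Windows executable (MZ header)."""
    return data is not None and data[:2] == b"MZ"


def build_sample_image(payload):
    """Constructed stand-in for the trojanized image: JPEG header, filler, then the marked Base64 blob."""
    return MAGIC["jpeg"] + b"\xe0" + b"\x00" * 64 + START_MARKER + base64.b64encode(payload) + END_MARKER


if __name__ == "__main__":
    # Constructed fake payload standing in for the .NET DLL (not real malware).
    fake_dll = b"MZ" + b"\x00" * 62 + b"constructed .NET stub"
    image = build_sample_image(fake_dll)
    print("extension/magic mismatch:", image_type_mismatch("optimized_MSI.png", image))
    recovered = extract_marked_payload(image)
    print("recovered PE:", is_pe(recovered), len(recovered), "bytes")
    # Constructed reversed-Base64 URL, the shape of the first VAI() parameter.
    obf_url = obfuscate_reversed_base64(b"https://payload.example/arquivo.txt")
    print("stage URL:", decode_reversed_base64(obf_url).decode())
```

For proxy or sandbox inspection, the extension/magic mismatch and the presence of printable Base64 after the end of the image data are the two signals worth alerting on; the same extractor recovers the in-memory payload from a network capture of the download.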
Figure 11: The Base64-decoded Remcos payload in the PowerShell process memory.
Next, the .NET module deploys the Remcos payload into a newly created colorcpl.exe process using process hollowing. The target process is specified as a parameter to the VAI() method. Figure 12 shows that colorcpl.exe was created by the .NET module while running in the PowerShell process.
Figure 12: A new “colorcpl.exe” process created by PowerShell.
As the entry point function of the Remcos payload is called in the colorcpl.exe process, the Remcos agent becomes active on the compromised computer.
Although the Remcos payload remains fileless throughout the campaign, it can be dumped from the PowerShell process’s memory. As shown in Figure 13, the payload is a 32-bit executable (EXE) compiled with Microsoft Visual C++. It is not protected by any packer.
Figure 13: The view of the dumped Remcos payload in a PE analysis tool.
Based on static analysis, this Remcos variant is version 7.0.4 Pro, released on September 10, 2025. The version information is defined in the payload file, shown below.
.rdata:00469814 a704Pro db '7.0.4 Pro',0
Every Remcos agent contains an encrypted configuration block located in the resource section of the executable file named “SETTINGS.” Figure 14 shows the configuration data after decryption and decompression.
Figure 14: Decrypted SETTINGS data.
The configuration items are delimited by |…| (hex str: \x7C\x1E\x1E\x1F\x7C). This variant contains 57 configuration values, which control the Remcos agent’s behavior on the victim’s device.
The configuration block includes the C2 server information, specified as 216.9.224.26:51010:1. It consists of the IP address, the TCP port, and a flag indicating whether TLS is enabled (1) or disabled (0).
The Remcos agent name and register key/mutex name are also defined in the configuration block as RemoteHost and Rmc-LCCCTQ, respectively.
In addition, the configuration block contains numerous flags that automatically enable or disable features, such as screen logging, keylogging, camera and microphone recording, sensitive data collection, and other capabilities.
Finally, several certificate-related values, including public keys, appear at the end of the configuration block; they are used to communicate with the C2 server over TLS.
Once Remcos establishes a connection with the C2 server, it sends the first packet containing basic information collected from the compromised computer, as shown in Figure 15.
To better explain the packet format, I reproduced the communication in a controlled local environment using plaintext packets.
Figure 15: The packet structure of the first packet sent to the C2 server.
The packet begins with a packet magic value 0xff0424, followed by the packet size 0x250, the command ID 0x4b, and the command data, which is encrypted when TLS is enabled.
All the packets follow the same general packet structure:
packet magic | packet size | command ID | command data
This 0x4b command data consists of the following values:
Each value within the command data is separated by |…| (hex str \x7C\x1E\x1E\x1F\x7C), as shown in Figure 15.
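The SETTINGS block and the command data share one field separator (7C 1E 1E 1F 7C), so a single splitter serves both the configuration extractor and a packet decoder for plaintext (non-TLS) traffic like the lab capture in Figure 15. The Python below is an added example written for this article, not Remcos code or a FortiGuard tool. The article gives the header field order and the observed values (magic 0xff0424, size 0x250, command 0x4b) but not the byte widths or endianness, so the framing here (3-byte little-endian magic, 4-byte little-endian size counting everything after itself, 4-byte little-endian command ID) is an assumption made for the example, and the configuration values and packet contents are constructed.

```python
import struct

# Field separator quoted in the article for both the SETTINGS block and command data.
FIELD_SEP = b"\x7c\x1e\x1e\x1f\x7c"

# Assumed header encoding (see lead-in): magic | size | command ID, all little-endian.
MAGIC = (0xFF0424).to_bytes(3, "little")
SIZE = struct.Struct("<I")
CMD = struct.Struct("<I")
HEADER_LEN = len(MAGIC) + SIZE.size + CMD.size


def split_fields(data):
    """Split a decrypted SETTINGS block or a command-data payload on the |...| separator."""
    return data.split(FIELD_SEP)


def parse_c2(field):
    """Decode the 'host:port:tls' C2 descriptor (the article's sample is 216.9.224.26:51010:1)."""
    host, port, tls = field.decode("ascii").rsplit(":", 2)
    if tls not in ("0", "1"):
        raise ValueError(f"unexpected TLS flag {tls!r}")
    return host, int(port), tls == "1"


def build_packet(cmd_id, fields):
    """Frame a packet as magic | size | command ID | command data (assumed framing)."""
    data = FIELD_SEP.join(fields)
    size = CMD.size + len(data)  # assumption: size counts the command ID plus the data
    return MAGIC + SIZE.pack(size) + CMD.pack(cmd_id) + data


def parse_packet(buf):
    """Inverse of build_packet: returns (command_id, fields, trailing_bytes) or raises on bad framing."""
    if len(buf) < HEADER_LEN or buf[: len(MAGIC)] != MAGIC:
        raise ValueError("bad magic or short header")
    (size,) = SIZE.unpack_from(buf, len(MAGIC))
    (cmd_id,) = CMD.unpack_from(buf, len(MAGIC) + SIZE.size)
    end = len(MAGIC) + SIZE.size + size
    if size < CMD.size or len(buf) < end:
        raise ValueError("truncated packet")
    return cmd_id, split_fields(buf[HEADER_LEN:end]), buf[end:]


def is_well_formed(buf):
    """Convenience wrapper for stream reassembly: does buf begin with one complete packet?"""
    try:
        parse_packet(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed SETTINGS fields; the C2 descriptor uses a TEST-NET address, not the real one.
    settings = FIELD_SEP.join([b"203.0.113.10:51010:1", b"RemoteHost", b"Rmc-EXAMPL", b"1", b"0"])
    fields = split_fields(settings)
    print("fields:", len(fields), "C2:", parse_c2(fields[0]))
    # Constructed check-in packet with command ID 0x4b carrying a few host-info fields.
    pkt = build_packet(0x4B, [b"LAB-HOST", b"labuser", b"7.0.4 Pro"])
    print("header bytes:", pkt[:HEADER_LEN].hex())
    print("parsed:", parse_packet(pkt))
```

Because the separator contains two control bytes, a simple IDS content match on 7C 1E 1E 1F 7C is a reasonable low-noise indicator for plaintext sessions, while the config splitter is what you would run over a memory dump of the agent to pull the C2 descriptor and feature flags.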
Figure 16 shows the Remcos Control Center interface on the C2 server, which displays most of the values extracted from the 0x4b command data along with live screen logging output.
Figure 16: Remcos Control Center interface on the C2 server.
This Remcos variant provides six major features for remotely managing compromised computers. To support these features, this variant implements a total of 211 command IDs.
In the system management category, Remcos provides Screen Capture, File Manager, File Search, Process Manager, Service Manager, Windows Manager, Registry Editor, Installed Programs, Run System Command, Command Line, Remote Scripting, Clipboard Manager, Set Wallpaper, and Power Manager features.
These features allow the attacker to fully manage and control the victim’s computer system resources. Figure 17 shows an example of the remote Registry Editor interface on the C2 server, which the attacker can use to view and modify keys and values.
Figure 17: Remote Registry Editor.
The surveillance category enables the attacker to monitor the victim’s activities using features such as Camera, Microphone, Keylogger, ScreenLogger, Browser History, Password Recovery, Cookie Recovery, and Activity Notification.
Figure 18 shows an example of a screen-logging packet. The C2 server sends command 0x10, after which the Remcos agent captures the victim’s screen into a JPEG file and sends the picture back to the C2 server.
Figure 18: Screen logger packet.
Remcos provides network-related features, such as Network Monitor, Proxy, Downloader, DNS redirection, Open Webpage, and IP Info. It can remotely display the status of processes using network resources (LISTENING, ESTABLISHED).
It can also configure direct or reverse SOCKS5 proxies on the compromised system. Using the Downloader, the Remcos agent can download and execute additional executable files. It can also force the victim’s default web browser to open a specified webpage.
In addition, Remcos can block the victim from accessing a website via the DNS Redirection feature. Figure 19 shows how an example website (e.g., www.test.com) is blocked on the victim’s computer. The feature works by modifying the hosts file on the victim’s computer.
Figure 19: Set to block a website on the victim’s computer.
The communication category contains Chat, MessageBox, and Audio Player features. These features provide interactive communication between the victim and the attacker. Figure 20 shows the Chat feature in use on the C2 server.
Figure 20: Remote chat with the victim.
The Extra category includes DLL Loader, Logins Cleaner, and Extra Functions features. These features support the attacker with the ability to remotely load and execute a given DLL and clear saved credentials, browser history, and cookies on the compromised computer. An attacker can also control the victim’s mouse and keyboard, monitor, CD Drive, Windows Taskbar, and Start Button.
The agent control category’s functions manage the Remcos agent itself: Rename, Elevate to Admin, Elevate to System, Ping, Reconnection, Restart, Show, Update, Close, and Uninstall.
Previous analysis of Remcos RAT has already documented most of these command IDs and their corresponding features in detail, so they are not repeated in this analysis. Please refer to that analysis for additional information on the command IDs.
This analysis introduces a newly observed phishing campaign that delivers a fileless variant of the Remcos RAT. The infection chain begins with a phishing email impersonating a Vietnamese shipping company that lures victims into opening a malicious Word document. The document then retrieves a remote RTF file, exploits a vulnerability, and executes VBScript and PowerShell code, resulting in in-memory loading of a .NET module that serves as both a loader and a persistence mechanism for the Remcos payload.
The Remcos payload (version 7.0.4 Pro) is never written to a local file. It is downloaded into memory and injected into a legitimate system process via process hollowing. Examining its encrypted configuration block reveals C2 server details, feature flags, and TLS-related certificates used for secure communication.
This analysis also breaks down the Remcos features across six categories: system management, surveillance, networking, communication, extra functions, and agent control, which together give the attacker full remote control of the compromised systems.
Fortinet customers are already protected from this campaign with FortiGuard’s AntiSPAM, Web Filtering, IPS, and AntiVirus services as follows:
The URLs associated with this malicious campaign are rated as Malicious Websites by the FortiGuard Web Filtering service.
FortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing provided by FortiSandbox embedded in Fortinet FortiMail, web filtering, and antivirus solutions provides advanced protection against both known and unknown phishing attempts.
FortiGuard Antivirus service detects the Word document, RTF file, and the fileless Remcos payload file with the following AV signatures.
XML/Agent.EDC!tr.dldr
MSOffice/CVE_2017_11882.DMP!exploit
W32/Rescoms.B!tr
Fortinet FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service, and the FortiGuard AntiVirus engine is part of each solution. As a result, customers using these products already have up-to-date protections.
To stay informed of new and emerging threats, you can sign up to receive future alerts.
We also suggest that our readers complete the free NSE training: NSE 1 – Information Security Awareness, which includes information on Internet threats and is designed to help end users identify and protect themselves against phishing attacks.
The FortiPhish Phishing Simulation Service, together with Fortinet’s Security Awareness and Training Service, uses real-world phishing scenarios to train and test employees against common social engineering tactics. By improving users’ ability to recognize and respond to suspicious content—especially during high-risk periods of distraction or urgency—these services help reduce the risk of successful phishing and malware attacks.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
hxxp://66[.]179[.]94[.]117/157/w/w.doc
hxxp://66[.]179[.]94[.]117/157/fsf090g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00ds.vbe
hxxps://idliya[.]com/assets/optimized_MSI.png
hxxps://idliya[.]com/arquivo_20251130221101.txt
[BL DRAFT ITL13746259.docx]
7798059D678BCA13EEEEBB44A8DB3588E4AA287701AEDE94B094B18F33B58F84
[w.doc]
A35DD25CD31E4A7CCA528DBFFF37B5CDBB4076AAC28B83FD4DA397027402BADD
[fsf090g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00ds.vbe]
E915CE8F7271902FA7D270717A5C08E57014528F19C92266F7B192793D40972F
[Remcos payload]
94CA3BEEB0DFD3F02FE14DE2E6FB0D26E29BEB426AEE911422B08465AFBD2FAA