A sophisticated PowerShell-based shellcode loader that executes the Remcos Remote Access Trojan (RAT) is the latest example of a trend security researchers have been tracking: threat actors increasingly rely on fileless techniques to get around traditional, file-centric defenses. Qualys researchers identified the threat during routine threat hunting and noted how effectively it evades conventional endpoint protection platforms. “This malware exemplifies the growing sophistication of fileless attacks,” explained Prashant Pawar, Lead Threat Research Engineer at Qualys.

The infection chain starts with a seemingly innocuous ZIP archive containing a weaponized LNK file. When the user opens the shortcut, it launches MSHTA with specially crafted command arguments, and MSHTA in turn kicks off a PowerShell-based chain that loads Remcos directly into memory. The malicious payload is never written to disk, so the chain leaves minimal forensic evidence and sidesteps signature-based engines that depend on scanning files. Proxy execution through trusted, signed system binaries such as mshta.exe also muddies attribution: the process tree is made up of legitimate Windows programs, which makes the activity harder to spot and to tie back to an actor. (The accompanying visualization shows this hijacked process chain.)

The PowerShell scripts themselves carry several layers of obfuscation, including encrypted strings, dynamic API resolution, and binary padding intended to confuse automated analysis tools. The malware persists by modifying registry Run keys, so it survives reboots without dropping suspicious files, and it uses User Account Control bypass techniques to elevate privileges without triggering alerts. Because the loader runs almost entirely in memory, infections can go unnoticed for long periods, giving the operators time to work. Once established, Remcos gives the attacker screen capture, keylogging, credential theft from web browsers, and automated data exfiltration.

Defenders are advised to enable comprehensive PowerShell logging (script block and module logging), ensure Antimalware Scan Interface (AMSI) monitoring is active so in-memory script content is inspected, and deploy EDR tooling that flags behavioral anomalies, such as mshta.exe spawning PowerShell with hidden or encoded arguments, rather than relying solely on file signatures.
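To make the behavioral-detection advice concrete, the following Python is an added example (not code from Qualys, the article's authors, or the malware) of the kind of logic an EDR or SIEM rule would apply to process-creation and registry telemetry. It assumes a Sysmon-style feed already parsed into dicts: Event ID 1 process creations with `pid`, `parent_pid`, `image` and `command_line`, and Event ID 13 registry value sets with `pid`, `target_object` and `details`. Those field names, the scoring weights and the sample events are all constructed for illustration; the indicators (explorer.exe launching a proxy binary, mshta.exe spawning PowerShell, hidden/encoded arguments, a Run key that invokes a script host) are the ones described in the text.

```python
"""Heuristic detection for an LNK -> mshta.exe -> PowerShell in-memory loader chain.

Added example, not code from Qualys or Cyber Security News. Assumes Sysmon-style
events parsed into dicts (field names and sample data are constructed):
  Event ID 1  : pid, parent_pid, image, command_line
  Event ID 13 : pid, target_object, details
"""
import re
from dataclasses import dataclass, field

# Trusted, signed system binaries commonly abused for proxy execution.
PROXY_BINARIES = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Command-line markers of hidden or encoded execution and in-memory loading.
POWERSHELL_MARKERS = [
    (re.compile(r"-(?:e|en|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "no profile"),
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "Invoke-Expression"),
    (re.compile(r"VirtualAlloc|CreateThread|WriteProcessMemory", re.I), "memory injection API"),
    (re.compile(r"DownloadString|Net\.WebClient|Invoke-WebRequest", re.I), "remote fetch"),
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


@dataclass
class Finding:
    pid: int
    chain: list          # image names from root ancestor to the flagged process
    score: int
    reasons: list = field(default_factory=list)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid):
    """Walk parent_pid links (with a cycle guard); return root -> leaf image names."""
    chain, seen, cur = [image_name(event["image"])], {event["pid"]}, event
    while cur["parent_pid"] in by_pid and cur["parent_pid"] not in seen:
        cur = by_pid[cur["parent_pid"]]
        seen.add(cur["pid"])
        chain.append(image_name(cur["image"]))
    return chain[::-1]


def analyze_process_events(events, threshold=3):
    """Score every process-creation event; return {pid: Finding} for scores >= threshold."""
    by_pid = {e["pid"]: e for e in events if e["event_id"] == 1}
    findings = {}
    for e in by_pid.values():
        chain = ancestry(e, by_pid)
        score, reasons = 0, []
        # A proxy binary started by the shell is what a double-clicked LNK looks like.
        for parent, child in zip(chain, chain[1:]):
            if parent == "explorer.exe" and child in PROXY_BINARIES:
                score += 2
                reasons.append(f"{child} launched from explorer.exe (LNK-style)")
        # Script host spawned by a proxy binary: the mshta -> powershell hop.
        if len(chain) >= 2 and chain[-1] in SCRIPT_HOSTS and chain[-2] in PROXY_BINARIES:
            score += 3
            reasons.append(f"{chain[-1]} spawned by {chain[-2]}")
        if chain[-1] in SCRIPT_HOSTS:
            for pattern, label in POWERSHELL_MARKERS:
                if pattern.search(e["command_line"]):
                    score += 1
                    reasons.append(label)
        if score >= threshold:
            findings[e["pid"]] = Finding(e["pid"], chain, score, reasons)
    return findings


def analyze_registry_events(events):
    """Return (pid, key, value) for Run/RunOnce values that invoke a script host or proxy binary."""
    hits = []
    for e in events:
        if e["event_id"] == 13 and RUN_KEY.search(e["target_object"]):
            data = e["details"].lower()
            if any(b in data for b in SCRIPT_HOSTS | PROXY_BINARIES):
                hits.append((e["pid"], e["target_object"], e["details"]))
    return hits


def report(events):
    """Human-readable summary lines for flagged chains and persistence entries."""
    lines = []
    for f in analyze_process_events(events).values():
        lines.append(f"pid {f.pid} score {f.score}: {' > '.join(f.chain)} [{'; '.join(f.reasons)}]")
    for pid, key, value in analyze_registry_events(events):
        lines.append(f"pid {pid} persistence: {key} = {value}")
    return lines


# Constructed sample telemetry: one LNK-style chain plus a benign scripted task.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 100, "parent_pid": 1, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe"},
    {"event_id": 1, "pid": 200, "parent_pid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -nop -w hidden -enc SQBFAFgA"",0")'},
    {"event_id": 1, "pid": 300, "parent_pid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"event_id": 13, "pid": 300,
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateCheck",
     "details": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"event_id": 1, "pid": 400, "parent_pid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

The scoring deliberately keys on the process tree rather than on any file: the benign `-NoProfile` PowerShell task launched from the shell scores 1 and stays below the threshold, while the mshta.exe-spawned instance with hidden and encoded arguments scores 8 and is reported together with its full ancestry, and the Run key that re-invokes PowerShell is surfaced as the persistence indicator. In production, the command-line markers would be complemented by script block log (Event ID 4104) and AMSI content, since the encoded command itself is where the loader's VirtualAlloc-style calls appear.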
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 16 May 2025 11:39:54 +0000